[3.3] curl: NTLM credentials not-checked for proxy connection re-use (CVE-2016-0755)
A vulnerability was found in the way libcurl uses NTLM-authenticated proxy
connections.
libcurl will reuse NTLM-authenticated proxy connections without properly
making sure that the connection was authenticated with the same credentials
as set for this transfer.
Affected versions:
libcurl 7.10.7 to and including 7.46.0
Upgrade curl and libcurl to version 7.47.0
References:
https://curl.haxx.se/docs/adv_20160127A.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0755
Patch:
http://curl.haxx.se/CVE-2016-0755.patch
(from redmine: issue id 5069, created on 2016-02-04, closed on 2016-06-23)
- Relations:
- parent #5068 (closed)
- Changesets:
- Revision 13c92a8e by Natanael Copa on 2016-02-08T20:29:29Z:
main/curl: security upgrade to 7.47.0 (CVE-2016-0755)
fixes #5069
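
The reuse flaw described in this issue, modelled as an added example in C. It is not libcurl's code and not the CVE-2016-0755 patch; the struct names, function names and sample pool are hypothetical. It contrasts a reuse rule that matches only the proxy endpoint with one that also requires the credentials an NTLM-authenticated connection was set up with.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a pooled proxy connection; not libcurl's structures. */
struct proxy_conn {
    const char *host; int port;
    int ntlm_done;              /* NTLM handshake completed on this socket */
    const char *user, *passwd;  /* credentials that handshake used */
};
struct transfer { const char *host; int port; const char *user, *passwd; };

static int same_str(const char *a, const char *b)  /* both unset counts as equal */
{ return (a && b) ? strcmp(a, b) == 0 : a == b; }

/* Flawed rule: match on the proxy endpoint only. */
int reuse_unchecked(const struct proxy_conn *c, const struct transfer *t)
{
    return same_str(c->host, t->host) && c->port == t->port;
}

/* Hardened rule: a connection that finished NTLM needs identical credentials. */
int reuse_checked(const struct proxy_conn *c, const struct transfer *t)
{
    return reuse_unchecked(c, t) && (!c->ntlm_done ||
           (same_str(c->user, t->user) && same_str(c->passwd, t->passwd)));
}

/* Constructed sample data: a pool and two transfers. */
const struct proxy_conn pool[] = {
    { "proxy.example", 3128, 1, "alice", "alice-pw" },
    { "proxy.example", 3128, 0, NULL, NULL },
};
const struct transfer as_alice = { "proxy.example", 3128, "alice", "alice-pw" };
const struct transfer as_bob   = { "proxy.example", 3128, "bob", "bob-pw" };

/* Index of the first reusable pooled connection, or -1 to open a new one. */
int pick_conn(const struct transfer *t,
              int (*ok)(const struct proxy_conn *, const struct transfer *))
{
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (ok(&pool[i], t))
            return (int)i;
    return -1;
}

int main(void)
{
    printf("bob unchecked: %d\n", pick_conn(&as_bob, reuse_unchecked));
    printf("bob checked:   %d\n", pick_conn(&as_bob, reuse_checked));
}
```

With the endpoint-only rule, the transfer configured for "bob" is handed the connection that was authenticated as "alice"; the hardened rule skips it and picks the connection that has not completed NTLM.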