Commits · b47c17d67c9b5c9e985375b090f0140bf43cb146 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

Apr 22, 2015
- nss: implement public key pinning for NSS backend · b47c17d6
  Kamil Dudka authored Mar 25, 2015
```
Bug: https://bugzilla.redhat.com/1195771
```
  b47c17d6
- dist: include {src,lib}/checksrc.whitelist · 1fd33e3e
  Daniel Stenberg authored Apr 22, 2015
  
  1fd33e3e
- RELEASE-NOTES: updated for 7.42.0 · 22691f84
  Daniel Stenberg authored Apr 21, 2015
  
  curl-7_42_0
  
  22691f84
- THANKS: added contributors from 7.42.0 release notes · 00e01fc0
  Daniel Stenberg authored Apr 21, 2015
  
  00e01fc0
- THANKS-filter: a few more alterations to squash · aadda65f
  Daniel Stenberg authored Apr 21, 2015
  
  aadda65f
- contrithanks.sh: helper script for maintaining THANKS · 7166fd8a
  Daniel Stenberg authored Apr 21, 2015
  
  7166fd8a
Apr 21, 2015

http_done: close Negotiate connections when done · 79b9d5f1

Daniel Stenberg authored Apr 18, 2015

When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

CVE-2015-3148

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris

79b9d5f1

fix_hostname: zero length host name caused -1 index offset · 0583e87a

Daniel Stenberg authored Apr 16, 2015

If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.

CVE-2015-3144

Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck

0583e87a

cookie: cookie parser out of boundary memory access · b5f947b8

Daniel Stenberg authored Apr 16, 2015

The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck

b5f947b8

ConnectionExists: for NTLM re-use, require credentials to match · 31be461c
Daniel Stenberg authored Apr 16, 2015
```
CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
```
31be461c
openssl: add OPENSSL_NO_SSL3_METHOD check · 6088fbce
byronhe authored Apr 21, 2015

6088fbce

Apr 20, 2015
- CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc · cf2d21d8
  Daniel Stenberg authored Apr 20, 2015
```
Bug: https://github.com/bagder/curl/issues/229
Reported-by: bsammon
```
  cf2d21d8
- configure --with-nss: remove unneeded libs from the fallback · 875a6d93
  Mostyn Bramley-Moore authored Apr 20, 2015
  
  875a6d93
- contributors.sh: fix help output, filter out (-prefix from names · 1b8f9c95
  Daniel Stenberg authored Apr 20, 2015
  
  1b8f9c95
- RELEASE-NOTES: synced with cc0e7ebc · 9d704b3d
  Daniel Stenberg authored Apr 20, 2015
  
  9d704b3d
Apr 19, 2015
- CURLMOPT_TIMERFUNCTION.3: Clarify, add an example · cc0e7ebc
  Michael Stapelberg authored Apr 11, 2015
  
  cc0e7ebc
- vtls/openssl: use https in URLs and a comment typo fixed · 3a87bdeb
  Viktor Szakats authored Dec 29, 2014
  
  3a87bdeb
Apr 18, 2015
- curl_version_info.3: fixed the 'protocols' variable type · 63c64e05
  Daniel Stenberg authored Apr 18, 2015
```
Reported-by: John Marshall
Bug: https://github.com/bagder/curl/issues/225
```
  63c64e05
- test1423: added missing "file" to server section · 1e6d0e06
  Dan Fandrich authored Apr 18, 2015
  
  1e6d0e06
Apr 17, 2015
- TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods · b6e47789
  Daniel Stenberg authored Apr 17, 2015
```
... and some minor edits
```
  b6e47789
- Revert "HTTP: don't abort connections with pending Negotiate authentication" · 2eb02480
  Daniel Stenberg authored Apr 17, 2015
```
This reverts commit 5dc68dd6.

Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
```
  2eb02480
- cyassl: Fix include order · f7011252
  Jay Satiro authored Apr 17, 2015
```
Prior to this change CyaSSL's build options could redefine some generic
build symbols.

http://curl.haxx.se/mail/lib-2015-04/0069.html
```
  f7011252
- configure --with-nss: drop redundant if statement · 8dc3bbf0
  Kamil Dudka authored Apr 08, 2015
  
  8dc3bbf0
- configure --with-nss=PATH: query pkg-config if available · 67a8bbb5
  Kamil Dudka authored Apr 08, 2015
```
Bug: https://github.com/bagder/curl/pull/171
```
  67a8bbb5
- parsecfg: do not continue past a zero termination · 691a07da
  Daniel Stenberg authored Apr 17, 2015
```
When a config file line ends without newline, the parsing function could
continue reading beyond that point in memory.

Reported-by: Hanno Böck
```
  691a07da
Apr 16, 2015
- gitignore: Ignore Windows build output directories · 05e4137d
  Jay Satiro authored Apr 16, 2015
  
  05e4137d
Apr 15, 2015
- RELEASE-NOTES: synced with 1ba6e4c8 · 82805b56
  Daniel Stenberg authored Apr 15, 2015
  
  82805b56
- TODO: 17.9 Choose the name of file in braces for complex URLs · 1ba6e4c8
  Daniel Stenberg authored Apr 15, 2015
  
  1ba6e4c8
- TODO: a little caution that maybe not all ideas are still good · 8f78794f
  Daniel Stenberg authored Apr 15, 2015
  
  8f78794f
- TODO: 17.8 offer color-coded HTTP header output · 0cbbbbdc
  Daniel Stenberg authored Apr 15, 2015
  
  0cbbbbdc
- TODO: 17.7 warning when sending binary output to terminal · 78843afb
  Daniel Stenberg authored Apr 15, 2015
  
  78843afb
- KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes · ad48b177
  Daniel Stenberg authored Apr 15, 2015
  
  ad48b177
Apr 14, 2015
- cyassl: Add support for TLS extension SNI · 9430dd58
  Jay Satiro authored Apr 13, 2015
  
  9430dd58
Apr 13, 2015
- gitignore: ignore test-driver file · 8df4b5af
  Matthew Hall authored Mar 24, 2015
  
  8df4b5af
- vtls_openssl: improve PKCS#12 load failure error message · a471a9f3
  Matthew Hall authored Mar 24, 2015
  
  a471a9f3
- vtls_openssl: fix minor typo in PKCS#12 load routine · 27ac6434
  Matthew Hall authored Mar 24, 2015
  
  27ac6434
- vtls_openssl: improve client certificate load failure error messages · b3175a76
  Matthew Hall authored Mar 24, 2015
  
  b3175a76
- vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant · 58b0a8b0
  Matthew Hall authored Mar 24, 2015
  
  58b0a8b0
- BUGS: refer to the github issue tracker now as primary · 9e7125a1
  Daniel Stenberg authored Apr 13, 2015
  
  9e7125a1
- firefox-db2pem: fix wildcard to find Firefox default profile · 7fe172d3
  Daniel Stenberg authored Apr 13, 2015
```
At some point, Firefox has changed and generates different directory
names for the default profile that made this script fail to find them.

Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
```
  7fe172d3