1 CVE-2014-0015: libcurl can in some circumstances re-use the wrong |
|
2 connection when asked to do an NTLM-authenticated HTTP or HTTPS request. |
|
3 |
|
4 More information at: |
|
5 http://curl.haxx.se/docs/adv_20140129.html |
|
6 |
|
7 Closest relevant upstream patch at: |
|
8 http://curl.haxx.se/CVE-2014-0015-7-27.patch |
|
9 |
|
10 --- lib/url.c.orig 2014-02-04 12:41:29.827372361 -0800 |
|
11 +++ lib/url.c 2014-02-04 12:56:44.394433387 -0800 |
|
12 @@ -2998,7 +2998,7 @@ |
|
13 } |
|
14 if((needle->protocol & PROT_FTP) || |
|
15 ((needle->protocol & PROT_HTTP) && |
|
16 - (data->state.authhost.want==CURLAUTH_NTLM))) { |
|
17 + (data->state.authhost.want & CURLAUTH_NTLM))) { |
|
18 /* This is FTP or HTTP+NTLM, verify that we're using the same name |
|
19 and password as well */ |
|
20 if(!strequal(needle->user, check->user) || |
|
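Review bot: The user/password comparison on the new side is still gated only on what the new request wants (`data->state.authhost.want & CURLAUTH_NTLM`), not on whether the candidate connection `check` has already been authenticated with NTLM. A request that does not ask for NTLM at all would skip this branch and, as far as the hunk shows, could still be matched to a connection that another set of credentials authenticated; the proxy-side `authproxy.want` is not consulted here either. Worth confirming against the rest of the function, which starts and ends outside this hunk, that a connection with NTLM state is never handed to a request whose credentials differ. Since the switch from `==` to `&` is the whole fix, a short comment above the condition would help keep it from being reverted, for example `/* want is a bitmask (several methods may be set), so test the NTLM bit, not equality */`.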