1 CVE-2014-0015: libcurl can in some circumstances re-use the wrong |
|
2 connection when asked to do an NTLM-authenticated HTTP or HTTPS request. |
|
3 |
|
4 More information at: |
|
5 http://curl.haxx.se/docs/adv_20140129.html |
|
6 |
|
7 Relevant upstream patch at: |
|
8 http://curl.haxx.se/CVE-2014-0015-7-27.patch |
|
9 |
|
10 --- lib/url.c.orig 2014-02-04 12:20:53.704898398 -0800 |
|
11 +++ lib/url.c 2014-02-04 12:28:14.698044886 -0800 |
|
12 @@ -3103,8 +3103,8 @@ |
|
13 } |
|
14 if((needle->handler->protocol & CURLPROTO_FTP) || |
|
15 ((needle->handler->protocol & CURLPROTO_HTTP) && |
|
16 - ((data->state.authhost.want==CURLAUTH_NTLM) || |
|
17 - (data->state.authhost.want==CURLAUTH_NTLM_WB)))) { |
|
18 + ((data->state.authhost.want & CURLAUTH_NTLM) || |
|
19 + (data->state.authhost.want & CURLAUTH_NTLM_WB)))) { |
|
20 /* This is FTP or HTTP+NTLM, verify that we're using the same name |
|
21 and password as well */ |
|
22 if(!strequal(needle->user, check->user) || |
|
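Review bot: The rewritten condition on patch lines 18-19 only consults `data->state.authhost.want`, so a request whose NTLM authentication is with a proxy rather than the host is not visibly covered by this credential comparison; whether that case is handled elsewhere cannot be seen from this hunk, because the enclosing function starts and ends outside it. Since the test is now a bitmask test, any handle that merely permits NTLM among several methods takes the credential-comparison path, which is the point of the fix but is not what the unchanged comment says. I would update the comment to something like `/* FTP, or HTTP where NTLM is among the wanted auth methods: NTLM authenticates the connection, so only re-use it for the same name and password */`. The two tests could also be folded into `(data->state.authhost.want & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB))`, though keeping the upstream form makes the backport easier to compare against the advisory patch.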