CVE-2014-0015: libcurl can in some circumstances re-use the wrong
connection when asked to do an NTLM-authenticated HTTP or HTTPS request.
More information at:
http://curl.haxx.se/docs/adv_20140129.html
Relevant upstream patch at:
http://curl.haxx.se/CVE-2014-0015-7-27.patch
--- lib/url.c.orig 2014-02-04 12:20:53.704898398 -0800
+++ lib/url.c 2014-02-04 12:28:14.698044886 -0800
@@ -3103,8 +3103,8 @@
}
if((needle->handler->protocol & CURLPROTO_FTP) ||
((needle->handler->protocol & CURLPROTO_HTTP) &&
- ((data->state.authhost.want==CURLAUTH_NTLM) ||
- (data->state.authhost.want==CURLAUTH_NTLM_WB)))) {
+ ((data->state.authhost.want & CURLAUTH_NTLM) ||
+ (data->state.authhost.want & CURLAUTH_NTLM_WB)))) {
/* This is FTP or HTTP+NTLM, verify that we're using the same name
and password as well */
if(!strequal(needle->user, check->user) ||