# HG changeset patch
# User Rich Burridge
# Date 1391612908 28800
# Node ID 3f0c67b12bf76e50c67a36ff81175a2f68c82d9b
# Parent 1a1d0ee12d7c8bdf0be5dd16489e9c59181330d5
18183059 problem in LIBRARY/CURL
diff -r 1a1d0ee12d7c -r 3f0c67b12bf7 components/curl/patches/012-CVE-2014-0015.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/012-CVE-2014-0015.patch Wed Feb 05 07:08:28 2014 -0800
@@ -0,0 +1,22 @@
+CVE-2014-0015: libcurl can in some circumstances re-use the wrong
+connection when asked to do an NTLM-authenticated HTTP or HTTPS request.
+
+More information at:
+http://curl.haxx.se/docs/adv_20140129.html
+
+Relevant upstream patch at:
+http://curl.haxx.se/CVE-2014-0015-7-27.patch
+
+--- lib/url.c.orig 2014-02-04 12:20:53.704898398 -0800
++++ lib/url.c 2014-02-04 12:28:14.698044886 -0800
+@@ -3103,8 +3103,8 @@
+ }
+ if((needle->handler->protocol & CURLPROTO_FTP) ||
+ ((needle->handler->protocol & CURLPROTO_HTTP) &&
+- ((data->state.authhost.want==CURLAUTH_NTLM) ||
+- (data->state.authhost.want==CURLAUTH_NTLM_WB)))) {
++ ((data->state.authhost.want & CURLAUTH_NTLM) ||
++ (data->state.authhost.want & CURLAUTH_NTLM_WB)))) {
+ /* This is FTP or HTTP+NTLM, verify that we're using the same name
+ and password as well */
+ if(!strequal(needle->user, check->user) ||
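Review bot: The connection-reuse check on the context line `if(!strequal(needle->user, check->user) ||` still decides whether two sets of credentials match with `strequal`, which in libcurl is a case-insensitive comparison, so even with the corrected bitmask test a connection authenticated for one user can be treated as matching a request whose user name differs only in letter case. Credentials should be compared exactly, for example `if(strcmp(needle->user, check->user) ||`, with the same change applied to the password comparison that presumably follows; the condition continues outside the hunk, so that part cannot be confirmed here. The test also consults only `data->state.authhost.want`; whether proxy NTLM credentials get an equivalent check is not visible in these lines and is worth verifying in the rest of the function.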