curl-7.39.0

[Fernando de Oliveira]

​http://curl.haxx.se/download/curl-7.39.0.tar.lzma

CVE-2014-3707: libcurl duphandle read out of bounds

​http://curl.haxx.se/docs/adv_20141105.html

...

    Affected versions: from libcurl 7.17.1 to and including 7.38.0
    Not affected versions: libcurl >= 7.39.0

...

RECOMMENDATIONS

We suggest you take one of the following actions immediately,
in order of preference:

A - Upgrade to curl and libcurl 7.39.0

B - Apply the patch and rebuild libcurl

C - Avoid using CURLOPT_COPYPOSTFIELDS then curl_easy_duphandle()

If you are using PHP/CURL, we advice you to avoid
curl_copy_handle() after CURLOPT_POSTFIELDS, since
PHP then uses CURLOPT_COPYPOSTFIELDS "under the hood".
...

A patch for this problem is available at:

http://curl.haxx.se/CVE-2014-3707.patch

​http://curl.haxx.se/changes.html#7_39_0

 Fixed in 7.39.0 - November 5 2014

Changes:

    SSLv3 is disabled by default
    CURLOPT_COOKIELIST: Added "RELOAD" command
    build: Added WinIDN build configuration options to Visual Studio projects
    ssh: improve key file search
    SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
    vtls: remove QsoSSL support, use gskit!
    mk-ca-bundle: added SHA-384 signature algorithm
    docs: added many examples for libcurl opts and other doc improvements
    build: Added VC ssh2 target to main Makefile
    MinGW: Added support to build with nghttp2
    NetWare: Added support to build with nghttp2
    build: added Watcom support to build with WinSSL
    build: Added optional specific version generation of VC project files 

Bugfixes: 
...

[Fernando de Oliveira]

Fixed at r14846.