id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
6618,curl-7.43.0,Fernando de Oliveira,Fernando de Oliveira,"[http://curl.haxx.se/download/curl-7.43.0.tar.lzma]

[http://curl.haxx.se/download/curl-7.43.0.tar.lzma.asc]

[http://curl.haxx.se/docs/adv_20150617A.html] (CVE-2015-3236)

[http://curl.haxx.se/docs/adv_20150617B.html] (CVE-2015-3237)

[http://curl.haxx.se/mail/archive-2015-06/0031.html]

or

[http://curl.haxx.se/changes.html#7_43_0]

{{{
Fixed in 7.43.0 - June 17 2015

Changes:
 • Added CURLOPT_PROXY_SERVICE_NAME
 • Added CURLOPT_SERVICE_NAME
 • New curl option: --proxy-service-name
 • New curl option: --service-name
 • New curl option: --data-raw
 • Added CURLOPT_PIPEWAIT
 • Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
 • HTTP/2: requires nghttp2 1.0.0 or later
 • scripts: add zsh.pl for generating zsh completion
 • curl.h: add CURL_HTTP_VERSION_2

Bugfixes:
 • CVE-2015-3236: lingering HTTP credentials in connection re-use
 • CVE-2015-3237: SMB send off unrelated memory contents
 • nss: fix compilation failure with old versions of NSS
 • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
 • schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
 • Curl_ossl_init: load builtin modules
 • configure: follow-up fix for krb5-config
 • sasl_sspi: Populate domain from the realm in the challenge
 • netrc: support 'default' token
 • README: convert to UTF-8
 • cyassl: Implement public key pinning
 • nss: implement public key pinning for NSS backend
 • mingw build: add arch -m32/-m64 to LDFLAGS
 • schannel: Fix out of bounds array
 • configure: remove autogenerated files by autoconf
 • configure: remove --automake from libtoolize call
 • acinclude.m4: fix shell test for default CA cert bundle/path
 • schannel: fix regression in schannel_recv
 • openssl: skip trace outputs for ssl_ver == 0
 • gnutls: properly retrieve certificate status
 • netrc: Read in text mode when cygwin
 • winbuild: Document the option used to statically link the CRT
 • FTP: Make EPSV use the control IP address rather than the original host
 • FTP: fix dangling conn->ip_addr dereference on verbose EPSV
 • conncache: keep bundles on host+port bases, not only host names
 • runtests.pl: use 'h2c' now, no -14 anymore
 • curlver: introducing new version number (checking) macros
 • openssl: boringssl build breakage, use SSL_CTX_set_msg_callback
 • CURLOPT_POSTFIELDS.3: correct variable names
 • curl_easy_unescape.3: update RFC reference
 • gnutls: don't fail on non-fatal alerts during handshake
 • testcurl.pl: allow source to be in an arbitrary directory
 • CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
 • SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
 • parse_proxy: switch off tunneling if non-HTTP proxy
 • share_init: fix OOM crash
 • perl: remove subdir, not touched in 9 years
 • CURLOPT_COOKIELIST.3: Add example
 • CURLOPT_COOKIE.3: Explain that the cookies won't be modified
 • CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
 • FAQ: How do I port libcurl to my OS?
 • openssl: Use TLS_client_method for OpenSSL 1.1.0+
 • HTTP-NTLM: fail auth on connection close instead of looping
 • curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
 • curl_getdate.3: update RFC reference
 • curl_multi_info_read.3: added example
 • curl_multi_perform.3: added example
 • curl_multi_timeout.3: added example
 • cookie: Stop exporting any-domain cookies
 • openssl: remove dummy callback use from SSL_CTX_set_verify()
 • openssl: remove SSL_get_session()-using code
 • openssl: removed USERDATA_IN_PWD_CALLBACK kludge
 • openssl: removed error string #ifdef
 • openssl: Fix verification of server-sent legacy intermediates
 • docs: man page indentation and syntax fixes
 • docs: Spelling fixes
 • fopen.c: fix a few compiler warnings
 • CURLOPT_OPENSOCKETFUNCTION: return error at once
 • schannel: Add support for optional client certificates
 • build: Properly detect OpenSSL 1.0.2 when using configure
 • urldata: store POST size in state.infilesize too
 • security:choose_mech remove dead code
 • rtsp_do: remove dead code
 • docs: many HTTP URIs changed to HTTPS
 • schannel: schannel_recv overhaul
}}}",enhancement,closed,high,7.8,BOOK,SVN,normal,fixed,,