Package: curl / 7.26.0-1+wheezy13

Metadata

Package: curl
Version: 7.26.0-1+wheezy13
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_runtests_gdb.patch

tests/runtests.pl | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 runtests_gdb.
02_art_http_scripting.patch

docs/index.html | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix path to "theartofhttpscripting" in docs.
03_keep_symbols_compat.patch

lib/libcurl.vers.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 keep versioned symbols backwards compatibility.
04_workaround_as_needed_bug.patch

ltmain.sh | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 work around libtool --as-needed reordering bug
05_curl sasl CVE 2013 0249.patch

lib/smtp.c | 25 8 + 17 - 0 !
1 file changed, 8 insertions(+), 17 deletions(-)

 Fix buffer overflow in SMTP DIGEST-MD5 negotiation
 When negotiating SMTP DIGEST-MD5 authentication, the function
 smtp_state_authdigest_resp() uses the data provided from the
 server without doing the proper length checks and that data is then
 appended to a local fixed-size buffer on the stack.
06_curl tailmatch CVE 2013 1944.patch

lib/cookie.c | 24 19 + 5 - 0 !
1 file changed, 19 insertions(+), 5 deletions(-)

 [PATCH] cookie: fix tailmatching to prevent cross-domain leakage

Cookies set for 'example.com' could accidentally also be sent by libcurl
to 'bexample.com' (i.e. with a prefix to the first domain name).
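A domain tail-match check of the kind the patch above describes, added here as an illustration (it is not curl's code, and the function name is mine): the cookie domain must be a suffix of the host name and, unless it is the whole host name, the suffix must begin right after a '.', so 'bexample.com' no longer matches a cookie set for 'example.com'.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not curl's code): may a cookie whose Domain attribute is
   `cookie_domain` be sent to `host`?  Matching is case-insensitive and a
   leading dot on the cookie domain is ignored, as RFC 6265 requires. */
static bool cookie_tailmatch(const char *cookie_domain, const char *host)
{
    size_t clen, hlen, i;

    if (*cookie_domain == '.')
        cookie_domain++;
    clen = strlen(cookie_domain);
    hlen = strlen(host);
    if (clen == 0 || clen > hlen)
        return false;

    /* The cookie domain must be a suffix of the host name... */
    for (i = 0; i < clen; i++) {
        if (tolower((unsigned char)host[hlen - clen + i]) !=
            tolower((unsigned char)cookie_domain[i]))
            return false;
    }

    /* ...and, unless the host *is* the domain, the suffix must start on a
       label boundary.  Checking only the suffix is the CVE-2013-1944 bug:
       "bexample.com" ends in "example.com" but is a different site. */
    return clen == hlen || host[hlen - clen - 1] == '.';
}
```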
07_test1218 another cookie tailmatch test.patch

tests/data/Makefile.am | 1 1 + 0 - 0 !
tests/data/Makefile.in | 1 1 + 0 - 0 !
tests/data/test1218 | 61 61 + 0 - 0 !
3 files changed, 63 insertions(+)

 [PATCH] test1218: another cookie tailmatch test

... and make 1216 also verify it with a file input

These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
domain tailmatch" vulnerability. See
http://curl.haxx.se/docs/adv_20130412.html

08_CVE 2013 2174.patch

lib/escape.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [PATCH] curl_urldecode: no peeking beyond end of input buffer

Security problem: CVE-2013-2174

If a program would give a string like "%" to curl_easy_unescape(), it
would still consider the % as start of an encoded character. The
function then not only read beyond the buffer but it would also deduct
the *unsigned* counter variable for how many more bytes there are left to
read in the buffer by two, making the counter wrap. Continuing this, the
function would go on reading beyond the buffer and soon writing beyond
the allocated target buffer...

Bug: http://curl.haxx.se/docs/adv_20130622.html
Reported-by: Timo Sirainen
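A percent-decoder that makes the fix above concrete, added as an illustration (not curl's own curl_easy_unescape; the names url_decode and decodes_to are mine). A '%' is only decoded when two hex digits really remain in the input, and the loop is bounded by the remaining length instead of subtracting from an unsigned counter, so a trailing '%' can neither wrap the counter nor carry the read or write past either buffer.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code.  Decodes %XX escapes in `in` (length
   `inlen`; the output may contain NUL bytes).  Returns a malloc'd buffer
   of `*outlen` bytes plus a trailing NUL, or NULL on allocation failure. */
static char *url_decode(const char *in, size_t inlen, size_t *outlen)
{
    /* Decoding never grows the data, so inlen + 1 bytes always suffice:
       the output write can never run past its allocation. */
    char *out = malloc(inlen + 1);
    size_t i = 0, o = 0;

    if (!out)
        return NULL;
    while (i < inlen) {
        /* Only treat '%' as an escape when two hex digits really follow
           inside the buffer.  `inlen - i` is the remaining length; it is
           compared, never decremented, so it cannot wrap the way the
           unsigned countdown in the CVE-2013-2174 code did. */
        if (in[i] == '%' && inlen - i >= 3 &&
            isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtoul(hex, NULL, 16);
            i += 3;
        } else {
            out[o++] = in[i++];   /* a lone or malformed '%' is kept literally */
        }
    }
    out[o] = '\0';
    *outlen = o;
    return out;
}

/* Test helper: does decoding `in` yield exactly `expect` (explen bytes)? */
static int decodes_to(const char *in, const char *expect, size_t explen)
{
    size_t n;
    char *got = url_decode(in, strlen(in), &n);
    int ok = got && n == explen && memcmp(got, expect, explen) == 0;
    free(got);
    return ok;
}
```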

09_reset timecond.patch

lib/getinfo.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [PATCH] getinfo.c: reset timecond when clearing session-info variables

Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783
Reported-by: Ludovico Cavedon <cavedon@debian.org>
10_CVE 2013 4545.patch

lib/ssluse.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH] openssl: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER

Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set
should still verify that the host name fields in the server certificate
are fine or return failure.

Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
Reported-by: Ishan SinghLevett

11_disable verifyhost with insecure.patch

src/tool_operate.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH] curl: set CURLOPT_SSL_VERIFYHOST to 0 to disable
Bug-Debian: http://bugs.debian.org/729965

12_CVE 2013 6422.patch

lib/gtls.c | 8 2 + 6 - 0 !
1 file changed, 2 insertions(+), 6 deletions(-)

 [PATCH] gtls: respect *VERIFYHOST independently of *VERIFYPEER

This is basically the same fix that 3c3622b6 brought to the OpenSSL
backend and that resulted in CVE-2013-4545.

This version of the problem was independently introduced to the GnuTLS
backend with commit 59cf93cc, present in the code since the libcurl
7.21.4 release.

Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html
Reported-by: Marc Deslauriers

13_CVE 2014 0015.patch

lib/url.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH] ConnectionExists: fix NTLM check for new connection

When the requested authentication bitmask includes NTLM, we cannot
re-use a connection for another username/password as we then risk
re-using NTLM (connection-based auth).

This has the unfortunate downside that if you include NTLM as a possible
auth, you cannot re-use connections for other usernames/passwords even
if NTLM doesn't end up the auth type used.

Reported-by: Paras S
Patched-by: Paras S
Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html

14_CVE 2014 0138.patch

lib/http.c | 2 1 + 1 - 0 !
lib/url.c | 6 3 + 3 - 0 !
lib/urldata.h | 2 2 + 0 - 0 !
tests/data/DISABLED | 1 1 + 0 - 0 !
4 files changed, 7 insertions(+), 4 deletions(-)

 fix connection re-use when using different log-in credentials
 In addition to FTP, other connection based protocols such as IMAP, POP3,
15_CVE 2014 0139.patch

lib/ssluse.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 Reject IP address wildcard matches
 There are server certificates used with IP address in the CN field, but
 we MUST not allow wildcard certs for hostnames given as IP addresses
 only. Therefore we must make Curl_cert_hostcheck() fail such attempts.
16_CVE 2014 3613.patch

lib/cookie.c | 49 39 + 10 - 0 !
tests/data/test1105 | 3 1 + 2 - 0 !
tests/data/test31 | 53 27 + 26 - 0 !
tests/data/test8 | 5 3 + 2 - 0 !
4 files changed, 70 insertions(+), 40 deletions(-)

 Only use full host matches for hosts used as IP address
17_CVE 2014 3620.patch

lib/cookie.c | 6 6 + 0 - 0 !
tests/data/test61 | 1 1 + 0 - 0 !
2 files changed, 7 insertions(+)

 Reject incoming cookies set for TLDs
18_CVE 2014 3707.patch

lib/formdata.c | 52 9 + 43 - 0 !
lib/strdup.c | 26 26 + 0 - 0 !
lib/strdup.h | 3 2 + 1 - 0 !
lib/url.c | 22 17 + 5 - 0 !
lib/urldata.h | 11 9 + 2 - 0 !
src/Makefile.inc | 3 2 + 1 - 0 !
src/tool_setup.h | 5 2 + 3 - 0 !
src/tool_strdup.c | 47 47 + 0 - 0 !
src/tool_strdup.h | 30 30 + 0 - 0 !
9 files changed, 144 insertions(+), 55 deletions(-)

 [PATCH] curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds

When duplicating a handle, the data to post was duplicated using
strdup() when it could be binary and contain zeroes and it was not even
zero terminated! This caused read out of bounds crashes/segfaults.

Since the lib/strdup.c file no longer is easily shared with the curl
tool with this change, it now uses its own version instead.

Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis

19_CVE 2014 8150.patch

lib/url.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [PATCH] URL-parsing: reject CRLFs within URLs

Bug: http://curl.haxx.se/docs/adv_20150108B.html
Reported-by: Andrey Labunets

20_CVE 2015 3143.patch

lib/url.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [PATCH] ConnectionExists: for NTLM re-use, require credentials to match

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia

21_CVE 2015 3148 1.patch

lib/http.c | 6 6 + 0 - 0 !
lib/http_negotiate.c | 1 0 + 1 - 0 !
lib/http_negotiate_sspi.c | 1 0 + 1 - 0 !
3 files changed, 6 insertions(+), 2 deletions(-)

 [PATCH] don't clear GSSAPI state between each exchange in the negotiation

GSSAPI doesn't work very well if we forget everything every time.

XX: Is Curl_http_done() the right place to do the final cleanup?

22_CVE 2015 3148 2.patch

lib/http.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [PATCH] http_done: close Negotiate connections if not 401

When doing HTTP requests Negotiate authenticated, the entire connection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris

90_gnutls.patch

configure.ac | 4 2 + 2 - 0 !
docs/examples/Makefile.am | 2 1 + 1 - 0 !
lib/Makefile.am | 6 3 + 3 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 4 2 + 2 - 0 !
5 files changed, 10 insertions(+), 10 deletions(-)

 build with gnutls.
99_nss.patch

configure.ac | 2 1 + 1 - 0 !
docs/examples/Makefile.am | 2 1 + 1 - 0 !
lib/Makefile.am | 6 3 + 3 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 4 2 + 2 - 0 !
5 files changed, 9 insertions(+), 9 deletions(-)

 build with nss.