curl-7.29.0-25.0.1.el7.AXS7

Errata ID: AXSA:2015-843:01

Release date: 
Tuesday, December 1, 2015 - 13:03
Subject: 
curl-7.29.0-25.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.

Security issues fixed with this release:

CVE-2014-3613
cURL and libcurl before 7.38.0 do not properly handle IP addresses
in cookie domain names, which allows remote attackers to set cookies
for or send arbitrary cookies to certain sites, as demonstrated by a
site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

CVE-2014-3707
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0,
when running with the CURLOPT_COPYPOSTFIELDS option, does not properly
copy HTTP POST data for an easy handle, which triggers an
out-of-bounds read that allows remote web servers to read sensitive
memory information.

CVE-2014-8150
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0,
when using an HTTP proxy, allows remote attackers to inject arbitrary
HTTP headers and conduct HTTP response splitting attacks via CRLF
sequences in a URL.

CVE-2015-3143
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use NTLM
connections, which allows remote attackers to connect as other users
via an unauthenticated request, a similar issue to CVE-2014-0015.

CVE-2015-3148
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use
authenticated Negotiate connections, which allows remote attackers to
connect as other users via a request.

Fixed bugs:

* An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API.
* TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API.
* FTP operations such as downloading files took an excessively long time to complete. Now, the FTP implementation in libcurl correctly sets the blocking direction and estimated timeout for connections, resulting in faster FTP transfers.

Enhancements:

* With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol.
* The libcurl library did not implement a non-blocking SSL handshake, which negatively affected the performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns control to the application whenever it cannot read or write data from or to the underlying network socket.
* The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. curl-7.29.0-25.0.1.el7.AXS7.src.rpm
    MD5: a43063ab72d123c59ff8be0045679cd3
    SHA-256: 1ac4e97eeb37bc289b58a62b4cc0353ac37cdc32b41644e9138e3e69441e146a
    Size: 2.13 MB

Asianux Server 7 for x86_64
  1. curl-7.29.0-25.0.1.el7.AXS7.x86_64.rpm
    MD5: af2c57e3a40ddc5748e4483d69f10de5
    SHA-256: 724e9e796079c982094aa2ae0947d4cc5495b778f115cdd223f3f338c43b0afc
    Size: 262.25 kB
  2. libcurl-7.29.0-25.0.1.el7.AXS7.x86_64.rpm
    MD5: 75022f72d0a304e9ad4695664580e5b9
    SHA-256: a4b6afbab1ac88b6b9ebae4d47c3c0ceb6fff9aa513da87f78345c8354bf5d0c
    Size: 213.82 kB
  3. libcurl-devel-7.29.0-25.0.1.el7.AXS7.x86_64.rpm
    MD5: 86ce7901896f3571df5c522452502bee
    SHA-256: 5fd7bea7fe594cf82e9da0ca89e955cd58742da9e313ab377c9a3913df4d8d33
    Size: 296.02 kB
  4. libcurl-7.29.0-25.0.1.el7.AXS7.i686.rpm
    MD5: f439a51591cd1522b395dec10b542a79
    SHA-256: 8b43c4ca66baab8e1798de05c47e128584fee4934f24a16e7f2fa8df5cf7640b
    Size: 217.07 kB
  5. libcurl-devel-7.29.0-25.0.1.el7.AXS7.i686.rpm
    MD5: d82241a007c10f628eec9af3f92788ce
    SHA-256: 5db9262b9818d3ffe96e5f1f0bedd28bd0fdb2fd02549c9f1a9032c53a800d30
    Size: 296.08 kB
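The advisory's solution is to update the packages, and the Download section publishes a SHA-256 digest for each RPM. The script below is an added example, not part of the Asianux advisory or of the curl project: it checks a downloaded RPM against the digest listed above for its file name (copied verbatim from the Download section), and compares an installed curl VERSION-RELEASE string against the fixed release. It assumes a POSIX shell with sha256sum (or shasum) and GNU sort with -V; rpm's own version comparison differs from sort -V in some corner cases, so rpmdev-vercmp is authoritative where it is available.

```sh
#!/bin/sh
# Added example, not part of the Asianux advisory: verify downloaded RPMs
# against the SHA-256 values published in the Download section and check
# whether the installed curl package is already at the fixed release.
# Assumes a POSIX shell with sha256sum (or shasum) and GNU sort -V.

FIXED_VERSION="7.29.0-25.0.1.el7.AXS7"

# SHA-256 values copied from the advisory's Download section.
expected_sha256() {
  case "$1" in
    curl-7.29.0-25.0.1.el7.AXS7.src.rpm)
      echo 1ac4e97eeb37bc289b58a62b4cc0353ac37cdc32b41644e9138e3e69441e146a ;;
    curl-7.29.0-25.0.1.el7.AXS7.x86_64.rpm)
      echo 724e9e796079c982094aa2ae0947d4cc5495b778f115cdd223f3f338c43b0afc ;;
    libcurl-7.29.0-25.0.1.el7.AXS7.x86_64.rpm)
      echo a4b6afbab1ac88b6b9ebae4d47c3c0ceb6fff9aa513da87f78345c8354bf5d0c ;;
    libcurl-devel-7.29.0-25.0.1.el7.AXS7.x86_64.rpm)
      echo 5fd7bea7fe594cf82e9da0ca89e955cd58742da9e313ab377c9a3913df4d8d33 ;;
    libcurl-7.29.0-25.0.1.el7.AXS7.i686.rpm)
      echo 8b43c4ca66baab8e1798de05c47e128584fee4934f24a16e7f2fa8df5cf7640b ;;
    libcurl-devel-7.29.0-25.0.1.el7.AXS7.i686.rpm)
      echo 5db9262b9818d3ffe96e5f1f0bedd28bd0fdb2fd02549c9f1a9032c53a800d30 ;;
    *) return 1 ;;
  esac
}

# Hex SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: succeed only when the full digests match.
# The advisory also lists MD5, but MD5 is not collision resistant, so
# only the SHA-256 value is used for the integrity check.
verify_sha256() {
  [ "$(file_sha256 "$1")" = "$2" ]
}

# verify_download PATH: look up the published digest by file name and check it.
verify_download() {
  name=$(basename "$1")
  expected=$(expected_sha256 "$name") || { echo "no published digest for $name" >&2; return 2; }
  if verify_sha256 "$1" "$expected"; then
    echo "OK   $name"
  else
    echo "FAIL $name (digest mismatch, do not install)" >&2
    return 1
  fi
}

# version_at_least INSTALLED FIXED: succeed when INSTALLED sorts at or after
# FIXED under GNU version ordering (sort -V).
version_at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# installed_curl_version: VERSION-RELEASE of the installed curl package.
installed_curl_version() {
  rpm -q --qf '%{VERSION}-%{RELEASE}\n' curl 2>/dev/null
}

# Usage: sh check_curl_errata.sh [downloaded.rpm ...]
if [ $# -gt 0 ]; then
  status=0
  for f in "$@"; do
    verify_download "$f" || status=1
  done
  v=$(installed_curl_version) && {
    if version_at_least "$v" "$FIXED_VERSION"; then
      echo "installed curl $v is at or above $FIXED_VERSION"
    else
      echo "installed curl $v is below $FIXED_VERSION; update packages"
    fi
  }
  exit $status
fi
```

Run it with the downloaded RPM paths as arguments; a FAIL line means the file does not match the published digest and should not be installed. Without arguments the script only defines its functions, so it can be sourced from other tooling.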