[El-errata] ELSA-2015-1254 Moderate: Oracle Linux 6 curl security, bug fix, and enhancement update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Jul 29 09:29:50 PDT 2015

Oracle Linux Security Advisory ELSA-2015-1254


The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:




Description of changes:

- require credentials to match for NTLM re-use (CVE-2015-3143)
- close Negotiate connections when done (CVE-2015-3148)

- reject CRLFs in URLs passed to proxy (CVE-2014-8150)

- use only full matches for hosts used as IP address in cookies 
- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle 

- fix manpage typos found using aspell (#1011101)
- fix comments about loading CA certs with NSS in man pages (#1011083)
- fix handling of DNS cache timeout while a transfer is in progress 
- eliminate unnecessary inotify events on upload via file protocol (#883002)
- use correct socket type in the examples (#997185)
- do not crash if MD5 fingerprint is not provided by libssh2 (#1008178)
- fix SIGSEGV of curl --retry when network is down (#1009455)
- allow to use TLS 1.1 and TLS 1.2 (#1012136)
- docs: update the links to cipher-suites supported by NSS (#1104160)
- allow to use ECC ciphers if NSS implements them (#1058767)
- make curl --trace-time print correct time (#1120196)
- let tool call PR_Cleanup() on exit if NSPR is used (#1146528)
- ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747)
- allow to enable/disable new AES cipher-suites (#1156422)
- include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163)
- disable libcurl-level downgrade to SSLv3 (#1154059)

- do not force connection close after failed HEAD request (#1168137)
- fix occasional SIGSEGV during SSL handshake (#1168668)

- fix a connection failure when FTPS handle is reused (#1154663)

More information about the El-errata mailing list