FreeBSD 0F99A30C-7B4B-11ED-9168-080027F5FEC9
Oct 26, 2022 - 12:00 a.m.

curl -- multiple vulnerabilities

2022-10-26 00:00:00
vuxml.freebsd.org

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low
Percentile: 77.4%

Daniel Stenberg reports:

CVE-2022-32221: POST following PUT confusion

      When doing HTTP(S) transfers, libcurl might erroneously
      use the read callback
      (CURLOPT_READFUNCTION) to ask for data to
      send, even when the CURLOPT_POSTFIELDS
      option has been set, if the same handle previously was
      used to issue a PUT request which used that
      callback. This flaw may surprise the application and
      cause it to misbehave and either send off the wrong data
      or use memory after free or similar in the subsequent
      POST request. The problem exists in the
      logic for a reused handle when it is changed from a PUT
      to a POST.

CVE-2022-35260: .netrc parser out-of-bounds access

      curl can be told to parse a .netrc file for
      credentials. If that file ends in a line with
      consecutive non-white space letters and no newline, curl
      could read past the end of the stack-based buffer, and
      if the read works, write a zero byte possibly beyond its
      boundary. This will in most cases cause a segfault or
      similar, but circumstances might also cause different
      outcomes. If a malicious user can provide a custom netrc
      file to an application or otherwise affect its contents,
      this flaw could be used as denial-of-service.

CVE-2022-42915: HTTP proxy double-free

      If curl is told to use an HTTP proxy for a transfer with
      a non-HTTP(S) URL, it sets up the connection to the
      remote server by issuing a CONNECT request to the proxy,
      and then tunnels the rest of protocol through. An HTTP
      proxy might refuse this request (HTTP proxies often only
      allow outgoing connections to specific port numbers,
      like 443 for HTTPS) and instead return a non-200
      response code to the client. Due to flaws in the
      error/cleanup handling, this could trigger a double-free
      in curl if one of the following schemes were used in the
      URL for the transfer: dict, gopher, gophers, ldap,
      ldaps, rtmp, rtmps, telnet

CVE-2022-42916: HSTS bypass via IDN

      curl's HSTS check could be bypassed to trick it to keep
      using HTTP. Using its HSTS support, curl can be
      instructed to use HTTPS directly instead of using an
      insecure clear-text HTTP step even when HTTP is provided
      in the URL. This mechanism could be bypassed if the host
      name in the given URL uses IDN characters that get
      replaced to ASCII counterparts as part of the IDN
      conversion. Like using the character UTF-8 U+3002
      (IDEOGRAPHIC FULL STOP) instead of the common ASCII full
      stop (U+002E) ".". Like this: http://curl。se。

OS       Version  Architecture  Package  Version   Filename
FreeBSD  any      noarch        curl     < 7.86.0  UNKNOWN
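
The HSTS bypass in CVE-2022-42916 depends on the HSTS cache being consulted with the host name as written in the URL, before the IDN dot equivalents are folded to an ASCII full stop. The following C program is an added example, not curl's code or its fix: the cache contents and function names are constructed, and it handles only the dot separators IDNA recognizes besides U+002E (U+3002, U+FF0E, U+FF61), not full IDN conversion.

```c
#include <stdio.h>
#include <string.h>

/* Constructed HSTS cache: hosts that must only be reached over HTTPS. */
static const char *hsts_cache[] = { "curl.se", "example.org" };

/* Naive lookup: compares the host bytes exactly as they appear in the URL. */
int hsts_lookup_raw(const char *host)
{
    for (size_t i = 0; i < sizeof hsts_cache / sizeof *hsts_cache; i++)
        if (strcmp(hsts_cache[i], host) == 0)
            return 1;
    return 0;
}

/* Fold UTF-8 U+3002/U+FF0E/U+FF61 to '.', lowercase ASCII, drop one trailing dot. */
int normalize_host(const char *in, char *out, size_t outlen)
{
    static const char *dots[] = { "\xE3\x80\x82", "\xEF\xBC\x8E", "\xEF\xBD\xA1" };
    size_t o = 0;
    if (outlen == 0) return -1;
    while (*in) {
        char c = *in;
        size_t step = 1;
        if (c >= 'A' && c <= 'Z') c = (char)(c - 'A' + 'a');
        for (size_t d = 0; d < 3; d++)
            if (strncmp(in, dots[d], 3) == 0) { c = '.'; step = 3; }
        if (o + 1 >= outlen) return -1;   /* output buffer too small */
        out[o++] = c;
        in += step;
    }
    if (o > 0 && out[o - 1] == '.') o--;
    out[o] = '\0';
    return 0;
}

/* Hardened lookup: normalize the host first, then consult the cache. */
int hsts_lookup_normalized(const char *host)
{
    char buf[256];
    if (normalize_host(host, buf, sizeof buf) != 0) return 1; /* fail closed */
    return hsts_lookup_raw(buf);
}

int main(void)
{
    const char *host = "curl\xE3\x80\x82se\xE3\x80\x82"; /* from http://curl。se。 */
    printf("raw=%d normalized=%d\n", hsts_lookup_raw(host), hsts_lookup_normalized(host));
    return 0;
}
```

The raw lookup misses the cached entry for the IDN-dotted host, so the transfer would stay on HTTP; the normalized lookup matches it.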
