curl security, bug fix, and enhancement update

2016-11-09T00:00:00
ID ELSA-2016-2575
Type oraclelinux
Reporter Oracle
Modified 2016-11-09T00:00:00

Description

[7.29.0-35]
- fix incorrect use of a previously loaded certificate from file (related to CVE-2016-5420)

[7.29.0-34]
- acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option (required by the fix for CVE-2016-5419)

[7.29.0-33]
- fix re-using connections with wrong client cert (CVE-2016-5420)
- fix TLS session resumption client cert bypass (CVE-2016-5419)

[7.29.0-32]
- configure: improve detection of GCC's -fvisibility= flag

[7.29.0-31]
- prevent curl_multi_wait() from missing an event (#1347904)

[7.29.0-30]
- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts (#1305974)

[7.29.0-29]
- SSH: make CURLOPT_SSH_PUBLIC_KEYFILE treat '' as NULL (#1275769)

[7.29.0-28]
- prevent NSS from incorrectly re-using a session (#1269855)
- call PR_Cleanup() in the upstream test-suite if NSPR is used (#1243324)
- disable unreliable upstream test-case 2032 (#1241168)

[7.29.0-27]
- SSH: do not require public key file for user authentication (#1275769)

[7.29.0-26]
- implement 'curl --unix-socket' and CURLOPT_UNIX_SOCKET_PATH (#1263318)
- improve parsing of URL-encoded user name and password (#1260178)
- prevent test46 from failing due to expired cookie (#1258834)