curl - security update

Several vulnerabilities were discovered in cURL, an URL transfer library:

• CVE-2015-3143
  NTLM-authenticated connections could be wrongly reused for requests
  without any credentials set, leading to HTTP requests being sent
  over the connection authenticated as a different user. This is
  similar to the issue fixed in DSA-2849-1.
• CVE-2015-3144
  When parsing URLs with a zero-length hostname (such as “http://:80”),
  libcurl would try to read from an invalid memory address. This could
  allow remote attackers to cause a denial of service (crash). This
  issue only affects the upcoming stable (jessie) and unstable (sid)
  distributions.
• CVE-2015-3145
  When parsing HTTP cookies, if the parsed cookie’s path element
  consists of a single double-quote, libcurl would try to write to an
  invalid heap memory address. This could allow remote attackers to
  cause a denial of service (crash). This issue only affects the
  upcoming stable (jessie) and unstable (sid) distributions.
• CVE-2015-3148
  When doing HTTP requests using the Negotiate authentication method
  along with NTLM, the connection used would not be marked as
  authenticated, making it possible to reuse it and send requests for
  one user over the connection authenticated as a different user.

For the stable distribution (wheezy), these problems have been fixed in
version 7.26.0-1+wheezy13.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 7.38.0-4+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7.42.0-1.

We recommend that you upgrade your curl packages.