The curl packages provide the libcurl library and the curl utility fordownloading files from servers using various protocols, including HTTP,FTP, and LDAP.It was found that the libcurl library did not correctly handle partialliteral IP addresses when parsing received HTTP cookies. An attacker ableto trick a user into connecting to a malicious server could use this flawto set the user's cookie to a crafted domain, making other cookie-relatedissues easier to exploit. (CVE-2014-3613)A flaw was found in the way the libcurl library performed the duplicationof connection handles. If an application set the CURLOPT_COPYPOSTFIELDSoption for a handle, using the handle's duplicate could cause theapplication to crash or disclose a portion of its memory. (CVE-2014-3707)It was discovered that the libcurl library failed to properly handle URLswith embedded end-of-line characters. An attacker able to make anapplication using libcurl to access a specially crafted URL via an HTTPproxy could use this flaw to inject additional headers to the request orconstruct additional requests. (CVE-2014-8150)It was discovered that libcurl implemented aspects of the NTLM andNegotatiate authentication incorrectly. If an application uses libcurland the affected mechanisms in a specifc way, certain requests to apreviously NTLM-authenticated server could appears as sent by the wrongauthenticated user. Additionally, the initial set of credentials for HTTPNegotiate-authenticated requests could be reused in subsequent requests,although a different set of credentials was specified. (CVE-2015-3143,CVE-2015-3148)Red Hat would like to thank the cURL project for reporting these issues.Bug fixes:Enhancements:All curl users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues and add theseenhancements.