AOSA-2016-0041: UPDATE CURL

DECEMBER 31, 2016

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. – Linus Torvalds

Please update your curl (and curl+32 if using the AMD64/x86_64 port with optenv32 installed) to version 7.52.1.

This security advisory discusses the security vulnerabilities addressed in 7.52.0, followed by 7.52.1 as an emergency release to fix a new security regression introduced with version 7.52.0.

Version 7.52.0 addressed the following security vulnerabilities:

CVE-2016-9586, CVE-2016-9952, CVE-2016-9953.

Version 7.52.1 addresses a security vulnerability described as follows; no CVE had been assigned at the time of writing:

"libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to.

"This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable.

"This function is brand new in 7.52.0 and is the result of an overhaul to make sure libcurl uses strong random as much as possible - provided by the backend TLS crypto libraries when present. The faulty function was introduced in this commit."
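The pointer mix-up the quoted text describes, as an added illustration that is not curl's own code: a hypothetical helper that stores the random value into its pointer parameter instead of writing through it, beside the corrected form, and a Digest-style nonce builder that shows why the caller's buffer then never changes. The backend random source is a constructed, deterministic stand-in.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for the TLS backend's random source: a constructed, deterministic
 * xorshift32 so the outcome is reproducible (never returns 0 from a nonzero state). */
static uint32_t backend_random(void)
{
    static uint32_t state = 0x2545F491u;
    state ^= state << 13;
    state ^= state >> 17;
    state ^= state << 5;
    return state;
}

/* Buggy shape: the value lands in the local pointer variable instead of in the
 * caller's buffer, so *rnd is never written and keeps its previous contents. */
int get_random_buggy(uint32_t *rnd)
{
    uint32_t r = backend_random();
    rnd = (uint32_t *)(uintptr_t)r;   /* overwrites the pointer, not the value */
    (void)rnd;
    return 0;
}

/* Fixed shape: write through the pointer. */
int get_random_fixed(uint32_t *rnd)
{
    *rnd = backend_random();
    return 0;
}

/* Digest-style nonce from a fresh random value. With the buggy helper the
 * caller's zero-initialised variable is what ends up in every nonce. */
int make_nonce(int (*get_random)(uint32_t *), char *out, size_t outlen)
{
    uint32_t rnd = 0;
    if (get_random(&rnd) != 0)
        return -1;
    return snprintf(out, outlen, "%08x", (unsigned)rnd);
}

/* Check a caller can run: two consecutive nonces must differ (1) or not (0). */
int nonces_differ(int (*get_random)(uint32_t *))
{
    char a[16], b[16];
    make_nonce(get_random, a, sizeof a);
    make_nonce(get_random, b, sizeof b);
    return strcmp(a, b) != 0;
}
```

A unit test that compares two freshly generated nonces, as `nonces_differ` does, would have caught this class of defect before release.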

Relevant documentation:
