From ${URL} : A vulnerability was found in a way libcurl uses NTLM-authenticated proxy connections. Libcurl will reuse NTLM-authenticated proxy connections without properly making sure, that the connection was authenticated with the same credentials as set for this transfer. Upstream bug report: http://curl.haxx.se/docs/adv_20160127A.html Upstream patch: http://curl.haxx.se/CVE-2016-0755.patch @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This issue is fixed in 7.47.0 release: o NTLM: do not resuse proxy connections without diff proxy credentials [34]
CVE-2016-0755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0755): The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47 by GLSA coordinator Thomas Deutschmann (whissi).