Chapter 3. Security Fixes

This update includes fixes for the following security related issues:

Expand

ID	Impact	Summary
CVE-2016-0718	Moderate	expat: Out-of-bounds heap read on crafted input causing crash
CVE-2016-7167	Low	curl: escape and unescape integer overflows
CVE-2016-8615	Moderate	curl: Cookie injection for other servers
CVE-2016-8616	Low	curl: Case insensitive password comparison
CVE-2016-8617	Moderate	curl: Out-of-bounds write via unchecked multiplication
CVE-2016-8618	Moderate	curl: Double-free in curl_maprintf
CVE-2016-8619	Moderate	curl: Double-free in krb5 code
CVE-2016-8621	Low	curl: curl_getdate out-of-bounds read
CVE-2016-8622	Low	curl: URL unescape heap overflow via integer truncation
CVE-2016-8623	Low	curl: Use-after-free via shared cookies
CVE-2016-8624	Moderate	curl: Invalid URL parsing with '#'
CVE-2016-8625	Moderate	curl: IDNA 2003 makes curl use wrong host
CVE-2016-9598	Moderate	libxml2: out-of-bounds read (unfixed CVE-2016-4483 in JBCS)
CVE-2017-6004	Moderate	pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3)
CVE-2017-7186	Moderate	pcre: Invalid Unicode property lookup (8.41/7, 10.24/2)
CVE-2017-7244	Low	pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)
CVE-2017-7245	Low	pcre: stack-based buffer overflow write in pcre32_copy_substring
CVE-2017-7246	Low	pcre: stack-based buffer overflow write in pcre32_copy_substring
CVE-2017-1000254	Moderate	curl: FTP PWD response parser out of bounds read
CVE-2017-1000257	Moderate	curl: IMAP FETCH response out of bounds read
CVE-2018-0500	Moderate	curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP