cURL Multiple Security Vulnerabilities

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols.

cURL contains the following vulnerabilities:
CVE-2016-8615: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
CVE-2016-8616: When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.
CVE-2016-8617: In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize: malloc( insize * 4 / 3 + 4 ). On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if insize is at least 1GB of data. If this happens, an undersized output buffer will be allocated, but the full result will be written, thus causing the memory behind the output buffer to be overwritten.
CVE-2016-8618: The url_maprintf() function doubles an allocated memory area with realloc() and allows the size to wrap and become zero and when doing so realloc() returns NULL and frees the memory - in contrary to normal realloc() fails where it only returns NULL - causing libcurl to free the memory again in the error path.
CVE-2016-8619: In curl's implementation of the Kerberos authentication mechanism, the function read_data() in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to realloc() is not set to 0. This would lead to realloc() getting called with a zero size and when doing so realloc() returns NULL and frees the memory - in contrary to normal realloc() fails where it only returns NULL - causing libcurl to free the memory again in the error path.
CVE-2016-8620: Glob parser write/read out of bounds when working on a numerical range through which curl will iterate.
CVE-2016-8621: If instead the piece of time that was sent in had the final digit cut off, thus ending with a single-digit, the date parser code would advance its read pointer one byte too much and end up reading out of bounds.
CVE-2016-8622: The URL percent-encoding decode function in libcurl is called curl_easy_unescape. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
CVE-2016-8623: When cookies to be sent to a server are collected, the matching function collects all cookies to send and the cookie lock is released immediately afterwards. That function however only returns a list with references back to the original strings for name, value, path and so on. Therefore, if another thread quickly takes the lock and frees one of the original cookie structs together with its strings, a use-after-free can occur and lead to information disclosure.
CVE-2016-8624: curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host.
CVE-2016-8625: When curl is built with libidn to handle International Domain Names (IDNA), it translates them to puny code for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard. This misalignment causes problems, leading to users potentially and unknowingly issuing network transfer requests to the wrong host.

Affected Versions:
cURL versions prior to 7.51.0

Depending on the vulnerability being exploited, an attacker could cause a denial of service condition, execute arbitrary code or access sensitive information.

Customers are advised to upgrade to cURL 7.51.0 or later versions to remediate these vulnerabilities.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

cURL 7.51.0 or later