Vulnerability category: Amazon Linux
Vulnerability severity:
Vulnerability information
This build resolves the following issues:
CVE-2016-8615 : Cookie injection for other servers
CVE-2016-8616 : Case insensitive password comparison
CVE-2016-8617 : Out-of-bounds write via unchecked multiplication
CVE-2016-8618 : Double-free in curl_maprintf
CVE-2016-8619 : Double-free in krb5 code
CVE-2016-8620 : Glob parser write/read out of bounds
CVE-2016-8621 : curl_getdate out-of-bounds read
CVE-2016-8622 : URL unescape heap overflow via integer truncation
CVE-2016-8623 : Use-after-free via shared cookies
CVE-2016-8624 : Invalid URL parsing with '#'
Vulnerability impact
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
Solution
Please refer to Amazon advisory ALAS-2016-766 for affected packages and patching details, or update with your package manager.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
ALAS-2016-766: Amazon Linux (curl (7.47.1-9.66.amzn1) on i686)
ALAS-2016-766: Amazon Linux (curl (7.47.1-9.66.amzn1) on x86_64)
ALAS-2016-766: Amazon Linux (curl (7.47.1-9.66.amzn1) on src)