The curl project has released version 7.42.0, which fixes four vulnerabilities.
Airlock WAF is not affected.
Details:
CVE-2015-3144: Out-of-bounds memory access when curl processes a URL with a zero-length host name. Airlock WAF is not affected because it never forwards URLs with zero-length host names to curl.
CVE-2015-3145: Out-of-bounds memory access when a path element in a Set-Cookie response contains a single double-quote. This is not relevant for Airlock WAF because back-end cookies are trusted and cannot be manipulated externally.
CVE-2015-3148/CVE-2015-3143: These affect the reuse logic for authenticated connections, e.g. in the case of NTLM. Airlock WAF is not affected because for NTLM back-end authentication it forces a new connection with every request (no TCP keep-alive).
No action required.