Sicherheit: Mangelnde Prüfung von Zertifikaten in axel

Lesezeichen hinzufügen

openSUSE Security Update: Security update for axel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0785-1
Rating: moderate
References: #1172159
Cross-References: CVE-2020-13614
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for axel fixes the following issues:

axel was updated to 2.17.8:

* CVE-2020-13614: SSL Certificate Hostnames were not verified (boo#1172159)

* Replaced progressbar line clearing with terminal control sequence
* Fixed parsing of Content-Disposition HTTP header
* Fixed User-Agent HTTP header never being included

Update to version 2.17.7:

- Buildsystem fixes
- Fixed release date for man-pages on BSD
- Explicitly close TCP sockets on SSL connections too
- Fixed HTTP basic auth header generation
- Changed the default progress report to "alternate output mode"
- Improved English in README.md

Update to version 2.17.6:

- Fixed handling of non-recoverable HTTP errors
- Cleanup of connection setup code
- Fixed manpage reproducibility issue
- Use tracker instead of PTS from Debian

Update to version 2.17.5:

- Fixed progress indicator misalignment
- Cleaned up the wget-like progress output code
- Improved progress output flushing

Update to version 2.17.4:

- Fixed build with bionic libc (Android)
- TCP Fast Open support on Linux
- TCP code cleanup
- Removed dependency on libm
- Data types and format strings cleanup
- String handling cleanup
- Format string checking GCC attributes added
- Buildsystem fixes and improvements
- Updates to the documentation
- Updated all translations
- Fixed Footnotes in documentation
- Fixed a typo in README.md

Update to version 2.17.3:

- Builds now use canonical host triplet instead of `uname -s`
- Fixed build on Darwin / Mac OS X
- Fixed download loops caused by last byte pointer being off by one
- Fixed linking issues (i18n and posix threads)
- Updated build instructions
- Code cleanup
- Added autoconf-archive to building instructions

Update to version 2.17.2:

- Fixed HTTP request-ranges to be zero-based
- Fixed typo "too may" -> "too many"
- Replaced malloc + memset calls with calloc
- Sanitize progress bar buffer len passed to memset

Update to version 2.17.1:

- Fixed comparison error in axel_divide
- Make sure maxconns is at least 1

Update to version 2.17:

- Fixed composition of URLs in redirections
- Fixed request range calculation
- Updated all translations
- Updated build documentation
- Major code cleanup
- Cleanup of alternate progress output
- Removed global string buffers
- Fixed min and max macros
- Moved User-Agent header to conf->add_header
- Use integers for speed ratio and delay calculation
- Added support for parsing IPv6 literal hostname
- Fixed filename extraction from URL
- Fixed request-target message to proxy
- Handle secure protocol's schema even with SSL disabled
- Fixed Content-Disposition filename value decoding
- Strip leading hyphens in extracted filenames

This update was imported from the openSUSE:Leap:15.1:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2020-785=1

Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

axel-2.17.8-bp151.4.3.1

References:

https://www.suse.com/security/cve/CVE-2020-13614.html
https://bugzilla.suse.com/1172159

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org