security-announce: openSUSE-SU-2020:0778-1: moderate: Security update for axel
openSUSE Security Update: Security update for axel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:0778-1
Rating: moderate
References: #1172159
Cross-References: CVE-2020-13614
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for axel fixes the following issues:
axel was updated to 2.17.8:
* CVE-2020-13614: SSL Certificate Hostnames were not verified (boo#1172159)
* Replaced progressbar line clearing with terminal control sequence
* Fixed parsing of Content-Disposition HTTP header
* Fixed User-Agent HTTP header never being included
Update to version 2.17.7:
- Buildsystem fixes
- Fixed release date for man-pages on BSD
- Explicitly close TCP sockets on SSL connections too
- Fixed HTTP basic auth header generation
- Changed the default progress report to "alternate output mode"
- Improved English in README.md
Update to version 2.17.6:
- Fixed handling of non-recoverable HTTP errors
- Cleanup of connection setup code
- Fixed manpage reproducibility issue
- Use tracker instead of PTS from Debian
Update to version 2.17.5:
- Fixed progress indicator misalignment
- Cleaned up the wget-like progress output code
- Improved progress output flushing
Update to version 2.17.4:
- Fixed build with bionic libc (Android)
- TCP Fast Open support on Linux
- TCP code cleanup
- Removed dependency on libm
- Data types and format strings cleanup
- String handling cleanup
- Format string checking GCC attributes added
- Buildsystem fixes and improvements
- Updates to the documentation
- Updated all translations
- Fixed Footnotes in documentation
- Fixed a typo in README.md
Update to version 2.17.3:
- Builds now use canonical host triplet instead of `uname -s`
- Fixed build on Darwin / Mac OS X
- Fixed download loops caused by last byte pointer being off by one
- Fixed linking issues (i18n and posix threads)
- Updated build instructions
- Code cleanup
- Added autoconf-archive to building instructions
Update to version 2.17.2:
- Fixed HTTP request-ranges to be zero-based
- Fixed typo "too may" -> "too many"
- Replaced malloc + memset calls with calloc
- Sanitize progress bar buffer len passed to memset
Update to version 2.17.1:
- Fixed comparison error in axel_divide
- Make sure maxconns is at least 1
Update to version 2.17:
- Fixed composition of URLs in redirections
- Fixed request range calculation
- Updated all translations
- Updated build documentation
- Major code cleanup
- Cleanup of alternate progress output
- Removed global string buffers
- Fixed min and max macros
- Moved User-Agent header to conf->add_header
- Use integers for speed ratio and delay calculation
- Added support for parsing IPv6 literal hostname
- Fixed filename extraction from URL
- Fixed request-target message to proxy
- Handle secure protocol's schema even with SSL disabled
- Fixed Content-Disposition filename value decoding
- Strip leading hyphens in extracted filenames
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-778=1
Package List:
- openSUSE Leap 15.1 (x86_64):
axel-2.17.8-lp151.3.3.1
axel-debuginfo-2.17.8-lp151.3.3.1
axel-debugsource-2.17.8-lp151.3.3.1
References:
https://www.suse.com/security/cve/CVE-2020-13614.html
https://bugzilla.suse.com/1172159
A axel security update has been released for openSUSE Leap 15.1.
