SUSE 5181 Published by

A axel security update has been released for openSUSE Leap 15.1.



security-announce: openSUSE-SU-2020:0778-1: moderate: Security update for axel


openSUSE Security Update: Security update for axel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0778-1
Rating: moderate
References: #1172159
Cross-References: CVE-2020-13614
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for axel fixes the following issues:

axel was updated to 2.17.8:

* CVE-2020-13614: SSL Certificate Hostnames were not verified (boo#1172159)

* Replaced progressbar line clearing with terminal control sequence
* Fixed parsing of Content-Disposition HTTP header
* Fixed User-Agent HTTP header never being included

Update to version 2.17.7:

- Buildsystem fixes
- Fixed release date for man-pages on BSD
- Explicitly close TCP sockets on SSL connections too
- Fixed HTTP basic auth header generation
- Changed the default progress report to "alternate output mode"
- Improved English in README.md

Update to version 2.17.6:

- Fixed handling of non-recoverable HTTP errors
- Cleanup of connection setup code
- Fixed manpage reproducibility issue
- Use tracker instead of PTS from Debian

Update to version 2.17.5:

- Fixed progress indicator misalignment
- Cleaned up the wget-like progress output code
- Improved progress output flushing

Update to version 2.17.4:

- Fixed build with bionic libc (Android)
- TCP Fast Open support on Linux
- TCP code cleanup
- Removed dependency on libm
- Data types and format strings cleanup
- String handling cleanup
- Format string checking GCC attributes added
- Buildsystem fixes and improvements
- Updates to the documentation
- Updated all translations
- Fixed Footnotes in documentation
- Fixed a typo in README.md

Update to version 2.17.3:

- Builds now use canonical host triplet instead of `uname -s`
- Fixed build on Darwin / Mac OS X
- Fixed download loops caused by last byte pointer being off by one
- Fixed linking issues (i18n and posix threads)
- Updated build instructions
- Code cleanup
- Added autoconf-archive to building instructions

Update to version 2.17.2:

- Fixed HTTP request-ranges to be zero-based
- Fixed typo "too may" -> "too many"
- Replaced malloc + memset calls with calloc
- Sanitize progress bar buffer len passed to memset

Update to version 2.17.1:

- Fixed comparison error in axel_divide
- Make sure maxconns is at least 1

Update to version 2.17:

- Fixed composition of URLs in redirections
- Fixed request range calculation
- Updated all translations
- Updated build documentation
- Major code cleanup
- Cleanup of alternate progress output
- Removed global string buffers
- Fixed min and max macros
- Moved User-Agent header to conf->add_header
- Use integers for speed ratio and delay calculation
- Added support for parsing IPv6 literal hostname
- Fixed filename extraction from URL
- Fixed request-target message to proxy
- Handle secure protocol's schema even with SSL disabled
- Fixed Content-Disposition filename value decoding
- Strip leading hyphens in extracted filenames

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-778=1


Package List:

- openSUSE Leap 15.1 (x86_64):

axel-2.17.8-lp151.3.3.1
axel-debuginfo-2.17.8-lp151.3.3.1
axel-debugsource-2.17.8-lp151.3.3.1

References:

  https://www.suse.com/security/cve/CVE-2020-13614.html
  https://bugzilla.suse.com/1172159