SUSE 5147 Published by

A civetweb security update has been released for openSUSE Leap 15.2.



openSUSE-SU-2021:1424-1: moderate: Security update for civetweb


openSUSE Security Update: Security update for civetweb
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1424-1
Rating: moderate
References: #1191938
Cross-References: CVE-2020-27304
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for civetweb fixes the following issues:

Version 1.15:

* boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in
the default form-based file upload mechanism
* New configuration for URL decoding
* Sanitize filenames in handle form
* Example ???embedded_c.c???: Do not overwrite files (possible security
issue)
* Remove obsolete examples
* Remove ???experimental??? label for some features
* Remove MG_LEGACY_INTERFACE that have been declared obsolete in 2017 or
earlier
* Modifications to build scripts, required due to changes in the test
environment
* Unix domain socket support fixed
* Fixes for NO_SSL_DL
* Fixes for some warnings / static code analysis

Version 1.14:

* Change SSL default setting to use TLS 1.2 as minimum (set config if you
need an earlier version)
* Add local_uri_raw field (not sanitized URI) to request_info
* Additional API functions and a callback after closing connections
* Allow mbedTLS as OpenSSL alternative (basic functionality)
* Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13)
* Support UNIX/Linux domain sockets
* Fuzz tests and ossfuzz integration
* Compression for websockets
* Restructure some source files
* Improve documentation
* Fix HTTP range requests
* Add some functions for Lua scripts/LSP
* Build system specific fixes (CMake, MinGW)
* Update 3rd party components (Lua, lfs, sqlite)
* Allow Lua background script to use timers, format and filter logs
* Remove WinCE code
* Update version number

Version 1.13:

* Add arguments for CGI interpreters
* Support multiple CGi interpreters
* Buffering HTTP response headers, including API functions
mg_response_header_* in C and Lua
* Additional C API functions
* Fix some memory leaks
* Extended use of atomic operations (e.g., for server stats)
* Add fuzz tests
* Set OpenSSL 1.1 API as default (from 1.0)
* Add Lua 5.4 support and deprecate Lua 5.1
* Provide additional Lua API functions
* Fix Lua websocket memory leak when closing the server
* Remove obsolete "file in memory" implementation
* Improvements and fixes in documentation
* Fixes from static source code analysis
* Additional unit tests
* Various small bug fixes
* Experimental support for some HTTP2 features (not ready for production)
* Experimental support for websocket compression
* Remove legacy interfaces declared obsolete since more than 3 years

Version 1.12

* See   https://github.com/civetweb/civetweb/releases/tag/v1.12 for detailed
changelog

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-1424=1


Package List:

- openSUSE Leap 15.2 (x86_64):

civetweb-1.15-lp152.2.3.1
civetweb-debuginfo-1.15-lp152.2.3.1
civetweb-debugsource-1.15-lp152.2.3.1
civetweb-devel-1.15-lp152.2.3.1
libcivetweb-cpp1_15_0-1.15-lp152.2.3.1
libcivetweb-cpp1_15_0-debuginfo-1.15-lp152.2.3.1
libcivetweb1_15_0-1.15-lp152.2.3.1
libcivetweb1_15_0-debuginfo-1.15-lp152.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2020-27304.html
  https://bugzilla.suse.com/1191938