openSUSE Security Update: Security update for axel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0778-1
Rating: moderate
References: #1172159
Cross-References: CVE-2020-13614
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for axel fixes the following issues:

axel was updated to 2.17.8:

* CVE-2020-13614: SSL Certificate Hostnames were not verified (boo#1172159)

* Replaced progressbar line clearing with terminal control sequence
* Fixed parsing of Content-Disposition HTTP header
* Fixed User-Agent HTTP header never being included

Update to version 2.17.7:

– Buildsystem fixes
– Fixed release date for man-pages on BSD
– Explicitly close TCP sockets on SSL connections too
– Fixed HTTP basic auth header generation
– Changed the default progress report to “alternate output mode”
– Improved English in README.md

Update to version 2.17.6:

– Fixed handling of non-recoverable HTTP errors
– Cleanup of connection setup code
– Fixed manpage reproducibility issue
– Use tracker instead of PTS from Debian

Update to version 2.17.5:

– Fixed progress indicator misalignment
– Cleaned up the wget-like progress output code
– Improved progress output flushing

Update to version 2.17.4:

– Fixed build with bionic libc (Android)
– TCP Fast Open support on Linux
– TCP code cleanup
– Removed dependency on libm
– Data types and format strings cleanup
– String handling cleanup
– Format string checking GCC attributes added
– Buildsystem fixes and improvements
– Updates to the documentation
– Updated all translations
– Fixed Footnotes in documentation
– Fixed a typo in README.md

Update to version 2.17.3:

– Builds now use canonical host triplet instead of `uname -s`
– Fixed build on Darwin / Mac OS X
– Fixed download loops caused by last byte pointer being off by one
– Fixed linking issues (i18n and posix threads)
– Updated build instructions
– Code cleanup
– Added autoconf-archive to building instructions

Update to version 2.17.2:

– Fixed HTTP request-ranges to be zero-based
– Fixed typo “too may” -> “too many”
– Replaced malloc + memset calls with calloc
– Sanitize progress bar buffer len passed to memset

Update to version 2.17.1:

– Fixed comparison error in axel_divide
– Make sure maxconns is at least 1

Update to version 2.17:

– Fixed composition of URLs in redirections
– Fixed request range calculation
– Updated all translations
– Updated build documentation
– Major code cleanup
– Cleanup of alternate progress output
– Removed global string buffers
– Fixed min and max macros
– Moved User-Agent header to conf->add_header
– Use integers for speed ratio and delay calculation
– Added support for parsing IPv6 literal hostname
– Fixed filename extraction from URL
– Fixed request-target message to proxy
– Handle secure protocol’s schema even with SSL disabled
– Fixed Content-Disposition filename value decoding
– Strip leading hyphens in extracted filenames

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-778=1

Package List:

– openSUSE Leap 15.1 (x86_64):

axel-2.17.8-lp151.3.3.1
axel-debuginfo-2.17.8-lp151.3.3.1
axel-debugsource-2.17.8-lp151.3.3.1

References:

https://www.suse.com/security/cve/CVE-2020-13614.html
https://bugzilla.suse.com/1172159

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org