openSUSE-SU-2021:1424-1: moderate: Security update for civetweb
openSUSE Security Update: Security update for civetweb
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1424-1
Rating:             moderate
References:         #1191938
Cross-References:   CVE-2020-27304
Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for civetweb fixes the following issues:

Version 1.15:

* boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in the
  default form-based file upload mechanism
* New configuration for URL decoding
* Sanitize filenames in handle form
* Example "embedded_c.c": Do not overwrite files (possible security issue)
* Remove obsolete examples
* Remove "experimental" label for some features
* Remove MG_LEGACY_INTERFACE, which has been declared obsolete since 2017 or
  earlier
* Modifications to build scripts, required due to changes in the test
  environment
* Unix domain socket support fixed
* Fixes for NO_SSL_DL
* Fixes for some warnings / static code analysis

Version 1.14:

* Change SSL default setting to use TLS 1.2 as minimum (set config if you need
  an earlier version)
* Add local_uri_raw field (not sanitized URI) to request_info
* Additional API functions and a callback after closing connections
* Allow mbedTLS as OpenSSL alternative (basic functionality)
* Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13)
* Support UNIX/Linux domain sockets
* Fuzz tests and ossfuzz integration
* Compression for websockets
* Restructure some source files
* Improve documentation
* Fix HTTP range requests
* Add some functions for Lua scripts/LSP
* Build system specific fixes (CMake, MinGW)
* Update 3rd party components (Lua, lfs, sqlite)
* Allow Lua background script to use timers, format and filter logs
* Remove WinCE code
* Update version number

Version 1.13:

* Add arguments for CGI interpreters
* Support multiple CGI interpreters
* Buffering HTTP response headers, including API functions
  mg_response_header_* in C and Lua
* Additional C API functions
* Fix some memory leaks
* Extended use of atomic operations (e.g., for server stats)
* Add fuzz tests
* Set OpenSSL 1.1 API as default (from 1.0)
* Add Lua 5.4 support and deprecate Lua 5.1
* Provide additional Lua API functions
* Fix Lua websocket memory leak when closing the server
* Remove obsolete "file in memory" implementation
* Improvements and fixes in documentation
* Fixes from static source code analysis
* Additional unit tests
* Various small bug fixes
* Experimental support for some HTTP2 features (not ready for production)
* Experimental support for websocket compression
* Remove legacy interfaces declared obsolete for more than 3 years

Version 1.12:

* See https://github.com/civetweb/civetweb/releases/tag/v1.12 for the detailed
  changelog

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2021-1424=1

Package List:

- openSUSE Leap 15.2 (x86_64):

  civetweb-1.15-lp152.2.3.1
  civetweb-debuginfo-1.15-lp152.2.3.1
  civetweb-debugsource-1.15-lp152.2.3.1
  civetweb-devel-1.15-lp152.2.3.1
  libcivetweb-cpp1_15_0-1.15-lp152.2.3.1
  libcivetweb-cpp1_15_0-debuginfo-1.15-lp152.2.3.1
  libcivetweb1_15_0-1.15-lp152.2.3.1
  libcivetweb1_15_0-debuginfo-1.15-lp152.2.3.1

References:

https://www.suse.com/security/cve/CVE-2020-27304.html
https://bugzilla.suse.com/1191938
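The CVE-2020-27304 item above says the default form-based upload path lacked validation, but the advisory does not show what that validation looks like. The following is an added example, not code from civetweb, from the advisory, or from the "embedded_c.c" example it mentions: a stand-alone C helper that checks a client-supplied upload filename before joining it with a server-chosen directory, placed next to the naive join that lets a name such as ../../etc/cron.d/x escape the upload directory. In civetweb's form API, as I understand it, the application's field_found callback in struct mg_form_data_handler fills in the storage path and returns MG_FORM_FIELD_STORAGE_STORE, so this is the check that callback must perform on the filename it receives (the changelog's "Sanitize filenames in handle form" item is the library-side counterpart). The directory /var/uploads, the function names and the result codes are assumptions made for this example.

```c
/*
 * Added example (not civetweb code): validate a client-supplied upload
 * filename before joining it with a server-chosen upload directory.
 * Function names, result codes and the /var/uploads directory are
 * assumptions made for this illustration.
 */
#include <stdio.h>
#include <string.h>

/* Result codes for the hypothetical validator. */
enum upload_path_result {
    UPLOAD_PATH_OK = 0,
    UPLOAD_PATH_EMPTY,       /* NULL or "" */
    UPLOAD_PATH_SEPARATOR,   /* contains '/' or '\\' (a separator on Windows) */
    UPLOAD_PATH_DOT,         /* exactly "." or ".." */
    UPLOAD_PATH_BAD_CHAR,    /* control character, e.g. newline or DEL */
    UPLOAD_PATH_TOO_LONG     /* joined path does not fit the caller's buffer */
};

/* Accept only a bare file name: no directory separators, no "." or "..",
 * no control characters. Anything else is rejected rather than "repaired",
 * because a traversal attempt is itself a signal worth logging. */
int validate_upload_filename(const char *filename)
{
    if (filename == NULL || *filename == '\0')
        return UPLOAD_PATH_EMPTY;
    if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0)
        return UPLOAD_PATH_DOT;
    for (size_t i = 0; filename[i] != '\0'; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (c == '/' || c == '\\')
            return UPLOAD_PATH_SEPARATOR;
        if (c < 0x20 || c == 0x7f)
            return UPLOAD_PATH_BAD_CHAR;
    }
    return UPLOAD_PATH_OK;
}

/* The vulnerable pattern: trust the client's filename and join it as-is.
 * "../../etc/cron.d/x" becomes "/var/uploads/../../etc/cron.d/x". */
int unsafe_build_upload_path(const char *upload_dir, const char *filename,
                             char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/%s", upload_dir, filename);
    return 0;
}

/* The hardened join: validate first, then build "<upload_dir>/<filename>".
 * Returns UPLOAD_PATH_OK (0) on success; on any failure path is set to ""
 * so a caller that ignores the return value still has nothing to open. */
int build_upload_path(const char *upload_dir, const char *filename,
                      char *path, size_t pathlen)
{
    if (pathlen == 0)
        return UPLOAD_PATH_TOO_LONG;
    path[0] = '\0';

    int rc = validate_upload_filename(filename);
    if (rc != UPLOAD_PATH_OK)
        return rc;

    int n = snprintf(path, pathlen, "%s/%s", upload_dir, filename);
    if (n < 0 || (size_t)n >= pathlen) {
        path[0] = '\0';
        return UPLOAD_PATH_TOO_LONG;
    }
    return UPLOAD_PATH_OK;
}

int main(void)
{
    /* Constructed sample inputs: one benign name, one traversal attempt. */
    const char *names[] = { "report.pdf", "../../etc/cron.d/x" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        unsafe_build_upload_path("/var/uploads", names[i], path, sizeof path);
        printf("unsafe: %-22s -> %s\n", names[i], path);
        int rc = build_upload_path("/var/uploads", names[i], path, sizeof path);
        printf("safe:   %-22s -> rc=%d path=\"%s\"\n", names[i], rc, path);
    }
    return 0;
}
```

Rejecting the name is deliberately stricter than keeping only its last path component; both close the traversal, but rejection leaves an audit trail of the attempt and cannot be fooled by a second encoding layer the caller forgot to decode first. Validation has to run before any filesystem call, and the "Do not overwrite files" item in the changelog is the companion check: open the final path with O_CREAT|O_EXCL so a second upload with the same name cannot replace the first.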