Description
Security update for civetweb
This update for civetweb fixes the following issues:
Version 1.15:
- boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in the default form-based file upload mechanism
- New configuration for URL decoding
- Sanitize filenames in handle form
- Example “embedded_c.c”: Do not overwrite files (possible security issue)
- Remove obsolete examples
- Remove “experimental” label for some features
- Remove MG_LEGACY_INTERFACE, which has been declared obsolete since 2017 or earlier
- Modifications to build scripts, required due to changes in the test environment
- Unix domain socket support fixed
- Fixes for NO_SSL_DL
- Fixes for some warnings / static code analysis
Version 1.14:
- Change SSL default setting to use TLS 1.2 as minimum (set config if you need an earlier version)
- Add local_uri_raw field (not sanitized URI) to request_info
- Additional API functions and a callback after closing connections
- Allow mbedTLS as OpenSSL alternative (basic functionality)
- Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13)
- Support UNIX/Linux domain sockets
- Fuzz tests and ossfuzz integration
- Compression for websockets
- Restructure some source files
- Improve documentation
- Fix HTTP range requests
- Add some functions for Lua scripts/LSP
- Build system specific fixes (CMake, MinGW)
- Update 3rd party components (Lua, lfs, sqlite)
- Allow Lua background script to use timers, format and filter logs
- Remove WinCE code
- Update version number
Version 1.13:
- Add arguments for CGI interpreters
- Support multiple CGI interpreters
- Buffering HTTP response headers, including API functions mg_response_header_* in C and Lua
- Additional C API functions
- Fix some memory leaks
- Extended use of atomic operations (e.g., for server stats)
- Add fuzz tests
- Set OpenSSL 1.1 API as default (from 1.0)
- Add Lua 5.4 support and deprecate Lua 5.1
- Provide additional Lua API functions
- Fix Lua websocket memory leak when closing the server
- Remove obsolete 'file in memory' implementation
- Improvements and fixes in documentation
- Fixes from static source code analysis
- Additional unit tests
- Various small bug fixes
- Experimental support for some HTTP2 features (not ready for production)
- Experimental support for websocket compression
- Remove legacy interfaces declared obsolete for more than 3 years
Version 1.12:
- See https://github.com/civetweb/civetweb/releases/tag/v1.12 for detailed changelog
Package list
openSUSE Leap 15.2
civetweb-1.15-lp152.2.3.1
civetweb-devel-1.15-lp152.2.3.1
libcivetweb-cpp1_15_0-1.15-lp152.2.3.1
libcivetweb1_15_0-1.15-lp152.2.3.1
References
- E-Mail link for openSUSE-SU-2021:1424-1
- SUSE Security Ratings
- SUSE Bug 1191938
- SUSE CVE CVE-2020-27304 page
Description
The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal.
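The mitigation the 1.15 changelog calls "sanitize filenames in handle form" amounts to refusing to let a client-supplied name carry any directory component. The following is an added example, not civetweb's own code: a standalone C helper that an application's field_found callback (the civetweb callback that, as I understand the mg_handle_form_request API, receives the client filename and fills in the storage path) can use before the path ever reaches the filesystem. The upload directory and the wrapper function are assumptions for illustration.

```c
/* Added example, not from civetweb: build a safe destination path for an
 * uploaded file before the form handler's storage step uses it. */
#include <stdio.h>
#include <string.h>

/* Returns 1 and writes "<upload_dir>/<filename>" into out when filename is a
 * plain file name; returns 0 for anything that could escape upload_dir. */
int safe_upload_path(const char *upload_dir, const char *filename,
                     char *out, size_t outlen)
{
    size_t i, len;
    int n;
    if (!upload_dir || !filename || !out || outlen == 0)
        return 0;
    len = strlen(filename);
    /* Empty names and the directory entries "." and ".." are never files. */
    if (len == 0 || !strcmp(filename, ".") || !strcmp(filename, ".."))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        /* A separator in either OS convention means a path was supplied, not
         * a name; control characters have no place in a file name either. */
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return 0;
    }
    /* snprintf reports the length it wanted; treat truncation as failure
     * rather than silently storing the file under a shortened name. */
    n = snprintf(out, outlen, "%s/%s", upload_dir, filename);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Hypothetical helper for checking outcomes: returns 1 when the result
 * matches the expectation (expected == NULL means "must be rejected"). */
int upload_path_matches(const char *dir, const char *name, const char *expected)
{
    char buf[64];
    int ok = safe_upload_path(dir, name, buf, sizeof buf);
    if (!expected)
        return ok == 0;
    return ok == 1 && strcmp(buf, expected) == 0;
}
```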
Affected products
openSUSE Leap 15.2:civetweb-1.15-lp152.2.3.1
openSUSE Leap 15.2:civetweb-devel-1.15-lp152.2.3.1
openSUSE Leap 15.2:libcivetweb-cpp1_15_0-1.15-lp152.2.3.1
openSUSE Leap 15.2:libcivetweb1_15_0-1.15-lp152.2.3.1
References
- CVE-2020-27304
- SUSE Bug 1191938