<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for civetweb</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2021:1424-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2021-10-31T15:08:27Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2021-10-31T15:08:27Z</InitialReleaseDate>
    <CurrentReleaseDate>2021-10-31T15:08:27Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for civetweb</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for civetweb fixes the following issues:

Version 1.15:

* boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in the default form-based file upload mechanism
* New configuration for URL decoding
* Sanitize filenames in the form handler
* Example “embedded_c.c”: Do not overwrite files (possible security issue)
* Remove obsolete examples
* Remove “experimental” label for some features
* Remove MG_LEGACY_INTERFACE functions that had been declared obsolete in 2017 or earlier
* Modifications to build scripts, required due to changes in the test environment
* Unix domain socket support fixed
* Fixes for NO_SSL_DL
* Fixes for some warnings / static code analysis

Version 1.14:

* Change SSL default setting to use TLS 1.2 as the minimum (set the configuration option explicitly if you need an earlier version)
* Add local_uri_raw field (not sanitized URI) to request_info
* Additional API functions and a callback after closing connections
* Allow mbedTLS as OpenSSL alternative (basic functionality)
* Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13)
* Support UNIX/Linux domain sockets
* Fuzz tests and ossfuzz integration
* Compression for websockets
* Restructure some source files
* Improve documentation
* Fix HTTP range requests
* Add some functions for Lua scripts/LSP
* Build system specific fixes (CMake, MinGW)
* Update 3rd party components (Lua, lfs, sqlite)
* Allow Lua background script to use timers, format and filter logs
* Remove WinCE code
* Update version number

Version 1.13:

* Add arguments for CGI interpreters
* Support multiple CGI interpreters
* Buffering HTTP response headers, including API functions mg_response_header_* in C and Lua
* Additional C API functions
* Fix some memory leaks
* Extended use of atomic operations (e.g., for server stats)
* Add fuzz tests
* Set OpenSSL 1.1 API as default (from 1.0)
* Add Lua 5.4 support and deprecate Lua 5.1
* Provide additional Lua API functions
* Fix Lua websocket memory leak when closing the server
* Remove obsolete 'file in memory' implementation
* Improvements and fixes in documentation
* Fixes from static source code analysis
* Additional unit tests
* Various small bug fixes
* Experimental support for some HTTP2 features (not ready for production)
* Experimental support for websocket compression
* Remove legacy interfaces declared obsolete for more than 3 years

Version 1.12

* See https://github.com/civetweb/civetweb/releases/tag/v1.12 for detailed changelog
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2021-1424</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YJTZUANR73SYTZDQ6GMWGRR5O4MCEJA4/</URL>
      <Description>E-Mail link for openSUSE-SU-2021:1424-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1191938</URL>
      <Description>SUSE Bug 1191938</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-27304/</URL>
      <Description>SUSE CVE CVE-2020-27304 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 15.2">
      <Branch Type="Product Name" Name="openSUSE Leap 15.2">
        <FullProductName ProductID="openSUSE Leap 15.2" CPE="cpe:/o:opensuse:leap:15.2">openSUSE Leap 15.2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="civetweb-1.15-lp152.2.3.1">
      <FullProductName ProductID="civetweb-1.15-lp152.2.3.1">civetweb-1.15-lp152.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="civetweb-devel-1.15-lp152.2.3.1">
      <FullProductName ProductID="civetweb-devel-1.15-lp152.2.3.1">civetweb-devel-1.15-lp152.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcivetweb-cpp1_15_0-1.15-lp152.2.3.1">
      <FullProductName ProductID="libcivetweb-cpp1_15_0-1.15-lp152.2.3.1">libcivetweb-cpp1_15_0-1.15-lp152.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcivetweb1_15_0-1.15-lp152.2.3.1">
      <FullProductName ProductID="libcivetweb1_15_0-1.15-lp152.2.3.1">libcivetweb1_15_0-1.15-lp152.2.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="civetweb-1.15-lp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.2">
      <FullProductName ProductID="openSUSE Leap 15.2:civetweb-1.15-lp152.2.3.1">civetweb-1.15-lp152.2.3.1 as a component of openSUSE Leap 15.2</FullProductName>
    </Relationship>
    <Relationship ProductReference="civetweb-devel-1.15-lp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.2">
      <FullProductName ProductID="openSUSE Leap 15.2:civetweb-devel-1.15-lp152.2.3.1">civetweb-devel-1.15-lp152.2.3.1 as a component of openSUSE Leap 15.2</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcivetweb-cpp1_15_0-1.15-lp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.2">
      <FullProductName ProductID="openSUSE Leap 15.2:libcivetweb-cpp1_15_0-1.15-lp152.2.3.1">libcivetweb-cpp1_15_0-1.15-lp152.2.3.1 as a component of openSUSE Leap 15.2</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcivetweb1_15_0-1.15-lp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.2">
      <FullProductName ProductID="openSUSE Leap 15.2:libcivetweb1_15_0-1.15-lp152.2.3.1">libcivetweb1_15_0-1.15-lp152.2.3.1 as a component of openSUSE Leap 15.2</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal.</Note>
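      <Note Title="Hardening Example" Type="Other" Ordinal="2" xml:lang="en"><![CDATA[
The following is an added illustration, not code from civetweb or from this update, of the pattern the "missing uploaded filepath validation" item in the Details note and the vulnerability description refer to: a form-upload callback that joins the client-supplied filename to the upload directory unchanged, beside a hardened version that first reduces the name to a vetted last path component. The callback signature and the MG_FORM_FIELD_STORAGE_* codes mirror civetweb's mg_form_data_handler.field_found and are reproduced locally so the file compiles without civetweb.h; UPLOAD_DIR, the function names (field_found_unsafe, field_found_safe, sanitize_upload_name, run_upload) and the sample filenames are all constructed for this example.

```c
/* Added example, not civetweb's or SUSE's code. The callback signature and the
 * MG_FORM_FIELD_STORAGE_* codes mirror civetweb's mg_form_data_handler.field_found;
 * they are reproduced here so the file builds without civetweb.h. UPLOAD_DIR, the
 * function names and the sample filenames are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

#define UPLOAD_DIR "/var/lib/app/uploads"   /* hypothetical destination directory */

#define MG_FORM_FIELD_STORAGE_SKIP  0x0      /* ignore this field */
#define MG_FORM_FIELD_STORAGE_STORE 0x2      /* write the uploaded file to `path` */

typedef int (*field_found_fn)(const char *key, const char *filename,
                              char *path, size_t pathlen, void *user_data);

/* BEFORE: the pattern the advisory describes. The client-supplied filename is
 * joined to UPLOAD_DIR as-is, so "../../../../etc/cron.d/job" escapes the directory. */
static int field_found_unsafe(const char *key, const char *filename,
                              char *path, size_t pathlen, void *user_data)
{
    (void)key; (void)user_data;
    if (filename == NULL || filename[0] == '\0')
        return MG_FORM_FIELD_STORAGE_SKIP;   /* ordinary form field, no file attached */
    snprintf(path, pathlen, "%s/%s", UPLOAD_DIR, filename);
    return MG_FORM_FIELD_STORAGE_STORE;
}

/* Reduce a client-supplied filename to a vetted last path component.
 * '/' and '\\' are both treated as separators because the client, not the server
 * OS, decides what the Content-Disposition filename contains. Returns -1 for an
 * empty result, a leading '.' (".", "..", ".htaccess"), any character outside
 * [A-Za-z0-9._-], or a name that does not fit in out; otherwise fills out, returns 0. */
static int sanitize_upload_name(const char *in, char *out, size_t outlen)
{
    const char *base = in;
    size_t n, i;
    for (const char *p = in; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    n = strlen(base);
    if (n == 0 || n >= outlen || base[0] == '.')
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)base[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
        if (!ok)
            return -1;
    }
    memcpy(out, base, n + 1);                /* n + 1 copies the terminator too */
    return 0;
}

/* AFTER: the same callback, but the name is sanitized before it reaches the path,
 * and a rejected or truncated name is skipped instead of stored somewhere else. */
static int field_found_safe(const char *key, const char *filename,
                            char *path, size_t pathlen, void *user_data)
{
    char name[128];
    int written;
    (void)key; (void)user_data;
    if (filename == NULL || filename[0] == '\0')
        return MG_FORM_FIELD_STORAGE_SKIP;
    if (sanitize_upload_name(filename, name, sizeof name) != 0)
        return MG_FORM_FIELD_STORAGE_SKIP;
    written = snprintf(path, pathlen, "%s/%s", UPLOAD_DIR, name);
    if (written < 0 || (size_t)written >= pathlen)
        return MG_FORM_FIELD_STORAGE_SKIP;
    return MG_FORM_FIELD_STORAGE_STORE;
}

/* Drive one callback the way the form parser would for a file part named "file";
 * the destination it chose is left in last_path for inspection. */
static char last_path[256];

static int run_upload(field_found_fn cb, const char *filename)
{
    last_path[0] = '\0';
    return cb("file", filename, last_path, sizeof last_path, NULL);
}

int main(void)
{
    /* Constructed filenames as a browser, or an attacker, might send them. */
    static const char *const samples[] = {
        "report.pdf", "../../../../etc/cron.d/job", "..", ".htaccess",
        "C:\\Users\\a\\evil.sh", "name with space.txt", ""
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = run_upload(field_found_unsafe, samples[i]);
        printf("%-30s unsafe: %s %s\n", samples[i],
               r == MG_FORM_FIELD_STORAGE_STORE ? "STORE" : "SKIP ", last_path);
        r = run_upload(field_found_safe, samples[i]);
        printf("%-30s safe:   %s %s\n", "",
               r == MG_FORM_FIELD_STORAGE_STORE ? "STORE" : "SKIP ", last_path);
    }
    return 0;
}
```

The hardened callback goes slightly beyond the Linux case in the description: it also treats backslashes as separators, since the separator convention is chosen by the client, not by the server's operating system. Because the advisory attributes exposure to applications that use parts of the user-controlled filename in the output path, a callback that composes its own destination should apply a check of this kind regardless of the civetweb version it links against.
]]></Note>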
    </Notes>
    <CVE>CVE-2020-27304</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.2:civetweb-1.15-lp152.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.2:civetweb-devel-1.15-lp152.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.2:libcivetweb-cpp1_15_0-1.15-lp152.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.2:libcivetweb1_15_0-1.15-lp152.2.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YJTZUANR73SYTZDQ6GMWGRR5O4MCEJA4/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-27304.html</URL>
        <Description>CVE-2020-27304</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1191938</URL>
        <Description>SUSE Bug 1191938</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
