This update for civetweb fixes the following issues:
Version 1.15:
* boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in
the default form-based file upload mechanism
* New configuration for URL decoding
* Sanitize filenames in handle form
* Example "embedded_c.c": Do not overwrite files (possible security
issue)
* Remove obsolete examples
* Remove "experimental" label for some features
* Remove MG_LEGACY_INTERFACE that have been declared obsolete in 2017 or
earlier
* Modifications to build scripts, required due to changes in the test
environment
* Unix domain socket support fixed
* Fixes for NO_SSL_DL
* Fixes for some warnings / static code analysis
Version 1.14:
* Change SSL default setting to use TLS 1.2 as minimum (set config if you
need an earlier version)
* Add local_uri_raw field (not sanitized URI) to request_info
* Additional API functions and a callback after closing...
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1424=1
- openSUSE Leap 15.2 (x86_64):
civetweb-1.15-lp152.2.3.1
civetweb-debuginfo-1.15-lp152.2.3.1
civetweb-debugsource-1.15-lp152.2.3.1
civetweb-devel-1.15-lp152.2.3.1
libcivetweb-cpp1_15_0-1.15-lp152.2.3.1
libcivetweb-cpp1_15_0-debuginfo-1.15-lp152.2.3.1
libcivetweb1_15_0-1.15-lp152.2.3.1
libcivetweb1_15_0-debuginfo-1.15-lp152.2.3.1
https://www.suse.com/security/cve/CVE-2020-27304.html
https://bugzilla.suse.com/1191938
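
The 1.15 changelog above lists "Sanitize filenames in handle form" and "Do not overwrite files". As an added example (not CivetWeb's code and not part of this advisory), the following C code applies both checks in an application that stores uploaded files itself. The function names, the 255-byte name limit and the `/tmp` directory are assumptions made for illustration.

```c
/* Added example, not CivetWeb source. Names, limits and paths are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 only if the client-supplied name is a plain leaf file name. */
int upload_name_is_safe(const char *name)
{
    size_t i, len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Reject both separator styles, drive colons and control bytes. */
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Build "<dir>/<name>" and create it exclusively. Returns an fd, or -1. */
int open_upload_target(const char *dir, const char *name,
                       char *path, size_t path_len)
{
    int n;
    if (!upload_name_is_safe(name)) return -1;
    n = snprintf(path, path_len, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= path_len) return -1; /* truncated path */
    /* O_CREAT|O_EXCL fails if the path exists (including a symlink),
       so an upload can never overwrite an existing file. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    /* Constructed sample names, as a form upload might supply them. */
    const char *samples[] = { "report.txt", "../../etc/cron.d/job",
                              "..\\boot.ini", "..", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               upload_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```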