openSUSE Security Update: Security update for civetweb
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1424-1
Rating:             moderate
References:         #1191938 
Cross-References:   CVE-2020-27304
Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for civetweb fixes the following issues:

   Version 1.15:

   * boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in
     the default form-based file upload mechanism
   * New configuration for URL decoding
   * Sanitize filenames in handle form
   * Example "embedded_c.c": Do not overwrite files (possible security
     issue)
   * Remove obsolete examples
   * Remove "experimental" label for some features
   * Remove the MG_LEGACY_INTERFACE interfaces that had been declared
     obsolete in 2017 or earlier
   * Modifications to build scripts, required due to changes in the test
     environment
   * Unix domain socket support fixed
   * Fixes for NO_SSL_DL
   * Fixes for some warnings / static code analysis
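
   The CVE-2020-27304 item above concerns a form-based upload handler that
   wrote files under a client-supplied path without validating it. The
   following is an added example, not civetweb's code and not a description
   of how civetweb 1.15 implements its fix: it shows the class of check such
   a handler needs, reducing a filename taken from a multipart form field to
   a safe base name before it is joined to the upload directory. The
   function names, the allow-list policy and the sample inputs are all
   constructed for this illustration.

```c
/* Added example: defensive handling of a client-supplied upload filename.
 * Illustrates the class of check behind CVE-2020-27304 (an unvalidated
 * upload path in a form handler). This is NOT civetweb's code and makes no
 * claim about how civetweb 1.15 implements its fix.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Reduce a client-supplied filename to a safe base name.
 * Returns 0 and writes the name into out on success, -1 if rejected.
 * Policy (chosen for this example, not taken from any project):
 *  - keep only the component after the last '/' or '\\' (some browsers
 *    send a full client-side path)
 *  - reject "", ".", ".." and any name starting with '.' (dotfiles)
 *  - replace any byte outside [A-Za-z0-9._-] with '_'
 */
int sanitize_upload_filename(const char *in, char *out, size_t outlen)
{
    if (in == NULL || out == NULL || outlen == 0)
        return -1;

    /* Find the last path separator of either flavour. */
    const char *base = in;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\')
            base = p + 1;
    }

    size_t len = strlen(base);
    if (len == 0 || len >= outlen)
        return -1;
    if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0 || base[0] == '.')
        return -1;

    /* Allow-list copy: anything unexpected becomes '_'. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)base[i];
        out[i] = (isalnum(c) || c == '.' || c == '_' || c == '-') ? (char)c : '_';
    }
    out[len] = '\0';
    return 0;
}

/* Build "<upload_dir>/<safe name>". Returns 0 on success, -1 if the name
 * is rejected or the result would not fit in out (truncation is an error,
 * never silently accepted). */
int build_upload_path(const char *upload_dir, const char *client_name,
                      char *out, size_t outlen)
{
    char safe[256];
    if (sanitize_upload_filename(client_name, safe, sizeof safe) != 0)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", upload_dir, safe);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs of the kind a multipart form handler sees. */
    const char *samples[] = {
        "report.pdf",
        "../../etc/passwd",          /* traversal attempt: reduced to "passwd" */
        "C:\\Users\\me\\photo.jpg",  /* full client-side Windows path */
        "..",                        /* rejected outright */
        ".htaccess",                 /* dotfile rejected */
        "a b;c.txt",                 /* unsafe bytes replaced with '_' */
    };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_upload_path("/var/www/uploads", samples[i], path, sizeof path) == 0)
            printf("%-26s -> %s\n", samples[i], path);
        else
            printf("%-26s -> rejected\n", samples[i]);
    }
    return 0;
}
```

   The example keeps only the final path component, so a traversal
   sequence is neutralised rather than rejected; a stricter deployment may
   prefer to refuse any name containing a separator at all, and to apply a
   size limit and a per-upload random name in addition to sanitising.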

   Version 1.14:

   * Change SSL default setting to use TLS 1.2 as minimum (set config if you
     need an earlier version)
   * Add local_uri_raw field (not sanitized URI) to request_info
   * Additional API functions and a callback after closing connections
   * Allow mbedTLS as OpenSSL alternative (basic functionality)
   * Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13)
   * Support UNIX/Linux domain sockets
   * Fuzz tests and ossfuzz integration
   * Compression for websockets
   * Restructure some source files
   * Improve documentation
   * Fix HTTP range requests
   * Add some functions for Lua scripts/LSP
   * Build system specific fixes (CMake, MinGW)
   * Update 3rd party components (Lua, lfs, sqlite)
   * Allow Lua background script to use timers, format and filter logs
   * Remove WinCE code
   * Update version number

   Version 1.13:

   * Add arguments for CGI interpreters
   * Support multiple CGI interpreters
   * Buffering HTTP response headers, including API functions
     mg_response_header_* in C and Lua
   * Additional C API functions
   * Fix some memory leaks
   * Extended use of atomic operations (e.g., for server stats)
   * Add fuzz tests
   * Set OpenSSL 1.1 API as default (from 1.0)
   * Add Lua 5.4 support and deprecate Lua 5.1
   * Provide additional Lua API functions
   * Fix Lua websocket memory leak when closing the server
   * Remove obsolete "file in memory" implementation
   * Improvements and fixes in documentation
   * Fixes from static source code analysis
   * Additional unit tests
   * Various small bug fixes
   * Experimental support for some HTTP2 features (not ready for production)
   * Experimental support for websocket compression
   * Remove legacy interfaces that have been declared obsolete for more than 3 years

   Version 1.12:

   * See https://github.com/civetweb/civetweb/releases/tag/v1.12 for detailed
     changelog


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-1424=1



Package List:

   - openSUSE Leap 15.2 (x86_64):

      civetweb-1.15-lp152.2.3.1
      civetweb-debuginfo-1.15-lp152.2.3.1
      civetweb-debugsource-1.15-lp152.2.3.1
      civetweb-devel-1.15-lp152.2.3.1
      libcivetweb-cpp1_15_0-1.15-lp152.2.3.1
      libcivetweb-cpp1_15_0-debuginfo-1.15-lp152.2.3.1
      libcivetweb1_15_0-1.15-lp152.2.3.1
      libcivetweb1_15_0-debuginfo-1.15-lp152.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-27304.html
   https://bugzilla.suse.com/1191938