File _patchinfo of Package patchinfo.17089
<patchinfo incident="17089">
  <issue tracker="bnc" id="1191938">VUL-1: CVE-2020-27304: civetweb: missing uploaded filepath validation in the default form-based file upload mechanism</issue>
  <issue tracker="cve" id="2020-27304"></issue>
  <packager>DocB</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for civetweb</summary>
  <description>This update for civetweb fixes the following issues:

Version 1.15:

* boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in the default form-based file upload mechanism
* New configuration for URL decoding
* Sanitize filenames in handle form
* Example “embedded_c.c”: Do not overwrite files (possible security issue)
* Remove obsolete examples
* Remove “experimental” label for some features
* Remove MG_LEGACY_INTERFACE functions that have been declared obsolete in 2017 or earlier
* Modifications to build scripts, required due to changes in the test environment
* Unix domain socket support fixed
* Fixes for NO_SSL_DL
* Fixes for some warnings / static code analysis

Version 1.14:

* Change SSL default setting to use TLS 1.2 as minimum (set config if you need an earlier version)
* Add local_uri_raw field (not sanitized URI) to request_info
* Additional API functions and a callback after closing connections
* Allow mbedTLS as OpenSSL alternative (basic functionality)
* Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13)
* Support UNIX/Linux domain sockets
* Fuzz tests and ossfuzz integration
* Compression for websockets
* Restructure some source files
* Improve documentation
* Fix HTTP range requests
* Add some functions for Lua scripts/LSP
* Build system specific fixes (CMake, MinGW)
* Update 3rd party components (Lua, lfs, sqlite)
* Allow Lua background script to use timers, format and filter logs
* Remove WinCE code
* Update version number

Version 1.13:

* Add arguments for CGI interpreters
* Support multiple CGI interpreters
* Buffering HTTP response headers, including API functions mg_response_header_* in C and Lua
* Additional C API functions
* Fix some memory leaks
* Extended use of atomic operations (e.g., for server stats)
* Add fuzz tests
* Set OpenSSL 1.1 API as default (from 1.0)
* Add Lua 5.4 support and deprecate Lua 5.1
* Provide additional Lua API functions
* Fix Lua websocket memory leak when closing the server
* Remove obsolete "file in memory" implementation
* Improvements and fixes in documentation
* Fixes from static source code analysis
* Additional unit tests
* Various small bug fixes
* Experimental support for some HTTP2 features (not ready for production)
* Experimental support for websocket compression
* Remove legacy interfaces declared obsolete for more than 3 years

Version 1.12:

* See https://github.com/civetweb/civetweb/releases/tag/v1.12 for detailed changelog
  </description>
</patchinfo>