{"affected":[{"ecosystem_specific":{"binaries":[{"civetweb":"1.15-lp152.2.3.1","civetweb-devel":"1.15-lp152.2.3.1","libcivetweb-cpp1_15_0":"1.15-lp152.2.3.1","libcivetweb1_15_0":"1.15-lp152.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.2","name":"civetweb","purl":"pkg:rpm/opensuse/civetweb&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.15-lp152.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for civetweb fixes the following issues:\n\nVersion 1.15:\n\n* boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in the default form-based file upload mechanism\n* New configuration for URL decoding\n* Sanitize filenames in handle form\n* Example “embedded_c.c”: Do not overwrite files (possible security issue)\n* Remove obsolete examples\n* Remove “experimental” label for some features\n* Remove MG_LEGACY_INTERFACE that have been declared obsolete in 2017 or earlier\n* Modifications to build scripts, required due to changes in the test environment\n* Unix domain socket support fixed\n* Fixes for NO_SSL_DL\n* Fixes for some warnings / static code analysis\n\nVersion 1.14:\n\n* Change SSL default setting to use TLS 1.2 as minimum (set config if you need an earlier version)\n* Add local_uri_raw field (not sanitized URI) to request_info\n* Additional API functions and a callback after closing connections\n* Allow mbedTLS as OpenSSL alternative (basic functionality)\n* Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13)\n* Support UNIX/Linux domain sockets\n* Fuzz tests and ossfuzz integration\n* Compression for websockets\n* Restructure some source files\n* Improve documentation\n* Fix HTTP range requests\n* Add some functions for Lua scripts/LSP\n* Build system specific fixes (CMake, MinGW)\n* Update 3rd party components (Lua, lfs, sqlite)\n* Allow Lua background script to use timers, format and filter logs\n* Remove WinCE code\n* Update version number \n\nVersion 1.13:\n\n* Add arguments for CGI interpreters\n* Support multiple CGi interpreters\n* Buffering HTTP response headers, including API functions mg_response_header_* in C and Lua\n* Additional C API functions\n* Fix some memory leaks\n* Extended use of atomic operations (e.g., for server stats)\n* Add fuzz tests\n* Set OpenSSL 1.1 API as default (from 1.0)\n* Add Lua 5.4 support and deprecate Lua 5.1\n* Provide additional Lua API functions\n* Fix Lua websocket memory leak when closing the server\n* Remove obsolete 'file in memory' implementation\n* Improvements and fixes in documentation\n* Fixes from static source code analysis\n* Additional unit tests\n* Various small bug fixes\n* Experimental support for some HTTP2 features (not ready for production)\n* Experimental support for websocket compression\n* Remove legacy interfaces declared obsolete since more than 3 years\n\nVersion 1.12 \n\n* See https://github.com/civetweb/civetweb/releases/tag/v1.12 for detailed changelog\n  \n","id":"openSUSE-SU-2021:1424-1","modified":"2021-10-31T15:08:27Z","published":"2021-10-31T15:08:27Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YJTZUANR73SYTZDQ6GMWGRR5O4MCEJA4/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1191938"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-27304"}],"related":["CVE-2020-27304"],"summary":"Security update for civetweb","upstream":["CVE-2020-27304"]}