Bug 26754

Summary: axel new security issue CVE-2020-13614
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: axel-2.16.1-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-06-09 19:46:48 CEST 
openSUSE has issued an advisory on June 8:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html

The issue is fixed upstream in 2.17.8.
Comment 1 David GEIGER 2020-06-10 07:28:48 CEST 
Done for mga7!
Comment 2 David Walser 2020-06-10 15:58:56 CEST 
Advisory:
========================

Updated axel package fixes security vulnerability:

An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation
lacks hostname verification (CVE-2020-13614).

The axel package has been updated to version 2.17.8, fixing this issue and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13614
https://github.com/axel-download-accelerator/axel/releases/
https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html
========================

Updated packages in core/updates_testing:
========================
axel-2.17.8-2.mga7

from axel-2.17.8-2.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 3 Len Lawrence 2020-06-11 15:29:37 CEST 
mga7, x86_64

Tried this out before updating to make sure that basic functions were working.
$ axel -n 4 -s 1024 https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html
Initializing download: https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html
File size: 10353 bytes
Opening output file msg00030.html
Starting download

[  0%]  ..........
Connection 0 finished
Connection 3 finished

Downloaded 10.1 Kilobyte in 0 seconds. (33.53 KB/s)

The downloaded file could be viewed in a browser.  The actual download took no more than a second even though the requested maximum speed was 1 KB/sec.  Perhaps too small a file for the algorithm to kick in.

Updated axel and tried an image at NASA's APOD.
$ axel -s 2048000 -n 4 https://apod.nasa.gov/apod/image/2006/NGC1300HSTfull.jpg
Initializing download: https://apod.nasa.gov/apod/image/2006/NGC1300HSTfull.jpg
File size: 2851135 bytes
Opening output file NGC1300HSTfull.jpg
Starting download

Connection 1 finished
Connection 2 finished
Connection 0 finished
[100%] [..................................................] [   1.1MB/s] [00:00]

Downloaded 2.71905 Megabyte(s) in 2 second(s). (1150.92 KB/s)

The progress indicator showed that several channels from 0 to 3 were being utilised.  The image was perfect compared with the browser image.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-06-14 01:15:43 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-06-15 08:55:25 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 5 Mageia Robot 2020-06-15 09:56:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0263.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED