Bug 26754 - axel new security issue CVE-2020-13614
Summary: axel new security issue CVE-2020-13614
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Reported: 2020-06-09 19:46 CEST by David Walser
Modified: 2020-06-15 09:56 CEST

Source RPM: axel-2.16.1-2.mga7.src.rpm

Description David Walser 2020-06-09 19:46:48 CEST
openSUSE has issued an advisory on June 8:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html

The issue is fixed upstream in 2.17.8.

Comment 1 David GEIGER 2020-06-10 07:28:48 CEST
Done for mga7!

Comment 2 David Walser 2020-06-10 15:58:56 CEST
Advisory:
========================

Updated axel package fixes security vulnerability:

An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation
lacks hostname verification (CVE-2020-13614).

The axel package has been updated to version 2.17.8, fixing this issue and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13614
https://github.com/axel-download-accelerator/axel/releases/
https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html
========================

Updated packages in core/updates_testing:
========================
axel-2.17.8-2.mga7

from axel-2.17.8-2.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 3 Len Lawrence 2020-06-11 15:29:37 CEST
mga7, x86_64

Tried this out before updating to make sure that basic functions were working.
$ axel -n 4 -s 1024 https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html
Initializing download: https://lists.opensuse.org/opensuse-updates/2020-06/msg00030.html
File size: 10353 bytes
Opening output file msg00030.html
Starting download

[  0%]  ..........
Connection 0 finished
Connection 3 finished

Downloaded 10.1 Kilobyte in 0 seconds. (33.53 KB/s)

The downloaded file could be viewed in a browser.  The actual download took no more than a second even though the requested maximum speed was 1 KB/sec.  Perhaps too small a file for the algorithm to kick in.

Updated axel and tried an image at NASA's APOD.
$ axel -s 2048000 -n 4 https://apod.nasa.gov/apod/image/2006/NGC1300HSTfull.jpg
Initializing download: https://apod.nasa.gov/apod/image/2006/NGC1300HSTfull.jpg
File size: 2851135 bytes
Opening output file NGC1300HSTfull.jpg
Starting download

Connection 1 finished
Connection 2 finished
Connection 0 finished
[100%] [..................................................] [   1.1MB/s] [00:00]

Downloaded 2.71905 Megabyte(s) in 2 second(s). (1150.92 KB/s)

The progress indicator showed that several channels from 0 to 3 were being utilised.  The image was perfect compared with the browser image.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-06-14 01:15:43 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-06-15 08:55:25 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 5 Mageia Robot 2020-06-15 09:56:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0263.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

