Bug 725632 (CVE-2020-13614) - <net-misc/axel-2.17.8: Lack of server TLS certificate validation (CVE-2020-13614)
Status: RESOLVED FIXED
Alias: CVE-2020-13614
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/axel-download-acce...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-27 13:26 UTC by Sam James
Modified: 2020-06-18 03:17 UTC

See Also:
Package list:
=net-misc/axel-2.17.8
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-27 13:26:46 UTC
Description:
"An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-27 13:28:26 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself.

If you can, keep an eye on changelogs for such entries, because the CVE has only been assigned a month and a bit later :(
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-30 14:45:20 UTC
acked on irc
Comment 3 Rolf Eike Beer archtester 2020-05-31 09:47:03 UTC
sparc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-01 08:17:01 UTC
ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-01 21:42:10 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-04 06:27:29 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-04 06:38:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Larry the Git Cow gentoo-dev 2020-06-06 21:17:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9247fcd98b8728fa1aced9119bf5290c19c60254

commit 9247fcd98b8728fa1aced9119bf5290c19c60254
Author:     Piotr Karbowski <slashbeast@gentoo.org>
AuthorDate: 2020-06-06 21:17:05 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2020-06-06 21:17:32 +0000

    net-misc/axel: 2.17.7 drop.
    
    Bug: https://bugs.gentoo.org/725632
    
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 net-misc/axel/Manifest           |  1 -
 net-misc/axel/axel-2.17.7.ebuild | 48 ----------------------------------------
 2 files changed, 49 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-06 21:49:52 UTC
Thanks! All done on your end. :)