
Bug 725632 (CVE-2020-13614)

Summary: <net-misc/axel-2.17.8: Lack of server TLS certificate validation (CVE-2020-13614)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jlec, slashbeast
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/axel-download-accelerator/axel/issues/262
Whiteboard: B3 [noglsa cve]
Package list:
=net-misc/axel-2.17.8
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-27 13:26:46 UTC
Description:
"An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-27 13:28:26 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself.

If you can, keep an eye on changelogs for such entries, because the CVE has only been assigned a month and a bit later :(
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-30 14:45:20 UTC
acked on irc
Comment 3 Rolf Eike Beer archtester 2020-05-31 09:47:03 UTC
sparc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-01 08:17:01 UTC
ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-01 21:42:10 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-04 06:27:29 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-04 06:38:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Larry the Git Cow gentoo-dev 2020-06-06 21:17:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9247fcd98b8728fa1aced9119bf5290c19c60254

commit 9247fcd98b8728fa1aced9119bf5290c19c60254
Author:     Piotr Karbowski <slashbeast@gentoo.org>
AuthorDate: 2020-06-06 21:17:05 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2020-06-06 21:17:32 +0000

    net-misc/axel: 2.17.7 drop.
    
    Bug: https://bugs.gentoo.org/725632
    
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 net-misc/axel/Manifest           |  1 -
 net-misc/axel/axel-2.17.7.ebuild | 48 ----------------------------------------
 2 files changed, 49 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-06 21:49:52 UTC
Thanks! All done on your end. :)