An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Axel | Axel_project | * | 2.17.8 (excluding) |
| Axel | Ubuntu | bionic | * |
| Axel | Ubuntu | eoan | * |
| Axel | Ubuntu | esm-apps/bionic | * |
| Axel | Ubuntu | esm-apps/focal | * |
| Axel | Ubuntu | focal | * |
| Axel | Ubuntu | groovy | * |
| Axel | Ubuntu | hirsute | * |
| Axel | Ubuntu | trusty | * |
| Axel | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00010.html
- https://github.com/axel-download-accelerator/axel/issues/262
- https://github.com/axel-download-accelerator/axel/releases/tag/v2.17.8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPZUQSDGV5XDBJGHBWBHWJIBE47Q4QIB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S3ECAKIZA2TGBYLUQTLGRMXUFIOGRHG3/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00010.html
- https://github.com/axel-download-accelerator/axel/issues/262
- https://github.com/axel-download-accelerator/axel/releases/tag/v2.17.8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPZUQSDGV5XDBJGHBWBHWJIBE47Q4QIB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S3ECAKIZA2TGBYLUQTLGRMXUFIOGRHG3/