Author: ken
Date: Tue Feb  2 10:44:20 2021
New Revision: 1681

Log:
Update advisories to end of October.

Also change severities to Critical/High/Medium/Low to match general usage,
or Uncertain when not yet known.

Modified:
   html/trunk/blfs/advisories/10.0.html
   html/trunk/blfs/advisories/consolidated.html
   html/trunk/lfs/advisories/10.0.html

Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html        Mon Feb  1 18:08:18 2021        
(r1680)
+++ html/trunk/blfs/advisories/10.0.html        Tue Feb  2 10:44:20 2021        
(r1681)
@@ -24,15 +24,9 @@
      after a release -->
      books.</i></p>
 
-     <p>The first item is a <b>Test Entry</b> to examine including LFS 
advisories
-     in this file.<p>
-
-     <h3>OpenSSL (LFS)</h3>
-
-     <h4>10.0 999 OpenSSL (LFS) Date: 2020-12-15 Severity: High</h4>
-     <p>A vulnerability in OpenSSL could be exploited to cause a crash.
-     To fix this, update to OpenSSL-1.1.1i or later.
-     <a href=consolidated.html#10.0-999>10.0-999</a></p>
+     <p>You may also wish to look for the entries in the Change Log of the
+     relevant book and follow the links to the ticket(s) which the later
+     version(s) fixed in case other relevant changes are noted.</p>
 
      <!-- After a release, copy for next book version, leave just template 
stuff
       in that, then change these links to point to the released books and note
@@ -56,7 +50,7 @@
 
      <h3>Brotli</h3>
 
-     <h4>10.0 006 Brotli  Date: 2020-09-06  Severity: Moderate</h4>
+     <h4>10.0 006 Brotli  Date: 2020-09-06  Severity: Medium</h4>
      <p>An integer oveflow in brotli before version 1.0.9 can lead to a crash.
      Update to brotli-1.0.9 or later
      <a href=consolidated.html#10.0-006>10.0-006</a></p>
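Review bot: the unchanged context line in this hunk still reads "An integer oveflow in brotli"; since the entry is being touched anyway, correct it to "overflow" (the same typo is in the consolidated.html copy of this entry further down in this commit).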
@@ -94,6 +88,24 @@
 
 <!-- end of Firefox -->
 
+     <h3>FreeType</h3>
+
+     <h4>10.0 024 FreeType  Date: 2020-10-20  Severity: High</h4>
+     <p>In FreeType from 2.6 to 2.10.3 there was a vulnerability in handling
+     embedded PNG bitmaps which was being actively exploited.
+     <a href=consolidated.html#10.0-024>10.0-024</a></p>
+
+<!-- end of FreeType -->
+
+     <h3>Glib</h3>
+
+     <h4>10.0 018 Glib  Date: 2020-10-05  Severity: Medium</h4>
+     <p>Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs.
+     Update to Glib-2.66.1 or later.
+     <a href=consolidated.html#10.0-018>10.0-018</a></p>
+
+<!-- end of Glib -->
+
      <h3>GnuPG</h3>
 
      <h4>10.0 007 GnuPG  Date: 2020-09-06  Severity: Critical</h4>
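Review bot: the new FreeType paragraph names the affected range (2.6 to 2.10.3) but, unlike the Glib entry directly below it, gives no "Update to ... or later" sentence; add the fixed version so the per-release page is self-contained (the consolidated entry added in this same commit says freetype-2.10.4 or later).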
@@ -114,6 +126,23 @@
 
 <!-- end of GnuTLS -->
 
+     <h3>The Gstreamer Stack</h3>
+
+     <h4>10.0 026 The Gstreamer stack  Date: 2020-10-27  Severity: High</h4>
+     <p>Emergency releases of Gstreamer-1.18.1 packages, and also of 1.16.3,
+     were made to fix several vulnerabilities.
+     <a href=consolidated.html#10.0-026>10.0-026</a></p>
+
+<!-- end of Gstreamer -->
+
+      <h3>Libass</h3>
+
+     <h4>10.0 027 Libass  Date: 2020-10-30  Severity: High</h4>
+     <p>In Libasss-0.14.0 there was a vulnerability from a signed integer 
overflow.
+     <a href=consolidated.html#10.0-027>10.0-027</a></p>
+
+<!-- end of Libass -->
+
      <h3>LibX11</h3>
 
      <h4>10.0 001 LibX11  Date: 2020-09-03  Severity: High</h4>
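Review bot: "Libasss-0.14.0" in the Libass paragraph has an extra "s" and should read "Libass-0.14.0". Neither the Gstreamer nor the Libass entry says which version to move to; the consolidated entries in this commit give gstreamer-1.16.3/1.18.1 and libass-0.15.0, so a one-line "Update to ..." for each would match the other entries on this page. The `<h3>Libass</h3>` line is also indented one space deeper than its neighbours.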
@@ -123,6 +152,17 @@
 
 <!-- end of LibX11 -->
 
+     <h3>LXML</h3>
+
+     <a id="10.0-023">
+     <h4>10.0 023 LXML  Date: 2020-10-17  Severity: Medium</h4>
+     <p>A remote attacker can trick the victim to follow a specially crafted
+     link and execute arbitrary HTML and script code in the user's browser in
+     the context of a vulnerable website.
+     <a href=consolidated.html#10.0-023>10.0-023</a></p>
+
+<!-- end of LXML -->
+
      <h3>Node.js</h3>
 
      <h4>10.0 012 Node.js  Date: 2020-09-17  Severity: High</h4>
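Review bot: the added `<a id="10.0-023">` line does not belong in this per-release page: no other entry in 10.0.html carries an id anchor (they all link out to consolidated.html instead) and the tag is never closed. Drop it here and keep the anchor only in consolidated.html. The entry also omits the fixed version; the consolidated entry says LXML-4.6.1 or later.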
@@ -132,8 +172,23 @@
 
 <!-- end of Node.js -->
 
+     <h3>NSS</h3>
+
+     <h4>10.0 022 NSS  Date: 2020-10-17  Severity: High</h4>
+     <p>A vulnerability in CSS handling, which could allow a remote attacker to
+     cause a denial of service fore servers linked against NSS, was discovered.
+     Update to NSS-3.58 or later.
+     <a href=consolidated.html#10.0-022>10.0-022</a></p>
+
+<!-- end of NSS -->
+
      <h3>Samba</h3>
 
+     <h4>10.0 028 Samba  Date: 2020-10-30  Severity: Medium</h4>
+     <p>Three CVE vulnerabilities were identified in Samba before version 
4.13.1,
+     Update to 4.13.1 or later.
+     <a href=consolidated.html#10.0-028>10.0-028</a></p>
+
      <h4>10.0 013 Samba  Date: 2020-09-26  Severity: Critical</h4>
      <p>A critical security vulnerability in Samba was discovered, dubbed
      "NetLogon". This vulnerability classifies as an authentication bypass, 
and is
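Review bot: "a vulnerability in CSS handling" in the new NSS paragraph disagrees with the consolidated.html entry in this same commit, which says "CCS handling" (the removed commented text further down also says CCS); pick one spelling, and fix "fore servers" to "for servers". In the new Samba 028 entry the comma after "before version 4.13.1," should be a full stop, since "Update to 4.13.1 or later." starts a new sentence.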
@@ -142,6 +197,24 @@
 
 <!-- end of Samba -->
 
+     <h3>PHP</h3>
+
+     <h4>10.0 019 PHP  Date: 2020-10-05  Severity: Medium</h4>
+     <p>PHP before 7.4.11 had two CVE vulnerabilities. To fix these, update
+     to PHP-7.4.11 or later.
+     <a href=consolidated.html#10.0-019>10.0-019</a></p>
+
+<!-- end of PHP -->
+
+     <h3>Ruby</h3>
+
+     <h4>10.0 020 Ruby  Date: 2020-10-06  Severity: High</h4>
+     <p>The bundled WEBrick HTTP server in ruby before 2.7.2 had a 
vulnerability
+     which could lead to an HTTP Request Smuggling attack.
+     <a href=consolidated.html#10.0-020>10.0-020</a></p>
+
+<!-- end of Ruby -->
+
      <h3>Seamonkey</h3>
 
      <h4>10.0 015 Seamonkey  Date: 2020-09-23  Severity: Critical</h4>
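Review bot: the Ruby entry describes the WEBrick request-smuggling problem but, unlike the PHP entry just above it, does not say which version to update to; add "Update to ruby-2.7.2 or later." for consistency (the fixed version is the one named in the consolidated entry).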
@@ -151,13 +224,29 @@
 
 <!-- end of Seamonkey -->
 
+     <h3> Stunnel</h3>
+
+     <h4>10.0 021 Stunnel  Date: 2020-10-16  Severity: High</h4>
+     <p>In Stunnel-5.57 the "redirect" option was fixed to properly handle
+     "verifyChain = yes". Update to stunnel-5.57 or later
+     <a href=consolidated.html#10.0-021>10.0-021</a></p>
+
+<!-- end of stunnel -->
+
      <h3>Thunderbird</h3>
+
+     <h4>10.0 025 Thunderbird  Date: 2020-10-23  Severity: High</h4>
+     <p>Three vulnerabilities rated as High were fixed in thunderbird-78.4.0.
+     To fix these update to thunderbird-78.4.0 or later.
+     <a href=consolidated.html#10.0-025>10.0-025</a></p>
+
      <h4>10.0 016 Thunderbird  Updated: 2020-09-25  Severity: High</h4>
      <p>Five vulnerabilities were fixed in thunderbird-78.3.0 including a 
memory
      safety bug rated as High. But users of that version of thunderbird 
reported
      numerous crashes. To fix the vulnerabilities and the crashes update to
      thunderbird-78.3.1 or later.
      <a href=consolidated.html#10.0-016>10.0-016</a></p>
+
 <!-- end of Thunderbird -->
 
      <h3>Qt5 and QtWebEngine</h3>
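Review bot: `<h3> Stunnel</h3>` has a stray leading space inside the element, and "Update to stunnel-5.57 or later" is missing its full stop before the link, so the link text runs on from the sentence. The closing marker `<!-- end of stunnel -->` is also lower-case where every other section uses the package's heading spelling.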
@@ -191,186 +280,6 @@
 
 <!-- end of Xorg-Server -->
 
-<!-------- ----------->
-<!--
-           <a href="../view/svn/general/nodejs.html">Node.js-14.15.4</a>.</li>
-       <li>After release, a critical security vulnerability in Samba was
-           discovered, dubbed "NetLogon". This vulnerability classifies as an
-           authentication bypass, and is rated a 10.0 on the CVSSv3 scale.
-           It's suggested that you upgrade to Samba-4.13.1 immediately if you
-           have it installed and configured. Use the instructions in
-           <a href="../view/svn/basicnet/samba.html">Samba-4.13.1</a>.</li>
-       <li>After release, several vulnerabilities were discovered in
-           Thunderbird, one of which is rated high. In addition, a critical
-           0day security vulnerability was discovered in Thunderbird that needs
-           to be patched immediately. It is suggested to update
-           to thunderbird-78.6.1 or later using the instructions in
-           <a 
href="../view/svn/xsoft/thunderbird.html">thunderbird-78.6.1</a></li>
-       <li>After release, several vulnerabilities in Wireshark that can cause
-           the application to crash were discovered. These can be remotely
-           exploited to cause Wireshark to crash. To fix these vulnerabilities,
-           update to Wireshark-3.4.2 or higher using the instructions in
-           <a 
href="../view/svn/basicnet/wireshark.html">Wireshark-3.4.2</a>.</li>
-       <li>After release, several dozen vulnerabilities were discovered in
-           Seamonkey. To fix these vulnerabilities, update to Seamonkey-2.53.6
-           or higher. In addition, an urgent 0day vulnerability was discovered
-           in the JavaScript engine that is used in Seamonkey. Another urgent
-           0day was discovered in the way Seamonkey handles SMTP requests.
-           Update to Seamonkey-2.53.6 using the instructions in
-           <a 
href="../view/svn/xsoft/seamonkey.html">Seamonkey-2.53.6</a>.</li>
-       <li>After release, several vulnerabilities were discovered in PHP. To 
fix
-           these vulnerabilities, update to PHP-8.0.1 or later using the
-           instructions in
-           <a href="../view/svn/general/php.html">PHP-8.0.1</a>.</li>
-       <li>After release, a high severity security vulnerability was discovered
-           in Ruby. To fix this vulnerability, update to ruby-2.7.2 or later
-           using the instructions in
-           <a href="../view/svn/general/ruby.html">Ruby-2.7.2</a>.</li>
-       <li>After release, a security vulnerability was discovered in the way
-           that GLib handles URIs. To fix this vulnerability, update to
-           GLib-2.66.1 or later using the instructions in
-           <a href="../view/svn/general/glib2.html">GLib-2.66.1</a>.</li>
-       <li>After release, a security vulnerability was discovered in NSS.
-           This was fixed by tighetning CCS handling when the client doesn't
-           indicate middlebox compatibilty. To fix this vulnerability, update 
to
-           NSS-3.58 or higher using the instructions in
-           <a href="../view/svn/postlfs/nss.html">NSS-3.58</a>.</li>
-       <li>After release, a minor security issue was addressed in stunnel.
-           This issue had to do with the 'redirect' option. To fix this issue,
-           update to stunnel-5.57 or later using the instructions in
-           <a href="../view/svn/postlfs/stunnel.html">stunnel-5.57</a>.</li>
-       <li>After release, two security issues were discovered in lxml that 
allowed
-           it to process JavaScript code. This could potentially lead to
-           arbitrary code execution. To fix this vulnerability, update to
-           lxml-4.6.2 or later using the instructions in
-           <a 
href="../view/svn/general/python-modules.html#lxml">lxml-4.6.2</a>.</li>
-       <li>After release, a security vulnerability was discovered in freetype
-           (all versions since 2.6), a buffer overflow when processing TTF 
files
-           which include PNG glyphs - this is being actively used in the wild.
-           To fix this vulnerability, update to freetype-2.10.4 or later using
-           the instructions in
-           <a 
href="../view/svn/general/freetype2.html">freetype-2.10.4</a>.</li>
-       <li>After release, several vulnerabilities were discovered in the 
Gstreamer
-           Multimedia Stack. To fix these vulnerabilities, update to gstreamer
-           and gst-plugins-* 1.16.3 using the same instructions in the book, 
but
-           with the newer packages.</li>
-        <!\-\- Note: I did not list the instructions for 1.18.x because they 
will
-             cause incompatibilities on older systems. \-\->
-       <li>After release, a signed integer overflow vulnerability was 
discovered
-           in libass. This vulnerability has been assigned CVE-2020-26682. To
-           fix this vulnerability, update to libass-0.15.0 using the
-           instructions in
-           <a href="../view/svn/multimedia/libass.html">libass-0.15.0</a>.</li>
-       <li>After release, several security vulnerabilities were discovered in
-           the MariaDB database server. These vulnerabilities could lead to
-           information disclosure or a repeatable server crash. To fix these
-           vulnerabilities, update to MariaDB-10.5.7 or later using the
-           instructions in
-           <a href="../view/svn/server/mariadb.html">MariaDB-10.5.7</a>.</li>
-       <li>After release, several security vulnerabilities were identified in  
# out of order?  
-           xorg-server that can lead to privilege escalation (to root) due to
-           input validation failures. To fix these vulnerabilities, update to
-           Xorg-Server-1.20.10 using the instructions in
-           <a 
href="../view/svn/x/xorg-server.html">Xorg-Server-1.20.10</a>.</li>
-       <li>After release, several security vulnerabilities were disclosed in
-           the Mozilla Firefox web browser. Several of these are rated as High
-           or Critical. One of them was an urgent 0day that needed to be dealt
-           with urgently (fixed in 78.4.1). Update to Firefox-78.7.0 or later 
using the
-           instructions in
-           <a href="../view/svn/xsoft/firefox.html">Firefox-78.7.0</a>.</li>
-       <li>After release, three high severity vulnerabilities were disclosed in
-           the PostgreSQL databse server. These vulnerabilities could lead to
-           arbitrary execution of SQL commands as the superuser or
-           information disclosure. To fix these vulnerabilities, update to
-           PostgreSQL-13.1 or later using the instructions in
-           <a 
href="../view/svn/server/postgresql.html">PostgreSQL-13.1</a>.</li>
-       <li>After release, four high severity security vulnerabilities were
-           disclosed in the version of c-ares shipped with BLFS 10.0. To fix
-           these vulnerabilities, update to c-ares-1.17.1 or higher using the
-           instructions in
-           <a href="../view/svn/basicnet/c-ares.html">c-ares-1.17.1</a>.
-           You should also update Node.js to 14.15.1 after updating c-ares if
-           you have it installed.</li>
-       <li>After release, a denial of service vulnerability was discovered in
-           MIT Kerberos V5. This only affects the server configuration, not the
-           client configuration. To fix this vulnerability, update to
-           krb5-5.18.3 or later using the instructions in
-           <a href="../view/svn/postlfs/mitkrb.html">MIT Kerberos 
V5-1.18.3</a>.</li>
-       <li>After release, several vulnerabilities were discovered in 
WebKitGTK+.
-           These vulnerabilities include type confusion issues, use-after-free
-           issues, cross-site scripting issues, and arbitrary code execution.
-           To fix these vulnerabilities, update to
-           WebKitGTK+-2.30.3 or later using the instructions in
-           <a href="../view/svn/x/webkitgtk.html">WebKitGTK+-2.30.3</a>.</li>
-       <li>After release, several vulnerabilities were discovered in libxml2.
-           To fix these, apply the patch from
-           <a 
href="http://www.linuxfromscratch.org/patches/blfs/svn/libxml2-2.9.10-security_fixes-1.patch";>
-           libxml2-2.9.10-security_fixes-1.patch</a> to your build and rebuild
-           libxml2.</li>
-       <li>After release, several vulnerabilities were discovered in libexif.
-           To fix these vulnerabilities, apply the patch from
-           <a 
href="http://www.linuxfromscratch.org/patches/blfs/svn/libexif-0.6.22-security_fixes-1.patch";>
-           libexif-0.6.22-security_fixes-1.patch</a> to your build and rebuild
-           libexif.</li>
-       <li>After release, a denial of service vulnerability was
-           discovered in unbound. The severity is deemed as low.
-           The fix is in the newer version
-           unbound-1.13.0 (and higher). You can install it by following
-           the instructions for
-           <a href="../view/svn/server/unbound.html">unbound</a> in
-           the development book.</li>
-       <li>After release, three security vulnerabilities were discovered in
-           cURL as shipped in BLFS. To fix these vulnerabilities, update to
-           cURL-7.74.0 or later using the instructions in
-           <a href="../view/svn/basicnet/curl.html">curl-7.74.0</a>.</li>
-       <li>After release, a security vulnerability in the PNG loader was
-           discovered in gdk-pixbuf. To fix this vulnerability, update to
-           gdk-pixbuf-2.42.2 or higher using the instructions in
-           <a href="../view/svn/x/gdk-pixbuf.html">gdk-pixbuf-2.42.2</a>.</li>
-       <li>After release, three security vulnerabilities in the RPC subsystem
-           were identified in p11-kit as shipped in BLFS 10.0. To fix these
-           vulnerabilities, update to p11-kit-0.23.22 or later using the
-           instructions in
-           <a href="../view/svn/postlfs/p11-kit.html">p11-kit-0.23.22</a>.</li>
-       <li>After release, over a dozen security vulnerabilities were discovered
-           in OpenJPEG as shipped in BLFS 10.0. Several of these 
vulnerabilities
-           are rated as High. To fix these vulnerabilities, update to
-           OpenJPEG-2.4.0 or later using the instructions in
-           <a 
href="../view/svn/general/openjpeg2.html">OpenJPEG-2.4.0</a>.</li>
-       <li>After release, several security vulnerabilities were discovered in
-           libpcap as shipped with BLFS 10.0. To fix these vulnerabilities,
-           update to libpcap-1.10.0 or later using the instructions in
-           <a href="../view/svn/basicnet/libpcap.html">libpcap-1.10.0</a>.</li>
-       <li>After release, two security vulnerabilities were discovered in the
-           Dovecot mail server as shipped with BLFS 10.0. One of these
-           vulnerabilities may allow a user to read another users' mail or the
-           server's filesystem depending on the configuration on the server.
-           To fix these two vulnerabilities, update to Dovecot-2.3.13 or later
-           using the instructions in
-           <a href="../view/svn/server/dovecot.html">Dovecot-2.3.13</a>.</li>
-       <li>After release, a use-after-free security vulnerability was
-           discovered in Poppler as shipped with BLFS 10.0. This vulnerability
-           can lead to arbitrary code execution via a malicious PDF file. To 
fix
-           this vulnerability, update to poppler-21.01.0 or higher using the
-           instructions in
-           <a href="../view/svn/general/poppler.html">poppler-21.01.0</a>.</li>
-       <li>After release, multiple security vulnerabilities were discovered in
-           Sudo before 1.9.5p1. To fix these vulnerabilities, update to
-           Sudo-1.9.5p1 or later using the instructions in
-           <a href="../view/svn/postlfs/sudo.html">sudo-1.9.5p1</a>.</li>
-       <li>Various vulnerabilities in ImageMagick were found, including various
-           things leading to a Denial of Service (crash), and also the
-           possibility to inject additional shell commands when accessing a
-           password-protected PDF file. To fix these vulnerabilities update to
-           ImageMagick-7.0.10-57 or higher using the instructions in
-           <a 
href="../view/svn/general/imagemagick.html">ImageMagick-7.0.10-57</a>.</li>
-       <li>After release, several vulnerabilities were discovered in 
vorbis-tools
-           as shipped in BLFS 10.0. These vulnerabilities range from memory 
leaks
-           to potentially arbitrary code execution via malicious OGG files.
-           To fix these vulnerabilities, update to vorbis-tools-1.4.2
-           or later using the instructions in
-           <a 
href="../view/svn/multimedia/vorbistools.html">vorbis-tools-1.4.2</a>.</li>
-     </ul>-->
 
 
 <!--#include virtual="/common/footer.html" -->
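Review bot: before deleting this commented-out list, confirm the items in it that post-date October are tracked somewhere else. The log says the advisories are updated "to end of October" and the newest entry added in this commit is 10.0-028 dated 2020-10-30, yet the removed text covers later fixes (MariaDB-10.5.7, PostgreSQL-13.1, c-ares-1.17.1, krb5, WebKitGTK+-2.30.3, libxml2 and libexif patches, unbound, cURL-7.74.0, gdk-pixbuf-2.42.2, p11-kit, OpenJPEG-2.4.0, libpcap-1.10.0, Dovecot-2.3.13, poppler-21.01.0, Sudo-1.9.5p1, ImageMagick, vorbis-tools, Xorg-Server-1.20.10, Firefox-78.7.0). If this was the editors' working checklist, removing it here loses the record of what still needs converting into entries.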

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Mon Feb  1 18:08:18 
2021        (r1680)
+++ html/trunk/blfs/advisories/consolidated.html        Tue Feb  2 10:44:20 
2021        (r1681)
@@ -25,28 +25,35 @@
 
      <p>The severity ratings are best estimates unless upstream has assigned
      a rating. Where a stand-alone application will crash, that will typically
-     be assigned a Moderate rating unless it is a security application. If in
+     be assigned a Medium rating unless it is a security application. If in
      doubt, read the links.</p>
 
-     <!-- Editors: Commented entry to copy, and reminder about patches -->
-<!--
-     <h4>VV.V NNN Package  Date: ccyy-mm-dd  Severity: 
Critical/High/Moderate/Uncertain</h4>
+     <!-- Editors: Commented entry to copy, and reminder about patches
+
+     If there is a CVE, https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNN
+     shows severities.
+
+     <h4>VV.V NNN Package  Date: ccyy-mm-dd  Severity: 
Critical/High/Medium/Low/Uncertain</h4>
+      or
+     <h4>VV.V NNN (LFS) Package  Date: ccyy-mm-dd  Severity: 
Critical/High/Medium/Low/Uncertain</h4>
      <p>Explain the problem, perhaps offering a workaround, and linking to
      relevant CVEs or package advisory notes.
      These have been assigned
      <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-12345";>CVE-2020-12345</a>
      .</p>
+      BLFS
      <p>To fix this, update to at least Package-VERSION using the instructions
      from the development book for
+      BLFS
      <a href="../view/svn/path/something.html">Package (sysv)</a> or
      <a href="../view/systemd/path/something.html">Package (systemd)</a>.</p>
--->
+      LFS: - usually chapter08
+     <a href="../../lfs/view/development/chapter08/openssl.html">OpenSSL 
(sysv)</a> or
+     <a href="../../lfs/view/systemd/chapter08/openssl.html">OpenSSL 
(systemd)</a>.</p>-->
 
      <!-- where a fix used a patch, maybe link to it. e.g.
      <a 
href="http://www.linuxfromscratch.org/patches/blfs/svn/libxml2-2.9.10-security_fixes-1.patch";>
-     for clarity.
-     -->
-     <!-- BLFS10.1 will come here -->
+     for clarity. -->
 
      <a id="BLFS10.0"> <!-- maybe doesn't need to be linked -->
      <h2>BLFS-10.0 was released on 2020/09/01</h2></a>
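Review bot: the placeholder `<!-- BLFS10.1 will come here -->` is removed without replacement; if it marked where the next release's section goes, keep it (or say in the log why it is no longer needed). The rest of the template change is consistent with the log: the editors' comment now encloses the whole sample entry, the severity list reads Critical/High/Medium/Low/Uncertain, and the LFS variant of the heading and the chapter08 links are documented.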
@@ -70,6 +77,144 @@
      <a href="../../lfs/view/development/chapter08/openssl.html">OpenSSL 
(sysv)</a> or
      <a href="../../lfs/view/systemd/chapter08/openssl.html">OpenSSL 
(systemd)</a>.</p>-->
 
+     <a id="10.0-028">
+     <h4>10.0 028 Samba  Date: 2020-10-30  Severity: Medium</h4>
+     <p>Three CVE vulnerabilities were identified in Samba before version 
4.13.1,
+     see <a href="https://www.samba.org/samba/history/";>Samba History</a> and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14318";>CVE-2020-14318</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14323";>CVE-2020-14323</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14383";>CVE-2020-14383</a>.</p>
+     <p>To fix this, update to at least samba-4.13.1 using the instructions
+     from the development book for
+     <a href="../view/svn/basicnet/samba.html">Samba (sysv)</a> or
+     <a href="../view/systemd/basicnet/samba.html">Samba (systemd)</a>.</p>
+
+     <a id="10.0-027">
+     <h4>10.0 027 Libass  Date: 2020-10-30  Severity: High</h4>
+     <p>There was a signed integer overflow in libass-0.14.0. See
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26682";>CVE-2020-26682</a>.</p>
+     <p>To fix this, update to at least libass-0.15.0 using the instructions
+     from the development book for
+     <a href="../view/svn/multimedia/libass.html">Libass (sysv)</a> or
+     <a href="../view/systemd/multimedia/libass.html">Libass (systemd)</a>.</p>
+
+     <a id="10.0-026">
+     <h4>10.0 026 The Gstreamer stack  Date: 2020-10-27  Severity: High</h4>
+     <p>Upstream made an emergency release of gstreamer-1.18.1 and its stack 
containing
+     important security fixes. At the same time the gstreamer-1.16.3 stack was 
released with
+     similar fixes. Limited details are available at
+     <a href="https://gstreamer.freedesktop.org/releases/1.18/#1.18.1";>1.18.1 
Release Notes</a>
+     and
+     <a href="https://gstreamer.freedesktop.org/releases/1.16/#1.16.3";>1.16.3 
Release Notes</a>
+     .</p>
+     <p>On systems running Gstreamer 1.16 versions, such as BLFS-10.0, update 
to the
+     gstreamer-1.16.3 packages (gstreamer, -libav, -plugins, -vaapi) using the 
instructions
+     from the BLFS-10.0 book:
+     <a href="../view/10.0/multimedia/gstreamer10.html">Gstreamer 1.16 
(sysv)</a>
+     <i>et seq.</i> or
+     <a href="../view/10.0-systemd/multimedia/gstreamer10.html">Gstreamer 1.16 
(systemd)</a>
+     <i> et seq.</i></p>
+     <p>On systems running Gstreamer 1.18 versions, update to the
+     gstreamer-1.18.1 or later packages (gstreamer, -libav, -plugins, -vaapi
+     using the instructions from the development book for
+     <a href="../view/svn/multimedia/gstreamer10.html">Gstreamer 1.18 
(sysv)</a>i
+     <i>et seq.</i> or
+     <a href="../view/systemd/multimedia/gstreamer10.html">Gstreamer 1.18 
(systemd)</a>
+     <i> et seq.</i></p>
+
+     <a id="10.0-025">
+     <h4>10.0 025 Thunderbird  Date: 2020-10-23  Severity: High</h4>
+     <p>Three vulnerabilities rated as High were fixed in thunderbird-78.4.0.
+     Details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-47/";>mfsa2020-47</a>.</p>
+     <p>To fix this, update to Thunderbird-78.4.0 or later using the 
instructions
+     from the development book for
+     <a href="../view/svn/xsoft/thunderbird.html">Thunderbird (sysv)</a> or
+     <a href="../view/systemd/xsoft/thunderbird.html">Thunderbird 
(systemd)</a>.</p>
+
+     <a id="10.0-024">
+     <h4>10.0 024 FreeType  Date: 2020-10-20  Severity: High</h4>
+     <!-- CVE originally for chrome, but emergency release of FT because
+       it was being actively exploited -->
+     <p>There was an emergency release fixing a vulnerability in embedded PNG
+     bitmap handling (since FreeType-2.6) which was being actively exploited.
+     The original CVE was raised against Chrome OS and only rated as Medium.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-15999";>CVE-2020-15999</a>
+     and
+     <a 
href="https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/";>Sourceforge
 - Changes in 2.10.4</a>
+     .</p>
+     <p>To fix this, update to freetype-2.10.4 or later using the instructions
+     from the development book for
+     <a href="../view/svn/general/freetype2.html">FreeType (sysv)</a> or
+     <a href="../view/systemd/general/freetype2.html">FreeType 
(systemd)</a>.</p>
+
+     <a id="10.0-023">
+     <h4>10.0 023 LXML  Date: 2020-10-17  Severity: Medium</h4>
+     <p>A remote attacker can trick the victim to follow a specially crafted
+     link and execute arbitrary HTML and script code in the user's browser in
+     the context of a vulnerable website.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-27783";>CVE-2020-27783</a>
+     and
+     <a 
href="https://www.cybersecurity-help.cz/vdb/SB2020120602";>cybersecurity-help.cz</a>
+     .</p>
+     <p>To fix this, update to LXML-4.6.1 or later using the instructions
+     from the development book for
+     <a href="../view/svn/general/python-modules.html#lxml">LXML (sysv)</a> or
+     <a href="../view/systemd/general/python-modules.html#lxml">LXML 
(systemd)</a>.</p>
+
+     <a id="10.0-022">
+     <h4>10.0 022 NSS  Date: 2020-10-17  Severity: High</h4>
+     <p>A flaw was found in the CCS handling, allowing a remote attacker to
+     cause a denial of service for servers linked against NSS.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25613";>CVE-2020-25613</a>
+     .</p>
+     <p>To fix this, update to at least NSS-3.58 using the instructions
+     from the development book for
+     <a href="../view/svn/postlfs/nss.html">NSS (sysv)</a> or
+     <a href="../view/systemd/postlfs/nss.html">NSS (systemd)</a>.</p>
+
+     <a id="10.0-021">
+     <h4>10.0 021 Stunnel  Date: 2020-10-16  Severity: High</h4>
+     <p>In Stunnel-5.57 the "redirect" option was fixed to properly handle
+     "verifyChain = yes". See
+     <a href="https://www.stunnel.org/NEWS.html";>Stunnel NEWS</a>
+     .</p>
+     <p>To fix this, update to at least stunnel-5.57 using the instructions
+     from the development book for
+     <a href="../view/svn/postlfs/stunnel.html">Stunnel (sysv)</a> or
+     <a href="../view/systemd/postlfs/stunnel.html">Stunnel (systemd)</a>.</p>
+
+     <a id="10.0-020">
+     <h4>10.0 020 Ruby  Date: 2020-10-06  Severity: High</h4>
+     <p>Ruby before 2.7.2 had a vulnerability in its WEBrick HTTP server.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25613";>CVE-2020-25613</a>
+     .</p>
+     <p>To fix this, update to at least Ruby-2.7.2 using the instructions
+     from the development book for
+     <a href="../view/svn/general/ruby.html">Ruby (sysv)</a> or
+     <a href="../view/systemd/general/ruby.html">Ruby (systemd)</a>.</p>
+
+     <a id="10.0-019">
+     <h4>10.0 019 PHP  Date: 2020-10-05  Severity: Medium</h4>
+     <p>PHP before 7.4.11 had two CVE vulnerabilities,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472";>CVE-2020-1472</a> and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472";>CVE-2020-1472</a>.</p>
+     <p>To fix this, update to at least PHP-7.4.11 using the instructions
+     from the development book for
+     <a href="../view/svn/general/php.html">PHP (sysv)</a> or
+     <a href="../view/systemd/general/php.html">PHP (systemd)</a>.</p>
+
+     <a id="10.0-018">
+     <h4>10.0 018 Glib  Date: 2020-10-05  Severity: Medium</h4>
+     <!-- this came from oss fuzzing, debian rated urgency as medium -->
+     <p>Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs. See
+     <a href="https://gitlab.gnome.org/GNOME/glib/-/releases/2.66.1";>Release 
Notes</a>
+     .</p>
+     <p>To fix this, update to at least Glib-2.66.1 using the instructions
+     from the development book for
+     <a href="../view/svn/general/glib2.html">Glib (sysv)</a> or
+     <a href="../view/systemd/general/glib2.html">Glib (systemd)</a>.</p>
+
      <a id="10.0-017">
      <h4>10.0 017 Wireshark  Date: 2020-09-23  Severity: High</h4>
      <p>Five Security Advisories (wnpa-sec-2020-11,12,13) which could cause
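Review bot: two of the new entries carry copy-paste errors in their CVE links. The PHP 019 entry says "two CVE vulnerabilities" but both links point to CVE-2020-1472, so the second identifier is missing and the first should be checked against the PHP 7.4.11 release notes. The Ruby 020 entry links CVE-2020-25613, the same number the NSS 022 entry uses two entries above; two unrelated packages cannot share one CVE, so one of them is wrong. Smaller points in the same hunk: in the Gstreamer 026 entry the list "(gstreamer, -libav, -plugins, -vaapi" in the 1.18 paragraph is missing its closing parenthesis, and "(sysv)</a>i" has a stray "i" after the closing tag.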
@@ -86,7 +231,7 @@
      <p>Five vulnerabilities with CVE numbers were fixed in thunderbird-78.3.0
      including a memory safety bug rated as High. Details are at
      <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/";>mfsa2020-44</a>.</p>
-     <p>But users of that version of thuinderbird reported numerous crashes.
+     <p>But users of that version of thunderbird reported numerous crashes.
      To fix the vulnerabilities and the crashes update to thunderbird-78.3.1 or
      later using the instructions
      from the development book for
@@ -163,7 +308,7 @@
      <a href="../../lfs/view/systemd/chapter10/kernel.html">Linux Kernel 
(systemd)</a>.</p>
 
      <a id="10.0-009">
-     <h4>10.0 009 Bison (LFS)  Date: 2020-09-15  Severity: Moderate</h4>
+     <h4>10.0 009 Bison (LFS)  Date: 2020-09-15  Severity: Low</h4>
      <p>Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself, the
      generated code should not be affected. See
      <a 
href="https://lists.gnu.org/archive/html/info-gnu/2020-09/msg00003.html";>The 
Release Announcement</a>
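Review bot: Bison goes from Moderate to Low here while Brotli's Moderate becomes Medium in the next hunk. Since this is a re-rating rather than the rename described in the log, a short reason in the entry (for example that the generated code is not affected, as the paragraph already says) would help readers who compare with earlier copies of the page.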
@@ -197,7 +342,7 @@
      <a href="../view/systemd/postlfs/gnupg.html">GnuPG (systemd)</a>.</p>
 
      <a id="10.0-006">
-     <h4>10.0 006 Brotli  Date: 2020-09-06  Severity: Moderate</h4>
+     <h4>10.0 006 Brotli  Date: 2020-09-06  Severity: Medium</h4>
      <p>An integer oveflow in brotli before version 1.0.9 can lead to a crash.
      This was assigned
      <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8927";>CVE-2020-8927</a>.</p>
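Review bot: the context line "An integer oveflow in brotli" carries the same typo as the 10.0.html copy of this entry; correct both to "overflow" in this commit.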

Modified: html/trunk/lfs/advisories/10.0.html
==============================================================================
--- html/trunk/lfs/advisories/10.0.html Mon Feb  1 18:08:18 2021        (r1680)
+++ html/trunk/lfs/advisories/10.0.html Tue Feb  2 10:44:20 2021        (r1681)
@@ -43,12 +43,12 @@
 
      <!-- End of Linux Kernel -->
 
-     <h3>Linux Kernel</h3>
+     <h3>Bison</h3>
 
      <a id="10.0-009">
-     <h4>10.0 010 Linux Kernel (LFS)  Date: 2020-09-15  Severity: High</h4>
-     <p>In Linux kernels before 5.8.8 there is a potential privilege escalation
-     in 64-bit kernels.
+     <h4>10.0 009 Bison (LFS)  Date: 2020-09-15  Severity: Low</h4>
+     <p>Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself, the
+     generated code should not be affected. See
      <a href=../../blfs/advisories/consolidated.html#10.0-009>10.0-009</a></p>
 
      <!-- End of Linux Kernel -->
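Review bot: the trailing context line `<!-- End of Linux Kernel -->` now closes the Bison section; rename it to `<!-- End of Bison -->` so the marker matches the heading it belongs to (the first `<!-- End of Linux Kernel -->` above the hunk stays as is). The substantive change is right: the entry under `<a id="10.0-009">` previously read "10.0 010 Linux Kernel" while linking to 10.0-009, and it now carries the Bison 009 text that the consolidated page has for that id.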