Author: ken
Date: Tue Feb  2 12:02:28 2021
New Revision: 1682

Log:
make blfs/advisories/index.html into an index.

Modified:
   html/trunk/blfs/advisories/index.html

Modified: html/trunk/blfs/advisories/index.html
==============================================================================
--- html/trunk/blfs/advisories/index.html       Tue Feb  2 10:44:20 2021        
(r1681)
+++ html/trunk/blfs/advisories/index.html       Tue Feb  2 12:02:28 2021        
(r1682)
@@ -3,401 +3,34 @@
 <!--#include virtual="/blfs/menu.html" -->
     <div class="main">
 
-     <h1>BLFS Security Advisories from September 2020 onwards</h1>
+     <h1>BLFS Security Advisories</h1>
 
      <p>BLFS used to keep details of Security Vulnerabilities in the Errata,
      mostly updating them to point to the latest version in the development 
book
      and updating the brief text if a subsequent vulnerability was 
reported.</p>
 
      <p>Now they are being shown individually with more details. Please note
-     that vulnerabilities to package versions before those in the our release
+     that vulnerabilities to package versions before those in our release
      are not noted, so if you are running a version of BLFS before 10.0 you
      should check the Errata for past releases as well as monitoring the items
      here.</p>
 
-     <!-- to link to this from the end of the Errata, add
-+     <p><a href="../advisories/index.html#BLFS10.0">Advisories for 
BLFS-10.0</a></p>
-     -->
-     <a id="BLFS10.0">
-     <h2>BLFS-10.0 was released on 2020/09/01</h2></a>
-
-     <!-- After a release, change the links to point to the released
-      books, and add a header for the release, then point to the
-      development books for new advisories. -->
-
-     <!-- Editors: Commented entry to copy, and reminder about patches -->
-<!--
-     <h3>SA yyyymmNN Package</h3>
-     <p>Explain the problem, perhaps offering a workaround, and linking to
-     relevant CVEs or package advisory notes.
-     These have been assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-12345";>CVE-2020-12345</a>
-     .</p>
-     <p>To fix this, update to at least Package-VERSION using the instructions
-     from the development book for
-     <a href="../view/svn/path/something.html">Package (sysv)</a> or
-     <a href="../view/systemd/path/something.html">Package (systemd)</a>.</p>
--->
+     <p><b>This is work in progress and NOT up to date. For the moment, also
+     check the Errata for BLFS-10.0 and 10.0-systemd.</b></p>
 
-     <!-- where a fix used a patch, maybe link to it. e.g.
-     <a 
href="http://www.linuxfromscratch.org/patches/blfs/svn/libxml2-2.9.10-security_fixes-1.patch";>
-     for clarity.
+      <!--
+     <p>The advisories for BLFS-10.1 up until BLFS-10.2 is released are at
+     <!\-\-  on release, change is to was \-\->
+     <a href="10.0.ntml">BLFS-10.0</a></p>
      -->
 
-     <h3>SA 20200901 LibX11</h3>
-     <p>In libX11 before version 1.6.12 an integer overflow and double-free
-     was found. This has been assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14363";>CVE-2020-14363</a>
-     .</p>
-     <p>To fix this, update to at least libX11-1.6.12 using the instructions
-     from the development book for
-     <a href="../view/svn/x/x7lib.html">Xorg Libraries (sysv)</a> or
-     <a href="../view/systemd/x/x7lib.html">Xorg Libraries (systemd)</a>.</p>
-
-     <h3>BLFS SA 20200902 Xorg-Server</h3>
-     <p>In Xorg-Server before version 1.20.9 several input validation failures
-     in X server extensions were found. These can lead to local privilege
-     escalations (to root) <b>if the X server is running privileged</b>.
-     These have been assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14345";>CVE-2020-14345</a>
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14346";>CVE-2020-14346</a>
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14361";>CVE-2020-14361</a>
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14361";>CVE-2020-14362</a>
-     .</p>
-     <p>To fix this, update to at least Xorg-Server-1.20.9 using the 
instructions
-     from the development book for
-     <a href="../view/svn/x/xorg-server.html">Xorg-Server (sysv)</a> or
-     <a href="../view/systemd/x/xorg-server.html">Xorg-Server 
(systemd)</a>.</p>
-
-     <h3>LFS SA 2020-09-03 GnuTLS</h3>
-     <p>A null-pointer dereference causing a remotely-triggerd crash in the
-     client application was found and assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-24659";>CVE-2020-24659</a>,
-     see also
-     <a 
href="https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04";>GNUTLS-SA-2020-09-04</a>
-     .</p>
-     <p>To fix this, update to at least Gnu-TLS-3.6.15 using the instructions
-     from the development book for
-     <a href="../view/svn/postlfs/gnutls.html">GnuTLS (sysv)</a> or
-     <a href="../view/systemd/postlfs/gnutls.html">GnuTLS (systemd)</a>.</p>
-
-     <h3>SA 2020-09-04 CIFS-utils</h3>
-     <p>The mount.cifs program was invoking a shell when requesting the Samba
-     password, which could be used to inject arbitrary commands. An attacker
-     able to invoke mount.cifs with special permission, such as via sudo rules,
-     could use this flaw to escalate their privileges.
-     This was assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14342";>CVE-2020-14342</a>,
-     more details at
-     <a 
href="https://lists.samba.org/archive/samba-technical/2020-September/135747.html";>samba-technical</a>
-     .</p>
-     <p>To fix this, update to cifs-utils-6.11 or later using the instructions
-     from the development book for
-     <a href="../view/svn/basicnet/cifsutils.html">CIFS-utils (sysv)</a> or
-     <a href="../view/systemd/basicnet/cifsutils.html">CIFS-utils 
(systemd)</a>.</p>
-
-     <h3>BLFS SA 2020-09-05 BIND</h3>
-     <p>A variety of vulnerabilities were found in BIND. Most could cause a 
crash
-     but one allows privilege escalation by someone with authority to change a 
subset
-     of the zone's content.
-     These were assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8620";>CVE-2020-8620</a>,
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8621";>CVE-2020-8621</a>,
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8622";>CVE-2020-8622</a>,
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8623";>CVE-2020-8623</a> and
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8624";>CVE-2020-8624</a>.
-     See also
-     <a href="https://kb.isc.org/docs/aa-00913";>BIND 9 Security Vulnerabilty 
Matrix #114-8</a>
-     .</p>
-     <p>To fix this, update to BIND-9.6.16 or later using the instructions
-     from the development book for
-     <a href="../view/svn/server/bind.html">BIND (sysv)</a> or
-     <a href="../view/systemd/server/bind.html">BIND (systemd)</a>.</p>
-
-     <h3>SA 2020-09-06 Brotli</h3>
-     <p>An integer oveflow in brotli before version 1.0.9 can lead to a crash.
-     This was assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8927";>CVE-2020-8927</a>.</p>
-     <p>To fix this, update to brotli-1.0.9 or later using the instructions
-     from the development book for
-     <a href="../view/svn/general/brotli.html">Brotli (sysv)</a> or
-     <a href="../view/systemd/general/brotli.html">Brotli (systemd)</a>.</p>
-
-     <h3>20200907 GnuPG</h3>
-     <p>A critical security bug was dicovered in GnuPG 2.2.21 and 2.2.22 as
-     shipped in BLFS 10.0. This vulnerability will trigger whenever a key with
-     preference lists for the AEAD algorithms is loaded, and can be exploited.
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25125";>CVE-2020-25125</a>
-     has been assigned.</p>
-     <p>To fix this, update to GnuPG-2.2.23 or later using the instructions
-     from the development book for
-     <a href="../view/svn/postlfs/gnupg.html">GnuPG (sysv)</a> or
-     <a href="../view/systemd/postlfs/gnupg.html">GnuPG (systemd)</a>.</p>
-
-     <h3>SA 20200908 Cryptsetup</h3>
-     <p>An out of bounds memory write was discovered in Cryptsetup. Note that
-     this only affects 32-bit builds of cryptsetup.
-     relevant CVEs or package advisory notes.
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14382";>CVE-2020-14382</a>
-     has been assigned.</p>
-     <p>To fix this, update to at least cryptsetup-2.3.4 using the instructions
-     from the development book for
-     <a href="../view/svn/postlfs/cryptsetup.html">Cryptsetup (sysv)</a> or
-     <a href="../view/systemd/postlfs/cryptsetup.html">Cryptsetup 
(systemd)</a>.</p>
-
-     <h3>BLFS SA 2020909 Qt5 and QtWebEngine</h3>
-     <p>Many security vulnerabilities were discovered in Qt5-5.15.0 and 
QtWebEngine.
-     For an overview, including the approximately 50 security fixes from Chrome
-     which had CVEs assigned at hte time of hte update, see
-     <a href="http://wiki.linuxfromscratch.org/blfs/ticket/14026";>BLFS ticket 
#14026</a>
-     .</p>
-     <p>To fix this, update to at least Qt-5.15.1 and QtWebEngine-5.15.1 using 
the
-     instructions from the development book for
-     <a href="../view/svn/x/qt5.html">Qt5 (sysv)</a> and
-     <a href="../view/svn/x/qtwebengine.html">QtWebEngine (sysv)</a>, or
-     <a href="../view/systemd/x/qt5.html">Qt5 (systemd)</a> and
-     <a href="../view/systemd/x/qtwebengine.html">QtWebEngine 
(systemd)</a>.</p>
-
-     <h3>LFS SA 20200910 Node.js</h3>
-     <p>Multiple security vulnerabilities were discovered in Node.js, 
including two
-     marked as High. These have been assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8201";>CVE-2020-8201</a> and
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8252";>CVE-2020-8252</a>.</p>
-     <p>To fix this, update to Node.js-12.18.4 or later using the instructions
-     from the development book for
-     <a href="../view/svn/general/nodejs.html">Node.js (sysv)</a> or
-     <a href="../view/systemd/general/nodejs.html">Node.js (systemd)</a>.</p>
-
-     <h3>BLFS SA 2020-0911 Samba</h3>
-     <p>A critical security vulnerability in Samba was discovered, dubbed
-     "NetLogon". This vulnerability classifies as an authentication bypass, 
and is
-     rated a 10.0 on the CVSSv3 scale.
-     <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472";>CVE-2020-1472</a>
-     has been assigned.</p>
-     <p>To fix this, update to Samba-4.12.7 or later using the instructions
-     from the development book for
-     <a href="../view/svn/basicnet/samba.html">Samba (sysv)</a> or
-     <a href="../view/systemd/basicnet/samba.html">Samba (systemd)</a>.</p>
-
-     <h3>SA 2020-0912 Firefox</h3>
-     <p>Four vulnerabilities with CVE numbers were fixed in firefox-78.3.0
-     including a memory safety bug rated as High. Details are at
-     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/";>mfsa2020-43</a>.</p>
-     <p>To fix these, update to firefox-78.3.0 or later using the instructions
-     from the development book for
-     <a href="../view/svn/xsoft/firefox.html">Firefox (sysv)</a> or
-     <a href="../view/systemd/xsoft/firefox.html">Firefox (systemd)</a>.</p>
-
-     <h3>2020-0913 Seamonkey</h3>
-     <p>Security fixes from firefox-60.6 up to firefox ESR-78.1 were included 
in
-     Seamonkey-2.53.4. Please see
-     <a href="https://www.seamonkey-project.org/releases/seamonkey2.53.4/";>The 
Release Notes</a>.</p>
-     <p>To fix these, update to Seamonkey-2.53.4 or later using the 
instructions
-     from the development book for
-     <a href="../view/svn/xsoft/seamonkey.html">Seamonkey (sysv)</a> or
-     <a href="../view/systemd/xsoft/seamonkey.html">Seamonkey 
(systemd)</a>.</p>
-
-     <h3>2020-0914 Thunderbird</h3>
-     <p>Five vulnerabilities with CVE numbers were fixed in thunderbird-78.3.0
-     including a memory safety bug rated as High. Details are at
-     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/";>mfsa2020-44</a>.</p>
-     <p>But users of that version of thuinderbird reported numerous crashes.
-     To fix the vulnerabilities and the crashes update to thunderbird-78.3.1 or
-     later using the instructions
-     from the development book for
-     <a href="../view/svn/xsoft/thunderbird.html">Thunderbird (sysv)</a> or
-     <a href="../view/systemd/xsoft/thunderbird.html">Thunderbird 
(systemd)</a>.</p>
-
-     <h3>2020-0915 Wireshark</h3>
-     <p>Five Security Advisories (wnpa-sec-2020-11,12,13) were fixed in
-     Wireshark-3.2.7, detailed at
-     <a href="https://www.wireshark.org/security/";>Wireshark Security</a>.</p>
-     <p>To fix these, update to wireshark-3.2.7 or later using the instructions
-     from the development book for
-     <a href="../view/svn/basicnet/wireshark.html">Wireshark (sysv)</a> or
-     <a href="../view/systemd/basicnet/wireshark.html">Wireshark 
(systemd)</a>.</p>
-
-<!--
-           <a href="../view/svn/general/nodejs.html">Node.js-14.15.4</a>.</li>
-       <li>After release, a critical security vulnerability in Samba was
-           discovered, dubbed "NetLogon". This vulnerability classifies as an
-           authentication bypass, and is rated a 10.0 on the CVSSv3 scale.
-           It's suggested that you upgrade to Samba-4.13.1 immediately if you
-           have it installed and configured. Use the instructions in
-           <a href="../view/svn/basicnet/samba.html">Samba-4.13.1</a>.</li>
-       <li>After release, several vulnerabilities were discovered in
-           Thunderbird, one of which is rated high. In addition, a critical
-           0day security vulnerability was discovered in Thunderbird that needs
-           to be patched immediately. It is suggested to update
-           to thunderbird-78.6.1 or later using the instructions in
-           <a 
href="../view/svn/xsoft/thunderbird.html">thunderbird-78.6.1</a></li>
-       <li>After release, several vulnerabilities in Wireshark that can cause
-           the application to crash were discovered. These can be remotely
-           exploited to cause Wireshark to crash. To fix these vulnerabilities,
-           update to Wireshark-3.4.2 or higher using the instructions in
-           <a 
href="../view/svn/basicnet/wireshark.html">Wireshark-3.4.2</a>.</li>
-       <li>After release, several dozen vulnerabilities were discovered in
-           Seamonkey. To fix these vulnerabilities, update to Seamonkey-2.53.6
-           or higher. In addition, an urgent 0day vulnerability was discovered
-           in the JavaScript engine that is used in Seamonkey. Another urgent
-           0day was discovered in the way Seamonkey handles SMTP requests.
-           Update to Seamonkey-2.53.6 using the instructions in
-           <a 
href="../view/svn/xsoft/seamonkey.html">Seamonkey-2.53.6</a>.</li>
-       <li>After release, several vulnerabilities were discovered in PHP. To 
fix
-           these vulnerabilities, update to PHP-8.0.1 or later using the
-           instructions in
-           <a href="../view/svn/general/php.html">PHP-8.0.1</a>.</li>
-       <li>After release, a high severity security vulnerability was discovered
-           in Ruby. To fix this vulnerability, update to ruby-2.7.2 or later
-           using the instructions in
-           <a href="../view/svn/general/ruby.html">Ruby-2.7.2</a>.</li>
-       <li>After release, a security vulnerability was discovered in the way
-           that GLib handles URIs. To fix this vulnerability, update to
-           GLib-2.66.1 or later using the instructions in
-           <a href="../view/svn/general/glib2.html">GLib-2.66.1</a>.</li>
-       <li>After release, a security vulnerability was discovered in NSS.
-           This was fixed by tighetning CCS handling when the client doesn't
-           indicate middlebox compatibilty. To fix this vulnerability, update 
to
-           NSS-3.58 or higher using the instructions in
-           <a href="../view/svn/postlfs/nss.html">NSS-3.58</a>.</li>
-       <li>After release, a minor security issue was addressed in stunnel.
-           This issue had to do with the 'redirect' option. To fix this issue,
-           update to stunnel-5.57 or later using the instructions in
-           <a href="../view/svn/postlfs/stunnel.html">stunnel-5.57</a>.</li>
-       <li>After release, two security issues were discovered in lxml that 
allowed
-           it to process JavaScript code. This could potentially lead to
-           arbitrary code execution. To fix this vulnerability, update to
-           lxml-4.6.2 or later using the instructions in
-           <a 
href="../view/svn/general/python-modules.html#lxml">lxml-4.6.2</a>.</li>
-       <li>After release, a security vulnerability was discovered in freetype
-           (all versions since 2.6), a buffer overflow when processing TTF 
files
-           which include PNG glyphs - this is being actively used in the wild.
-           To fix this vulnerability, update to freetype-2.10.4 or later using
-           the instructions in
-           <a 
href="../view/svn/general/freetype2.html">freetype-2.10.4</a>.</li>
-       <li>After release, several vulnerabilities were discovered in the 
Gstreamer
-           Multimedia Stack. To fix these vulnerabilities, update to gstreamer
-           and gst-plugins-* 1.16.3 using the same instructions in the book, 
but
-           with the newer packages.</li>
-        <!\-\- Note: I did not list the instructions for 1.18.x because they 
will
-             cause incompatibilities on older systems. \-\->
-       <li>After release, a signed integer overflow vulnerability was 
discovered
-           in libass. This vulnerability has been assigned CVE-2020-26682. To
-           fix this vulnerability, update to libass-0.15.0 using the
-           instructions in
-           <a href="../view/svn/multimedia/libass.html">libass-0.15.0</a>.</li>
-       <li>After release, several security vulnerabilities were discovered in
-           the MariaDB database server. These vulnerabilities could lead to
-           information disclosure or a repeatable server crash. To fix these
-           vulnerabilities, update to MariaDB-10.5.7 or later using the
-           instructions in
-           <a href="../view/svn/server/mariadb.html">MariaDB-10.5.7</a>.</li>
-       <li>After release, several security vulnerabilities were identified in  
# out of order?  
-           xorg-server that can lead to privilege escalation (to root) due to
-           input validation failures. To fix these vulnerabilities, update to
-           Xorg-Server-1.20.10 using the instructions in
-           <a 
href="../view/svn/x/xorg-server.html">Xorg-Server-1.20.10</a>.</li>
-       <li>After release, several security vulnerabilities were disclosed in
-           the Mozilla Firefox web browser. Several of these are rated as High
-           or Critical. One of them was an urgent 0day that needed to be dealt
-           with urgently (fixed in 78.4.1). Update to Firefox-78.7.0 or later 
using the
-           instructions in
-           <a href="../view/svn/xsoft/firefox.html">Firefox-78.7.0</a>.</li>
-       <li>After release, three high severity vulnerabilities were disclosed in
-           the PostgreSQL databse server. These vulnerabilities could lead to
-           arbitrary execution of SQL commands as the superuser or
-           information disclosure. To fix these vulnerabilities, update to
-           PostgreSQL-13.1 or later using the instructions in
-           <a 
href="../view/svn/server/postgresql.html">PostgreSQL-13.1</a>.</li>
-       <li>After release, four high severity security vulnerabilities were
-           disclosed in the version of c-ares shipped with BLFS 10.0. To fix
-           these vulnerabilities, update to c-ares-1.17.1 or higher using the
-           instructions in
-           <a href="../view/svn/basicnet/c-ares.html">c-ares-1.17.1</a>.
-           You should also update Node.js to 14.15.1 after updating c-ares if
-           you have it installed.</li>
-       <li>After release, a denial of service vulnerability was discovered in
-           MIT Kerberos V5. This only affects the server configuration, not the
-           client configuration. To fix this vulnerability, update to
-           krb5-5.18.3 or later using the instructions in
-           <a href="../view/svn/postlfs/mitkrb.html">MIT Kerberos 
V5-1.18.3</a>.</li>
-       <li>After release, several vulnerabilities were discovered in 
WebKitGTK+.
-           These vulnerabilities include type confusion issues, use-after-free
-           issues, cross-site scripting issues, and arbitrary code execution.
-           To fix these vulnerabilities, update to
-           WebKitGTK+-2.30.3 or later using the instructions in
-           <a href="../view/svn/x/webkitgtk.html">WebKitGTK+-2.30.3</a>.</li>
-       <li>After release, several vulnerabilities were discovered in libxml2.
-           To fix these, apply the patch from
-           <a 
href="http://www.linuxfromscratch.org/patches/blfs/svn/libxml2-2.9.10-security_fixes-1.patch";>
-           libxml2-2.9.10-security_fixes-1.patch</a> to your build and rebuild
-           libxml2.</li>
-       <li>After release, several vulnerabilities were discovered in libexif.
-           To fix these vulnerabilities, apply the patch from
-           <a 
href="http://www.linuxfromscratch.org/patches/blfs/svn/libexif-0.6.22-security_fixes-1.patch";>
-           libexif-0.6.22-security_fixes-1.patch</a> to your build and rebuild
-           libexif.</li>
-       <li>After release, a denial of service vulnerability was
-           discovered in unbound. The severity is deemed as low.
-           The fix is in the newer version
-           unbound-1.13.0 (and higher). You can install it by following
-           the instructions for
-           <a href="../view/svn/server/unbound.html">unbound</a> in
-           the development book.</li>
-       <li>After release, three security vulnerabilities were discovered in
-           cURL as shipped in BLFS. To fix these vulnerabilities, update to
-           cURL-7.74.0 or later using the instructions in
-           <a href="../view/svn/basicnet/curl.html">curl-7.74.0</a>.</li>
-       <li>After release, a security vulnerability in the PNG loader was
-           discovered in gdk-pixbuf. To fix this vulnerability, update to
-           gdk-pixbuf-2.42.2 or higher using the instructions in
-           <a href="../view/svn/x/gdk-pixbuf.html">gdk-pixbuf-2.42.2</a>.</li>
-       <li>After release, three security vulnerabilities in the RPC subsystem
-           were identified in p11-kit as shipped in BLFS 10.0. To fix these
-           vulnerabilities, update to p11-kit-0.23.22 or later using the
-           instructions in
-           <a href="../view/svn/postlfs/p11-kit.html">p11-kit-0.23.22</a>.</li>
-       <li>After release, over a dozen security vulnerabilities were discovered
-           in OpenJPEG as shipped in BLFS 10.0. Several of these 
vulnerabilities
-           are rated as High. To fix these vulnerabilities, update to
-           OpenJPEG-2.4.0 or later using the instructions in
-           <a 
href="../view/svn/general/openjpeg2.html">OpenJPEG-2.4.0</a>.</li>
-       <li>After release, several security vulnerabilities were discovered in
-           libpcap as shipped with BLFS 10.0. To fix these vulnerabilities,
-           update to libpcap-1.10.0 or later using the instructions in
-           <a href="../view/svn/basicnet/libpcap.html">libpcap-1.10.0</a>.</li>
-       <li>After release, two security vulnerabilities were discovered in the
-           Dovecot mail server as shipped with BLFS 10.0. One of these
-           vulnerabilities may allow a user to read another users' mail or the
-           server's filesystem depending on the configuration on the server.
-           To fix these two vulnerabilities, update to Dovecot-2.3.13 or later
-           using the instructions in
-           <a href="../view/svn/server/dovecot.html">Dovecot-2.3.13</a>.</li>
-       <li>After release, a use-after-free security vulnerability was
-           discovered in Poppler as shipped with BLFS 10.0. This vulnerability
-           can lead to arbitrary code execution via a malicious PDF file. To 
fix
-           this vulnerability, update to poppler-21.01.0 or higher using the
-           instructions in
-           <a href="../view/svn/general/poppler.html">poppler-21.01.0</a>.</li>
-       <li>After release, multiple security vulnerabilities were discovered in
-           Sudo before 1.9.5p1. To fix these vulnerabilities, update to
-           Sudo-1.9.5p1 or later using the instructions in
-           <a href="../view/svn/postlfs/sudo.html">sudo-1.9.5p1</a>.</li>
-       <li>Various vulnerabilities in ImageMagick were found, including various
-           things leading to a Denial of Service (crash), and also the
-           possibility to inject additional shell commands when accessing a
-           password-protected PDF file. To fix these vulnerabilities update to
-           ImageMagick-7.0.10-57 or higher using the instructions in
-           <a 
href="../view/svn/general/imagemagick.html">ImageMagick-7.0.10-57</a>.</li>
-       <li>After release, several vulnerabilities were discovered in 
vorbis-tools
-           as shipped in BLFS 10.0. These vulnerabilities range from memory 
leaks
-           to potentially arbitrary code execution via malicious OGG files.
-           To fix these vulnerabilities, update to vorbis-tools-1.4.2
-           or later using the instructions in
-           <a 
href="../view/svn/multimedia/vorbistools.html">vorbis-tools-1.4.2</a>.</li>
-     </ul>-->
+     <p>The advisories for BLFS-10.0 up until BLFS-10.1 is released are at
+     <!-- on release, change is to was -->
+     <a href="10.0.html">BLFS-10.0</a></p>
+
+     <p>A consolidated list of LFS and BLFS advisories since the release of
+     LFS-10.0 and BLFS-10.0 can be found at
+     <a href="consolidated.html">consolidated.html</a></p>
 
-     <a id="BLFS10.1">
-     <h2>Items during the lifetime of BLFS-10.1 would come here.</h2></a>
 
 <!--#include virtual="/common/footer.html" -->
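Review bot: In the commented-out template added for the next release, the line `<a href="10.0.ntml">BLFS-10.0</a>` has a misspelled extension (`.ntml`) and still names 10.0 as both target and label, although the sentence above it is about BLFS-10.1. If it is uncommented as-is at release time it gives a dead link with the wrong label, so it should presumably point at `10.1.html` and read BLFS-10.1. Separately, the `<a id="BLFS10.0">` anchor is deleted, yet the removed editor comment told people to link to it from the Errata as `../advisories/index.html#BLFS10.0`; any such link now lands at the top of the index instead of on the advisories. The revision lists only index.html as modified, so please confirm that 10.0.html and consolidated.html are already in place, because the per-advisory text (fixed versions and CVE links) no longer appears on this page.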
-- 
http://lists.linuxfromscratch.org/listinfo/website
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
