Author: ken
Date: Wed Feb  3 14:11:15 2021
New Revision: 1687

Log:
Security Advisories - to end of November.
If I'm lucky, I've fixed the alphabetical order.

Modified:
   html/trunk/blfs/advisories/10.0.html
   html/trunk/blfs/advisories/consolidated.html

Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html        Tue Feb  2 12:29:19 2021        (r1686)
+++ html/trunk/blfs/advisories/10.0.html        Wed Feb  3 14:11:15 2021        (r1687)
@@ -29,8 +29,7 @@
      version(s) fixed in case other relevant changes are noted.</p>
 
      <!-- After a release, copy for next book version, leave just template 
stuff
-      in that, then change these links to point to the released books and note
-      that later advisories will be in the [next release] version -->
+      ad initially say "There are no known vulnerabilities." -->
 
 <!-- start of list: Order is Alphabetic by package name (create multiple 
entries
      if more than one package is involved, e.g. for those firefox updates which
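Review bot: the replacement comment line `ad initially say "There are no known vulnerabilities." -->` has a typo, "ad" for "and". Note also that the two removed lines were the only reminder to repoint the links at the released books after a release; if that step still applies, keep one sentence of it rather than dropping it entirely.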
@@ -57,6 +56,17 @@
 
 <!-- end of Brotli -->
 
+     <h3>C-Ares</h3>
+
+     <h4>10.0 039 C-Ares  Date: 2020-11-19  Severity: High</h4>
+     <p>An application using C-Ares versions from 1.16.0 to 1.17.1 allows an
+     attacker to trigger a Denial of service by getting the
+     application to resolve a DNS record with an unexpectedly larger number
+     of responses.
+     <a href=consolidated.html#10.0-039>10.0-039</a></p>
+
+<!-- end of C-Ares -->
+
      <h3>CIFS-utils</h3>
 
      <h4>10.0 008 Cryptsetup  Date: 2020-09-06  Severity: High</h4>
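Review bot: the affected range in the new C-Ares entry, `versions from 1.16.0 to 1.17.1`, contradicts the remedy given in the matching consolidated entry, which is to update to C-Ares-1.17.1 or later; if 1.17.1 carries the fix, the range should read "from 1.16.0 to 1.17.0" or "before 1.17.1". Separately, the unchanged context shows `<h3>CIFS-utils</h3>` immediately followed by `<h4>10.0 008 Cryptsetup ...`, so either a Cryptsetup heading is missing or the CIFS-utils heading is stray; worth fixing in the same pass given the log message's aim of correcting the ordering.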
@@ -81,6 +91,16 @@
 
      <h3>Firefox</h3>
 
+     <h4>10.0 036 Firefox  Date: 2020-11-16  Severity: High</h4>
+     <p>Several vulnerabilities were fond in firefox before 78.5.0, of which 
two
+     were rated as high. Update to firefox-78.5.0 or later.
+     <a href=consolidated.html#10.0-036>10.0-036</a></p>
+
+     <h4>10.0 030 Firefox  Date: 2020-11-09  Severity: Critical</h4>
+     <p>An exploitable use-after-free was found in firefox before 78.4.1.
+     Update to firefox-78.4.1 or later.
+     <a href=consolidated.html#10.0-030>10.0-030</a></p>
+
      <h4>10.0 014 Firefox  Date: 2020-09-21  Severity: High</h4>
      <p>Four vulnerabilities including a memory safety bug rated as High were
       fixed in firefox-78.3.0. Update to firefox-78.3.0 or later.
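Review bot: typo in the 10.0 036 entry, `Several vulnerabilities were fond in firefox` should read "found". The mail-client line wrapping (`of which` / `two`) is not part of the patch and can be ignored.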
@@ -135,14 +155,49 @@
 
 <!-- end of Gstreamer -->
 
+     <h3>JS78</h3>
+
+     <h4>10.0 037 JS78  Date: 2020-11-16  Severity: High</h4>
+     <p>Several vulnerabilities were found in firefox before 78.5.0, of which 
one
+     was in the javascript (js/src) code. To fix this, update to JS-78.5.0
+     or later.
+     <a href=consolidated.html#10.0-037>10.0-037</a></p>
+
+     <h4>10.0 031 JS78  Date: 2020-11-09  Severity: Critical</h4>
+     <p>An exploitable use-after-free was found in JS78 before 78.4.1.
+     Update to JS-78.4.1 or later.
+     <a href=consolidated.html#10.0-031>10.0-031</a></p>
+
+<!-- end of JS78 -->
+
+     <h3>Kerberos</h3>
+
+     <h4>10.0 040 Kerberos 5  Date: 2020-11-19  Severity: High</h4>
+     <p>A vulnerability in Kerberos 5 before krb-5.18.3 allowed a Denial of
+     Service to be triggered when decoding Kerberos protocol messages.
+     <a href=consolidated.html#10.0-040>10.0-040</a></p>
+
+<!-- end of Kerberos -->
+
       <h3>Libass</h3>
 
      <h4>10.0 027 Libass  Date: 2020-10-30  Severity: High</h4>
-     <p>In Libasss-0.14.0 there was a vulnerability from a signed integer 
overflow.
+     <p>In Libass-0.14.0 there was a vulnerability from a signed integer 
overflow.
+     To fix this, update to Libass-0.15.0 or later.
      <a href=consolidated.html#10.0-027>10.0-027</a></p>
 
 <!-- end of Libass -->
 
+     <h3>LibEXIF</h3>
+
+     <h4>10.0 045 LibEXIF Date: 2020-11-21 Severity: Critical</h4>
+     <p>Three vulnerabilities were found in LibEXIF-0.6.22.
+     To fix this, apply the libexif-0.6.22-security_fixes-1.patch
+     until a later release is available.
+     <a href=consolidated.html#10.0-045>10.0-045</a></p>
+
+<!-- end of LibEXIF -->
+
      <h3>LibX11</h3>
 
      <h4>10.0 001 LibX11  Date: 2020-09-03  Severity: High</h4>
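Review bot: the Kerberos entry names the fixed release as `krb-5.18.3` in both the description and the remedy; MIT Kerberos 5 is versioned 1.18.x (the consolidated entry's own release-notes link is to krb5-1.18), so this should be `krb5-1.18.3`. Minor: the JS78 031 entry says the use-after-free was "found in JS78 before 78.4.1" while the remedy says "JS-78.4.1"; pick one naming form for the package within an entry.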
@@ -152,19 +207,52 @@
 
 <!-- end of LibX11 -->
 
+     <h3>LibXML2</h3>
+
+     <h4>10.0 044 LibXML2 Date: 2020-11-21 Severity: High</h4>
+     <p>Three vulnerabilities leading to Denial of Service were found in
+     LibXML2-2.9.10.
+     <a href=consolidated.html#10.0-044>10.0-044</a></p>
+
+<!-- end of LibXML2 -->
+
      <h3>LXML</h3>
 
      <a id="10.0-023">
      <h4>10.0 023 LXML  Date: 2020-10-17  Severity: Medium</h4>
      <p>A remote attacker can trick the victim to follow a specially crafted
      link and execute arbitrary HTML and script code in the user's browser in
-     the context of a vulnerable website.
+     the context of a vulnerable website. Update to LXML-4.6.2 or later.
      <a href=consolidated.html#10.0-023>10.0-023</a></p>
 
 <!-- end of LXML -->
 
+     <h3>MariaDB</h3>
+     <h4>10.0 029 MariaDB  Date: 2020-11-04  Severity: Medium</h4>
+     <p>Four CVE vulnerabilities were identified in MariaDB before version
+     10.5.7, update to mariadb-10.5.7 or later.
+     <a href=consolidated.html#10.0-029>10.0-029</a></p>
+
+<!-- end of MariaDB -->
+
+     <h3>Mutt</h3>
+
+     <h4>10.0 046 Mutt Date: 2020-11-26 Severity: Medium</h4>
+     <p>Mutt before version 2.0.2 had incorrect error handling when initially 
connecting
+     to an IMAP server, which could result in an attempt to authenticate 
without enabling
+     TLS. To fix this, update to mutt-2.0.2 or later.
+     <a href=consolidated.html#10.0-046>10.0-046</a></p>
+
+<!-- end of Mutt -->
+
      <h3>Node.js</h3>
 
+     <h4>10.0 038 Node.js  Date: 2020-11-19  Severity: High</h4>
+     <p>An attacker could cause a Denial of Service via a DNS request for a
+     host of their choice which resulted in an unexpectedly large number of
+     responses.
+     <a href=consolidated.html#10.0-038>10.0-038</a></p>
+
      <h4>10.0 012 Node.js  Date: 2020-09-17  Severity: High</h4>
      <p>Multiple security vulnerabilities were discovered in Node.js, 
including two
      marked as High. Update to Node.js-12.18.4 or later.
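Review bot: the new LibXML2 044 and Node.js 038 entries are the only additions in this file that state no remedy; every other entry ends with "update to X or later" or names the patch. Add the remedies the consolidated entries give (apply `libxml2-2.9.10-security_fixes-1.patch` until a later release; update to Node.js-14.15.1 or later, or 12.19.1 on the v12 series). Style: the new `<h3>MariaDB</h3>` has no blank line before its `<h4>`, unlike the other sections, and "Denial of service" / "Denial of Service" capitalisation differs between the C-Ares and Node.js entries describing the same issue.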
@@ -176,27 +264,12 @@
 
      <h4>10.0 022 NSS  Date: 2020-10-17  Severity: High</h4>
      <p>A vulnerability in CSS handling, which could allow a remote attacker to
-     cause a denial of service fore servers linked against NSS, was discovered.
+     cause a denial of service for servers linked against NSS, was discovered.
      Update to NSS-3.58 or later.
      <a href=consolidated.html#10.0-022>10.0-022</a></p>
 
 <!-- end of NSS -->
 
-     <h3>Samba</h3>
-
-     <h4>10.0 028 Samba  Date: 2020-10-30  Severity: Medium</h4>
-     <p>Three CVE vulnerabilities were identified in Samba before version 
4.13.1,
-     Update to 4.13.1 or later.
-     <a href=consolidated.html#10.0-028>10.0-028</a></p>
-
-     <h4>10.0 013 Samba  Date: 2020-09-26  Severity: Critical</h4>
-     <p>A critical security vulnerability in Samba was discovered, dubbed
-     "NetLogon". This vulnerability classifies as an authentication bypass, 
and is
-     rated a 10.0 on the CVSSv3 scale. Update to Samba-4.12.7 or later.
-     <a href=consolidated.html#10.0-013>10.0-013</a></p>
-
-<!-- end of Samba -->
-
      <h3>PHP</h3>
 
      <h4>10.0 019 PHP  Date: 2020-10-05  Severity: Medium</h4>
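Review bot: the `fore` to `for` fix is good, but the same sentence has a second typo: `A vulnerability in CSS handling` should read "CCS handling". NSS is a TLS library, and the server-side denial of service fixed in NSS-3.58 concerned flooding of TLS 1.3 ChangeCipherSpec (CCS) messages, not CSS. Moving the Samba block below Ruby is correct for alphabetical order; since the block is re-added verbatim later in this patch, this is also the moment to fix its `4.13.1,` / `Update to 4.13.1` comma-then-capital punctuation.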
@@ -206,17 +279,72 @@
 
 <!-- end of PHP -->
 
+      <h3>PostgreSQL</h3>
+
+     <h4>10.0 034 PostgreSQL  Date: 2020-11-12 Severity: High</h4>
+     <p>A number of vulnerabilities were fixed in PostgreSQL-13.1. Update
+     to postgresql-13.1 or later.
+     <a href=consolidated.html#10.0-034>10.0-034</a></p>
+
+<!-- end of PostgreSQL -->
+
+     <h3>Qt5 and QtWebEngine</h3>
+
+     <h4>10.0 042 Qt5 and QtWebEngine  Date: 2020-11-20  Severity: 
Critical</h4>
+     <p>The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from 
Chrome,
+     of which four were 0day fixes. The rest of Qt5 includes many bug fixes, 
some of
+     which include heap buffer overflows. Update to at least Qt-5.15.2 and
+     QtWebEngine-5.15.2.
+     <a href=consolidated.html#10.0-042>10.0-042</a></p>
+
+     <h4>10.0 011 Qt5 and QtWebEngine  Date: 2020-09-10  Severity: 
Critical</h4>
+     <p>Many security vulnerabilities were discovered in Qt5-5.15.0 and 
QtWebEngine.
+     Update to at least Qt-5.15.1 and QtWebEngine-5.15.1.
+     <a href=consolidated.html#10.0-011>10.0-011</a></p>
+
+<!-- end of Qt5 and QtWebEngine -->
+
+     <h3>Raptor</h3>
+     <h4>10.0 035 Raptor  Date: 2020-11-13 Severity: High</h4>
+     <p>A heap overflow vulnerability in Raptor can lead to an out-of-boundsi
+     write. Patch raptor-2.0.15 with the security_fiexs-1.patch since upstream
+     is inactive.
+     <a href=consolidated.html#10.0-035>10.0-035</a></p>
+
+<!-- end of Raptor -->
+
      <h3>Ruby</h3>
 
      <h4>10.0 020 Ruby  Date: 2020-10-06  Severity: High</h4>
      <p>The bundled WEBrick HTTP server in ruby before 2.7.2 had a 
vulnerability
-     which could lead to an HTTP Request Smuggling attack.
+     which could lead to an HTTP Request Smuggling attack. Update to ruby-2.7.2
+     or later.
      <a href=consolidated.html#10.0-020>10.0-020</a></p>
 
 <!-- end of Ruby -->
 
+     <h3>Samba</h3>
+
+     <h4>10.0 028 Samba  Date: 2020-10-30  Severity: Medium</h4>
+     <p>Three CVE vulnerabilities were identified in Samba before version 
4.13.1,
+     Update to 4.13.1 or later.
+     <a href=consolidated.html#10.0-028>10.0-028</a></p>
+
+     <h4>10.0 013 Samba  Date: 2020-09-26  Severity: Critical</h4>
+     <p>A critical security vulnerability in Samba was discovered, dubbed
+     "NetLogon". This vulnerability classifies as an authentication bypass, 
and is
+     rated a 10.0 on the CVSSv3 scale. Update to Samba-4.12.7 or later.
+     <a href=consolidated.html#10.0-013>10.0-013</a></p>
+
+<!-- end of Samba -->
+
      <h3>Seamonkey</h3>
 
+     <h4>10.0 032 Seamonkey  Updated: 2020-11-15  Severity: Critical</h4>
+     <p>The javascript vulnerability in JS-78-4.1 and firefox-78.4.1 also
+     applies to seamonkey-2.53.4. Update to seamonkey-2.53.5 or later.
+     <a href=consolidated.html#10.0-032>10.0-032</a></p>
+
      <h4>10.0 015 Seamonkey  Date: 2020-09-23  Severity: Critical</h4>
      <p>Security fixes from firefox-60.6 up to firefox ESR-78.1 were included 
in
      Seamonkey-2.53.4. Update to Seamonkey-2.53.4 or later.
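Review bot: the Raptor 035 entry has two typos in its remedy, `out-of-boundsi` for "out-of-bounds" and `security_fiexs-1.patch` for the patch named in the consolidated entry, `raptor-2.0.15-security_fixes-1.patch`. The Seamonkey 032 entry disagrees with its consolidated counterpart in this same commit: here it says `Updated: 2020-11-15` and "update to seamonkey-2.53.5 or later", there it says Updated 2020-11-21 and 2.53.5.1 (which had further fixes); the two should match, and `JS-78-4.1` should be `JS-78.4.1`. Style: the `<h3>PostgreSQL</h3>` line is indented one space deeper than the other headings.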
@@ -235,6 +363,17 @@
 
      <h3>Thunderbird</h3>
 
+     <h4>10.0 041 Thunderbird  Date: 2020-11-19 Severity: High</h4>
+     <p>Several vulnerabilities were fixed in Thunderbird-78.5.0, two were 
rated
+     High. To fix these update to thunderbird-78.5.0 or later.
+     <a href=consolidated.html#10.0-041>10.0-041</a></p>
+
+     <a id="10.0-033">
+     <h4>10.0 033 Thunderbird  Date: 2020-11-10  Severity: Critical</h4>
+     <p>The javascript vulnerability fixed in firefox-78.4.1 also applies to
+     thunderbird. To fix this update to thunderbird-78.4.2 or later.
+     <a href=consolidated.html#10.0-033>10.0-033</a></p>
+
      <h4>10.0 025 Thunderbird  Date: 2020-10-23  Severity: High</h4>
      <p>Three vulnerabilities rated as High were fixed in thunderbird-78.4.0.
      To fix these update to thunderbird-78.4.0 or later.
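Review bot: the new `<a id="10.0-033">` before the Thunderbird 033 heading is never closed, so the anchor element swallows the rest of the section. Either close it with `</a>` after the `</h4>` or drop it: the other new entries in 10.0.html carry no id anchor (they link to the consolidated page instead), and the only existing one, `<a id="10.0-023">` in the LXML section, has the same defect.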
@@ -249,14 +388,13 @@
 
 <!-- end of Thunderbird -->
 
-     <h3>Qt5 and QtWebEngine</h3>
+      <h3>WebKitGTK</h3>
+     <h4>10.0 043 WebKitGTK Date: 2020-11-25 Severity: High</h4>
+     <p>Five vulnerabilities rated as High were found in WebKitGTK.
+     To fix these upgrade to webkitgtk-2.30.3 or later.
+     <a href=consolidated.html#10.0-043>10.0-043</a></p>
 
-     <h4>10.0 011 Qt5 and QtWebEngine  Date: 2020-09-10  Severity: 
Critical</h4>
-     <p>Many security vulnerabilities were discovered in Qt5-5.15.0 and 
QtWebEngine.
-     Update to at least Qt-5.15.1 and QtWebEngine-5.15.1.
-     <a href=consolidated.html#10.0-011>10.0-011</a></p>
-
-<!-- end of Qt5 and QtWebEngine -->
+<!-- end of WebKitGTK -->
 
      <h3>Wireshark</h3>
 

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Tue Feb  2 12:29:19 2021        (r1686)
+++ html/trunk/blfs/advisories/consolidated.html        Wed Feb  3 14:11:15 2021        (r1687)
@@ -33,11 +33,14 @@
      <!-- Editors: Commented entry to copy, and reminder about patches
 
      If there is a CVE, https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNN
-     shows severities.
+     shows severities.  If not, cve.mitre.org may show some details.
+     But if upstream assigns a severity (often higher than nvd go with that.
 
      <h4>VV.V NNN Package  Date: ccyy-mm-dd  Severity: 
Critical/High/Medium/Low/Uncertain</h4>
       or
      <h4>VV.V NNN (LFS) Package  Date: ccyy-mm-dd  Severity: 
Critical/High/Medium/Low/Uncertain</h4>
+       'Uncertain' items would need to be reviewed quickly!
+       If in doubt default to High.
      <p>Explain the problem, perhaps offering a workaround, and linking to
      relevant CVEs or package advisory notes.
      These have been assigned
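Review bot: the added editor note `But if upstream assigns a severity (often higher than nvd go with that.` is missing its closing parenthesis; it should read "(often higher than nvd) go with that." This is inside an HTML comment so nothing renders, but the guidance is for editors and should be readable.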
@@ -57,10 +60,18 @@
      <a 
href="http://www.linuxfromscratch.org/patches/blfs/svn/libxml2-2.9.10-security_fixes-1.patch";>
      for clarity. -->
 
-     <a id="BLFS10.0"> <!-- maybe doesn't need to be linked -->
-     <h2>BLFS-10.0 was released on 2020/09/01</h2></a>
+     <h2>Items between the releases of the 10.0 and 10.1 books</h2></a>
 
-     <p>For some of these, the effective dates may be slightly adrift.</p>
+     <!-- Editors: This batch of advisories for the 10.0 books point to the
+      development books until we make a release. After a release, new 
advisories
+      for 10.1 need to point to the development books, but the existing 10.0
+      advisories need to be changed to point to 10.1 (sic), not 'stable' which
+      is a symlink and can change over time. That might sound odd, but the 10.0
+      advisories wre developed during the build up to 10.1, so in normal
+      circumstances the 'or later' will be valid for the 10.1 release, but over
+      the longer term who knows what will happen to packages (e.g. getting
+      replaced or archived). See the gstreamer links re 1.16 for an example of
+      linking to a released book (old 10.0) -->
 
 <!-- commented until I get to December 
      <a id="10.0-999">
@@ -79,6 +90,249 @@
      <a href="../../lfs/view/development/chapter08/openssl.html">OpenSSL 
(sysv)</a> or
      <a href="../../lfs/view/systemd/chapter08/openssl.html">OpenSSL 
(systemd)</a>.</p>-->
 
+     <a id="10.0-046">
+     <h4>10.0 046 Mutt Date: 2020-11-26 Severity: Medium</h4>
+     <p>Mutt before version 2.0.2 had incorrect error handling when initially 
connecting
+     to an IMAP server, which could result in an attempt to authenticate 
without enabling
+     TLS.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-28896";>CVE-2020-28896</a>.</p>
+     <p>To fix this, update to mutt-2.0.2 or later following the instructions
+     from the development book for
+     <a href="../view/svn/basicnet/mutt.html">Mutt (sysv)</a> or
+     <a href="../view/systemd/basicnet/mutt.html">Mutt (systemd)</a>.</p>
+
+     <a id="10.0-045">
+     <h4>10.0 045 LibEXIF Date: 2020-11-21 Severity: Critical</h4>
+     <p>Three vulnerabilities were found in LibEXIF-0.6.22, two are rated as 
High
+     and one as Critical. See
+     <a href="http://wiki.linuxfromscratch.org/blfs/ticket/14272"/>BLFS 
#14272</a> and
+     the following CVEs:
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-0181";>CVE-2020-0181</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-0198";>CVE-2020-0198</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-0452";>CVE-2020-0452</a>.</p>
+     <p>To fix these, update to a version of LibEXIF after version 0.6.22 if 
one is
+      released, or apply the patch
+     <a 
href="http://www.linuxfromscratch.org/patches/downloads/libexif/libexif-0.6.22-security_fixes-1.patch";>libexif-0.6.22-security_fixes-1.patch</a>
+     following the instructions
+     from the development book for
+     <a href="../view/svn/general/libexif.html">LibEXIF (sysv)</a> or
+     <a href="../view/systemd/general/libexif.html">LibEXIF (systemd)</a>.</p>
+
+     <a id="10.0-044">
+     <h4>10.0 044 LibXML2 Date: 2020-11-21 Severity: High</h4>
+     <p>Three vulnerabilities leading to Denial of Service were found in 
LibXML2-2.9.10,
+     two of these are rated as High. See
+     <a href="http://wiki.linuxfromscratch.org/blfs/ticket/14271"/>BLFS 
#14271</a> and
+     the following CVEs:
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2019-20388";>CVE-2019-20388</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-7595";>CVE-2020-7595</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-24977";>CVE-2020-24977</a>.</p>
+     <p>To fix these, apply the patch
+     <a 
href="http://www.linuxfromscratch.org/patches/downloads/libxml2/libxml2-2.9.10-security_fixes-1.patch";>libxml2-2.9.10-security_fixes-1.patch</a>
+     following the instructions
+     from the development book for
+     <a href="../view/svn/general/libxml2.html">LibXML2 (sysv)</a> or
+     <a href="../view/systemd/general/libxml2.html">LibXML2 (systemd)</a>,
+     or update to a later version if one is released.</p>
+
+     <a id="10.0-043">
+     <h4>10.0 043 WebKitGTK Date: 2020-11-25 Severity: High</h4>
+     <p>Five vulnerabilities rated as High were found in WebKitGTK. See
+     <a href="http://wiki.linuxfromscratch.org/blfs/ticket/14281"/>BLFS 
#14281</a> and
+     the following CVEs (most were filed against Safari, which uses WebKit):
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9948";>CVE-2020-9948</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9951";>CVE-2020-9951</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9952";>CVE-2020-9952</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9983";>CVE-2020-9983</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-13584";>CVE-2020-13584</a>.</p>
+     <p>To fix this, update to at least webkitgtk-2.30.3 using the instructions
+     from the development book for
+     <a href="../view/svn/x/webkitgtk.html">WebKitGTK (sysv)</a> or
+     <a href="../view/systemd/x/webkitgtk.html">WebKitGTK (systemd)</a>.</p>
+
+     <a id="10.0-042">
+     <h4>10.0 042 Qt5 and QtWebEngine  Date: 2020-11-20  Severity: 
Critical</h4>
+     <p>The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from 
Chrome,
+     of which four were 0day fixes. The rest of Qt5 includes many bug fixes, 
some of
+     which include heap buffer overflows.
+     For QtWebEngine see
+     <a 
href="https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.15.2/?h=v5.15.2";>QtWebEngine
 5.15.2 changes</a>,
+     For the other parts of Qt5 see
+     <a href="https://wiki.qt.io/Qt_5.15.2_Change_Files";>Qt-5.15.2 
Changes</a>.</p>
+     To fix these, update to at least Qt-5.15.2 and QtWebEngine-5.15.1 using 
the
+     instructions from the development book for
+     <a href="../view/svn/x/qt5.html">Qt5 (sysv)</a> and
+     <a href="../view/svn/x/qtwebengine.html">QtWebEngine (sysv)</a>, or
+     <a href="../view/systemd/x/qt5.html">Qt5 (systemd)</a> and
+     <a href="../view/systemd/x/qtwebengine.html">QtWebEngine 
(systemd)</a>.</p>
+
+     <a id="10.0-041">
+     <h4>10.0 041 Thunderbird  Date: 2020-11-19 Severity: High</h4>
+     <p>Several vulnerabilities were fixed in Thunderbird-78.5.0, two were 
rated
+     High. Details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/";>mfsa2020-52</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26951";>CVE-2020-26951</a>.
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26968";>CVE-2020-26968</a>.<p>
+     <p>To fix this, update to Thunderbird-78.5.0 or later using the 
instructions
+     from the development book for
+     <a href="../view/svn/xsoft/thunderbird.html">Thunderbird (sysv)</a> or
+     <a href="../view/systemd/xsoft/thunderbird.html">Thunderbird 
(systemd)</a>.</p>
+
+     <a id="10.0-040">
+     <h4>10.0 040 Kerberos 5  Date: 2020-11-19  Severity: High</h4>
+     <p>A vulnerability in Kerberos 5 before krb-5.18.3 allowed a Denial of
+     Service to be triggered when decoding Kerberos protocol messages. See
+     <a href="https://web.mit.edu/kerberos/krb5-1.18/";>Release Notes</a>.</p>
+     <p>To fix this, update to krb-5.18.3 or later using the instructions
+     from the development book for
+     <a href="../view/svn/postlfs/mitkrb.html">Kerberos (sysv)</a> or
+     <a href="../view/systemd/postlfs/mitkrb.html">Kerberos (systemd)</a>.</p>
+
+     <a id="10.0-039">
+     <h4>10.0 039 C-Ares  Date: 2020-11-19  Severity: High</h4>
+     <p>An application using C-Ares versions from 1.16.0 to 1.17.1 allows an
+     attacker to trigger a Denial of service by getting the
+     application to resolve a DNS record with a larger number of responses. See
+     <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-8277";>CVE-2020-8277</a>
+     which was initially raised against Node.js.</p>
+     <p>To fix this, update to C-Ares-1.17.1 or later using the instructions
+     from the development book for
+     <a href="../view/svn/basicnet/c-ares.html">C-Ares (sysv)</a> or
+     <a href="../view/systemd/basicnet/c-ares.html">C-Ares (systemd)</a>.</p>
+
+     <a id="10.0-038">
+     <h4>10.0 038 Node.js  Date: 2020-11-19  Severity: High</h4>
+     <p>A Node.js application that allows an attacker to trigger a DNS request
+     for a host of their choice could trigger a Denial of service by getting 
the
+     application to resolve a DNS record with a larger number of responses.
+     This also applies to C-Ares, which is shipped with Node.js.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8277";>CVE-2020-8277</a>.</p>
+     <p>To fix this, update to Node.js-14.15.1 or later using the instructions
+     from the development book for
+     <a href="../view/svn/general/nodejs.html">Node.js (sysv)</a> or
+     <a href="../view/systemd/general/nodejs.html">Node.js (systemd)</a>
+     Alternatively, if you are still using the v12 series, you may prefer to
+     update to v12.19.1 or later.</p>
+
+     <a id="10.0-037">
+     <h4>10.0 037 JS78  Date: 2020-11-16  Severity: High</h4>
+     <p>Several vulnerabilities were found in firefox before 78.5.0, of which 
one
+     was in the javascript (js/src) code. Summary details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/";>mfsa2020-51</a>
+     .</p>
+     <p>To fix this, update to JS-78.5.0 or later using the instructions
+     from the development book for
+     <a href="../view/svn/general/js78.html">JS78 (sysv)</a> or
+     <a href="../view/systemd/general/js78.html">JS78 (systemd)</a>.</p>
+
+     <a id="10.0-036">
+     <h4>10.0 036 Firefox  Date: 2020-11-16  Severity: High</h4>
+     <p>Several vulnerabilities were fond in firefox before 78.5.0, of which 
two
+     were rated as high by upstream. Details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/";>mfsa2020-51</a>
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26951";>CVE-2020-26951</a> and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26968";>CVE-2020-26968</a>.</p>
+     <p>To fix this, update to firefox-78.5.0 or later using the instructions
+     from the development book for
+     <a href="../view/svn/xsoft/firefox.html">Firefox (sysv)</a> or
+     <a href="../view/systemd/xsoft/firefox.html">Firefox (systemd)</a>.</p>
+
+     <a id="10.0-035">
+     <h4>10.0 035 Raptor  Date: 2020-11-13 Severity: High</h4>
+     <p>A heap overflow vulnerability in Raptor can lead to an out-of-bounds 
write.
+     Details are at
+     <a 
href="https://www.openwall.com/lists/oss-security/2017/06/07/1";>oss-security</a>
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2017-18926";>CVE-2017-18926</a>.</p>
+     <p>To fix this, patch raptor-2.0.15 using
+     <a 
href="http://www.linuxfromscratch.org/patches/downloads/raptor/raptor-2.0.15-security_fixes-1.patch";>raptor-2.0.15-security_fixes-1.patch</a>
+     and the instructions
+     from the development book for
+     <a href="../view/svn/general/raptor.html">Raptor (sysv)</a> or
+     <a href="../view/systemd/general/raptor.html">Raptor (systemd)</a>.</p>
+
+     <a id="10.0-034">
+     <h4>10.0 034 PostgreSQL  Date: 2020-11-12 Severity: High</h4>
+     <p>Three vulnerabilities rated as High were found in PostgreSQL before 
13.1.
+     Details are at
+     <a 
href="https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/";>PostgreSQL</a>
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25694";>CVE-2020-25694</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25695";>CVE-2020-25695</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25696";>CVE-2020-25696</a>.</p>
+     <p>To fix this, update to PostgreSQL-13.1 or later, using the instructions
+     from the development book for
+     <a href="../view/svn/server/postgresql.html">PostgreSQL (sysv)</a> or
+     <a href="../view/systemd/server/postgresql.html">PostgrSQL 
(systemd)</a>.</p>
+
+     <a id="10.0-033">
+     <h4>10.0 033 Thunderbird  Date: 2020-11-10  Severity: Critical</h4>
+     <p>The javascript vulnerability fixed in firefox-78.4.1 also applies to
+     thunderbird. Details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/";>mfsa2020-49</a>
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26950";>CVE-2020-26950</a>.
+     <p>To fix this, update to Thunderbird-78.4.2 or later using the 
instructions
+     from the development book for
+     <a href="../view/svn/xsoft/thunderbird.html">Thunderbird (sysv)</a> or
+     <a href="../view/systemd/xsoft/thunderbird.html">Thunderbird 
(systemd)</a>.</p>
+
+     <a id="10.0-032">
+     <h4>10.0 032 Seamonkey  Updated: 2020-11-21  Severity: Critical</h4>
+     <p>The javascript vulnerability in JS-78-4.1 and firefox-78.4.1 also
+     applies to seamonkey-2.53.4. In BLFS this was initially partly fixed
+     by patching Seamonkey-2.53.4 using
+     <a 
href="http://www.linuxfromscratch.org/patches/downloads/seamonkey/seamonkey-2.53.4-security_fixes-1.patch";>seamonkey-2.53.4-security_fixes-1.patch</a>
+     but was later revised to use Seamonkey-2.53.5 when that became available.
+     And then Seamonkey-2.53.5.1 had further fixes for this.
+     <p>To fix these, update to Seamonkey-2.53.5.1 or later using the 
instructions
+     from the development book for
+     <a href="../view/svn/xsoft/seamonkey.html">Seamonkey (sysv)</a> or
+     <a href="../view/systemd/xsoft/seamonkey.html">Seamonkey 
(systemd)</a>.</p>
+
+     <a id="10.0-031">
+     <h4>10.0 031 JS78  Date: 2020-11-09  Severity: Critical</h4>
+     <p>An exploitable use-after-free was found in JS78 before 78.4.1.
+     Details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/";>mfsa2020-49</a>
+     <!-- NB on 2021-02-02 mozilla bug 1675905 is still not viewable -->
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26950";>CVE-2020-26950</a>.
+     <p>To fix this, update to JS-78.4.1 or later using the instructions
+     from the development book for
+     <a href="../view/svn/general/js78.html">JS78 (sysv)</a> or
+     <a href="../view/systemd/general/js78.html">JS78 (systemd)</a>.</p>
+
+     <a id="10.0-030">
+     <h4>10.0 030 Firefox  Date: 2020-11-09  Severity: Critical</h4>
+     <p>An exploitable use-after-free was found in firefox before 78.4.1.
+     Details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/";>mfsa2020-49</a>
+     <!-- NB on 2021-02-02 mozilla bug 1675905 is still not viewable -->
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26950";>CVE-2020-26950</a>.
+     <p>To fix this, update to firefox-78.4.1 or later using the instructions
+     from the development book for
+     <a href="../view/svn/xsoft/firefox.html">Firefox (sysv)</a> or
+     <a href="../view/systemd/xsoft/firefox.html">Firefox (systemd)</a>.</p>
+
+     <a id="10.0-029">
+     <h4>10.0 029 MariaDB  Date: 2020-11-04  Severity: Medium</h4>
+     <p>Four CVE vulnerabilities were identified in MariaDB before version 
10.5.7,
+     as well as a high security vulnerability only applicable to windows.
+     See <a 
href="https://mariadb.com/kb/en/mariadb-1057-release-notes/";>Release Notes</a> 
and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14812";>CVE-2020-14812</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14765";>CVE-2020-14765</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14776";>CVE-2020-14776</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14789";>CVE-2020-14789</a>.</p>
+     <p>To fix this, update to at least mariadb-10.5.7 using the instructions
+     from the development book for
+     <a href="../view/svn/server/mariadb.html">MariaDB (sysv)</a> or
+     <a href="../view/systemd/server/mariadb.html">MariaDB (systemd)</a>.</p>
+
+     <a id="10.0-027">
      <a id="10.0-028">
      <h4>10.0 028 Samba  Date: 2020-10-30  Severity: Medium</h4>
      <p>Three CVE vulnerabilities were identified in Samba before version 
4.13.1,
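Review bot: the added `<a id="10.0-027">` at the end of this hunk sits immediately before the existing `<a id="10.0-028">` Samba entry, so the Libass link `consolidated.html#10.0-027` from 10.0.html will land on Samba; the anchor belongs on the Libass 027 entry. Several markup faults in the new entries: the BLFS ticket links for 045, 044 and 043 are written `<a href="...ticket/14272"/>BLFS #14272</a>` and the `/>` self-closes the tag, so use `">`; entries 033, 032, 031 and 030 open a second `<p>To fix this` without closing the preceding paragraph; entry 041 ends its CVE paragraph with `.<p>` instead of `</p>`; and in 042 the "To fix these" paragraph has a `</p>` but no opening `<p>`. Content faults: 042's remedy says `QtWebEngine-5.15.1` while the description and the 10.0.html entry say 5.15.2; 039's affected range `from 1.16.0 to 1.17.1` contradicts its remedy of 1.17.1 or later; 040 names the fixed release `krb-5.18.3` although the release-notes link is to krb5-1.18, so `krb5-1.18.3`; 032 gives `Updated: 2020-11-21` and 2.53.5.1 where the 10.0.html entry gives 2020-11-15 and 2.53.5. Typos: `fond` in 036, `PostgrSQL` in 034, the stray ` .` after the mfsa2020-51 link in 037, the `.` before `and` in 041's CVE list, and the missing full stop after `Node.js (systemd)</a>` in 038.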
@@ -151,7 +405,7 @@
      <a href="../view/systemd/general/freetype2.html">FreeType 
(systemd)</a>.</p>
 
      <a id="10.0-023">
-     <h4>10.0 023 LXML  Date: 2020-10-17  Severity: Medium</h4>
+     <h4>10.0 023 LXML  Updated: 2020-11-28  Severity: Medium</h4>
      <p>A remote attacker can trick the victim to follow a specially crafted
      link and execute arbitrary HTML and script code in the user's browser in
      the context of a vulnerable website.
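Review bot: the LXML heading here is changed to `Updated: 2020-11-28`, but the matching entry in 10.0.html, edited earlier in this commit, keeps `Date: 2020-10-17` while adding the new 4.6.2 remedy; the two headings should be updated the same way so readers can tell the entry was revised.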
@@ -159,7 +413,8 @@
      and
      <a 
href="https://www.cybersecurity-help.cz/vdb/SB2020120602";>cybersecurity-help.cz</a>
      .</p>
-     <p>To fix this, update to LXML-4.6.1 or later using the instructions
+     <p>This was thought to be fixed in LXML-4.6.1, but that fix was 
inadequate.
+     To fix this, update to LXML-4.6.2 or later using the instructions
      from the development book for
      <a href="../view/svn/general/python-modules.html#lxml">LXML (sysv)</a> or
      <a href="../view/systemd/general/python-modules.html#lxml">LXML 
(systemd)</a>.</p>
-- 
http://lists.linuxfromscratch.org/listinfo/website