Author: ken
Date: Wed Feb  3 15:29:17 2021
New Revision: 1688

Log:
Advisories up to OpenSSL.
I see I also had alphabetical-order problems in the LFS page.

Modified:
   html/trunk/blfs/advisories/10.0.html
   html/trunk/blfs/advisories/consolidated.html
   html/trunk/lfs/advisories/10.0.html

Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html        Wed Feb  3 14:11:15 2021        
(r1687)
+++ html/trunk/blfs/advisories/10.0.html        Wed Feb  3 15:29:17 2021        
(r1688)
@@ -89,6 +89,16 @@
 
 <!-- end of Crypt-setup -->
 
+     <h3>cURL</h3>
+
+     <h4>10.0 050 cURL Date: 2020-12-11 Severity: High</h4>
+     <p>cURL before version 7.74.0 has two vulnerabilities rated as High, an
+     uncontrolled recursion and an improper check for certificate revocation, 
as
+     well as one rated as Low. To fix these, upgrade to curl-7.74.0 or later.
+     <a href=consolidated.html#10.0-050>10.0-050</a></p>
+
+<!-- end of cURL -->
+
      <h3>Firefox</h3>
 
      <h4>10.0 036 Firefox  Date: 2020-11-16  Severity: High</h4>
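Review bot: the new cURL entry uses unquoted attribute values (`<a href=consolidated.html#10.0-050>`) while the consolidated page quotes every href; both render, but quoting here would keep the two files consistent and avoid breakage if a fragment ever contains a space or quote. Also "Date: 2020-12-11" has a single space before "Date" whereas the Firefox header below uses two; worth picking one spacing for the whole page.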
@@ -117,6 +127,17 @@
 
 <!-- end of FreeType -->
 
+     <h3>Gdk-Pixbuf</h3>
+
+     <h4>10.0 049 Gdk-Pixbuf Date: 2020-12-08 Severity: Medium</h4>
+     <p>Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service
+     (infinite loop) which can, for example, be triggered using a crafted GIF
+     image with LZW compression. To fix this, update to gdk-pixbuf-2.42.2 or
+     later.
+     <a href=consolidated.html#10.0-049>10.0-049</a></p>
+
+<!-- end of Gdk-Pixbuf -->
+
      <h3>Glib</h3>
 
      <h4>10.0 018 Glib  Date: 2020-10-05  Severity: Medium</h4>
@@ -288,6 +309,15 @@
 
 <!-- end of PostgreSQL -->
 
+     <h3>Python</h3>
+
+     <h4>10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High</h4>
+     <p>Python-3.9.1 includes three security fixes. Update to Python-3.9.1
+     or later.
+     <a href=consolidated.html#10.0-051>10.0-051</a></p>
+
+<!-- end of Python -->
+
      <h3>Qt5 and QtWebEngine</h3>
 
      <h4>10.0 042 Qt5 and QtWebEngine  Date: 2020-11-20  Severity: 
Critical</h4>
@@ -388,6 +418,15 @@
 
 <!-- end of Thunderbird -->
 
+     <h3>Unbound</h3>
+
+     <h4>10.0 047 Unbound Updated: 2020-12-05 Severity: Medium</h4>
+     <p>Unbound up to and including version 1.12.0 contains a local 
vulnerability
+     that would allow for a local symlink attack.
+     <a href=consolidated.html#10.0-047>10.0-047</a></p>
+
+<!-- end of Unbound -->
+
       <h3>WebKitGTK</h3>
      <h4>10.0 043 WebKitGTK Date: 2020-11-25 Severity: High</h4>
      <p>Five vulnerabilities rated as High were found in WebKitGTK.
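Review bot: the Unbound entry is the only one in this hunk with no remediation sentence; every other new entry ends with "To fix this, update to ..." and the consolidated page does name Unbound-1.13.0 as the fix, so the summary should say "To fix this, update to Unbound-1.13.0 or later." before the link. The header also reads "Updated: 2020-12-05" where all other headers use "Date:"; if the intent is to record that the severity was revised, keep "Date:" and note the downgrade in the paragraph as the consolidated entry does.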
@@ -409,6 +448,13 @@
 
      <h3>Xorg-Server</h3>
 
+     <h4>10.0 048 Xorg-Server  Date 2020-12-05  Severity: High</h4>
+     <p>In Xorg-Server before version 1.20.10 two input validation failures
+     in X server extensions were found. These can lead to local privilege
+     escalations (to root) <b>if the X server is running privileged</b>.
+     Update to Xorg-Server-1.20.10 or later.
+     <a href=consolidated.html#10.0-048>10.0-048</a></p>
+
      <h4>10.0 002 Xorg-Server  Date 2020-09-03  Severity: High</h4>
      <p>In Xorg-Server before version 1.20.9 several input validation failures
      in X server extensions were found. These can lead to local privilege
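Review bot: the new 10.0 048 header reads "Date 2020-12-05" without the colon; this copies the existing 10.0 002 line but every other header on the page uses "Date:", so fix both while here. The fix text also says "Update to Xorg-Server-1.20.10" where the consolidated entry says "at least Xorg-Server-1.20.10"; either wording is fine, but the two pages should match.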

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Wed Feb  3 14:11:15 
2021        (r1687)
+++ html/trunk/blfs/advisories/consolidated.html        Wed Feb  3 15:29:17 
2021        (r1688)
@@ -73,11 +73,8 @@
       replaced or archived). See the gstreamer links re 1.16 for an example of
       linking to a released book (old 10.0) -->
 
-<!-- commented until I get to December 
-     <a id="10.0-999">
-     <h4>10.0 999 OpenSSL (LFS) Date: 2020-12-15 Severity: High</h4>
-     <p><b>This is an LFS advisory, to examine the possibility of using this
-     page to cover both LFS and BLFS.</b> It is experimental.</p>
+     <a id="10.0-052">
+     <h4>10.0 052 OpenSSL (LFS) Date: 2020-12-15 Severity: High</h4>
      <p>The EDIPARTYNAME NULL pointer de-reference allows an attacker who can
      trick a client or server into checking a malicious X509 certificate could
      trigger a crash. This is rated High.
@@ -88,7 +85,69 @@
      <p>To fix this, update to at least OpenSSL-1.1.1i using the instructions
      from the LFS development book for
      <a href="../../lfs/view/development/chapter08/openssl.html">OpenSSL 
(sysv)</a> or
-     <a href="../../lfs/view/systemd/chapter08/openssl.html">OpenSSL 
(systemd)</a>.</p>-->
+     <a href="../../lfs/view/systemd/chapter08/openssl.html">OpenSSL 
(systemd)</a>.</p>
+
+     <a id="10.0-051">
+     <h4>10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High</h4>
+     <p>Python-3.9.1 includes three security fixes. See
+     <a href="https://bugs.python.org/issue40791";>bpo-40791</a>,
+     <a href="https://bugs.python.org/issue42051";>bpo-42051</a>,
+     <a href="https://bugs.python.org/issue42103";>bpo-42103</a>.</p>
+     <p>To fix this, update to at least Python-3.9.1 using the instructions
+     from the <b>BLFS</b> development book for
+     <a href="../view/svn/general/python3.html">Python (sysv)</a> or
+     <a href="../view/systemd/general/python3.html">Python (systemd)</a>.</p>
+
+     <a id="10.0-050">
+     <h4>10.0 050 cURL Date: 2020-12-11 Severity: High</h4>
+     <p>cURL before version 7.74.0 has two vulnerabilities rated as High, an
+     uncontrolled recursion and an improper check for certificate revocation, 
as
+     well as one rated as Low. See
+     <a href="http://wiki.linuxfromscratch.org/blfs/ticket/14363"/>BLFS 
#14363</a> and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8284";>CVE-2020-8284</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8285";>CVE-2020-8285</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8286";>CVE-2020-8286</a>.</p>
+     <p>To fix these, update to cURL-7.74.0 or later following the instructions
+     from the development book for
+     <a href="../view/svn/basicnet/curl.html">cURL (sysv)</a> or
+     <a href="../view/systemd/basicnet/curl.html">cURL (systemd)</a>.</p>
+
+     <a id="10.0-049">
+     <h4>10.0 049 Gdk-Pixbuf Date: 2020-12-08 Severity: Medium</h4>
+     <p>Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service
+     (infinite loop) which can, for example, be triggered using a crafted GIF
+     image with LZW compression.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-29385";>CVE-2020-29385</a>.</p>
+     <p>To fix this, update to Gdk-Pixbuf-2.42.2 or later following the 
instructions
+     from the development book for
+     <a href="../view/svn/x/gdk-pixbuf.html">Gdk-Pixbuf (sysv)</a> or
+     <a href="../view/systemd/x/gdk-pixbuf.html">Gdk-Pixbuf (systemd)</a>.</p>
+
+     <a id="10.0-048">
+     <h4>10.0 048 Xorg-Server  Date 2020-12-05  Severity: High</h4>
+     <p>In Xorg-Server before version 1.20.10 two input validation failures
+     in X server extensions were found. These can lead to local privilege
+     escalations (to root) <b>if the X server is running privileged</b>.
+     These have been assigned
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14360";>CVE-2020-14360</a>
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25712";>CVE-2020-25712</a>
+     .</p>
+     <p>To fix this, update to at least Xorg-Server-1.20.10 using the 
instructions
+     from the development book for
+     <a href="../view/svn/x/xorg-server.html">Xorg-Server (sysv)</a> or
+     <a href="../view/systemd/x/xorg-server.html">Xorg-Server 
(systemd)</a>.</p>
+
+     <a id="10.0-047">
+     <h4>10.0 047 Unbound Updated: 2020-12-05 Severity: Medium</h4>
+     <p>Unbound up to and including version 1.12.0 contains a local 
vulnerability
+     that would allow for a local symlink attack. Severity downgraded following
+     availability of analysis.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-28935";>CVE-2020-28935</a>.</p>
+     <p>To fix this, update to Unbound-1.13.0 or later following the 
instructions
+     from the development book for
+     <a href="../view/svn/server/unbound.html">Unbound (sysv)</a> or
+     <a href="../view/systemd/server/unbound.html">Unbound (systemd)</a>.</p>
 
      <a id="10.0-046">
      <h4>10.0 046 Mutt Date: 2020-11-26 Severity: Medium</h4>
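Review bot: the BLFS ticket link in the cURL entry is malformed: `<a href="http://wiki.linuxfromscratch.org/blfs/ticket/14363"/>BLFS #14363</a>` closes the anchor tag with `/>` before the link text, so browsers will treat the text as outside the link and the stray `</a>` as unmatched; change `"/>` to `">`. Two smaller points in the same hunk: the Xorg-Server 048 entry leaves the final period on its own line (`.</p>`) after the second CVE link, giving "CVE-2020-25712 ." in the rendered page, and the Unbound header uses "Updated:" where every other entry uses "Date:".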
@@ -371,7 +430,7 @@
      <a href="../view/10.0-systemd/multimedia/gstreamer10.html">Gstreamer 1.16 
(systemd)</a>
      <i> et seq.</i></p>
      <p>On systems running Gstreamer 1.18 versions, update to the
-     gstreamer-1.18.1 or later packages (gstreamer, -libav, -plugins, -vaapi
+     gstreamer-1.18.1 or later packages (gstreamer, -libav, -plugins, -vaapi)
      using the instructions from the development book for
      <a href="../view/svn/multimedia/gstreamer10.html">Gstreamer 1.18 
(sysv)</a>i
      <i>et seq.</i> or
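Review bot: the missing closing parenthesis is fixed, but the unchanged context line directly below still reads `Gstreamer 1.18 (sysv)</a>i`, with a stray `i` after the closing anchor tag that will render as literal text; since this hunk already touches the paragraph, drop that character too.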
@@ -662,7 +721,7 @@
      in X server extensions were found. These can lead to local privilege
      escalations (to root) <b>if the X server is running privileged</b>.
      These have been assigned
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14345";>CVE-2020-14345</a>
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14360";>CVE-2020-14360</a>
      <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14346";>CVE-2020-14346</a>
      <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14361";>CVE-2020-14361</a>
      <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-14361";>CVE-2020-14362</a>
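Review bot: this hunk replaces CVE-2020-14345 with CVE-2020-14360 in the 10.0 002 entry (Xorg-Server before 1.20.9), but the new 10.0 048 entry added earlier in this file (Xorg-Server before 1.20.10) already assigns CVE-2020-14360 to the 1.20.10 fix, so the same CVE is now listed under two different fix versions; please check which entry should carry it, and if 10.0 002 was correct before, restore CVE-2020-14345. The surrounding context also has a link whose href points at CVE-2020-14361 while its text reads CVE-2020-14362; the href should be `.../CVE-2020-14362`.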
@@ -672,6 +731,7 @@
      <a href="../view/svn/x/xorg-server.html">Xorg-Server (sysv)</a> or
      <a href="../view/systemd/x/xorg-server.html">Xorg-Server 
(systemd)</a>.</p>
 
+
      <a id="10.0-001">
      <h4>10.0 001 LibX11  Date: 2020-09-03  Severity: High</h4>
      <p>Effective 2020-09-03</p>

Modified: html/trunk/lfs/advisories/10.0.html
==============================================================================
--- html/trunk/lfs/advisories/10.0.html Wed Feb  3 14:11:15 2021        (r1687)
+++ html/trunk/lfs/advisories/10.0.html Wed Feb  3 15:29:17 2021        (r1688)
@@ -19,23 +19,24 @@
      after a release -->
      books.</i></p>
 
-<!-- comment OpenSSL until I get to mid December
-     <h3>OpenSSL (LFS)</h3>
-
-     <h4>10.0 999 OpenSSL (LFS) Date: 2020-12-15 Severity: High</h4>
-     <p>A vulnerability in OpenSSL could be exploited to cause a crash.
-     To fix this, update to OpenSSL-1.1.1i or later.
-     <a href=../../consolidated.html#10.0-999>10.0-999</a></p>-->
-
      <!-- After a release, copy for next book version, leave just template 
stuff
       in that, then change these links to point to the released books and note
       that later advisories will be in the [next release] version -->
 
      <!-- Editors - do the consolidated page first, to get the next advisory 
number -->
 
+
+     <h3>Bison</h3>
+
+     <h4>10.0 009 Bison (LFS)  Date: 2020-09-15  Severity: Low</h4>
+     <p>Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself, the
+     generated code should not be affected. See
+     <a href=../../blfs/advisories/consolidated.html#10.0-009>10.0-009</a></p>
+
+     <!-- End of Bison -->
+
      <h3>Linux Kernel</h3>
 
-     <a id="10.0-010">
      <h4>10.0 010 Linux Kernel (LFS)  Date: 2020-09-15  Severity: High</h4>
      <p>In Linux kernels before 5.8.8 there is a potential privilege escalation
      in 64-bit kernels.
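Review bot: the `<a id="10.0-010">` anchor is dropped from the Linux Kernel entry, which breaks any existing link to this page's `#10.0-010`; that is fine if the intent is that only the consolidated page carries anchors (as the BLFS 10.0.html already does), but then the commit message should say so. Also the moved Bison block gains a second blank line after the "Editors" comment and uses "<!-- End of Bison -->" while the OpenSSL block added below uses "<!-- end of OpenSSL -->"; pick one casing for the end-of-section comments.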
@@ -43,15 +44,22 @@
 
      <!-- End of Linux Kernel -->
 
-     <h3>Bison</h3>
+     <h3>OpenSSL (LFS)</h3>
 
-     <a id="10.0-009">
-     <h4>10.0 009 Bison (LFS)  Date: 2020-09-15  Severity: Low</h4>
-     <p>Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself, the
-     generated code should not be affected. See
-     <a href=../../blfs/advisories/consolidated.html#10.0-009>10.0-009</a></p>
+     <h4>10.0 053 OpenSSL (LFS) Date: 2020-12-15 Severity: High</h4>
+     <p>A vulnerability in OpenSSL could be exploited to cause a crash.
+     To fix this, update to OpenSSL-1.1.1i or later.
+     <a href=../../consolidated.html#10.0-999>10.0-053</a></p>
 
-     <!-- End of Linux Kernel -->
+     <!-- end of OpenSSL -->
+
+     <h3>Python</h3>
+
+     <h4>10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High</h4>
+     <p>Python-3.9.1 includes three security fixes. Update to Python-3.9.1
+     or later <i>using the BLFS instructions</i>.
+     <a href=consolidated.html#10.0-051>10.0-051</a></p>
 
+     <!-- End of Python -->
 
 <!--#include virtual="/common/footer.html" -->
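Review bot: the OpenSSL entry's cross-reference is wrong in three ways: the header says "10.0 053" while the consolidated.html change in this same commit numbers the OpenSSL advisory 10.0-052; the href still targets `#10.0-999`, the placeholder anchor that this commit removes; and the path `../../consolidated.html` does not match the `../../blfs/advisories/consolidated.html` form used by the Bison entry above. Likewise the Python entry links to `consolidated.html#10.0-051` relative to `lfs/advisories/`, where no consolidated page exists; it should use the same `../../blfs/advisories/consolidated.html#10.0-051` path. Since the log says the consolidated page assigns the advisory numbers, 052 looks like the correct one and the LFS header should be changed to match.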
-- 
http://lists.linuxfromscratch.org/listinfo/website
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page