Author: ken
Date: Thu Feb  4 05:09:34 2021
New Revision: 1690

Log:
Advisories - to end of December.

Modified:
   html/trunk/blfs/advisories/10.0.html
   html/trunk/blfs/advisories/consolidated.html

Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html        Wed Feb  3 15:31:57 2021        
(r1689)
+++ html/trunk/blfs/advisories/10.0.html        Thu Feb  4 05:09:34 2021        
(r1690)
@@ -24,9 +24,10 @@
      after a release -->
      books.</i></p>
 
-     <p>You may also wish to look for the entries in the Change Log of the
-     relevant book and follow the links to the ticket(s) which the later
-     version(s) fixed in case other relevant changes are noted.</p>
+     <p>In general, the severity is taken from upstream, if supplied, or from
+     NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there,
+     but individual severity ratings at NVD can change over time. If no other
+     information is available, 'High' will normally be assumed.</p>
 
      <!-- After a release, copy for next book version, leave just template 
stuff
       ad initially say "There are no known vulnerabilities." -->
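Review bot: The NVD reference in the new severity paragraph is a bare path prefix, "(https://nvd.nist.gov/vuln/detail/)", with no CVE id and no anchor tag, so it is neither clickable nor a page a reader can open. Either make it a proper link or simply name NVD. The paragraph says ratings "can change over time" but does not say whether an advisory keeps the rating as of its own date or is revised later; one sentence on that would help anyone comparing an entry against NVD afterwards. The removed hint about following the Change Log tickets has no replacement, so confirm it was meant to go.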
@@ -94,13 +95,18 @@
      <h4>10.0 050 cURL Date: 2020-12-11 Severity: High</h4>
      <p>cURL before version 7.74.0 has two vulnerabilities rated as High, an
      uncontrolled recursion and an improper check for certificate revocation, 
as
-     well as one rated as Low. To fix these, upgrade to curl-7.74.0 or later.
+     well as one rated as Low. To fix these, update to curl-7.74.0 or later.
      <a href=consolidated.html#10.0-050>10.0-050</a></p>
 
 <!-- end of cURL -->
 
      <h3>Firefox</h3>
 
+     <h4>10.0 053 Firefox  Date: 2020-12-15  Severity: Critical</h4>
+     <p>Several vulnerabilities were found in firefox before 78.6.0, of which 
one
+     was rated as critical. Update to firefox-78.6.1 or later.
+     <a href=consolidated.html#10.0-053>10.0-053</a></p>
+
      <h4>10.0 036 Firefox  Date: 2020-11-16  Severity: High</h4>
      <p>Several vulnerabilities were fond in firefox before 78.5.0, of which 
two
      were rated as high. Update to firefox-78.5.0 or later.
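Review bot: In the new 10.0 053 entry the affected range and the fix do not line up: the flaws are "in firefox before 78.6.0" but the reader is told to "Update to firefox-78.6.1 or later". If 78.6.1 is intended, say why 78.6.0 is not sufficient; otherwise use 78.6.0. The context line for 10.0 036 just below still reads "were fond", which this commit corrects in consolidated.html but not here.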
@@ -291,6 +297,26 @@
 
 <!-- end of NSS -->
 
+     <h3>OpenJPEG</h3>
+
+     <h4>10.0 058 OpenJPEG  Date: 2020-12-15  Severity: High</h4>
+     <p>In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high
+     (heap-based buffer overflows) and two rated as Medium (crashes on crafted
+     files) as well as several other security fixes.
+     <a href=consolidated.html#10.0-058>10.0-058</a></p>
+
+<!-- end of OpenJPEG -->
+
+     <h3>P11-Kit</h3>
+
+     <h4>10.0 054 P11-Kit  Date: 2020-12-15  Severity: High</h4>
+     <p>In P11-Kit up to 0.23.21 there are multiple integer overflows in the
+     array allocatons, and a heap-based buffer overflow.  Update to
+     p11-kit-0.23.22 or later.
+     <a href=consolidated.html#10.0-054>10.0-054</a></p>
+
+<!-- end of P11-Kit -->
+
      <h3>PHP</h3>
 
      <h4>10.0 019 PHP  Date: 2020-10-05  Severity: Medium</h4>
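Review bot: The new OpenJPEG entry 10.0 058 never tells the reader what to do. The other short entries in this file end with an "update to X or later" sentence, so add "Update to OpenJPEG-2.4.0 or later" before the link. The same sentence mixes "rated as high" and "rated as Medium"; pick one capitalisation. In the P11-Kit entry, "allocatons" should be "allocations".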
@@ -393,6 +419,17 @@
 
      <h3>Thunderbird</h3>
 
+     <!-- to save putting this in each thunderbird advisory: -->
+     <p><i>In general, flaws in Mozilla advisories for Thunderbird cannot be
+     exploited through email in the Thunderbird product because scripting is
+     disabled when reading mail, but are potentially risks in browser or
+     browser-like contexts.</i></p>
+
+     <h4>10.0 056 Thunderbird  Date: 2020-11-19 Severity: Critical</h4>
+     <p>Several vulnerabilities were fixed in Thunderbird-78.6.0, one was rated
+     as Critical. To fix hese update to Thunderbird-78.6.0 or later.
+     <a href=consolidated.html#10.0-056>10.0-056</a></p>
+
      <h4>10.0 041 Thunderbird  Date: 2020-11-19 Severity: High</h4>
      <p>Several vulnerabilities were fixed in Thunderbird-78.5.0, two were 
rated
      High. To fix these update to thunderbird-78.5.0 or later.
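Review bot: The date on the new 10.0 056 heading, 2020-11-19, is identical to the date on 10.0 041 for Thunderbird-78.5.0 directly below it, while the Firefox 78.6.0 entry added in this same commit (10.0 053) is dated 2020-12-15. This looks copied from 041 and should be checked against the upstream advisory. "To fix hese update" needs "these", and "are potentially risks" in the new italic note reads better as "are potential risks".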
@@ -437,8 +474,22 @@
 
      <h3>Wireshark</h3>
 
+     <h4>10.0 057 Wireshark  Updated: 2021-02-04  Severity: Invalid</h4>
+     <p>A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1
+     was raised and allocated a CVE, but it was later determined that the
+     bug was not present in any released version of Wireshark. No action is
+     necessary.
+     <a href=consolidated.html#10.0-057>10.0-057</a></p>
+
+     <h4>10.0 055 Wireshark  Date: 2020-09-23  Severity: High</h4>
+     <p>Four Medium Security Advisories which could cause Wireshark to crash 
were
+     fixed in Wireshark-3.4.1, but in addition the editors had overlooked a 
High
+     severity item fixed in Wireshark-3.4.0. To fix all of these, update to
+     Wireshark-3.4.1.
+     <a href=consolidated.html#10.0-055>10.0-055</a></p>
+
      <h4>10.0 017 Wireshark  Date: 2020-09-23  Severity: High</h4>
-     <p>Five Security Advisories (wnpa-sec-2020-11,12,13) were fixed in
+     <p>Three Security Advisories (wnpa-sec-2020-11,12,13) were fixed in
      Wireshark-3.2.7, detailed at
      <a href="https://www.wireshark.org/security/";>Wireshark Security</a>.
      To fix these, update to wireshark-3.2.7 or later.
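Review bot: The new 10.0 055 heading carries Date: 2020-09-23, the same date as 10.0 017 for Wireshark-3.2.7 below, although it covers fixes in 3.4.0 and 3.4.1; it looks copied and should be verified. In 10.0 057 the text describes a crash "in Wireshark 3.4.0 and 3.4.1" and then says the bug "was not present in any released version", which contradicts itself as written; wording such as "reported against" would avoid that. 10.0 055 also says "update to Wireshark-3.4.1" without the "or later" that consolidated.html uses for the same advisory.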

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Wed Feb  3 15:31:57 
2021        (r1689)
+++ html/trunk/blfs/advisories/consolidated.html        Thu Feb  4 05:09:34 
2021        (r1690)
@@ -73,6 +73,94 @@
       replaced or archived). See the gstreamer links re 1.16 for an example of
       linking to a released book (old 10.0) -->
 
+     <a id="10.0-058">
+     <h4>10.0 058 OpenJPEG  Date: 2020-12-15  Severity: High</h4>
+     <p>In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high, 
and
+     another two rated as medium. See
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2019-6988";>CVE-2019-6988</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2019-12973";>CVE-2019-12793</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-6851";>CVE-2020-6851</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-8112";>CVE-2020-8112</a>.</p>
+     <p>To fix these, update to OpenJPEG-2.4.0 or later using the instructions
+     from the development book for
+     <a href="../view/svn/general/openjpeg2.html">OpenJPEG2 (sysv)</a> or
+     <a href="../view/systemd/general/openjpeg2.html">OpenJPEG2 
(systemd)</a>.</p>
+
+     <a id="10.0-057">
+     <h4>10.0 057 Wireshark  Updated: 2021-02-04  Severity: Invalid</h4>
+     <p>A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1
+     was raised and allocated
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26422";>CVE-2020-26422</a>,
+     but it was later determined that the bug was not present in any released
+     version of Wireshark:
+     <a 
href="https://www.wireshark.org/security/wnpa-sec-2020-20.html";>wnpa-sec-2020-20</a>
+     so no action is necessary.</p>
+
+     <a id="10.0-056">
+     <h4>10.0 056 Thunderbird  Date: 2020-11-19 Severity: Critical</h4>
+     <p>Several vulnerabilities were fixed in Thunderbird-78.6.0, one was rated
+     as Critical. Details are at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/";>mfsa2020-56</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-16042";>CVE-2020-16042</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26971";>CVE-2020-26971</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26973";>CVE-2020-26973</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26974";>CVE-2020-26974</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26978";>CVE-2020-26978</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-35113";>CVE-2020-35113</a>.</p>
+     <p>To fix this, update to Thunderbird-78.6.0 or later using the 
instructions
+     from the development book for
+     <a href="../view/svn/xsoft/thunderbird.html">Thunderbird (sysv)</a> or
+     <a href="../view/systemd/xsoft/thunderbird.html">Thunderbird 
(systemd)</a>.</p>
+
+     <a id="10.0-055">
+     <h4>10.0 055 Wireshark  Date: 2020-09-23  Severity: High</h4>
+     <p>Four Medium Security Advisories for items which could cause Wireshark
+     to crash were fixed in Wireshark-3.4.1, detailed at
+     <a href="https://www.wireshark.org/security/";>Wireshark Security</a>,
+     but in addition the editors had overlooked a High severity item fixed in
+     Wireshark-3.4.0.
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26418";>CVE-2020-26418</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26419";>CVE-2020-26419</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26420";>CVE-2020-26420</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26421";>CVE-2020-26421</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26575";>CVE-2020-26575</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-28030";>CVE-2020-28030</a>.</p>
+     <p>To fix these, update to wireshark-3.4.1 or later using the instructions
+     from the development book for
+     <a href="../view/svn/basicnet/wireshark.html">Wireshark (sysv)</a> or
+     <a href="../view/systemd/basicnet/wireshark.html">Wireshark 
(systemd)</a>.</p>
+
+     <a id="10.0-054">
+     <h4>10.0 054 P11-Kit  Date: 2020-12-15  Severity: High</h4>
+     <p>In P11-Kit up to 0.23.21 there are two vulnerabilities rated as high, 
and
+     another rated as medium. See
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-29361";>CVE-2020-29361</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-29362";>CVE-2020-29362</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-29363";>CVE-2020-29363</a>.</p>
+     <p>To fix this, update to p11-kit-0.23.22 or later using the instructions
+     from the development book for
+     <a href="../view/svn/postlfs/p11-kit.html">P11-Kit (sysv)</a> or
+     <a href="../view/systemd/postlfs/p11-kit.html">P11-Kit (systemd)</a>.</p>
+
+     <a id="10.0-053">
+     <h4>10.0 053 Firefox  Date: 2020-12-15  Severity: Critical</h4>
+     <p>Several vulnerabilities were found in firefox before 78.6.0, of which 
one
+     was rated as critical and four as high by upstream, as well as one rated 
low
+     (but ratedas Medium by NVD) where internal network hosts and services on 
the
+     user's machine could have been probed by a malicious webpage. Details are 
at
+     <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/";>mfsa2020-55</a>
+     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-16042";>CVE-2020-16042</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26971";>CVE-2020-26971</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26973";>CVE-2020-26973</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26974";>CVE-2020-26974</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26978";>CVE-2020-26978</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-35113";>CVE-2020-35113</a>.</p>
+     <p>To fix this, update to firefox-78.5.0 or later using the instructions
+     from the development book for
+     <a href="../view/svn/xsoft/firefox.html">Firefox (sysv)</a> or
+     <a href="../view/systemd/xsoft/firefox.html">Firefox (systemd)</a>.</p>
+
      <a id="10.0-052">
      <h4>10.0 052 OpenSSL (LFS) Date: 2020-12-15 Severity: High</h4>
      <p>The EDIPARTYNAME NULL pointer de-reference allows an attacker who can
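Review bot: In 10.0-058 the second CVE link points at .../CVE-2019-12973 but its link text reads CVE-2019-12793; the ids differ by a digit transposition, so one of them is wrong and a reader who copies the text will look up a different CVE than the one linked. In 10.0-053 the fix line says "update to firefox-78.5.0 or later" for flaws found "before 78.6.0"; 78.5.0 is the version from the older 10.0-036 entry and also disagrees with the 78.6.1 given in 10.0.html. Smaller points: "ratedas" needs a space, each new <a id="..."> is opened but never closed (as with the existing 10.0-052 anchor), and the headings for 10.0-056 and 10.0-055 carry the same dates as the older 041 and 017 entries.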
@@ -230,8 +318,7 @@
      <p>Several vulnerabilities were fixed in Thunderbird-78.5.0, two were 
rated
      High. Details are at
      <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/";>mfsa2020-52</a>,
-     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26951";>CVE-2020-26951</a>.
-     and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26951";>CVE-2020-26951</a>,
      <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-26968";>CVE-2020-26968</a>.<p>
      <p>To fix this, update to Thunderbird-78.5.0 or later using the 
instructions
      from the development book for
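Review bot: The paragraph edited here still ends with an opening <p> rather than </p> on the CVE-2020-26968 context line, so the paragraph is never closed and a stray empty one is opened before "To fix this". Since this hunk already reworks the link list, correct the closing tag in the same change.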
@@ -287,7 +374,7 @@
 
      <a id="10.0-036">
      <h4>10.0 036 Firefox  Date: 2020-11-16  Severity: High</h4>
-     <p>Several vulnerabilities were fond in firefox before 78.5.0, of which 
two
+     <p>Several vulnerabilities were found in firefox before 78.5.0, of which 
two
      were rated as high by upstream. Details are at
      <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/";>mfsa2020-51</a>
      and
@@ -533,9 +620,12 @@
 
      <a id="10.0-017">
      <h4>10.0 017 Wireshark  Date: 2020-09-23  Severity: High</h4>
-     <p>Five Security Advisories (wnpa-sec-2020-11,12,13) which could cause
+     <p>Three Security Advisories (wnpa-sec-2020-11,12,13) which could cause
      Wireshark to crash were fixed in Wireshark-3.2.7, detailed at
-     <a href="https://www.wireshark.org/security/";>Wireshark Security</a>.</p>
+     <a href="https://www.wireshark.org/security/";>Wireshark Security</a> and
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25862";>CVE-2020-25862</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25863";>CVE-2020-25863</a>,
+     <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-25863";>CVE-2020-25866</a>.</p>
      <p>To fix these, update to wireshark-3.2.7 or later using the instructions
      from the development book for
      <a href="../view/svn/basicnet/wireshark.html">Wireshark (sysv)</a> or
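Review bot: The third added link pairs the text CVE-2020-25866 with the href .../CVE-2020-25863, the same target as the link before it, so CVE-2020-25866 is never actually linked. Change the href to match the link text.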