Author: ken
Date: Sat Feb  6 11:53:48 2021
New Revision: 1699

Log:
Advisories as far as firefox-78.7.1,
mozilla now say that only affects Windows systems
so reduce the current errata advisories to say 78.7.0 or later.

Modified:
   html/trunk/blfs/advisories/10.0.html
   html/trunk/blfs/advisories/consolidated.html
   html/trunk/blfs/errata/10.0-systemd/index.html
   html/trunk/blfs/errata/10.0/index.html

Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html        Fri Feb  5 14:16:09 2021        
(r1698)
+++ html/trunk/blfs/advisories/10.0.html        Sat Feb  6 11:53:48 2021        
(r1699)
@@ -110,6 +110,12 @@
 
     <h3>Firefox</h3>
 
+    <a id="10.0-081">
+    <h4>10.0 081 Firefox  UpDated: 2021-02-07  Severity: None</h4>
+    <p>In firefox before 78.7.1 a vulnerability in the Angle graphics library
+    was rated as Critical and a CVE was requested. It has now been clarified
+    that this only affected Windows operating systems.</p>
+
     <h4>10.0 071 Firefox  Date: 2021-01-26  Severity: High</h4>
     <p>In firefox 78.7.0 several vulnerabilities rated as High were fixed.
     Update to firefox-78.7.0 or later.
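Review bot: The added `<a id="10.0-081">` is never closed, so the anchor wraps the `<h4>` and whatever follows it; close it (`<a id="10.0-081"></a>`) or move the id onto the `<h4>`. The heading's `UpDated: 2021-02-07` is one day later than this commit's own date (Sat Feb 6 2021) and is spelled differently from the `Updated:` used in the Wireshark 057 heading. Unlike the other entries added to this file, this one has no `consolidated.html#10.0-081` link and no "update to ... or later" line, so with `Severity: None` it would help to say explicitly that no action is needed on Linux.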
@@ -165,6 +171,13 @@
 
     <h3>Glib</h3>
 
+    <h4>10.0 079 Glib  Date: 2021-02-04  Severity: High</h4>
+    <p>Glib before 2.66.6 was vulnerable to integer truncation leading to
+    potentially exploitable heap-overflow vulnerabilities. The issue was
+    raised in a <i>public</i> report, so this is now classed as a zero-day
+    vulnerability requiring urgent update to Glib-2.66.1 or later.
+    <a href=consolidated.html#10.0-079>10.0-079</a></p>
+
     <h4>10.0 018 Glib  Date: 2020-10-05  Severity: Medium</h4>
     <p>Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs.
     Update to Glib-2.66.1 or later.
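Review bot: The new Glib 079 paragraph contradicts itself: it says Glib "before 2.66.6" is vulnerable but then asks for an "urgent update to Glib-2.66.1 or later", which is still a vulnerable version by its own first sentence. The matching entry added to consolidated.html says "update to at least Glib-2.66.6", so the text here should read `Glib-2.66.6 or later`. It looks like the version was carried over from the 018 entry directly below.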
@@ -222,6 +235,17 @@
 
 <!-- end of ImageMagick -->
 
+    <h3>Jasper</h3>
+
+    <h4>10.0 080 JasPer  Date: 2021-02-04  Severity: High</h4>
+    <p>BLFS had been using JasPer-2.0.14, not aware that the upsteam location 
had
+    moved. In versions before Jasper-2.0.24 more than 25 vulnerabilities were
+    present, mostly either causing a crash or otherwise rated as high. To fix
+    these, update to JasPer-2.0.24 or later.
+    <a href=consolidated.html#10.0-080>10.0-080</a></p>
+
+<!-- end of JasPer -->
+
     <h3>JS78</h3>
 
     <h4>10.0 072 JS78  Date: 2021-01-26  Severity: High</h4>
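Review bot: In the new JasPer block, "upsteam" should be "upstream", and the package name is spelled three ways (`<h3>Jasper</h3>`, `JasPer` in the `<h4>`, `Jasper-2.0.24` in the paragraph); pick `JasPer` throughout so the section heading matches the `<!-- end of JasPer -->` marker. "rated as high" should also be capitalised as "High" to match the severity labels used elsewhere on the page.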
@@ -389,6 +413,17 @@
 
 <!-- end of P11-Kit -->
 
+    <h3>Perl</h3>
+
+    <h4>10.0 077 Perl (using cpan)  Date: 2021-01-30  Severity: High</h4>
+    <p>If you use the 'cpan' command to build perl modules, the perl.com domain
+    was stolen and is currently hosted at an address associated with malware.
+    Anyone who uses the 'cpan' command should ensure that www.cpan.org is used
+    to provide the urllist.
+    <a href=consolidated.html#10.0-077>10.0-077</a></p>
+
+<!-- end of Perl -->
+
     <h3>PHP</h3>
 
     <h4>10.0 064 PHP  Upated: 2021-02-04  Severity: Medium</h4>
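Review bot: The Perl 077 text says the perl.com domain "is currently hosted at an address associated with malware", which will go stale with no indication of when it was true; phrase it with the date (for example "as of 2021-01-30"). It also tells readers to "ensure that www.cpan.org is used to provide the urllist" without saying where that setting lives or how to inspect it (for example the cpan shell's `o conf urllist`), so the only actionable detail is behind the consolidated.html link. Since there is no fixed version to update to, a one-line statement of the check to perform belongs in the short advisory too.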
@@ -534,6 +569,11 @@
     disabled when reading mail, but are potentially risks in browser or
     browser-like contexts.</i></p>
 
+    <h4>10.0 078 Thunderbird  Date: 2021-01-31 Severity: High</h4>
+    <p>In thunderbird before 78.7.0 there were various vulnerabilities rated
+    as High. To fix these update to Thunderbird-78.7.0 or later.
+    <a href=consolidated.html#10.0-078>10.0-078</a></p>
+
     <h4>10.0 066 Thunderbird  Date: 2021-01-12 Severity: Critical</h4>
     <p>In thunderbird before 78.6.1 a malicious peer could have modified a
     COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a
@@ -608,6 +648,11 @@
 
     <h3>Wireshark</h3>
 
+    <h4>10.0 076 Wireshark  Date: 2021-01-30  Severity: High</h4>
+    <p>Wireshark up to 3.4.2 had vulnerabilities for a memory leak and a crash.
+    To fix these update to Wireshard-3.4.3 or later.
+    <a href=consolidated.html#10.0-076>10.0-076</a></p>
+
     <h4>10.0 057 Wireshark  Updated: 2021-02-04  Severity: Invalid</h4>
     <p>A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1
     was raised and allocated a CVE, but it was later determined that the
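Review bot: "Wireshard-3.4.3" in the second line of the new 076 paragraph is a typo for "Wireshark-3.4.3". "had vulnerabilities for a memory leak and a crash" would read better as "had a memory leak and a crash vulnerability", and "up to 3.4.2" should say whether 3.4.2 itself is affected (the fix version implies it is, so "up to and including 3.4.2").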
@@ -619,7 +664,7 @@
     <p>Four Medium Security Advisories which could cause Wireshark to crash 
were
     fixed in Wireshark-3.4.1, but in addition the editors had overlooked a High
     severity item fixed in Wireshark-3.4.0. To fix all of these, update to
-    Wireshark-3.4.1.
+    Wireshark-3.4.1 or later.
     <a href=consolidated.html#10.0-055>10.0-055</a></p>
 
     <h4>10.0 017 Wireshark  Date: 2020-09-23  Severity: High</h4>

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Fri Feb  5 14:16:09 
2021        (r1698)
+++ html/trunk/blfs/advisories/consolidated.html        Sat Feb  6 11:53:48 
2021        (r1699)
@@ -28,7 +28,8 @@
 
     <p>The severity ratings are best estimates unlessi either upstream
     or NVD has assigned a rating. If no other analysis is available,
-    High will usually be assumed. If in doubt, read the links.</p>
+    High will usually be assumed and similarly if a crash can be triggered
+    LFS and BLFS will normallt rate that as High. If in doubt, read the 
links.</p>
 
     <!-- Editors: Commented entry to copy, and reminder about patches
 
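Review bot: The added sentence contains the typo "normallt" (should be "normally") and reads as a run-on: "High will usually be assumed and similarly if a crash can be triggered LFS and BLFS will normallt rate that as High". Split it, for example "High will usually be assumed. Similarly, if a crash can be triggered, LFS and BLFS will normally rate that as High." While this paragraph is being touched, the "unlessi" in its first line could be fixed as well.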
@@ -38,6 +39,10 @@
     'Reserved'. If upstream assigns a severity (often higher than nvd)
     go with that. If in doubt, usually default to High.
 
+    Start the id with the latest book version, then next number - reset number
+    to 1 after we release.
+
+    <a id="10.0-NNN">
     <h4>VV.V NNN Package  Date: ccyy-mm-dd  Severity: 
Critical/High/Medium/Low</h4>
       or
     <h4>VV.V NNN (LFS) Package  Date: ccyy-mm-dd  Severity: 
Critical/High/Medium/Low</h4>
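Review bot: The template line `<a id="10.0-NNN">` has no closing `</a>`, so every entry an editor copies from it inherits an unclosed anchor (as the new entries in this commit do); make the template `<a id="VV.V-NNN"></a>` or put the id on the `<h4>`. The template also hard-codes `10.0` while the `<h4>` lines below it use the `VV.V` placeholder, which contradicts the new instruction to "Start the id with the latest book version". "reset number to 1 after we release" should say whether the number is zero-padded to three digits, since the ids are used as link targets.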
@@ -71,6 +76,75 @@
     replaced or archived). See the gstreamer links re 1.16 for an example of
     linking to a released book (old 10.0) -->
 
+    <a id="10.0-081">
+    <h4>10.0 081 Firefox  UpDated: 2021-02-07  Severity: None</h4>
+    <p>In firefox before 78.7.1 a vulnerability in the Angle graphics library
+    was rated as Critical and a CVE was requested. It has now been clarified
+    that this only affected Windows operating systems.</p>
+
+    <a id="10.0-080">
+    <h4>10.0 080 JasPer  Date: 2021-02-04  Severity: High</h4>
+    <p>BLFS had been using JasPer-2.0.14, not aware that the upsteam location 
had
+    moved. In versions before Jasper-2.0.24 more than 25 vulnerabilities were
+    present, mostly either causing a remotely triggered crash (Denial of 
Service)
+    or otherwise rated as high. For an overview of these see
+    <a href="http://wiki.linuxfromscratch.org/blfs/ticket/14599"/>BLFS 
#14599</a>.
+    The most-recent included
+    <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-9055";>CVE-2018-9055</a>,
+    <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-9252";>CVE-2018-9252</a>,
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2018-19540";>CVE-2018-19540</a>,
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2018-19541";>CVE-2018-19541</a>,
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2018-19543";>CVE-2018-19543</a>,
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-27828";>CVE-2020-27828</a>.</p>
+    <p>To fix this, update to at least JasPer-2.0.24 using the instructions
+    from the development book for
+    <a href="../view/svn/general/jasper.html">JasPer (sysv)</a> or
+    <a href="../view/systemd/general/jasper.html">JasPer (systemd)</a>.</p>
+
+    <a id="10.0-079">
+    <h4>10.0 079 Glib  Date: 2021-02-04  Severity: High</h4>
+    <p>Glib before 2.66.6 was vulnerable to integer truncation leading to
+    potentially exploitable heap-overflow vulnerabilities. The issue was
+    raised in a <i>public</i> report, so this is now classed as a zero-day
+    vulnerability requiring urgent update.
+    <a 
href="https://gitlab.gnome.org/GNOME/glib/-/issues/2319";>GHSL-2021-045</a>
+    .</p>
+    <p>To fix this, update to at least Glib-2.66.6 using the instructions
+    from the development book for
+    <a href="../view/svn/general/glib2.html">Glib (sysv)</a> or
+    <a href="../view/systemd/general/glib2.html">Glib (systemd)</a>.</p>
+
+    <a id="10.0-078">
+    <h4>10.0 078 Thunderbird  Date: 2021-01-31 Severity: High</h4>
+    <p>In thunderbird before 78.7.0 there were various vulnerabilities rated 
as High. See
+    <a 
href="https://www.mozilla.org/en-US/security/advisories/mfsa2021-05/";>mfsa2021-05</a>
+    CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-20201-23960,
+    CVE-2021-23964) but details are not yet public.</p>
+    <p>To fix this, update to Thunderbird-78.7.0 or later using the 
instructions
+    from the development book for
+    <a href="../view/svn/xsoft/thunderbird.html">Thunderbird (sysv)</a> or
+    <a href="../view/systemd/xsoft/thunderbird.html">Thunderbird 
(systemd)</a>.</p>
+
+    <a id="10.0-077">
+    <h4>10.0 077 Perl (using cpan)  Date: 2021-01-30  Severity: High</h4>
+    <p>If you use the 'cpan'i command to build perl modules, the perl.com 
domain
+    was stolen and is currently hosted at an address associated with malware.
+    Anyone who uses the 'cpan' command should ensure that www.cpan.org is used
+    to provide the urllist, see the details at
+    <a 
href="http://lists.linuxfromscratch.org/pipermail/blfs-support/2021-January/082465.html";>blfs-support
 archive</a>.</p>
+
+    <a id="10.0-076">
+    <h4>10.0 076 Wireshark  Date: 2021-01-30  Severity: High</h4>
+    <p>Wireshark up to 3.4.2 had vulnerabilities for a memory leak and a crash,
+    <a 
href="https://www.wireshark.org/security/wnpa-sec-2021-01.html";>wnpa-sec-2020-20</a>,
+    <a 
href="https://www.wireshark.org/security/wnpa-sec-2021-02.html";>wnpa-sec-2020-20</a>.
+    According to Redhat these have been allocated CVE-2021-22173 and 
CVE-2021-22174
+    but these are currently 'Reserved'.</p>
+    <p>To fix these, update to wireshark-3.4.3 or later using the instructions
+    from the development book for
+    <a href="../view/svn/basicnet/wireshark.html">Wireshark (sysv)</a> or
+    <a href="../view/systemd/basicnet/wireshark.html">Wireshark 
(systemd)</a>.</p>
+
     <a id="10.0-075">
     <h4>10.0 075 VLC Media Player  Date: 2021-01-30  Severity: High</h4>
     <p>In VLC Media Player up to and including version 3.0.11 a remote user
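Review bot: Several identifiers in the new entries do not match what they point at. In 076 both Wireshark links are labelled `wnpa-sec-2020-20` while their hrefs are `wnpa-sec-2021-01.html` and `wnpa-sec-2021-02.html`; the labels should follow the hrefs. In 078 `CVE-20201-23960` has an extra digit in the year, and the sentence ending at the `mfsa2021-05` link runs into "CVEs have been assigned" with no full stop. In 080 the BLFS ticket link is written `<a href="..."/>` with a stray slash before the link text, and "upsteam" should be "upstream". In 077 "'cpan'i" has a stray "i". All six new `<a id="10.0-0NN">` anchors are left unclosed, so each one wraps the heading after it; close them or move the ids onto the `<h4>` elements. 081 repeats the `UpDated: 2021-02-07` heading, which is dated after this commit.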

Modified: html/trunk/blfs/errata/10.0-systemd/index.html
==============================================================================
--- html/trunk/blfs/errata/10.0-systemd/index.html      Fri Feb  5 14:16:09 
2021        (r1698)
+++ html/trunk/blfs/errata/10.0-systemd/index.html      Sat Feb  6 11:53:48 
2021        (r1699)
@@ -179,8 +179,7 @@
            <a 
href="../../view/systemd/server/mariadb.html">MariaDB-10.5.7</a>.</li>
        <li>After release, several security vulnerabilities were disclosed in
            the Mozilla Firefox web browser. Several of these are rated as High
-           or Critical. A critical vulnerability was fixed in 78.7.1, to fix
-           to fix this update to Firefox-78.7.1 or later using the
+           or Critical. To fix these update to Firefox-78.7.0 or later using 
the
            instructions in
            <a 
href="../../view/systemd/xsoft/firefox.html">Firefox-78.7.0</a>.</li>
        <li>After release, three high severity vulnerabilities were disclosed in
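Review bot: After this change the item still says "Several of these are rated as High or Critical", but the only Critical item the removed lines mentioned was the 78.7.1 one that the commit message now describes as Windows-only. If no other Firefox issue since release was rated Critical, drop "or Critical" so the errata does not overstate severity; if one was, keep it as is. "To fix these update to" also needs a comma after "these". The same applies to the identical hunk in errata/10.0/index.html.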

Modified: html/trunk/blfs/errata/10.0/index.html
==============================================================================
--- html/trunk/blfs/errata/10.0/index.html      Fri Feb  5 14:16:09 2021        
(r1698)
+++ html/trunk/blfs/errata/10.0/index.html      Sat Feb  6 11:53:48 2021        
(r1699)
@@ -178,8 +178,7 @@
            <a 
href="../../view/svn/server/mariadb.html">MariaDB-10.5.7</a>.</li>
        <li>After release, several security vulnerabilities were disclosed in
            the Mozilla Firefox web browser. Several of these are rated as High
-           or Critical. A critical vulnerability was fixed in 78.7.1, to fix
-           to fix this update to Firefox-78.7.1 or later using the
+           or Critical. To fix these update to Firefox-78.7.0 or later using 
the
            instructions in
            <a href="../../view/svn/xsoft/firefox.html">Firefox-78.7.0</a>.</li>
        <li>After release, three high severity vulnerabilities were disclosed in