Author: ken
Date: Sat Feb 6 17:52:33 2021
New Revision: 1700
Log:
Advisories: up to date.
Modified:
html/trunk/blfs/advisories/10.0.html
html/trunk/blfs/advisories/consolidated.html
html/trunk/lfs/advisories/10.0.html
Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html Sat Feb 6 11:53:48 2021
(r1699)
+++ html/trunk/blfs/advisories/10.0.html Sat Feb 6 17:52:33 2021
(r1700)
@@ -426,6 +426,13 @@
<h3>PHP</h3>
+ <h4>10.0 083 PHP Updated: 2021-02-07 Severity: Medium</h4>
+ <p>In PHP before versions 7.4.15, 8.0.2, according to Arch PHP will crash
+ with a SIGSEGV via null-pointer dereference whenever an XML is provided to
+ the SoapClient query() function without an existing field. To fix this,
+ update to PHP-8.0.2 or later (or 7.4.15 or later if using the old series).
+ <a href=consolidated.html#10.0-083>10.0-083</a></p>
+
<h4>10.0 064 PHP Upated: 2021-02-04 Severity: Medium</h4>
<p>In PHP before 7.4.14, 8.0.1 FILTER_VALIDATE_URL accepts URLs with
invalid userinfo. To fix this, update to PHP-8.0.1 or later (or
Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html Sat Feb 6 11:53:48
2021 (r1699)
+++ html/trunk/blfs/advisories/consolidated.html Sat Feb 6 17:52:33
2021 (r1700)
@@ -76,6 +76,51 @@
replaced or archived). See the gstreamer links re 1.16 for an example of
linking to a released book (old 10.0) -->
+ <a id="10.0-083">
+ <h4>10.0 083 PHP Updated: 2021-02-07 Severity: Medium</h4>
+ <p>In PHP before versions 7.4.15, 8.0.2, according to Arch PHP will crash
+ with a SIGSEGV via null-pointer dereference whenever an XML is provided to
+ the SoapClient query() function without an existing field. CVE-2020-7071
has
+ been allocated but for the moment that is "reserved". See
+ <a href="https://security.archlinux.org/CVE-2021-21702";>Arch
CVE-2021-21702</a>
+ where the severity is rated as Medium.</p>
+ <p>To fix this, update to PHP-8.0.2 or later using the instructions
+ from the development book for
+ <a href="../view/svn/general/php.html">PHP (sysv)</a> or
+ <a href="../view/systemd/general/php.html">PHP (systemd)</a>.</p>
+
+ <a id="10.0-082">
+ <h4>10.0 082 (LFS) GLIBC Date: 2021-02-07 Severity: High</h4>
+
+ <p>In Glibc before 2.33 there are four vulnerabilities in iconv which can
lead
+ to a crash when processing less-common character encodings.<p>
+ <p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-25013";>CVE-2019-25013</a>:
+ According to Red Hat this can be worked around by not processing untrusted
input
+ in the (uncommon) EUC-KR character set
+ <a href="https://access.redhat.com/security/cve/cve-2019-25013";>Red
Hat</a>.</p>
+ <p>CVE-2020-27618 is currently marked as 'Reserved'. According to Red Hat
an
+ infinite loop can be encountered when processing data in certain IBM
character
+ sets containing redundant shift sequences. They rate the severity as Low
because
+ an attacker would need either local privileges, or to depend on an
application
+ feeding untrusted encoding input to iconv.
+ <a href="https://access.redhat.com/security/cve/cve-2020-27618";>Red
Hat</a>.</p>
+ <p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-29562";>CVE-2020-29562</a>:
+ When processing UCS4 text containing an irreversible character, iconv
fails an
+ assertion and aborts, resulting in a denial of service. A workaround
appears to
+ be to avoid processing UCS4 input (constant 32-bit width characters) in
iconv.
+ For most users of LFS aand BLFS it is expected that UCS4 input is
uncommon.</p>
+ <p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-3326";>CVE-2021-3326</a>:
+ When processing invalid input sequences in the ISO-2022-JP-3 encoding,
iconv
+ fails an assertion and aborts, resulting in a denial of service. According
to
+ Red Hat this can be worked around by not processing untrusted input in this
+ encoding:
+ <a href="https://access.redhat.com/security/cve/cve-2021-3326";>Red
Hat</a>.</p>
+ <p>To fix these, build a new version of LFS. <i>If you have usable backups
and
+ have tested a way to restore them via a rescue stick or similar, it might
be
+ possible to build glibc-2.33 in place and then immediately make an unclean
+ shutdown, e.g. using MagicSysRQ if that is enabled in your kernel. <b>Such
a
+ procedure is not recommended, nor has it been tested.</b><i></p>
+
<a id="10.0-081">
<h4>10.0 081 Firefox UpDated: 2021-02-07 Severity: None</h4>
<p>In firefox before 78.7.1 a vulnerability in the Angle graphics library
Modified: html/trunk/lfs/advisories/10.0.html
==============================================================================
--- html/trunk/lfs/advisories/10.0.html Sat Feb 6 11:53:48 2021 (r1699)
+++ html/trunk/lfs/advisories/10.0.html Sat Feb 6 17:52:33 2021 (r1700)
@@ -35,6 +35,20 @@
<!-- End of Bison -->
+ <h3>Glibc</h3>
+
+ <p><i>In LFS the only safe way to update Glibc is to build a new
system.</i></p>
+
+ <h4>10.0 082 (LFS) GLIBC Date: 2021-02-07 Severity: High</h4>
+
+ <p>In Glibc before 2.33 there are four vulnerabilities in iconv which can
lead
+ to a crash when processing less-common character encodings.<p>
+ Please read the link to assess the severity of this for your use case, and
what
+ action to take.
+ <a href=../../blfs/advisories/consolidated.html#10.0-082>10.0-082</a></p>
+
+ <!-- End of GLibc -->
+
<h3>Linux Kernel</h3>
<h4>10.0 010 Linux Kernel (LFS) Date: 2020-09-15 Severity: High</h4>
--
http://lists.linuxfromscratch.org/listinfo/website
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
