Author: renodr
Date: Fri Feb 12 14:14:20 2021
New Revision: 1713

Log:
Security Advisories: Add 10.0-087 for Jinja2
Security Advisories: Add 10.0-088 for xterm
Security Advisories: Add 10.0-089 for gnome-autoar
Security Advisories: Add 10.0-090 for PostgreSQL

Modified:
   html/trunk/blfs/advisories/10.0.html
   html/trunk/blfs/advisories/consolidated.html

Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html        Wed Feb 10 18:44:49 2021        
(r1712)
+++ html/trunk/blfs/advisories/10.0.html        Fri Feb 12 14:14:20 2021        
(r1713)
@@ -202,6 +202,16 @@
 
 <!-- end of GnuPG -->
 
+    <h3>gnome-autoar</h3>
+
+    <h4>10.0 089 gnome-autoar Date: 2021-02-12 Severity: Medium</h4>
+    <p>gnome-autoar before 0.3.0 was vulnerable to a directory traversal
+    vulnerability due to insufficent checks on symbolic links.
+    Update to gnome-autoar-0.3.0 or later.
+    <a href=consolidated.html#10.0-089">10.0-089</a></p>
+
+<!-- end of gnome-autoar -->
+
     <h3>GnuTLS</h3>
 
     <h4>10.0 003 GnuTLS  Date: 2020-09-03  Severity: High</h4>
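Review bot: the advisory link at the end of the new gnome-autoar entry has mismatched quoting, `<a href=consolidated.html#10.0-089">10.0-089</a>`, which leaves a stray `"` inside the attribute value and will most likely break the link; either quote both ends (`<a href="consolidated.html#10.0-089">`) or drop the trailing quote to match the unquoted style the existing entries use (`<a href=consolidated.html#10.0-034>`). Also "insufficent" in the description should be "insufficient".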
@@ -257,6 +267,16 @@
 
 <!-- end of JasPer -->
 
+    <h3>Jinja2</h3>
+
+    <h4>10.0 087 Jinja2  Date: 2021-02-12 Severity: Medium</h4>
+    <p>In Jinja2 before 2.11.3, a denial-of-service attack was possible via a
+    malformed regex string. This vulnerability exists from 0.0.1 all the way
+    to 2.11.3. Update to Jinja2-2.11.3 or later.
+    <a href=consolidated.html#10.0-087">10.0-087</a></p>
+
+<!-- end of Jinja2 -->
+
     <h3>JS78</h3>
 
     <h4>10.0 072 JS78  Date: 2021-01-26  Severity: High</h4>
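Review bot: the same mismatched quoting appears on the Jinja2 link, `<a href=consolidated.html#10.0-087">`; quote both ends or neither. The description is also internally inconsistent: it says the issue exists "before 2.11.3" and then "from 0.0.1 all the way to 2.11.3", while 2.11.3 is the fixed release; "up to 2.11.2" (or "before 2.11.3") would be consistent with the update advice that follows.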
@@ -481,6 +501,12 @@
     to postgresql-13.1 or later.
     <a href=consolidated.html#10.0-034>10.0-034</a></p>
 
+    <h4>10.0 090 PostgreSQL  Date: 2021-02-12 Severity: Medium</h4>
+    <p>Two vulnerabilities were fixed in PostgreSQL-13.2 that could lead to
+    unauthorized users acquiring data from a database. Update to
+    postresql-13.2 or later.
+    <a href=consolidated.html#10.0-090>10.0-090</a></p>
+
 <!-- end of PostgreSQL -->
 
     <h3>Python</h3>
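Review bot: "postresql-13.2" in the update advice is missing a "g"; it should read "postgresql-13.2", matching the "postgresql-13.1" wording in the 10.0-034 entry directly above and the version named in the consolidated entry.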
@@ -711,14 +737,14 @@
 
     <h3>Xorg-Server</h3>
 
-    <h4>10.0 048 Xorg-Server  Date 2020-12-05  Severity: High</h4>
+    <h4>10.0 048 Xorg-Server  Date: 2020-12-05  Severity: High</h4>
     <p>In Xorg-Server before version 1.20.10 two input validation failures
     in X server extensions were found. These can lead to local privilege
     escalations (to root) <b>if the X server is running privileged</b>.
     Update to Xorg-Server-1.20.10 or later.
     <a href=consolidated.html#10.0-048>10.0-048</a></p>
 
-    <h4>10.0 002 Xorg-Server  Date 2020-09-03  Severity: High</h4>
+    <h4>10.0 002 Xorg-Server  Date: 2020-09-03  Severity: High</h4>
     <p>In Xorg-Server before version 1.20.9 several input validation failures
     in X server extensions were found. These can lead to local privilege
     escalations (to root) <b>if the X server is running privileged</b>.
@@ -727,6 +753,14 @@
 
 <!-- end of Xorg-Server -->
 
+   <h3>xterm</h3>
+
+   <h4>10.0 088 xterm         Date: 2021-02-12  Severity: Medium</h4>
+   <p>In xterm before 366, a denial of service vulnerability was found
+   that could lead to a crash with certain UTF-8 characters.
+   Update to xterm-366 or later.
+   <a href=consolidated.html#10.0-088">10.0-088</a></p>
 
+<!-- end of xterm -->
 
 <!--#include virtual="/common/footer.html" -->
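Review bot: the xterm block is indented with three spaces while every other entry in this file uses four (compare the Xorg-Server `<h3>`/`<h4>`/`<p>` lines in the previous hunk); please reindent for consistency. The 10.0-088 link also has the unbalanced quote seen in the other new entries, `<a href=consolidated.html#10.0-088">`, and should be fixed the same way.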

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Wed Feb 10 18:44:49 
2021        (r1712)
+++ html/trunk/blfs/advisories/consolidated.html        Fri Feb 12 14:14:20 
2021        (r1713)
@@ -75,6 +75,56 @@
     the longer term who knows what will happen to packages (e.g. getting
     replaced or archived). See the gstreamer links re 1.16 for an example of
     linking to a released book (old 10.0) -->
+    <a id="10.0-090">
+    <h4>10.0 090 PostgreSQL   Date: 2021-02-12 Severity: Medium</h4>
+    <p>In PostgreSQL-13.2, two vulnerabilities were fixed that could lead to
+    unauthorized users leaking information from a database. One of them 
+    relates to users with the UPDATE privilege but without the SELECT 
privilege,
+    and the other relates to users who have SELECT privileges for only a single
+    column being able to read all columns of the table.
+    These have been assigned
+    <a 
href="https://access.redhat.com/security/cve/cve-2021-3393";>CVE-2021-3393</a> 
and
+    <a 
href="https://access.redhat.com/security/cve/cve-2021-20229";>CVE-2021-20229</a>.</p>
+    <p>To fix this, update to at least postgresql-13.2 using the instructions 
in
+    <a href="../view/svn/server/postgresql.html">PostgreSQL (sysv)</a> or
+    <a href="../view/systemd/server/postgresql.html">PostgreSQL 
(systemd)</a>.</p>
+
+    <a id="10.0-089">
+    <h4>10.0 089 gnome-autoar Date: 2021-02-12 Severity: Medium</h4>
+    <p>In gnome-autoar-0.2.4, a security vulnerability was found that
+    allows for directory traversal during extraction of an archive due to
+    a lack of proper checks for whether a file's parent is a symlink to a
+    directory outside of the intended extraction location. 
+    This has been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-36241";>CVE-2020-36241</a>.</p>
+    <p>To fix this, update to at least gnome-autoar-0.3.0 using the 
instructions in
+    <a href="../view/svn/gnome/gnome-autoar.html">gnome-autoar (sysv)</a> or
+    <a href="../view/systemd/gnome/gnome-autoar.html">gnome-autoar 
(systemd)</a>.</p>
+
+    <a id="10.0-088">
+    <h4>10.0 088 xterm      Date: 2021-02-12  Severity: Medium</h4>
+    <p>In xterm-366, a security vulnerability was fixed that allows for a
+    crash via usage of certain UTF-8 characters. The vulnerability was
+    originally discovered in 'Screen', but was found to affect xterm as well.
+    The vulnerability was originally found exploited via Minecraft servers,
+    so as a result of it's exploitation in the wild, BLFS has decided to
+    apply a severity of Medium to this vulnerability. 
+    This has been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-26937";>CVE-2021-26937</a>.</p>
+    <p>To fix this, update to at least xterm-366 using the instructions in
+    <a href="../view/svn/x/xterm.html">xterm (sysv)</a> or
+    <a href="../view/systemd/x/xterm.html">xterm (systemd)</a>.</p>
+
+    <a id="10.0-087">
+    <h4>10.0 087 Jinja2     Date: 2021-02-12  Severity: Medium</h4>
+    <p>In Jinja2-2.11.2, a security vulnerability was found that allows for a
+    repeatable denial-of-service attack via malformed regex.
+    This has been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-28493";>CVE-2020-28493</a>.</p>
+    <p>To fix this, update to at least Jinja2-2.11.3 using the instructions
+    from the development book for
+    <a href="../view/svn/general/python-modules.html#Jinja2">Jinja2 (sysv)</a> 
or
+    <a href="../view/systemd/general/python-modules.html#Jinja2">Jinja2 
(systemd)</a>.</p>
 
     <a id="10.0-086">
     <h4>10.0 086 Subversion Date: 2021-02-10  Severity: Medium</h4>
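Review bot: in the xterm entry, "as a result of it's exploitation in the wild" should be "its exploitation" (possessive, no apostrophe). The CVE links in this hunk also show a semicolon immediately after the closing quote, e.g. `href="https://access.redhat.com/security/cve/cve-2021-3393";>`; if that `";` is actually in the committed file rather than an artifact of the list archive, the stray `;` is not part of the attribute and will be treated as a malformed attribute by the parser, so please confirm the file reads `...3393">` without the semicolon.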
-- 
http://lists.linuxfromscratch.org/listinfo/website