Author: renodr
Date: Fri Feb 19 13:28:08 2021
New Revision: 1719

Log:
Security Advisories: Add security advisory 10.0-095 for OpenSSL
Security Advisories: Add security advisory 10.0-096 for Screen

Modified:
   html/trunk/blfs/advisories/10.0.html
   html/trunk/blfs/advisories/consolidated.html
   html/trunk/lfs/advisories/10.0.html

Modified: html/trunk/blfs/advisories/10.0.html
==============================================================================
--- html/trunk/blfs/advisories/10.0.html        Fri Feb 19 10:52:28 2021        
(r1718)
+++ html/trunk/blfs/advisories/10.0.html        Fri Feb 19 13:28:08 2021        
(r1719)
@@ -586,6 +586,18 @@
 
 <!-- end of Samba -->
 
+    <h3>Screen</h3>
+
+    <h4>10.0 096 Screen Date: 2021-02-19 Severity: Critical</h4>
+    <p>In screen-4.8.0, a security vulnerability was found that could 
potentially
+    lead to shell injection or a denial-of-service via processing a crafted
+    UTF-8 character sequence. This was originally discovered being used to
+    compromise Minecraft servers. Apply the patch in the advisory
+    to Screen and recompile it.
+    <a href="consolidated.html#10.0-096">10.0-096</a></p>
+
+<!-- end of Screen -->
+
     <h3>Seamonkey</h3>
 
     <h4>10.0 069 Seamonkey  Updated: 2021-01-26  Severity: Critical</h4>
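Review bot: The new Screen paragraph writes the package as "screen-4.8.0", while its own heading, its remedy sentence ("to Screen and recompile it") and the consolidated entry all use "Screen"; capitalise it for consistency. The new <h4> also separates its fields with single spaces where the Seamonkey heading directly below uses two, which is worth aligning if anything searches on these headings. The consolidated entry records CVE-2021-26937, so naming it in this summary would let readers find the item by CVE on this page as well.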

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Fri Feb 19 10:52:28 
2021        (r1718)
+++ html/trunk/blfs/advisories/consolidated.html        Fri Feb 19 13:28:08 
2021        (r1719)
@@ -75,6 +75,35 @@
     the longer term who knows what will happen to packages (e.g. getting
     replaced or archived). See the gstreamer links re 1.16 for an example of
     linking to a released book (old 10.0) -->
+    <a id="10.0-096">
+    <h4>10.0 096 Screen       Date: 2021-02-19 Severity: Critical</h4>
+    <p>In Screen-4.8.0, a security vulnerability was fixed that allows for a
+    crash via usage of certain UTF-8 characters. The vulnerability was 
+    originally found exploited via Minecraft servers, and is currently being
+    exploited in the wild. The vulnerability can also allow shell injection.
+    <!-- NVD marked it as Critical -->
+    This has been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-26937";>CVE-2021-26937</a>.</p>
+    <p>To fix this, apply the patch in
+    <a 
href="http://www.linuxfromscratch.org/patches/downloads/screen/screen-4.8.0-upstream_fixes-1.patch";>screen-4.8.0-upstream_fixes-1.patch</a>
+    to your build and recompile Screen using the instructions in
+    <a href="../view/svn/general/screen.html">Screen (sysv)</a> or
+    <a href="../view/systemd/general/screen.html">Screen (systemd)</a>.</p>
+
+    <a id="10.0-095">
+    <h4>10.0 095 OpenSSL (LFS) Date: 2021-02-19 Severity: High</h4>
+    <p>In OpenSSL-1.1.1j, two security vulnerabilities were fixed that could
+    lead to a potential denial-of-service attack due to integer overflows
+    and null pointer derefererences. 
+    These have been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-23841";>CVE-2021-23841</a> and
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-23840";>CVE-2021-23840</a>.
+    Additional details can be found in
+    <a href="https://www.openssl.org/news/secadv/20210216.txt";>OpenSSL</a>.</p>
+    <p>To fix this, update to at least OpenSSL-1.1.1j using the instructions in
+    <a href="../../lfs/view/development/chapter08/openssl.html">OpenSSL 
(sysv)</a> or
+    <a href="../../lfs/view/systemd/chapter08/openssl.html">OpenSSL 
(systemd)</a>.</p>
+
     <a id="10.0-094">
     <h4>10.0 094 Intel Microcode  Date: 2021-02-19  Severity: Medium</h4>
     <p>On Intel Skylake Xeon and Cascade Lake Xeon processors, an authenticated
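Review bot: The Screen entry says "In Screen-4.8.0, a security vulnerability was fixed", but the remedy in the next paragraph is to apply screen-4.8.0-upstream_fixes-1.patch to 4.8.0 and recompile, so 4.8.0 is the affected release rather than the fixed one. Reword it along the lines of "In Screen-4.8.0, a security vulnerability was found", which is also what the short entry in 10.0.html says. In the OpenSSL paragraph, "derefererences" should be "dereferences". The two new <a id="..."> anchors are never closed; that matches the existing 10.0-094 entry, but an empty <a id="10.0-096"></a>, or the id placed on the <h4>, would keep each following heading and paragraph from nesting inside an open anchor.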

Modified: html/trunk/lfs/advisories/10.0.html
==============================================================================
--- html/trunk/lfs/advisories/10.0.html Fri Feb 19 10:52:28 2021        (r1718)
+++ html/trunk/lfs/advisories/10.0.html Fri Feb 19 13:28:08 2021        (r1719)
@@ -66,6 +66,11 @@
 
     <h3>OpenSSL (LFS)</h3>
 
+    <h4>10.0 095 OpenSSL (LFS) Date: 2021-02-19 Severity: High</h4>
+    <p>Two vulnerabilities in OpenSSL could be exploited to cause a crash.
+    To fix this, update to OpenSSL-1.1.1j or later.
+    <a href="../../blfs/advisories/consolidated.html#10.0-095">10.0-095</a></p>
+
     <h4>10.0 053 OpenSSL (LFS) Date: 2020-12-15 Severity: High</h4>
     <p>A vulnerability in OpenSSL could be exploited to cause a crash.
     To fix this, update to OpenSSL-1.1.1i or later.
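Review bot: The new 095 summary is nearly word for word the 053 entry below it, differing only in "Two vulnerabilities" and the version, so a reader scanning this page cannot tell what distinguishes the two advisories. Consider carrying over a few words from the consolidated text (integer overflows and null pointer dereferences, CVE-2021-23840 and CVE-2021-23841) so the entry can be matched to a CVE without following the link.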