Author: renodr
Date: Wed Mar  3 18:55:10 2021
New Revision: 1730

Log:
Security Advisories: Add 10.1-001 for OpenSSH

I expect there will probably be some errors in the template that might need to 
be corrected

Modified:
   html/trunk/blfs/advisories/10.1.html
   html/trunk/blfs/advisories/consolidated.html

Modified: html/trunk/blfs/advisories/10.1.html
==============================================================================
--- html/trunk/blfs/advisories/10.1.html        Mon Mar  1 09:06:55 2021        
(r1729)
+++ html/trunk/blfs/advisories/10.1.html        Wed Mar  3 18:55:10 2021        
(r1730)
@@ -10,20 +10,20 @@
 
      <!-- Editors: Do not remove this entry, just comment it out. -->
 
+<!--
      <ul>
        <li>There are currently no known security vulnerabilities for 
BLFS-10.1.</li>
      </ul>
-
+-->
     <!-- Editors: do the consolidated file first, to get the next number -->
 
-<!-- comment the rest until we have something to report
     <p><i>This page is in alphabetical order of packages, and if a package has
     multiple advisories the newer come first.</i></p>
 
     <p> The links at the end of each item point to fuller details which have
     links to the
-    development <!\-\- change to 'released' when links in consolidated are 
changed
-    after a release \-\->
+    development <!-- change to 'released' when links in consolidated are 
changed
+    after a release -->
     books.</i></p>
 
     <p>In general, the severity is taken from upstream, if supplied, or from
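Review bot: With the outer "comment the rest until we have something to report" wrapper removed, the paragraph ending `books.</i></p>` becomes live markup, and it closes an `<i>` that is never opened in that paragraph. Drop the stray tag so the line reads `books.</p>`. Un-escaping the inner `<!-- change to 'released' ... -->` comment is correct now that it is no longer nested inside another comment.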
@@ -31,22 +31,32 @@
     but individual severity ratings at NVD can change over time. If no other
     information is available, 'High' will normally be assumed.</p>
 
-    <!\-\- After a release, copy for next book version, leave just template 
stuff
-     and initially say "There are no known vulnerabilities." \-\->
+    <!-- After a release, copy for next book version, leave just template stuff
+     and initially say "There are no known vulnerabilities." -->
 
-<!\-\- start of list: Order is Alphabetic by package name (create multiple 
entries
+<!-- start of list: Order is Alphabetic by package name (create multiple 
entries
      if more than one package is involved, e.g. for those firefox updates which
      also require JS to be updated.  Within each package, latest update first
      and link to the consolidated page, e.g.
-     <a href=consolidated.html#10.0-001>10.0-001</a> \-\->
+     <a href=consolidated.html#10.0-001>10.0-001</a> -->
 
+<!--
     <h3>PackageName</h3>
 
     <h4>10.1 NNN PackageName  Date: 2021-03-02  Severity: High</h4>
     <p>Brief explanatory text, followed by link to the consolidated page.
     <a href="consolidated.html#10.1-NNN">10.1-NNN</a></p>
+-->
+<!-- end of PackageName -->
+
+    <h3>OpenSSH</h3>
+
+    <h4>10.1 001 OpenSSH      Date: 2021-03-03  Severity: Medium</h4>
+    <p>A difficult to exploit double-free security vulnerability was
+    discovered in OpenSSH. Update to OpenSSH-8.5p1 if you use
+    the "ssh-agent" program.
+    <a href=consolidated.html#10.1-001">10.1-001</a></p>
 
-<!\-\- end of PackageName \-\->
- end of commenting out everything until something to report -->
+    <!-- end of OpenSSH -->
 
 <!--#include virtual="/common/footer.html" -->
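Review bot: The new OpenSSH link, `<a href=consolidated.html#10.1-001">10.1-001</a>`, is missing the opening quote on its href value, so the attribute is malformed and the trailing quote becomes part of the link target. It should read `<a href="consolidated.html#10.1-001">`. The commented-out template entry just above already has the correctly quoted form to copy from.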

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Mon Mar  1 09:06:55 
2021        (r1729)
+++ html/trunk/blfs/advisories/consolidated.html        Wed Mar  3 18:55:10 
2021        (r1730)
@@ -76,9 +76,26 @@
 
     <!-- when we do have advisories, comment this for next time -->
 
+    <!--
     <p>There are currently no known security vulnerabilities for the latest
     releases of the books.</p>
+    -->
 
+    <a id="10.1-001">
+    <h4>10.0 001 OpenSSH Date: 2021-03-03 Severity: Medium</h4>
+    <p>OpenSSH-8.2p1 through OpenSSH-8.4p1 included a security vulnerability
+    (double free) in the 'ssh-agent' program. This could lead to memory
+    corruption and is potentially exploitable, and may lead to potential
+    privilege escalation. This bug is only reachable by those with access
+    to the agent socket, which is why the BLFS team has decided to rate this
+    vulnerability as Medium severity. There is no CVE assigned for this
+    vulnerability.
+    Additional information can be found at
+    <a href="https://seclists.org/oss-sec/2021/q1/190";>
+    OpenSSH 8.5 release announcement</a>.</p>
+    <p>To fix this, update to OpenSSH-8.5p1 or later using the instructions in
+    <a href="../view/svn/postlfs/openssh.html">OpenSSH (sysv)</a> or
+    <a href="../view/systemd/postlfs/openssh.html">OpenSSH (systemd)</a>.</p>
 
     <h2>Items between the releases of the 10.0 and 10.1 books</h2></a>
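Review bot: The added heading reads `10.0 001 OpenSSH`, but the anchor id is `10.1-001` and 10.1.html lists the same item as `10.1 001`, so the heading should say 10.1. Separately, the new `<a id="10.1-001">` has no closing tag within the added lines; the only `</a>` after it is on the unchanged `<h2>` line, so the anchor ends up wrapping the whole entry including the three `<a href>` links inside it. Closing it immediately (`<a id="10.1-001"></a>`) or moving the id onto the `<h4>` avoids the nested anchors. The seclists href is also shown with a stray `;` after its closing quote; remove it if it is present in the committed file.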
 