Author: renodr
Date: Sat Mar 27 14:55:27 2021
New Revision: 1754

Log:
Security Advisories: Add 10.1-014 for lxml
Security Advisories: Add 10.1-013 for Nettle

Modified:
   html/trunk/blfs/advisories/10.1.html
   html/trunk/blfs/advisories/consolidated.html

Modified: html/trunk/blfs/advisories/10.1.html
==============================================================================
--- html/trunk/blfs/advisories/10.1.html        Fri Mar 26 11:56:47 2021        
(r1753)
+++ html/trunk/blfs/advisories/10.1.html        Sat Mar 27 14:55:27 2021        
(r1754)
@@ -85,6 +85,16 @@
     <a href="consolidated.html#10.1-009">10.1-009</a></p>
     <!-- end of JS78 -->
 
+    <h3>lxml</h3>
+    <h4>10.1 014 lxml   Date: 2021-03-27  Severity: Medium</h4>
+    <p>Improper input sanitization may lead to cross-site-scripting via
+    JavaScript code being inserted into the output of an HTML file. This was
+    fixed by adding proper input sanitization for the HTML5 formaction 
attribute.
+    To fix this, update to lxml-4.6.3.
+    <a href="consolidated.html#10.1-014">10.1-014</a>.</p>
+
+    <!-- end of lxml -->
+
     <h3>MuPDF</h3>
 
     <h4>10.1 003 MuPDF  Date: 2021-03-10  Severity: Medium</h4>
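Review bot: the lxml summary paragraph needs a wording and layout pass before it matches its neighbours. "cross-site-scripting" should read "cross-site scripting" (only the adjective pair is hyphenated), and the closing cross-reference `<a href="consolidated.html#10.1-014">10.1-014</a>.</p>` adds a trailing period that the existing JS78 entry (`10.1-009</a></p>`) does not use, so the sentence renders as "update to lxml-4.6.3. 10.1-014." Consider "To fix this, update to lxml-4.6.3. See <a ...>10.1-014</a>." The MuPDF and OpenSSH entries also put a blank line between `<h3>` and `<h4>`, which the new block omits, and the `formaction` line carries trailing whitespace. The summary also never names CVE-2021-28957, although the consolidated entry does; a reader scanning this page for a CVE would miss it.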
@@ -94,6 +104,15 @@
 
     <!-- end of MuPDF -->
 
+    <h3>Nettle</h3>
+    <h4>10.1 013 Nettle       Date: 2021-03-27  Severity: High</h4>
+    <p>A serious bug was found in the way that Nettle handles ECDSA signature
+    verification that can lead to crashes, improper output, or other 
unspecified
+    impacts. Update to Nettle-3.7.2 as soon as possible.
+    <a href="consolidated.html#10.1-013">10.1-013</a>.</p>
+
+    <!-- end of Nettle -->
+
     <h3>OpenSSH</h3>
 
     <h4>10.1 001 OpenSSH      Date: 2021-03-03  Severity: Medium</h4>
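Review bot: "crashes, improper output, or other unspecified impacts" undersells the security-relevant outcome that the consolidated entry actually states (incorrect results or assertion-failure crashes when verifying some ECDSA signatures on secp224r1 and secp521r1). Since a wrong `ecdsa_verify` result is what makes this High rather than a denial of service, say "incorrect signature verification results or assertion-failure crashes" here and name the two curves. "Update to Nettle-3.7.2 as soon as possible" should also match the consolidated wording "Nettle-3.7.2 or later", and the same layout points as the lxml entry apply: blank line between `<h3>` and `<h4>`, and no trailing period after the `10.1-013` cross-reference link.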

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Fri Mar 26 11:56:47 
2021        (r1753)
+++ html/trunk/blfs/advisories/consolidated.html        Sat Mar 27 14:55:27 
2021        (r1754)
@@ -80,6 +80,31 @@
     <p>There are currently no known security vulnerabilities for the latest
     releases of the books.</p>
     -->
+    <a id="10.1-014">
+    <h4>10.1 014 lxml         Date: 2021-03-27  Severity: Medium</h4>
+    <p>In lxml-4.6.3, a security vulnerability was fixed in the HTML Cleaner
+    that could lead to JavaScript code being passed into the output. This
+    vulnerability is classified as "Cross Site Scripting". It does not properly
+    sanitize the input from the HTML5 formaction attribute, leading to
+    JavaScript code being inserted into the output. This vulnerability
+    has been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-28957";>CVE-2021-28957</a>.</p>
+    <p>To fix this, update to lxml-4.6.3 using the instructions for
+    <a href="../view/svn/general/python-modules.html#lxml">lxml (sysv)</a> or
+    <a href="../view/systemd/general/python-modules.html#lxml">lxml 
(systemd)</a>.</p>
+
+    <a id="10.1-013">
+    <h4>10.1 013 Nettle       Date: 2021-03-27  Severity: High</h4>
+    <p>In Nettle-3.7.2, a security vulnerability was fixed that could allow for
+    improper results or crashes with assertion failures when processing some
+    ECDSA signatures. This has to do with the secp224r1 and secp521r1 curves,
+    and the maintainer suggests upgrading immediately because of the severity
+    of the bug. More information can be found here:
+    <a 
href="http://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009457.html";>ANNOUNCE:
 Serious bug in Nettle's ecdsa_verify</a>.</p>
+    <p>To fix this, update to Nettle-3.7.2 or later using the instructions for
+    <a href="../view/svn/postlfs/nettle.html">Nettle (sysv)</a> or
+    <a href="../view/systemd/postlfs/nettle.html">Nettle (systemd)</a>.</p>
+
     <a id="10.1-012">
     <h4>10.1 012 Thunderbird  Date: 2021-02-26  Severity: High</h4>
     <p>In Thunderbird before 78.9.0 there were two vulnerabilities rated as
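Review bot: `<a id="10.1-014">` and `<a id="10.1-013">` are opened and never closed. This mirrors the existing `<a id="10.1-012">` line, but each unclosed anchor swallows every element that follows it, so the entries end up nested inside one another's links; close them as `<a id="10.1-014"></a>` (or move the `id` onto the `<h4>`). The `";>` after the closing quote in `href="https://nvd.nist.gov/vuln/detail/CVE-2021-28957";>` and in the nettle-bugs link is not valid attribute syntax; verify whether the semicolon is in the committed file or only an artifact of the mail. In the lxml paragraph, "It does not properly sanitize the input" has "This vulnerability" as its nearest antecedent; write "The cleaner does not properly sanitize". Finally, the lxml fix says "update to lxml-4.6.3" while the Nettle fix says "Nettle-3.7.2 or later"; pick one form for both.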