Author: renodr
Date: Mon Mar 29 21:47:43 2021
New Revision: 1759

Log:
Errata: Add errata for the libgweather TOS violation from the Norwegian 
Meteorology Society's API
Security Advisories: Add 10.1-017 for glib2
10.1 Security Advisories: Formatting tweaks for 'end of package'

Modified:
   html/trunk/blfs/advisories/10.1.html
   html/trunk/blfs/advisories/consolidated.html
   html/trunk/blfs/errata/10.1-systemd/index.html
   html/trunk/blfs/errata/10.1/index.html

Modified: html/trunk/blfs/advisories/10.1.html
==============================================================================
--- html/trunk/blfs/advisories/10.1.html        Mon Mar 29 10:04:38 2021        
(r1758)
+++ html/trunk/blfs/advisories/10.1.html        Mon Mar 29 21:47:43 2021        
(r1759)
@@ -58,6 +58,15 @@
     <a href="consolidated.html#10.1-008">10.1-008</a></p>
 <!-- end of Firefox -->
 
+    <h3>glib2</h3>
+    <h4>10.1 017 glib2   Date: 2021-03-29  Severity: Medium</h4>
+    <p>A medium severity security vulnerability was discovered in glib2
+    that may allow for arbitrary file overwrites to happen via a symlink 
attack.
+    To fix this, update to glib2-2.66.8 or later.
+    <a href="consolidated.html#10.1-017">10-1-017</a></p>
+
+<!-- end of glib2 -->
+
     <h3>GnuTLS</h3>
 
     <h4>10.1 004 GnuTLS  Date: 2021-03-12  Severity: Low</h4>
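Review bot: the link text of the new glib2 entry reads "10-1-017", while its href and every other entry visible in this file use the dotted form (10.1-008, 10.1-004); change it to "10.1-017". The entry also calls the fixed release glib2-2.66.8 where the consolidated advisory says glib-2.66.8, and it describes the impact only as file overwrites where the consolidated text leads with files being created elsewhere in the filesystem. Aligning the short and long descriptions would avoid readers treating them as two different issues.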
@@ -65,6 +74,7 @@
     result in dereferencing a pointer no longer valid after realloc().
     To fix this, upgrade to GnuTLS 3.7.1 or later versions.
     <a href="consolidated.html#10.1-004">10.1-004</a></p>
+
 <!-- end of GnuTLS -->
 
     <h3>Gstreamer</h3>
@@ -75,7 +85,7 @@
     to 1.18.4 or later.
     <a href="consolidated.html#10.1-007">10.1-007</a></p>
 
-    <!-- end of gstreamer -->
+<!-- end of gstreamer -->
 
     <h3>JS78</h3>
     <a id="10.1-009">
@@ -83,7 +93,8 @@
     <p>In the javascript code of firefox-78.9.0 there are hardening fixes
     against Spectre attacks.  To apply these, upgrade to JS-78.9.0 or later.
     <a href="consolidated.html#10.1-009">10.1-009</a></p>
-    <!-- end of JS78 -->
+
+<!-- end of JS78 -->
 
     <h3>lxml</h3>
     <h4>10.1 014 lxml   Date: 2021-03-27  Severity: Medium</h4>
@@ -93,7 +104,7 @@
     To fix this, update to lxml-4.6.3.
     <a href="consolidated.html#10.1-014">10.1-014</a>.</p>
 
-    <!-- end of lxml -->
+<!-- end of lxml -->
 
     <h3>MuPDF</h3>
 
@@ -102,7 +113,7 @@
     consequences. To fix this, apply the patch in the link.
     <a href="consolidated.html#10.1-003">10.1-003</a></p>
 
-    <!-- end of MuPDF -->
+<!-- end of MuPDF -->
 
     <h3>Nettle</h3>
     <h4>10.1 013 Nettle       Date: 2021-03-27  Severity: High</h4>
@@ -111,7 +122,7 @@
     impacts. Update to Nettle-3.7.2 as soon as possible.
     <a href="consolidated.html#10.1-013">10.1-013</a>.</p>
 
-    <!-- end of Nettle -->
+<!-- end of Nettle -->
 
     <h3>OpenSSH</h3>
 
@@ -121,7 +132,7 @@
     the "ssh-agent" program.
     <a href="consolidated.html#10.1-001">10.1-001</a></p>
 
-    <!-- end of OpenSSH -->
+<!-- end of OpenSSH -->
 
     <h3>PDFBox (FOP)</h3>
 
@@ -133,7 +144,7 @@
     FOP installed.
     <a href="consolidated.html#10.1-010">10.1-010</a></p>
 
-    <!-- end of PDFBox -->
+<!-- end of PDFBox -->
 
     <h3>Thunderbird</h3>
 
@@ -149,7 +160,7 @@
     High. To fix these update to 78.9.0 or later.
     <a href="consolidated.html#10.1-012">10.1-012</a></p>
 
-    <!-- end of Thunderbird -->
+<!-- end of Thunderbird -->
 
     <h3>QtWebEngine</h3>
 
@@ -172,6 +183,8 @@
     Samba-4.14.2 or 4.13.7 as soon as possible.
     <a href="consolidated.html#10.1-016">10.1-016</a></p>
 
+<!-- end of Samba -->
+
     <h3>WebKitGTK+</h3>
     <a id="10.1-015">
     <h4>10.1 015 WebKitGTK+   Date: 2021-03-28  Severity: Critical</h4>
@@ -182,6 +195,8 @@
     as possible.
     <a href="consolidated.html#10.1-015">10.1-015</a></p>
 
+<!-- end of WebKitGTK+ -->
+
     <h3>Wireshark</h3>
 
     <a id="10.1-006">
@@ -191,6 +206,6 @@
     This vulnerability existed for 17 years. Update to Wireshark-3.4.4.
     <a href="consolidated.html#10.1-005">10.1-006</a></p>
 
-    <!-- end of Wireshark -->
+<!-- end of Wireshark -->
 
 <!--#include virtual="/common/footer.html" -->
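Review bot: the Wireshark context line just above the reindented end comment links to consolidated.html#10.1-005 while its link text and the <a id="10.1-006"> above it both say 10.1-006. This commit did not introduce the mismatch, but since it is a formatting pass over these entries, correct the href to #10.1-006 in the same change so the summary does not send readers to a different advisory.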

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Mon Mar 29 10:04:38 
2021        (r1758)
+++ html/trunk/blfs/advisories/consolidated.html        Mon Mar 29 21:47:43 
2021        (r1759)
@@ -80,6 +80,23 @@
     <p>There are currently no known security vulnerabilities for the latest
     releases of the books.</p>
     -->
+    <a id="10.1-017">
+    <h4>10.1 017 glib2   Date: 2021-03-29  Severity: Medium</h4>
+    <p>In glib-2.66.8, a medium-severity security vulnerability was fixed
+    that allowed a malicious archive to create files elsewhere in the 
filesystem
+    via a symlink attack. The malicious archive may also be able to overwrite
+    existing files when extracted with file-roller.
+    This vulnerability has been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-28153";>CVE-2021-28153</a>,
+    and additional information can be found at
+    <a href="https://gitlab.gnome.org/GNOME/glib/-/issues/2325";>file-roller 
symlink attack (#2325)</a>.</p>
+    <p>To fix this vulnerability, update to glib-2.66.8 or later using the
+    instructions for
+    <a href="../view/svn/general/glib2.html">glib (sysv)</a> or 
+    <a href="../view/systemd/general/glib2.html">glib (systemd)</a>.</p>
+    <!-- When glib-2.68.0 goes in, we should probably adjust that to pull
+         from 10.1. -->
+
     <a id="10.1-016">
     <h4>10.1 016 Samba   Date: 2021-03-28  Severity: High</h4>
     <p>In Samba-4.14.2, two security vulnerabilities were fixed that could
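Review bot: <a id="10.1-017"> is opened and never closed before the <h4>, so the anchor ends up wrapping the heading and a paragraph that itself contains <a href> links, and nested anchors are not valid HTML. The 10.1-016 entry below follows the same pattern, but for new entries prefer <a id="10.1-017"></a> or put the id on the <h4> directly. The trailing comment about glib-2.68.0 does not say what "that" is; state explicitly which links (presumably the ../view/svn and ../view/systemd ones) need to change, so the follow-up is not missed.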

Modified: html/trunk/blfs/errata/10.1-systemd/index.html
==============================================================================
--- html/trunk/blfs/errata/10.1-systemd/index.html      Mon Mar 29 10:04:38 
2021        (r1758)
+++ html/trunk/blfs/errata/10.1-systemd/index.html      Mon Mar 29 21:47:43 
2021        (r1759)
@@ -19,6 +19,10 @@
            This problem is due to the seccomp syscall filtering functionality
            added to OpenSSH-8.4p1. To fix this, run the command in this
            <a 
href="http://lists.linuxfromscratch.org/pipermail/lfs-support/2021-March/054201.html";>Mailing
 List Post</a>.</li>
+       <li>The version of libgweather shipped with BLFS 10.1 violates the 
+           Norweigan Meteorology Society's API terms of service. Update to
+           libgweather-3.38.2 using the existing instructions in BLFS 10.1 to 
+           fix this problem.</li>
      </ul>
 
      <h2>Known Security Vulnerabilities</h2>
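Review bot: "Norweigan" in the added list item is misspelled; it should read "Norwegian". Two of the added lines ("violates the " and "BLFS 10.1 to ") also end in trailing whitespace, which the copy in errata/10.1/index.html does not have; strip it so the two files stay identical.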

Modified: html/trunk/blfs/errata/10.1/index.html
==============================================================================
--- html/trunk/blfs/errata/10.1/index.html      Mon Mar 29 10:04:38 2021        
(r1758)
+++ html/trunk/blfs/errata/10.1/index.html      Mon Mar 29 21:47:43 2021        
(r1759)
@@ -19,6 +19,10 @@
            This problem is due to the seccomp syscall filtering functionality
            added to OpenSSH-8.4p1. To fix this, run the command in this
            <a 
href="http://lists.linuxfromscratch.org/pipermail/lfs-support/2021-March/054201.html";>Mailing
 List Post</a>.</li>
+       <li>The version of libgweather shipped with BLFS 10.1 violates the
+           Norweigan Meteorology Society's API terms of service. Update to
+           libgweather-3.38.2 using the existing instructions in BLFS 10.1 to
+           fix this problem.</li>
      </ul>
 
      <h2>Known Security Vulnerabilities</h2>
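Review bot: the added item carries the same "Norweigan" misspelling as the systemd copy and should read "Norwegian". Unlike the OpenSSH item directly above, which links to the mailing list post, this item gives the reader no link to the libgweather page or to any notice describing the terms-of-service problem; adding one would let readers confirm why 3.38.2 is required.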