Author: renodr
Date: Wed Apr 14 15:04:08 2021
New Revision: 1792

Log:
Security Advisories: Modify SA-10.1-027 to read Medium instead of Moderate, 
matching other advisories
Security Advisories: Add 10.1-028 for Avahi
Security Advisories: Add 10.1-029 for NetworkManager
Security Advisories: Add 10.1-030 for cifs-utils
Security Advisories: Add 10.1-031 for librsvg

Modified:
   html/trunk/blfs/advisories/10.1.html
   html/trunk/blfs/advisories/consolidated.html

Modified: html/trunk/blfs/advisories/10.1.html
==============================================================================
--- html/trunk/blfs/advisories/10.1.html        Wed Apr 14 14:29:29 2021        
(r1791)
+++ html/trunk/blfs/advisories/10.1.html        Wed Apr 14 15:04:08 2021        
(r1792)
@@ -49,6 +49,28 @@
 -->
 <!-- end of PackageName -->
 
+    <h3>Avahi</h3>
+    <a id="sa-10.1-028"/>
+    <h4>10.1 028 Avahi Date: 2021-04-14  Severity: Medium</h4>
+    <p>A security vulnerability was discovered in Avahi that could allow a
+    local attacker to trigger an infinite loop by writing long lines to
+    /run/avahi-daemon/socket. To fix this, apply a sed in the Avahi page.
+    For more details, see the advisory linked here:
+    <a href="conslidated.html#sa-10.1-028">10.1-028</a></p>
+
+<!-- end of Avahi -->
+
+    <h3>cifs-utils</h3>
+    <a id="sa-10.1-030"/>
+    <h4>10.1 030 cifs-utils Date: 2021-04-13 Severity: Medium</h4>
+    <p>In cifs-utils-6.13, a security vulnerability was fixed that could lead
+    to privilege escalation or authentication credential leaks when running
+    the "cifs.upcall" command when Kerberos support is enabled. Update to
+    cifs-utils-6.13 or later.
+    <a href="consolidated.html#sa-10.1-030">10.1-030</a></p>
+
+<!-- end of cifs-utils -->
+
     <h3>cURL</h3>
     <a id="sa-10.1-020"/>
     <h4>10.1 020 cURL  Date: 2021-03-31  Severity: Medium</h4>
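Review bot: the Avahi entry's link target is misspelled: `<a href="conslidated.html#sa-10.1-028">` should be `consolidated.html`, otherwise the "10.1-028" link 404s while the cifs-utils entry just below correctly uses `consolidated.html`. The cifs-utils header in this hunk also says `Date: 2021-04-13`, but the same advisory in consolidated.html carries `Date: 2021-04-14`; pick one date so the two pages agree.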
@@ -118,6 +140,16 @@
 
 <!-- end of JS78 -->
 
+    <h3>librsvg</h3>
+    <h4>10.1 031 librsvg Date: 2021-04-14  Severity: Medium</h4>
+    <p>In librsvg-2.50.4, a security vulnerability in a bundled rust crate
+    was fixed that could lead to variables lasting for longer than originally
+    expected, leading to memory corruption scenarios. Update to librsvg-2.50.4
+    or later.
+    <a href="conslidated.html#sa-10.1-031">10.1-031</a>.</p>
+
+<!-- end of librsvg -->
+
     <h3>Libssh2</h3>
     <h4>10.1 023 Libssh2 Date: 2021-04-02  Severity: High</h4>
     <p>In Libssh2-1.9.0 and earlier, a crafted SSH server may be able to 
disclose
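Review bot: same typo as the Avahi entry: `<a href="conslidated.html#sa-10.1-031">` needs to read `consolidated.html`. The librsvg entry also omits the `<a id="sa-10.1-031"/>` anchor that the Avahi and cifs-utils entries in this commit include, so deep links to the 10.1 page for this advisory will not resolve; add the anchor line before the `<h4>`.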
@@ -157,6 +189,16 @@
 
 <!-- end of Nettle -->
 
+    <h3>NetworkManager</h3>
+    <h4>10.1 029 NetworkManager Date: 2021-04-14 Severity: Low</h4>
+    <p>In NetworkManager-1.30.2, a security vulnerability was discovered that
+    could result in an attacker crashing NetworkManager by setting a 
+    'match.path' value in a Network file. To fix this, apply the sed in BLFS
+    linked in the advisory.
+    <a href="consolidated.html#sa-10.1-029">10.1-029</a></p>
+
+<!-- end of NetworkManager -->
+
     <h3>Node.js</h3>
     <h4>10.1 025 node.js Date: 2021-04-09 Severity: High</h4>
     <p>Node.JS-14.16.1 fixed three security vulnerabilities.  Two are in 
OpenSSL
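Review bot: the NetworkManager entry has no `<a id="sa-10.1-029"/>` anchor, unlike the Avahi and cifs-utils entries added in the same commit; add it before the `<h4>` so the advisory id is linkable from the 10.1 page. A wording nit: "apply the sed in BLFS linked in the advisory" would read more clearly as "apply the sed given in the NetworkManager page", matching the phrasing used for Avahi.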
@@ -252,7 +294,7 @@
     in browser or browser-like contexts.</p>
 
     <a id="sa-10.1-027"/>
-    <h4>10.1 027 Thunderbird  Date: 2021-04-11  Severity: Moderate</h4>
+    <h4>10.1 027 Thunderbird  Date: 2021-04-11  Severity: Medium</h4>
     <p>In Thunderbird before 78.9.1 there were three vulnerabilities rated as
     Moderate. To fix these update to 78.9.1 or later.
     <a href="consolidated.html#sa-10.1-027">10.1-027</a></p>
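Review bot: with the header now saying `Severity: Medium`, the body sentence "three vulnerabilities rated as Moderate" looks like a leftover. If "Moderate" is meant to be Mozilla's own rating, say so ("rated Moderate by Mozilla") so readers do not take it as a contradiction of the BLFS severity.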

Modified: html/trunk/blfs/advisories/consolidated.html
==============================================================================
--- html/trunk/blfs/advisories/consolidated.html        Wed Apr 14 14:29:29 
2021        (r1791)
+++ html/trunk/blfs/advisories/consolidated.html        Wed Apr 14 15:04:08 
2021        (r1792)
@@ -80,8 +80,62 @@
     <p>There are currently no known security vulnerabilities for the latest
     releases of the books.</p>
     -->
+    <a id="sa-10.1-031"/>
+    <h4>10.1 031 librsvg    Date: 2021-04-14 Severity: Medium</h4>
+    <p>A security vulnerability was fixed in librsvg-2.50.4 that applied to one
+    of the rust crates involved with building the librsvg library. This
+    vulnerability existed within the generic-array crate, and allowed for
+    variables to stick around for longer than their expected lifetime. This 
+    could lead to memory corruption scenarios. 
+    This vulnerability has been assigned
+    <a 
href="https://rustsec.org/advisories/RUSTSEC-2020-0146.html";>RUSTSEC-2020-0146</a>.</p>
+    <p>To fix this, update to librsvg-2.50.4 or later using the instructions in
+    <a href="../view/svn/general/librsvg.html">librsvg (sysv)</a>, or
+    <a href="../view/systemd/general/librsvg.html">librsvg (systemd)</a>.</p>
+
+    <a id="sa-10.1-030"/>
+    <h4>10.1 030 cifs-utils Date: 2021-04-14 Severity: Medium</h4>
+    <p>A security vulnerability was discovered in cifs-utils before 6.13.
+    When using kerberos authentication, it is possible for a leak of
+    authentication credentials when running the cifs.upcall command.
+    This same vulnerability can also permit privilege escalation
+    of a local user.
+    This vulnerability has been assigned
+    <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-20208";>CVE-2021-20208</a>.</p>
+    <p>To fix this, update to cifs-utils-6.13 or later using the instructions 
in
+    <a href="../view/svn/basicnet/cifsutils.html">cifs-utils (sysv)</a>, or
+    <a href="../view/systemd/basicnet/cifsutils.html">cifs-utils 
(systemd)</a>.</p>
+
+    <a id="sa-10.1-029"/>
+    <h4>10.1 029 NetworkManager Date: 2021-04-14 Severity: Low</h4>
+    <p>A security vulnerability was found in NetworkManager where a local or
+    remote attacker could set a "match.path" statement in a Network file, which
+    would cause NetworkManager to crash. The root cause of this vulnerability
+    is improper input validation.
+    This vulnerability has been assigned
+    <a 
href="https://access.redhat.com/security/cve/cve-2021-20297";>CVE-2021-20297</a>.</p>
+    <p>To fix this, apply a sed to NetworkManager using the instructions in
+    <a href="../view/svn/basicnet/networkmanager.html">NetworkManager 
(sysv)</a>, or
+    <a href="../view/systemd/basicnet/networkmanager.html">NetworkManager 
(systemd)</a>.</p>
+    <!-- Pulling the CVE from RedHat because it is "Reserved" at MITRE and
+         unavailable at NVD. -->
+
+    <a id="sa-10.1-028"/>
+    <h4>10.1 028 Avahi Date: 2021-04-14 Severity: Medium</h4>
+    <p>A security vulnerability was found in Avahi that could allow an infinite
+    loop to be triggered when an attacker writes a long line to
+    /run/avahi-daemon/socket. The event used to signal the termination of a
+    client connection was not correctly handled.
+    This vulnerability has been assigned
+    <a 
href="https://access.redhat.com/security/cve/cve-2021-3468";>CVE-2021-3468</a>.</p>
+    <p>To fix this, apply a sed to Avahi using the instructions in
+    <a href="../view/svn/basicnet/avahi.html">Avahi (sysv)</a>, or
+    <a href="../view/systemd/basicnet/avahi.html">Avahi (systemd)</a>.</p>
+    <!-- Pulling the CVE from RedHat because it is "Reserved" at MITRE and
+         unavailable at NVD. -->
+
     <a id="sa-10.1-027"/>
-    <h4>10.1 027 Thunderbird  Updated: 2021-04-11  Severity: Moderate</h4>
+    <h4>10.1 027 Thunderbird  Updated: 2021-04-11  Severity: Medium</h4>
     <p>Three security vulnerabilities were fixed in Thunderbird-78.9.1. All
     three of them affect systems that have OpenPGP keys configured for
     encrypted email. These vulnerabilities have been rated Moderate, and have
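Review bot: the external links in the four new entries show `href="...";>` (RUSTSEC-2020-0146, CVE-2021-20208, CVE-2021-20297, CVE-2021-3468); if that semicolon is in the committed file rather than an artifact of the mail archive, it ends up as a bogus attribute and should be dropped. The cifs-utils header here says `Date: 2021-04-14` while 10.1.html in this same commit says `2021-04-13`; align the two. Minor: "rust crates" / "kerberos" should be capitalised as "Rust" and "Kerberos", consistent with the other advisories.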