Changeset 41f721e


Ignore:
Timestamp:
04/02/2021 05:54:32 PM (4 years ago)
Author:
Ken Moffat <ken@…>
Branches:
11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 12.2, gimp3, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/for-12.3, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/spidermonkey128, xry111/test-20220226, xry111/xf86-video-removal
Children:
9d31900
Parents:
b5bd147
Message:

Security fixes for flac and libssh2.
Also note the unfixed vulnerability in xdg-utils mailto
(thanks to Arch for noticing this).

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24429 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:
4 edited

Legend:

Unmodified
Added
Removed
  • general/genlib/libssh2.xml

    rb5bd147 r41f721e  
    7171    </itemizedlist>
    7272
     73    <itemizedlist spacing="compact">
     74      <listitem>
     75        <para>
     76          Required patch:
     77          <ulink url="&patch-root;/libssh2-&libssh2-version;-security_fixes-1.patch"/>
     78        </para>
     79      </listitem>
     80    </itemizedlist>
     81
    7382    <bridgehead renderas="sect3">libssh2 Dependencies</bridgehead>
    7483
     
    93102    </para>
    94103
    95 <screen><userinput>./configure --prefix=/usr --disable-static &amp;&amp;
     104<screen><userinput>patch -Np1 -i ../libssh2-&libssh2-version;-security_fixes-1.patch &amp;&amp;
     105./configure --prefix=/usr --disable-static            &amp;&amp;
    96106make</userinput></screen>
    97107
  • introduction/welcome/changelog.xml

    rb5bd147 r41f721e  
    4646      <itemizedlist>
    4747        <listitem>
     48          <para>[ken] - Add a warning in xdg-utils about an unfixed
     49          security vulnerability.</para>
     50        </listitem>
     51        <listitem>
     52          <para>[ken] - Patch libssh2-1.9.0 for a security vulnerability. Fixes
     53          <ulink url="&blfs-ticket-root;14853">#14853</ulink>.</para>
     54        </listitem>
     55        <listitem>
     56          <para>[ken] - Patch flac-1.3.3 for a security vulnerability. Fixes
     57          <ulink url="&blfs-ticket-root;14852">#14852</ulink>.</para>
     58        </listitem>
     59        <listitem>
    4860          <para>[timtas] - Update to xscreensaver-6.00. Fixes
    4961          <ulink url="&blfs-ticket-root;14851">#14851</ulink>.</para>
  • multimedia/libdriv/flac.xml

    rb5bd147 r41f721e  
    6868        <para>
    6969          Estimated build time: &flac-time;
     70        </para>
     71      </listitem>
     72    </itemizedlist>
     73
     74    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
     75
     76    <itemizedlist spacing="compact">
     77      <listitem>
     78        <para>
     79          Required patch:
     80          <ulink url="&patch-root;/flac-&flac-version;-security_fixes-1.patch"/>
    7081        </para>
    7182      </listitem>
     
    97108    </para>
    98109
    99 <screen><userinput>./configure --prefix=/usr \
    100             --disable-thorough-tests \
    101             --docdir=/usr/share/doc/flac-&flac-version; &amp;&amp;
     110<screen><userinput>patch -Np1 -i ../flac-&flac-version;-security_fixes-1.patch      &amp;&amp;
     111./configure --prefix=/usr                                \
     112            --disable-thorough-tests                     \
     113            --docdir=/usr/share/doc/flac-&flac-version;          &amp;&amp;
    102114make</userinput></screen>
    103115
  • xsoft/other/xdg-utils.xml

    rb5bd147 r41f721e  
    3636      It is required for Linux Standards Base (LSB) conformance.
    3737    </para>
     38
     39    <warning>
     40      <para>
     41        A security vulnerability exists in all versions of
     42        <application>xdg-utils</application> from version 1.1.0rc1 when handling
     43        mailto: URIs. An attacker could potentially send a victim a URI that
     44        automatically attaches a sensitive file to a new email. If a victim user
     45        does not notice that an attachment was added and sends the email, this
     46        could result in sensitive information disclosure.
     47      </para>
     48
     49      <para>
     50        To mitigate this flaw, either do not use mailto links at all, or always
     51        double-check in the user interface that there are no unwanted attachments
     52        before sending emails, especially when the email originates from clicking
     53        on a mailto link.
     54      </para>
     55    </warning>
    3856
    3957    &lfs101_checked;
Note: See TracChangeset for help on using the changeset viewer.