Context Navigation

Changeset 41f721e

Timestamp:

04/02/2021 05:54:32 PM (3 years ago)

Author:

Ken Moffat <ken@…>

Branches:

Children:

9d31900

Parents:

b5bd147

Message:

Security fixes for flac and libssh2.
Also note the unfixed vulnerability in xdg-utils mailto
(thanks to Arch for noticing this).

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24429 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

-              rb5bd147
+              r41f721e
     </itemizedlist>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          Required patch:
+          <ulink url="&patch-root;/libssh2-&libssh2-version;-security_fixes-1.patch"/>
+        </para>
+      </listitem>
+    </itemizedlist>
     <bridgehead renderas="sect3">libssh2 Dependencies</bridgehead>
 …
     </para>
+<screen><userinput>./configure --prefix=/usr --disable-static &amp;&amp;
+<screen><userinput>patch -Np1 -i ../libssh2-&libssh2-version;-security_fixes-1.patch &amp;&amp;
+./configure --prefix=/usr --disable-static            &amp;&amp;
 make</userinput></screen>

-              rb5bd147
+              r41f721e
       <itemizedlist>
         <listitem>
+          <para>[ken] - Add a warning in xdg-utils about an unfixed
+          security vulnerability.</para>
+        </listitem>
+        <listitem>
+          <para>[ken] - Patch libssh2-1.9.0 for a security vulnerability. Fixes
+          <ulink url="&blfs-ticket-root;14853">#14853</ulink>.</para>
+        </listitem>
+        <listitem>
+          <para>[ken] - Patch flac-1.3.3 for a security vulnerability. Fixes
+          <ulink url="&blfs-ticket-root;14852">#14852</ulink>.</para>
+        </listitem>
+        <listitem>
           <para>[timtas] - Update to xscreensaver-6.00. Fixes
           <ulink url="&blfs-ticket-root;14851">#14851</ulink>.</para>

-              rb5bd147
+              r41f721e
         <para>
           Estimated build time: &flac-time;
+        </para>
+      </listitem>
+    </itemizedlist>
+    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          Required patch:
+          <ulink url="&patch-root;/flac-&flac-version;-security_fixes-1.patch"/>
         </para>
       </listitem>
 …
     </para>
+<screen><userinput>./configure --prefix=/usr \
+            --disable-thorough-tests \
+            --docdir=/usr/share/doc/flac-&flac-version; &amp;&amp;
+<screen><userinput>patch -Np1 -i ../flac-&flac-version;-security_fixes-1.patch      &amp;&amp;
+./configure --prefix=/usr                                \
+            --disable-thorough-tests                     \
+            --docdir=/usr/share/doc/flac-&flac-version;          &amp;&amp;
 make</userinput></screen>

-              rb5bd147
+              r41f721e
       It is required for Linux Standards Base (LSB) conformance.
     </para>
+    <warning>
+      <para>
+        A security vulnerability exists in all versions of
+        <application>xdg-utils</application> from version 1.1.0rc1 when handling
+        mailto: URIs. An attacker could potentially send a victim a URI that
+        automatically attaches a sensitive file to a new email. If a victim user
+        does not notice that an attachment was added and sends the email, this
+        could result in sensitive information disclosure.
+      </para>
+      <para>
+        To mitigate this flaw, either do not use mailto links at all, or always
+        double-check in the user interface that there are no unwanted attachments
+        before sending emails, especially when the email originates from clicking
+        on a mailto link.
+      </para>
+    </warning>
     &lfs101_checked;

Note: See TracChangeset for help on using the changeset viewer.