Author: ken
Date: Fri Apr  2 10:54:32 2021
New Revision: 24429

Log:
Security fixes for flac and libssh2.
Also note the unfixed vulnerability in xdg-utils mailto
(thanks to Arch for noticing this).

Modified:
   trunk/BOOK/general/genlib/libssh2.xml
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/multimedia/libdriv/flac.xml
   trunk/BOOK/xsoft/other/xdg-utils.xml

Modified: trunk/BOOK/general/genlib/libssh2.xml
==============================================================================
--- trunk/BOOK/general/genlib/libssh2.xml       Fri Apr  2 09:14:08 2021        
(r24428)
+++ trunk/BOOK/general/genlib/libssh2.xml       Fri Apr  2 10:54:32 2021        
(r24429)
@@ -70,6 +70,15 @@
       </listitem>
     </itemizedlist>
 
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          Required patch:
+          <ulink 
url="&patch-root;/libssh2-&libssh2-version;-security_fixes-1.patch"/>
+        </para>
+      </listitem>
+    </itemizedlist>
+
     <bridgehead renderas="sect3">libssh2 Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Optional</bridgehead>
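Review bot: the new "Required patch" itemizedlist is inserted right after the package-information list with no `Additional Downloads` bridgehead above it, so the patch link will render as an unheaded second bullet list under Package Information. The flac.xml change in this same commit puts `<bridgehead renderas="sect3">Additional Downloads</bridgehead>` before its patch list; libssh2.xml should do the same so the two pages stay consistent with the rest of the book.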
@@ -92,7 +101,8 @@
       commands:
     </para>
 
-<screen><userinput>./configure --prefix=/usr --disable-static &amp;&amp;
+<screen><userinput>patch -Np1 -i 
../libssh2-&libssh2-version;-security_fixes-1.patch &amp;&amp;
+./configure --prefix=/usr --disable-static            &amp;&amp;
 make</userinput></screen>
 
     <para>

Modified: trunk/BOOK/introduction/welcome/changelog.xml
==============================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml       Fri Apr  2 09:14:08 
2021        (r24428)
+++ trunk/BOOK/introduction/welcome/changelog.xml       Fri Apr  2 10:54:32 
2021        (r24429)
@@ -45,6 +45,18 @@
       <para>April 2nd, 2021</para>
       <itemizedlist>
         <listitem>
+          <para>[ken] - Add a warning in xdg-utils about an unfixed
+          security vulnerability.</para>
+        </listitem>
+        <listitem>
+          <para>[ken] - Patch libssh2-1.9.0 for a security vulnerability. Fixes
+          <ulink url="&blfs-ticket-root;14853">#14853</ulink>.</para>
+        </listitem>
+        <listitem>
+          <para>[ken] - Patch flac-1.3.3 for a security vulnerability. Fixes
+          <ulink url="&blfs-ticket-root;14852">#14852</ulink>.</para>
+        </listitem>
+        <listitem>
           <para>[timtas] - Update to xscreensaver-6.00. Fixes
           <ulink url="&blfs-ticket-root;14851">#14851</ulink>.</para>
         </listitem>
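Review bot: the two new "Patch ... for a security vulnerability" entries identify neither the vulnerability nor a CVE, so a changelog reader cannot tell what the libssh2 and flac security_fixes-1 patches address without opening the tickets; consider naming the issue (or linking the upstream advisory) in each entry. The xdg-utils entry is also the only one of the three without a ticket reference, which makes the unfixed issue harder to track to closure; opening a ticket and linking it here, as the other two entries do, would help.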

Modified: trunk/BOOK/multimedia/libdriv/flac.xml
==============================================================================
--- trunk/BOOK/multimedia/libdriv/flac.xml      Fri Apr  2 09:14:08 2021        
(r24428)
+++ trunk/BOOK/multimedia/libdriv/flac.xml      Fri Apr  2 10:54:32 2021        
(r24429)
@@ -71,6 +71,17 @@
       </listitem>
     </itemizedlist>
 
+    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
+
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          Required patch:
+          <ulink 
url="&patch-root;/flac-&flac-version;-security_fixes-1.patch"/>
+        </para>
+      </listitem>
+    </itemizedlist>
+
     <bridgehead renderas="sect3">FLAC Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Optional</bridgehead>
@@ -96,9 +107,10 @@
       following commands:
     </para>
 
-<screen><userinput>./configure --prefix=/usr \
-            --disable-thorough-tests \
-            --docdir=/usr/share/doc/flac-&flac-version; &amp;&amp;
+<screen><userinput>patch -Np1 -i ../flac-&flac-version;-security_fixes-1.patch 
     &amp;&amp;
+./configure --prefix=/usr                                \
+            --disable-thorough-tests                     \
+            --docdir=/usr/share/doc/flac-&flac-version;          &amp;&amp;
 make</userinput></screen>
 
     <para>

Modified: trunk/BOOK/xsoft/other/xdg-utils.xml
==============================================================================
--- trunk/BOOK/xsoft/other/xdg-utils.xml        Fri Apr  2 09:14:08 2021        
(r24428)
+++ trunk/BOOK/xsoft/other/xdg-utils.xml        Fri Apr  2 10:54:32 2021        
(r24429)
@@ -36,6 +36,24 @@
       It is required for Linux Standards Base (LSB) conformance.
     </para>
 
+    <warning>
+      <para>
+        A security vulnerability exists in all versions of
+        <application>xdg-utils</application> from version 1.1.0rc1 when 
handling
+        mailto: URIs. An attacker could potentially send a victim a URI that
+        automatically attaches a sensitive file to a new email. If a victim 
user
+        does not notice that an attachment was added and sends the email, this
+        could result in sensitive information disclosure.
+      </para>
+
+      <para>
+        To mitigate this flaw, either do not use mailto links at all, or always
+        double-check in the user interface that there are no unwanted 
attachments
+        before sending emails, especially when the email originates from 
clicking
+        on a mailto link.
+      </para>
+    </warning>
+
     &lfs101_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
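Review bot: the warning cites no CVE, upstream bug report or BLFS ticket for the mailto: flaw, so a reader has no way to check whether a later xdg-utils release fixes it or to judge the "all versions from 1.1.0rc1" claim; add a `<ulink>` to the upstream report or the tracking ticket inside the first paragraph. In the second paragraph the first mitigation ("do not use mailto links at all") is hard for a user to act on, since it is the desktop's URI handler rather than the user that dispatches the link; stating that the affected component is the handler xdg-utils installs for mailto: URIs, and that users may point the desktop's mailto: handler at their mail client directly, would give a concrete alternative alongside the advice to inspect attachments before sending.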
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
