Author: ken
Date: Fri Apr 2 10:54:32 2021
New Revision: 24429
Log: Security fixes for flac and libssh2. Also note the unfixed vulnerability in xdg-utils mailto (thanks to Arch for noticing this).
Modified: trunk/BOOK/general/genlib/libssh2.xml trunk/BOOK/introduction/welcome/changelog.xml trunk/BOOK/multimedia/libdriv/flac.xml trunk/BOOK/xsoft/other/xdg-utils.xml Modified: trunk/BOOK/general/genlib/libssh2.xml ============================================================================== --- trunk/BOOK/general/genlib/libssh2.xml Fri Apr 2 09:14:08 2021 (r24428) +++ trunk/BOOK/general/genlib/libssh2.xml Fri Apr 2 10:54:32 2021 (r24429) @@ -70,6 +70,15 @@ </listitem> </itemizedlist> + <itemizedlist spacing="compact"> + <listitem> + <para> + Required patch: + <ulink url="&patch-root;/libssh2-&libssh2-version;-security_fixes-1.patch"/> + </para> + </listitem> + </itemizedlist> + <bridgehead renderas="sect3">libssh2 Dependencies</bridgehead> <bridgehead renderas="sect4">Optional</bridgehead> @@ -92,7 +101,8 @@ commands: </para> -<screen><userinput>./configure --prefix=/usr --disable-static && +<screen><userinput>patch -Np1 -i ../libssh2-&libssh2-version;-security_fixes-1.patch && +./configure --prefix=/usr --disable-static && make</userinput></screen> <para> Modified: trunk/BOOK/introduction/welcome/changelog.xml ============================================================================== --- trunk/BOOK/introduction/welcome/changelog.xml Fri Apr 2 09:14:08 2021 (r24428) +++ trunk/BOOK/introduction/welcome/changelog.xml Fri Apr 2 10:54:32 2021 (r24429) 
@@ -45,6 +45,18 @@ <para>April 2nd, 2021</para> <itemizedlist> <listitem> + <para>[ken] - Add a warning in xdg-utils about an unfixed + security vulnerability.</para> + </listitem> + <listitem> + <para>[ken] - Patch libssh2-1.9.0 for a security vulnerability. Fixes + <ulink url="&blfs-ticket-root;14853">#14853</ulink>.</para> + </listitem> + <listitem> + <para>[ken] - Patch flac-1.3.3 for a security vulnerability. Fixes + <ulink url="&blfs-ticket-root;14852">#14852</ulink>.</para> + </listitem> + <listitem> <para>[timtas] - Update to xscreensaver-6.00. Fixes <ulink url="&blfs-ticket-root;14851">#14851</ulink>.</para> </listitem> Modified: trunk/BOOK/multimedia/libdriv/flac.xml ============================================================================== --- trunk/BOOK/multimedia/libdriv/flac.xml Fri Apr 2 09:14:08 2021 (r24428) +++ trunk/BOOK/multimedia/libdriv/flac.xml Fri Apr 2 10:54:32 2021 (r24429) @@ -71,6 +71,17 @@ </listitem> </itemizedlist> + <bridgehead renderas="sect3">Additional Downloads</bridgehead> + + <itemizedlist spacing="compact"> + <listitem> + <para> + Required patch: + <ulink url="&patch-root;/flac-&flac-version;-security_fixes-1.patch"/> + </para> + </listitem> + </itemizedlist> + <bridgehead renderas="sect3">FLAC Dependencies</bridgehead> <bridgehead renderas="sect4">Optional</bridgehead> 
@@ -96,9 +107,10 @@ following commands: </para> -<screen><userinput>./configure --prefix=/usr \ - --disable-thorough-tests \ - --docdir=/usr/share/doc/flac-&flac-version; && +<screen><userinput>patch -Np1 -i ../flac-&flac-version;-security_fixes-1.patch && +./configure --prefix=/usr \ + --disable-thorough-tests \ + --docdir=/usr/share/doc/flac-&flac-version; && make</userinput></screen> <para> Modified: trunk/BOOK/xsoft/other/xdg-utils.xml ============================================================================== --- trunk/BOOK/xsoft/other/xdg-utils.xml Fri Apr 2 09:14:08 2021 (r24428) +++ trunk/BOOK/xsoft/other/xdg-utils.xml Fri Apr 2 10:54:32 2021 (r24429) @@ -36,6 +36,24 @@ It is required for Linux Standards Base (LSB) conformance. </para> + <warning> + <para> + A security vulnerability exists in all versions of + <application>xdg-utils</application> from version 1.1.0rc1 when handling + mailto: URIs. An attacker could potentially send a victim a URI that + automatically attaches a sensitive file to a new email. If a victim user + does not notice that an attachment was added and sends the email, this + could result in sensitive information disclosure. + </para> + + <para> + To mitigate this flaw, either do not use mailto links at all, or always + double-check in the user interface that there are no unwanted attachments + before sending emails, especially when the email originates from clicking + on a mailto link. + </para> + </warning> + &lfs101_checked; <bridgehead renderas="sect3">Package Information</bridgehead> -- http://lists.linuxfromscratch.org/listinfo/blfs-book FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
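Review bot: the libssh2.xml hunk at `@@ -70,6 +70,15 @@` inserts the required-patch `<itemizedlist>` without a heading, whereas the matching flac.xml hunk adds `<bridgehead renderas="sect3">Additional Downloads</bridgehead>` ahead of its patch list. Unless libssh2.xml already has that bridgehead above the shown context, the rendered page will show the patch link dangling under the package download list with no label; add the same `Additional Downloads` bridgehead before the new list so the two pages are consistent.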
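Review bot: in the changelog.xml hunk at `@@ -45,6 +45,18 @@`, the libssh2 and flac entries each say "for a security vulnerability" (singular), while the patch files are named `security_fixes-1` and the commit log says "Security fixes". If either patch bundles more than one fix, the entry should say so, and naming the issues it addresses (or linking the upstream advisories) in the ticket or entry would let users judge whether an already-built system is exposed.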
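Review bot: the xdg-utils.xml hunk at `@@ -36,6 +36,24 @@` adds a `<warning>` with no reference a reader can follow to see when a fix lands: no upstream bug, advisory or BLFS ticket is linked, although the commit log credits Arch for the report. Add a `<ulink>` to the report the warning is based on, and state explicitly that no fixed release is available at the time of writing, so the warning can be retired once upstream ships a fix rather than lingering indefinitely. The mitigation paragraph is sound as written; the attachment check belongs with the user, since xdg-open cannot filter the URI for them.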