Fix mdbook script injection (CVE-2020-26297)

This patch fixes a script injection bug in mdbook that affects people
who publish documentation rendered using mdbook.
Eric Kidd 2021-01-07 07:39:41 -05:00
parent 0dab4b64c7
commit 42159c2334
2 changed files with 7 additions and 1 deletions

@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
For maximum stablity, use images with tags like `ekidd/rust-musl-builder:1.46.0` or `ekidd/rust-musl-builder:nightly-2020-08-26`. These may occasionally be rebuilt, but only while they're "current", or possibly if they're recent and serious security are discovered in a library.
## 2021-01-07
### Fixed
- SECURITY: Update `mdbook` to 0.4.5 to fix [CVE-2020-26297](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26297), as [described on the Rust blog](https://blog.rust-lang.org/2021/01/04/mdbook-security-advisory.html). Thank you to Kyle McCarthy. This potentially affects people who use the bundled `mdbook` to build and publish their documentation.
## 2021-01-04
This release contains a number of major changes, including dropping our ancient and incomplete ARM support and supporting building as `root` as a first step towards better supporting GitHub Actions.
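
Review bot: The `### Fixed` entry under `## 2021-01-07` says who is potentially affected but not what they need to do after pulling the updated image. Suggest adding a sentence telling users who published documentation built with the bundled `mdbook` to rebuild and republish it with the image that carries 0.4.5, since updating the image does not change output that is already deployed. Naming the previously bundled version (0.4.4) in the entry would also let readers tell whether their image predates the fix.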

@ -22,7 +22,7 @@ ARG OPENSSL_VERSION=1.1.1i
#
# We're stuck on PostgreSQL 11 until we figure out
# https://github.com/emk/rust-musl-builder/issues.
ARG MDBOOK_VERSION=0.4.4
ARG MDBOOK_VERSION=0.4.5
ARG CARGO_ABOUT_VERSION=0.2.3
ARG CARGO_DENY_VERSION=0.8.5
ARG ZLIB_VERSION=1.2.11
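
Review bot: `ARG MDBOOK_VERSION=0.4.5` has no comment marking it as a security floor, and the only comment above it is about PostgreSQL 11, so a later edit could lower the version without anyone noticing the regression. Suggest a one-line comment directly above the ARG, for example `# Keep at 0.4.5 or later: fixes CVE-2020-26297.`, so the reason for the pin stays next to the value.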