Fix mdbook script injection (CVE-2020-26297)
This patch fixes a script injection bug in mdbook that affects people who publish documentation rendered using mdbook.
parent 0dab4b64c7
commit 42159c2334
@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
For maximum stablity, use images with tags like `ekidd/rust-musl-builder:1.46.0` or `ekidd/rust-musl-builder:nightly-2020-08-26`. These may occasionally be rebuilt, but only while they're "current", or possibly if they're recent and serious security are discovered in a library.
## 2021-01-07
### Fixed
- SECURITY: Update `mdbook` to 0.4.5 to fix [CVE-2020-26297](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26297), as [described on the Rust blog](https://blog.rust-lang.org/2021/01/04/mdbook-security-advisory.html). Thank you to Kyle McCarthy. This potentially affects people who use the bundled `mdbook` to build and publish their documentation.
## 2021-01-04
This release contains a number of major changes, including dropping our ancient and incomplete ARM support and supporting building as `root` as a first step towards better supporting GitHub Actions.
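Review bot: The new `### Fixed` entry under `## 2021-01-07` says who is affected but not which image tags carry the fix or what those users should do. The paragraph just above recommends pinned tags such as `ekidd/rust-musl-builder:1.46.0` and says they are rebuilt only while they're "current", so a reader on an older pinned tag cannot tell from this entry whether their image now ships `mdbook` 0.4.5. Suggest adding a sentence that names the rebuilt tags and tells users to pull the updated image and rebuild and republish their books with it.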
@ -22,7 +22,7 @@ ARG OPENSSL_VERSION=1.1.1i
#
# We're stuck on PostgreSQL 11 until we figure out
# https://github.com/emk/rust-musl-builder/issues.
ARG MDBOOK_VERSION=0.4.4
ARG MDBOOK_VERSION=0.4.5
ARG CARGO_ABOUT_VERSION=0.2.3
ARG CARGO_DENY_VERSION=0.8.5
ARG ZLIB_VERSION=1.2.11
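Review bot: `ARG MDBOOK_VERSION=0.4.5` has no comment marking 0.4.5 as a security floor, while the PostgreSQL note a few lines above it does explain why that version is held. Because this is a build `ARG`, a `--build-arg MDBOOK_VERSION=0.4.4` override or a later revert of this line would bring back CVE-2020-26297 without any hint in the file. Suggest a one-line comment above the `ARG` stating that versions below 0.4.5 are affected by CVE-2020-26297.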