From 42159c2334b0fdf145e825cadbf0125c9ec6572e Mon Sep 17 00:00:00 2001
From: Eric Kidd <git@randomhacks.net>
Date: Thu, 7 Jan 2021 07:39:41 -0500
Subject: [PATCH] Fix mdbook script injection (CVE-2020-26297)

This patch fixes a script injection bug in mdbook that affects people
who publish documentation rendered using mdbook.
---
 CHANGELOG.md | 6 ++++++
 Dockerfile   | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e53319..ca29220 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 For maximum stablity, use images with tags like `ekidd/rust-musl-builder:1.46.0` or `ekidd/rust-musl-builder:nightly-2020-08-26`. These may occasionally be rebuilt, but only while they're "current", or possibly if they're recent and serious security are discovered in a library.
 
+## 2021-01-07
+
+### Fixed
+
+- SECURITY: Update `mdbook` to 0.4.5 to fix [CVE-2020-26297](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26297), as [described on the Rust blog](https://blog.rust-lang.org/2021/01/04/mdbook-security-advisory.html). Thank you to Kyle McCarthy. This potentially affects people who use the bundled `mdbook` to build and publish their documentation.
+
 ## 2021-01-04
 
 This release contains a number of major changes, including dropping our ancient and incomplete ARM support and supporting building as `root` as a first step towards better supporting GitHub Actions.
diff --git a/Dockerfile b/Dockerfile
index cd9e3be..f70277f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,7 +22,7 @@ ARG OPENSSL_VERSION=1.1.1i
 #
 # We're stuck on PostgreSQL 11 until we figure out
 # https://github.com/emk/rust-musl-builder/issues.
-ARG MDBOOK_VERSION=0.4.4
+ARG MDBOOK_VERSION=0.4.5
 ARG CARGO_ABOUT_VERSION=0.2.3
 ARG CARGO_DENY_VERSION=0.8.5
 ARG ZLIB_VERSION=1.2.11