From 42159c2334b0fdf145e825cadbf0125c9ec6572e Mon Sep 17 00:00:00 2001 From: Eric Kidd Date: Thu, 7 Jan 2021 07:39:41 -0500 Subject: [PATCH] Fix mdbook script injection (CVE-2020-26297) This patch fixes a script injection bug in mdbook that affects people who publish documentation rendered using mdbook. --- CHANGELOG.md | 6 ++++++ Dockerfile | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e53319..ca29220 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). For maximum stablity, use images with tags like `ekidd/rust-musl-builder:1.46.0` or `ekidd/rust-musl-builder:nightly-2020-08-26`. These may occasionally be rebuilt, but only while they're "current", or possibly if they're recent and serious security are discovered in a library. +## 2021-01-07 + +### Fixed + +- SECURITY: Update `mdbook` to 0.4.5 to fix [CVE-2020-26297](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26297), as [described on the Rust blog](https://blog.rust-lang.org/2021/01/04/mdbook-security-advisory.html). Thank you to Kyle McCarthy. This potentially affects people who use the bundled `mdbook` to build and publish their documentation. + ## 2021-01-04 This release contains a number of major changes, including dropping our ancient and incomplete ARM support and supporting building as `root` as a first step towards better supporting GitHub Actions. diff --git a/Dockerfile b/Dockerfile index cd9e3be..f70277f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,7 +22,7 @@ ARG OPENSSL_VERSION=1.1.1i # # We're stuck on PostgreSQL 11 until we figure out # https://github.com/emk/rust-musl-builder/issues. -ARG MDBOOK_VERSION=0.4.4 +ARG MDBOOK_VERSION=0.4.5 ARG CARGO_ABOUT_VERSION=0.2.3 ARG CARGO_DENY_VERSION=0.8.5 ARG ZLIB_VERSION=1.2.11
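Review bot: the new CHANGELOG entry under `## 2021-01-07` describes who is affected but not what they must do; since the commit message says the bug is script injection in documentation rendered by mdbook, consider adding one sentence telling users to rebuild and republish any books previously rendered with the bundled `mdbook` 0.4.4 image, since simply pulling the new image does not change HTML that has already been published. The surrounding context lines also carry two pre-existing typos ("stablity", "serious security are discovered") that could be picked up in a follow-up edit.

Review bot: in the Dockerfile hunk, the comment directly above the changed line (`# We're stuck on PostgreSQL 11 until we figure out` / `# https://github.com/emk/rust-musl-builder/issues.`) refers to PostgreSQL rather than to `ARG MDBOOK_VERSION=0.4.5`, so a reader of this diff will see a PostgreSQL note attached to the mdbook version bump; consider moving that comment next to the PostgreSQL ARG it describes and completing its truncated issue URL in a follow-up. The bump itself (`-ARG MDBOOK_VERSION=0.4.4` / `+ARG MDBOOK_VERSION=0.4.5`) matches the version named in the CHANGELOG entry.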