important: unoconv/librepo security update
important
An update for unoconv/librepo is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
unoconv: unoconv converts between any document format that LibreOffice understands. It uses LibreOffice's UNO bindings for non-interactive conversion of documents. Supported document formats include Open Document Format (.odf), MS Word (.doc), MS Office Open/MS OOXML (.xml), Portable Document Format (.pdf), HTML, XHTML, RTF, Docbook (.xml), and more.
librepo: A library providing a C and Python (libcurl-like) API for downloading repository metadata.
Security Fix(es):
unoconv: The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion. (CVE-2019-17400)
unoconv: bugfix
librepo: A flaw was found in librepo. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories. (CVE-2020-14352)
librepo: bugfix
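The librepo fix above belongs to a common class: a destination path built from an attacker-supplied metadata href must be checked to still lie inside the download directory after normalisation. The following added example (not librepo's own code) shows such a containment check over constructed sample hrefs; the directory name and href values are assumptions.

```python
import posixpath

# Constructed sample: "location href" style values as a repository's
# metadata might carry them. The first two are legitimate relative paths;
# the rest try to escape the destination directory (hypothetical values).
SAMPLE_HREFS = [
    "repodata/primary.xml.gz",
    "repodata/./filelists.xml.gz",
    "../../../tmp/escaped-file",
    "/tmp/absolute-path",
    "repodata/../../outside",
    "../repo-other/sibling",  # defeats a naive string-prefix check
]


def resolve_metadata_path(dest_dir, href):
    """Return the path under dest_dir for a metadata href, or raise ValueError.

    The href is accepted only if, after lexical normalisation, it still lies
    inside dest_dir. Absolute and empty hrefs are rejected outright because
    posixpath.join would discard dest_dir for an absolute href.
    Note: this check is lexical; if dest_dir may already contain symlinks an
    attacker controls, resolve with os.path.realpath before comparing.
    """
    if not href or href.startswith("/"):
        raise ValueError(f"rejecting absolute or empty href: {href!r}")
    base = posixpath.normpath(dest_dir)
    candidate = posixpath.normpath(posixpath.join(base, href))
    # commonpath compares whole path components, so /var/cache/repo-other
    # is not mistaken for a child of /var/cache/repo.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal detected: {href!r} -> {candidate}")
    return candidate


def classify(dest_dir, hrefs):
    """Split hrefs into accepted destination paths and rejected raw hrefs."""
    accepted, rejected = [], []
    for href in hrefs:
        try:
            accepted.append(resolve_metadata_path(dest_dir, href))
        except ValueError:
            rejected.append(href)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = classify("/var/cache/repo", SAMPLE_HREFS)
    print("accepted:", ok)
    print("rejected:", bad)
```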
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F11B5.