LFS Security Advisories for LFS 12.0 and the current development books.
LFS-12.0 was released on 2023-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
Glibc
In LFS the only safe way to update Glibc is to build a new system, but reinstalling the same Glibc version with patches provided in security advisories should be safe.
Updating Glibc on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.
12.0 085 Glibc Date: 2024-02-02 Severity: High
In Glibc 2.38, 2.37, and 2.36 (if SA 11.2-075 has been applied), there are three vulnerabilities in the syslog function, and one of them can allow a local privilege escalation.
Please read the link and fix the vulnerability immediately if you are running LFS 11.2, 11.3, or 12.0. 12.0-085
12.0 018 Glibc Date: 2023-10-03 Severity: High
In Glibc 2.34 through 2.38, there is a vulnerability in the dynamic linker which can lead to a trivially exploitable local privilege escalation.
Please read the link and fix the vulnerability immediately if you are running LFS 11.0, 11.1, 11.2, 11.3, or 12.0. 12.0-018
12.0 012 Glibc Date: 2023-09-24 Severity: Low
In Glibc ?? (at least 2.17) through 2.35, there is a vulnerability in getaddrinfo() which can lead to a denial of service with an unsupported configuration in /etc/nsswitch.conf.
Please read the link to assess the severity of this for your use case, and what action to take. 12.0-012
12.0 005 Glibc Date: 2023-09-13 Severity: Low
In Glibc ?? (at least 2.17) through 2.38, there is a vulnerability in getaddrinfo() which can lead to a denial of service with custom NSS modules in /etc/nsswitch.conf in extremely rare situations.
Please read the link to assess the severity of this for your use case, and what action to take. 12.0-005
12.0 004 Glibc Date: 2023-09-12 Severity: Medium
In Glibc-2.36, 2.37, and 2.38 there is a vulnerability in the DNS resolver which can lead to a denial of service or information disclosure when processing long DNS responses if no-aaaa is enabled.
Please read the link to assess the severity of this for your use case, and what action to take. 12.0-004
Coreutils
12.0 075 Coreutils (LFS) Date: 2024-01-21 Severity: Medium
In Coreutils-9.4, a security vulnerability was found in the split program: a heap overflow may potentially lead to an application crash and denial of service. 12.0-075
Expat
12.0 091 Expat (LFS) Date: 2024-02-13 Severity: High
In Expat-2.6.0, a security vulnerability was fixed that could allow for a denial of service because many full reparsings are required in the case of a large token which requires multiple buffer fills. 12.0-091
Jinja2
12.0 077 Jinja2 (LFS) Date: 2024-01-21 Severity: Medium
In Jinja2-3.1.3, a security vulnerability was fixed that could allow a cross-site scripting attack if Jinja2 is used in a Web service. 12.0-077
Ncurses
12.0 076 Ncurses (LFS) Date: 2024-01-21 Severity: Medium
In Ncurses-20230520, a security vulnerability was fixed that could allow local users to trigger security-relevant memory corruption via malformed data. 12.0-076
OpenSSL
12.0 083 OpenSSL (LFS) Date: 2024-02-01 Severity: Low
In OpenSSL-3.2.1, two security vulnerabilities were fixed that could allow for denial of service attacks. Update to OpenSSL-3.2.1 or later. 12.0-083
12.0 050 OpenSSL (LFS) Date: 2023-12-01 Severity: Low
In OpenSSL-3.2.0, a security vulnerability was fixed that could allow for performance to be very slow when generating excessively long X9.42 DH keys, as well as when checking excessively long X9.42 DH keys or parameters. Update to OpenSSL-3.2.0 or later. 12.0-050
12.0 035 OpenSSL Date: 2023-11-01 Severity: Medium
In openssl-3.1.4, a security vulnerability was fixed that could lead to potential truncation or overruns during the initialization of some symmetric ciphers. 12.0-035
Perl
12.0 049 Perl (LFS) Date: 2023-12-01 Severity: Medium
In Perl-5.38.2, a security vulnerability was fixed that could allow for writing past the end of a buffer when a user passes an illegal Unicode property in a regular expression. Update to Perl-5.38.2. 12.0-049
Procps
12.0 106 Procps (LFS) Date: 2024-02-27 Severity: Low
In Procps-ng-4.0.4, one security vulnerability was fixed that might allow for a denial of service (application crash) when running ps with a very long value for the -C option. Only 32-bit systems are affected. Update to Procps-ng-4.0.4 or later if running a service which may invoke ps -C with unsanitized input on a 32-bit system. 12.0-106
Python3
12.0 092 Python3 Date: 2024-02-13 Severity: High
In Python-3.12.2, a security vulnerability was fixed that could allow for silent execution of arbitrary code via hidden *.pth files. *.pth files are executed automatically, unlike normal Python files which need explicit importing or passing as an argument to the Python interpreter. The issue was fixed upstream by skipping *.pth files with names starting with a dot (or the hidden file attribute on other systems). Update to Python-3.12.2 (or Python-3.11.8 if you prefer to stay on that series). 12.0-092
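The advisory above explains that *.pth files in site-packages are processed automatically and that the upstream fix is to skip those whose name starts with a dot. The following is an added example, not code from LFS or from CPython, that applies the same rule as an audit check: it lists any dot-prefixed .pth files in the site directories of the running interpreter, so an administrator can find such files before upgrading, or confirm none are present afterwards. The function names (find_hidden_pth, scan_current_interpreter, make_sample_tree) and the sample tree it builds are constructed for this example.

```python
import site
import tempfile
from pathlib import Path


def find_hidden_pth(site_dirs):
    """Return the paths of .pth files whose file name starts with a dot.

    Mirrors the Python 3.12.2 rule: a .pth file is considered hidden when its
    name begins with '.', which is what an `ls` without -a would not show.
    Directories that do not exist are skipped rather than reported as errors.
    """
    hidden = []
    for site_dir in site_dirs:
        directory = Path(site_dir)
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            if entry.is_file() and entry.suffix == ".pth" and entry.name.startswith("."):
                hidden.append(str(entry))
    return hidden


def scan_current_interpreter():
    """Check the global and user site-packages of the running interpreter."""
    site_dirs = list(site.getsitepackages())
    user_dir = site.getusersitepackages()
    if user_dir:
        site_dirs.append(user_dir)
    return find_hidden_pth(site_dirs)


def make_sample_tree():
    """Build a constructed site-packages directory for demonstration.

    It contains one ordinary .pth file (expected), one dot-prefixed .pth file
    (should be flagged) and one dot-prefixed non-.pth file (ignored). The .pth
    contents are plain path lines; this example does not demonstrate the
    execution behaviour itself, only the detection of hidden files.
    """
    root = Path(tempfile.mkdtemp(prefix="pth-check-"))
    (root / "easy-install.pth").write_text("/opt/example/lib\n")   # normal
    (root / ".hidden.pth").write_text("/opt/example/other\n")     # flagged
    (root / ".notes.txt").write_text("not a .pth file\n")         # ignored
    return str(root)


if __name__ == "__main__":
    sample = make_sample_tree()
    print("sample tree:", sample)
    print("hidden .pth in sample:", find_hidden_pth([sample]))
    print("hidden .pth for this interpreter:", scan_current_interpreter())
```

An empty result from scan_current_interpreter() means no dot-prefixed .pth files are present in the interpreter's site directories; any path it does report is worth inspecting, since on a Python older than 3.12.2 (or 3.11.8) such a file is still processed at startup.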
12.0 001 Python3 Date: 2023-09-03 Severity: Medium
In Python-3.11.5, a security vulnerability was fixed that could allow the TLS handshake to be bypassed in SSL sockets. Update to Python-3.11.5. 12.0-001
systemd
12.0 068 systemd Date: 2023-12-30 Severity: Medium
A security vulnerability was found in systemd-resolved that could allow systemd-resolved to accept records of DNSSEC-signed domains, even when they have no signature. Note that you must have DNSSEC support enabled on your system to be vulnerable to this vulnerability, and that support is not enabled by default. If you do have DNSSEC support enabled, rebuild systemd with the new 'sed' using the instructions from BLFS. If you do not have DNSSEC support enabled, no action is necessary. 12.0-068