LFS Security Advisories for LFS 11.2 and the current development books.

LFS-11.2 was released on 2022-09-01

dbus

11.2 018 dbus (LFS and BLFS) Date: 2022-10-28 Severity: Medium

In dbus-1.14.4, three security vulnerabilities were fixed that could allow unprivileged attackers to cause denial-of-service conditions (crashes of the system dbus-daemon, as well as of any program that uses the libdbus library). Update to dbus-1.14.4 or later. 11.2-018

e2fsprogs

11.2 083 e2fsprogs (LFS) Date: 2023-02-07 Severity: High

In e2fsprogs-1.46.6, a security vulnerability was fixed that could allow for arbitrary code execution or segmentation faults when a specially crafted filesystem is checked or otherwise processed by the e2fsprogs tools. Update to e2fsprogs-1.46.6. 11.2-083

Expat

11.2 030 Expat Date: 2022-11-01 Severity: High

In expat-2.5.0, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service when a system is running low on memory while processing a DTD. Update to expat-2.5.0. 11.2-030

11.2 009 Expat Date: 2022-09-23 Severity: Critical

In expat-2.4.9, a critical security vulnerability was fixed in the doContent function that could allow for arbitrary code execution or denial of service. Update to expat-2.4.9 immediately. 11.2-009

Glibc

In LFS the only safe way to update Glibc is to build a new system.

11.2 075 Glibc (LFS) Date: 2023-02-07 Severity: High

In Glibc 2.36 there is a vulnerability in the syslog() function that may leak sensitive information into the system journal when a very long (more than 1024 bytes) message is passed.

Please read the linked advisory to assess the severity of this for your use case, and what action to take. 11.2-075

Inetutils

11.2 031 Inetutils (LFS) Date: 2022-11-01 Severity: High

In inetutils-2.4, two security vulnerabilities were fixed that could allow for denial of service or remote code execution. Note that additional bug fixes were included as well, which fix crashes in the 'ftp' and 'tftp' programs. Update to inetutils-2.4 if you use telnet, telnetd, ftp, or tftp. 11.2-031

Linux Kernel

11.2 081 Linux Kernel (LFS) Date: 2023-02-07 Severity: High

In Linux-6.1.9 (and Linux-5.15.91), three security vulnerabilities were fixed in the Netfilter subsystem, NTFS3 driver, and IPv6 subsystem that could allow for full system crashes, privilege escalation, remote code execution, and heap/stack address leakage. Update to Linux-6.1.9 or Linux-5.15.91 (LTS) if you use IPv6, NTFS3, or Netfilter. 11.2-081

11.2 070 Linux Kernel (LFS) Date: 2023-01-19 Severity: Critical

In Linux-6.1.6 (and Linux-5.15.89), several security vulnerabilities were fixed in a variety of subsystems, including drivers, core networking, multimedia, /proc filesystem, networking daemons, and the sysctl subsystem. Update to Linux-6.1.6 or Linux-5.15.89 (LTS) immediately. 11.2-070

11.2 049 Linux Kernel (LFS) Date: 2022-12-04 Severity: Medium

In Linux-6.0.11, a security vulnerability was fixed that affects the integrated graphics of 12th generation Intel processors. It allows an attacker to gain unauthorized access to physical memory through the GPU. Update to Linux-6.0.11 or Linux-5.15.81 (LTS). 11.2-049

11.2 047 Linux Kernel (LFS) Date: 2022-11-23 Severity: Medium

In Linux-6.0.8, three security vulnerabilities were fixed, including one that allows local unprivileged attackers to cause a kernel panic (and potentially arbitrary code execution if KASLR is disabled or bypassed) with a malicious USB device. Update to Linux-6.0.8 or Linux-5.15.78 (LTS). 11.2-047

11.2 029 Linux Kernel (LFS) Date: 2022-11-01 Severity: Medium

In Linux-6.0.6, a security vulnerability was fixed that allows local unprivileged attackers to cause a kernel panic when using an ext4 filesystem. Update to Linux-6.0.6 or Linux-5.15.76 (LTS). 11.2-029

11.2 016 Linux Kernel (LFS) Date: 2022-10-28 Severity: Critical

In Linux-6.0.2, several security vulnerabilities were fixed that could allow for denial of service, arbitrary code execution (especially when using WiFi networks), and the ability to read memory from anywhere on the system. Update to Linux-6.0.2 or Linux-5.15.75 (LTS) immediately. 11.2-016

OpenSSL

11.2 082 OpenSSL (LFS) Date: 2023-02-07 Severity: High

In OpenSSL-3.0.8, eight security vulnerabilities were fixed that could allow for leakage of sensitive information, denial of service, plaintext data recovery, and more. Update to OpenSSL-3.0.8 (or 1.1.1t on older systems, such as LFS 11.1) immediately on all systems which have OpenSSL installed. 11.2-082

11.2 032 OpenSSL (LFS) Date: 2022-11-01 Severity: High

In OpenSSL-3.0.7, three security vulnerabilities were fixed that could allow for remote code execution, denial of service, and the silent use of a NULL cipher (no encryption at all). Update to OpenSSL-3.0.7 immediately on any system which has OpenSSL-3 installed. 11.2-032

Python3

11.2 060 Python3 (LFS and BLFS) Date: 2022-12-26 Severity: High or Critical

In Python-3.11.1, five vulnerabilities were fixed, one of them rated High. Updating from one Python 3 series to the next requires rebuilding every installed module, so if you are staying on Python-3.10 update to Python-3.10.9 instead: it includes a fix rated Critical as well as a further fix rated High that was already in 3.11.0. Update to 3.11.1 or later, or to 3.10.9 or later, as appropriate. 11.2-060

11.2 021 Python3 (LFS and BLFS) Date: 2022-10-28 Severity: High

In Python-3.10.8, three security vulnerabilities were fixed that could allow for integer overflows, shell command injection, and unsafe text injection when some modules are used. Update to Python-3.10.8 or later. 11.2-021

11.2 005 Python3 (LFS and BLFS) Date: 2022-09-14 Severity: High

In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (application crash) due to algorithmic complexity. Update to Python-3.10.7 or later. 11.2-005

systemd

11.2 061 systemd (LFS and BLFS) Date: 2022-12-28 Severity: High

In systemd-241 and later, a security vulnerability was discovered that could allow for a local information leak and privilege escalation because systemd-coredump did not honour the fs.suid_dumpable kernel setting, so an unprivileged user could obtain the core dump of a set-uid program they ran. Rebuild systemd with the patch. 11.2-061

zlib

11.2 036 zlib (LFS) Date: 2022-11-09 Severity: Critical

In zlib-1.2.13, a security vulnerability was fixed that could allow for trivial arbitrary code execution due to a buffer-overflow when calling inflateGetHeader. Update to zlib-1.2.13 immediately and take note of the special instructions for stripping. 11.2-036
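The advisories above each name a fixed version, but several of them are branch-dependent: the kernel has a 5.15.x LTS line and a mainline line, OpenSSL has 1.1.1t beside 3.0.8, and Python has 3.10.9 beside 3.11.1, so a naive "is my version newer" comparison gets them wrong. The following script, added here as an example and not part of the LFS advisory page or of the LFS project's own tooling, transcribes the fixed versions from this page into a table and checks a set of --version banners against it, choosing the right branch for each package and reporting every advisory whose fix is still missing. Glibc and systemd are left out because the page gives no fixed version number for them (rebuild the system, or rebuild systemd with the patch). The INSTALLED dictionary is a constructed sample of banners, not data from a real host; collecting them (uname -r, openssl version, python3 --version, and so on) is left to the reader.

```python
"""Check --version banners against the fixed versions in the LFS 11.2 advisories.

Added example, not part of the LFS advisory page. ADVISORIES is transcribed
from the advisories above; INSTALLED is a constructed sample of banners.
"""
import re
from typing import Dict, List, Optional, Tuple

# package -> [(advisory id, [(branch prefix, fixed version or None), ...])]
# The most specific branch prefix that matches the installed version wins;
# "" is the default branch and None means "this branch is not affected".
Branches = List[Tuple[str, Optional[str]]]
ADVISORIES: Dict[str, List[Tuple[str, Branches]]] = {
    "dbus":      [("11.2-018", [("", "1.14.4")])],
    "e2fsprogs": [("11.2-083", [("", "1.46.6")])],
    "expat":     [("11.2-009", [("", "2.4.9")]),
                  ("11.2-030", [("", "2.5.0")])],
    "inetutils": [("11.2-031", [("", "2.4")])],
    # Kernel: 5.15.x is the LTS branch; anything else is measured against
    # the mainline fix, matching the advisories' "6.x or 5.15.y (LTS)".
    "linux":     [("11.2-016", [("5.15.", "5.15.75"), ("", "6.0.2")]),
                  ("11.2-029", [("5.15.", "5.15.76"), ("", "6.0.6")]),
                  ("11.2-047", [("5.15.", "5.15.78"), ("", "6.0.8")]),
                  ("11.2-049", [("5.15.", "5.15.81"), ("", "6.0.11")]),
                  ("11.2-070", [("5.15.", "5.15.89"), ("", "6.1.6")]),
                  ("11.2-081", [("5.15.", "5.15.91"), ("", "6.1.9")])],
    # 11.2-032 applied only to OpenSSL 3; 11.2-082 also names 1.1.1t.
    "openssl":   [("11.2-032", [("1.1.1", None), ("", "3.0.7")]),
                  ("11.2-082", [("1.1.1", "1.1.1t"), ("", "3.0.8")])],
    "python3":   [("11.2-005", [("", "3.10.7")]),
                  ("11.2-021", [("", "3.10.8")]),
                  ("11.2-060", [("3.10.", "3.10.9"), ("", "3.11.1")])],
    "zlib":      [("11.2-036", [("", "1.2.13")])],
}

# A dotted version with an optional OpenSSL-style patch letter ("1.1.1t"),
# not glued to a preceding digit and not followed by more identifier text.
_VERSION_RE = re.compile(r"(?<![\d.])\d+(?:\.\d+)+[a-z]?(?![\w.])")


def extract_version(banner: str) -> str:
    """Pull the version out of a --version banner:
    'e2fsck 1.46.5 (30-Dec-2021)' -> '1.46.5', '6.0.8-lfs' -> '6.0.8'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no version number found in {banner!r}")
    return m.group(0)


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable tuple; a trailing patch letter becomes a numeric
    component so that 1.1.1 < 1.1.1s < 1.1.1t < 1.1.2."""
    return tuple(int(tok) if tok.isdigit() else ord(tok) - ord("a") + 1
                 for tok in re.findall(r"\d+|[a-z]", version))


def unfixed_advisories(package: str, banner: str) -> List[Tuple[str, str]]:
    """[(advisory id, fixed version)] for every advisory of `package`
    whose fix the reported version does not yet contain."""
    vstr = extract_version(banner)
    have = version_key(vstr)
    missing = []
    for advisory, branches in ADVISORIES.get(package, []):
        _prefix, fixed = max((b for b in branches if vstr.startswith(b[0])),
                             key=lambda b: len(b[0]))
        if fixed is not None and have < version_key(fixed):
            missing.append((advisory, fixed))
    return missing


def check_host(installed: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each package with outstanding advisories to its missing fixes."""
    report = {}
    for package, banner in installed.items():
        missing = unfixed_advisories(package, banner)
        if missing:
            report[package] = missing
    return report


# Constructed sample of --version output, not taken from a real host.
INSTALLED = {
    "dbus":      "D-Bus Message Bus Daemon 1.14.4",
    "e2fsprogs": "e2fsck 1.46.5 (30-Dec-2021)",
    "expat":     "xmlwf using expat_2.4.9",
    "inetutils": "telnet (GNU inetutils) 2.3",
    "linux":     "6.0.8-lfs",
    "openssl":   "OpenSSL 3.0.7 1 Nov 2022",
    "python3":   "Python 3.10.8",
    "zlib":      "1.2.12",
}

if __name__ == "__main__":
    for package, missing in sorted(check_host(INSTALLED).items()):
        for advisory, fixed in missing:
            print(f"{package}: {extract_version(INSTALLED[package])} "
                  f"is below {fixed} ({advisory})")
```

Two caveats when using this against a real host. It compares version numbers only, so a build that carries a backported or local patch (the systemd case above) is reported as unfixed even though it is not; and a version that the page does not cover at all (for instance a kernel older than 5.15 or a Python older than 3.10) is measured against the default branch, which tells you that it is behind the advisories but not which specific fixes apply to that series.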