LFS Security Advisories for LFS 10.0 and the current development books.
LFS-10.0 was released on 2020-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to fuller details which have links to the released books.
Bison
10.0 009 Bison (LFS) Date: 2020-09-15 Severity: Low
Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself; the generated code should not be affected. See 10.0-009
Glibc
In LFS the only safe way to update Glibc is to build a new system.
10.0 082 (LFS) GLIBC Date: 2021-02-07 Severity: High
In Glibc before 2.33 there are four vulnerabilities in iconv which can lead to a crash when processing less-common character encodings.
Please read the link to assess the severity of this for your use case, and what action to take. 10.0-082
Linux Kernel
10.0 010 Linux Kernel (LFS) Date: 2020-09-15 Severity: High
In Linux kernels before 5.8.8 there is a potential privilege escalation in 64-bit kernels. 10.0-010
OpenSSL (LFS)
10.0 095 OpenSSL (LFS) Date: 2021-02-19 Severity: High
Two vulnerabilities in OpenSSL could be exploited to cause a crash. To fix this, update to OpenSSL-1.1.1j or later. 10.0-095
10.0 053 OpenSSL (LFS) Date: 2020-12-15 Severity: High
A vulnerability in OpenSSL could be exploited to cause a crash. To fix this, update to OpenSSL-1.1.1i or later. 10.0-053
Python
10.0 097 Python (LFS and BLFS) Date: 2021-02-22 Severity: Critical
Python-3.9.2 contains fixes for a critical security vulnerability as well as a medium-level security vulnerability. The critical vulnerability can lead to remote code execution. Update to Python-3.9.2 or later using the BLFS instructions. 10.0-097
10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High
Python-3.9.1 includes three security fixes. Update to Python-3.9.1 or later using the BLFS instructions. 10.0-051
systemd
10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High
In systemd-220 and later, a security vulnerability exists that will allow a local attacker to crash your system by mounting a FUSE filesystem with a file path longer than 8MB present. The crash occurs when reading /proc/self/mountinfo, and manifests itself as a kernel panic due to PID1 (init) crashing. Because of the changes coming in LFS 11.0, updating to systemd-249 (with the patch) is not feasible. However, a patch has been created for LFS 10.0/systemd-246. See the advisory linked for more information. The patch replaces the current systemd-246-security_fix-1.patch. 10.1-081
10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Moderate
systemd-249 fixed a security vulnerability that could allow a remote attacker to reconfigure the network settings on your computer. Because of its severity and the ease of exploitation, a patch has been prepared for LFS 10.0/systemd-246. See the advisory linked for more information. 10.1-072