LFS Security Advisories for LFS 11.0 and the current development books.

LFS-11.0 was released on 2021-09-01

Expat

11.0 086 Expat Date: 2022-02-24 Severity: Critical

In expat-2.4.5, five security vulnerabilities have been fixed which can allow for trivial remote code execution and for denial of service. Update to expat-2.4.6 as soon as possible. See 11.0-086

11.0 068 Expat Date: 2022-02-13 Severity: Critical

Two signed integer overflow vulnerabilities, both of which are rated as Critical, have been fixed in expat-2.4.4. Update as soon as possible. See 11.0-068

11.0 064 Expat Date: 2022-02-01 Severity: Critical

Several vulnerabilities, three rated as Critical, have been fixed in expat-2.4.3. See 11.0-064

glibc

11.0 069 glibc Date: 2022-02-13 Severity: Critical

In glibc-2.35, four security vulnerabilities were fixed that could lead to remote code execution, denial of service, privilege escalation and information disclosure when running applications that use the SunRPC module or use getcwd() to get the current working directory. Updating glibc with the patch can be tricky, and making a full system backup is advised before attempting to update it. See 11.0-069 for more details.

Linux kernel

11.0 065 Linux Kernel (LFS) Date: 2022-02-01 Severity: High

Some privilege escalation vulnerabilities have been reported in the Linux kernel. These can be fixed by upgrading to linux-5.16.4 or later, or to equivalent long-term stable releases. 11.0-065

Python 3

11.0 007 Python (LFS and BLFS) Date: 2021-09-22 Severity: Moderate

In Python3 before 3.9.7, three security vulnerabilities exist that could allow for crashes, resource exhaustion, and SMTP command injection. Update to Python-3.9.7 or later. 11.0-007

systemd

11.0 054 systemd Date: 2022-01-13 Severity: High

In systemd-249 (and systemd-250), a security vulnerability was discovered that allows for symlink attacks and infinite recursion (leading to a crash of systemd-tmpfiles). The BLFS Editors have developed patches for 249 and 250. See the advisory for instructions on updating your system. 11.0-054

util-linux

11.0 082 util-linux Date: 2022-02-24 Severity: Moderate

In util-linux-2.37.4, a security vulnerability was fixed that could allow for local unprivileged users to gain access to privileged information or for privilege escalation. Update to util-linux-2.37.4. For additional information, please read the advisory. 11.0-082

11.0 062 util-linux Date: 2021-06-28 Severity: High

Two bugs in libmount since version 2.33 have been discovered. These require the use of fuse and can be used to unmount /tmp. To fix these, please read the advisory. 11.0-062

VIM

11.0 081 VIM (LFS and BLFS) Date: 2022-02-22 Severity: High

Another heap-based buffer overflow, causing a crash when repeatedly using :retab, was fixed in vim-8.2.4359. To fix this update to vim-8.2.4383 or later. 11.0-081

11.0 063 VIM (LFS and BLFS) Date: 2022-02-01 Severity: High

Many security vulnerabilities in vim have been fixed in versions up to vim-8.2.4236. Fifteen of these have been rated as High by the NVD. Unfortunately, the details are minimal. 11.0-063

11.0 015 VIM (LFS and BLFS) Date: 2021-10-18 Severity: High

In vim-8.2.3508, three security vulnerabilities were fixed that could allow for crashes or arbitrary code execution. Updating to VIM-8.2.3508 is suggested if you use UTF-8 encoded files or modify XML files. 11.0-015