LFS Security Advisories for LFS 11.2 and the current development books.
LFS-11.2 was released on 2022-09-01
dbus
11.2 018 dbus (LFS and BLFS) Date: 2022-10-28 Severity: Medium
In dbus-1.14.4, three security vulnerabilities were fixed that could allow for unprivileged attackers to cause denial-of-service conditions (system dbus-daemon crashes, as well as crashes of any programs which use the libdbus library). Update to dbus-1.14.4 or later. 11.2-018
e2fsprogs
11.2 083 e2fsprogs (LFS) Date: 2023-02-07 Severity: High
In e2fsprogs-1.46.6, a security vulnerability was fixed that could allow for arbitrary code execution or segmentation faults when mounting or checking a specially crafted filesystem. Update to e2fsprogs-1.46.6. 11.2-083
Expat
11.2 030 Expat Date: 2022-11-01 Severity: High
In expat-2.5.0, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service when a system is running low on memory while processing a DTD. Update to expat-2.5.0. 11.2-030
11.2 009 Expat Date: 2022-09-23 Severity: Critical
In expat-2.4.9, a critical security vulnerability was fixed in the doContent function that could allow for arbitrary code execution or denial of service. Update to expat-2.4.9 immediately. 11.2-009
Glibc
In LFS the only safe way to update Glibc is to build a new system.
11.2 075 Glibc (LFS) Date: 2021-02-07 Severity: High
In Glibc 2.36 there is a vulnerability in the syslog function which may leak sensitive information into the system journal if a very long (> 1024 bytes) message is passed.
Please read the link to assess the severity of this for your use case, and what action to take. 11.2-075
Inetutils
11.2 031 Inetutils (LFS) Date: 2022-11-01 Severity: High
In inetutils-2.4, two security vulnerabilities were fixed that could allow for denial of service or remote code execution. Note that additional bugfixes were implemented as well which fix crashes with the 'ftp' and 'tftp' programs. Update to inetutils-2.4 if you use telnet, telnetd, ftp, or tftp. 11.2-031
Linux Kernel
11.2 081 Linux Kernel (LFS) Date: 2023-02-07 Severity: High
In Linux-6.1.9 (and Linux-5.15.91), three security vulnerabilities were fixed in the Netfilter subsystem, NTFS3 driver, and IPv6 subsystem that could allow for full system crashes, privilege escalation, remote code execution, and heap/stack address leakage. Update to Linux-6.1.9 or Linux-5.15.91 (LTS) if you use IPv6, NTFS3, or Netfilter. 11.2-081
11.2 070 Linux Kernel (LFS) Date: 2023-01-19 Severity: Critical
In Linux-6.1.6 (and Linux-5.15.89), several security vulnerabilities were fixed in a variety of subsystems, including drivers, core networking, multimedia, /proc filesystem, networking daemons, and the sysctl subsystem. Update to Linux-6.1.6 or Linux-5.15.89 (LTS) immediately. 11.2-070
11.2 049 Linux Kernel (LFS) Date: 2022-12-04 Severity: Medium
In Linux-6.0.11, a security vulnerability was fixed which affects the integrated graphics of 12th generation Intel processors. It allows an attacker to gain unauthorized access to physical memory through the GPU. Update to Linux-6.0.11 or Linux-5.15.81 (LTS). 11.2-049
11.2 047 Linux Kernel (LFS) Date: 2022-11-23 Severity: Medium
In Linux-6.0.8, three security vulnerabilities were fixed, including one that allows local unprivileged attackers to cause a kernel panic (and potentially arbitrary code execution if KASLR is disabled or bypassed) with a malicious USB device. Update to Linux-6.0.8 or Linux-5.15.78 (LTS). 11.2-047
11.2 029 Linux Kernel (LFS) Date: 2022-11-01 Severity: Medium
In Linux-6.0.6, a security vulnerability was fixed that allows local unprivileged attackers to cause a kernel panic when using an ext4 filesystem. Update to Linux-6.0.6 or Linux-5.15.76 (LTS). 11.2-020
11.2 016 Linux Kernel (LFS) Date: 2022-10-28 Severity: Critical
In Linux-6.0.2, several security vulnerabilities were fixed that could allow for denial of service, arbitrary code execution (especially when using WiFi networks), and the ability to read memory from anywhere on the system. Update to Linux-6.0.2 or Linux-5.15.75 (LTS) immediately. 11.2-016
OpenSSL
11.2 082 OpenSSL (LFS) Date: 2023-02-07 Severity: High
In OpenSSL-3.0.8, eight security vulnerabilities were fixed that could allow for leakage of sensitive information, denial of service, plaintext data recovery, and more. Update to OpenSSL-3.0.8 (or 1.1.1t on older systems, such as LFS 11.1) immediately on all systems which have OpenSSL installed. 11.2-082
11.2 032 OpenSSL (LFS) Date: 2022-11-01 Severity: High
In OpenSSL-3.0.7, three security vulnerabilities were fixed which could allow for remote code execution, denial of service, and for NULL encryption. Update to OpenSSL-3.0.7 immediately on ANY system which has OpenSSL-3 installed. 11.2-032
Python3
11.2 060 Python3 (LFS and BLFS) Date: 2022-12-26 Severity: High or Critical
In Python-3.11.1, five vulnerabilities were fixed, one of which is rated High. Because updating from an old Python3 series to a new one requires rebuilding all the modules, if you are remaining on Python-3.10 you should update to Python-3.10.9, which includes a Critical fix as well as an additional fix rated High that was already fixed in 3.11.0. Update to 3.11.1 or later, or 3.10.9 or later, as appropriate. 11.2-060
11.2 021 Python3 (LFS and BLFS) Date: 2022-10-28 Severity: High
In Python-3.10.8, three security vulnerabilities were fixed that could allow for integer overflows, shell code injection, and unsafe text injection when some modules are used. Update to Python-3.10.8 or later. 11.2-021
11.2 005 Python3 (LFS and BLFS) Date: 2022-09-14 Severity: High
In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (application crash) due to algorithmic complexity. Update to Python-3.10.7 or later. 11.2-005
systemd
11.2 061 systemd (LFS and BLFS) Date: 2022-12-28 Severity: High
In systemd-241 and higher, a security vulnerability was discovered that could allow for a local information leak and privilege escalation due to systemd-coredump not respecting a kernel option. Rebuild systemd with the patch. 11.2-061
zlib
11.2 036 zlib (LFS) Date: 2022-11-09 Severity: Critical
In zlib-1.2.13, a security vulnerability was fixed that could allow for trivial arbitrary code execution due to a buffer-overflow when calling inflateGetHeader. Update to zlib-1.2.13 immediately and take note of the special instructions for stripping. 11.2-036