LFS Security Advisories for LFS 12.0 and the current development books.

LFS-12.0 was released on 2023-09-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.

The links at the end of each item point to fuller details which have links to the released books.

Glibc

In LFS the only safe way to update Glibc is to build a new system, but reinstall the same Glibc version with patches provided in security advisories should be safe.

Updating Glibc on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.

12.0 085 Glibc Date: 2024-02-02 Severity: High

In Glibc 2.38, 2.37, and 2.36 (if SA 11.2-075 has been applied), there are three vulnerabilities in the syslog function and one of them can allow an local privilege escalation.

Please read the link and fix the vulnerability immediately if you are running LFS 11.2, 11.3, or 12.0. 12.0-085

12.0 018 Glibc Date: 2023-10-03 Severity: High

In Glibc 2.34 through 2.38, there is a vulnerability in the dynamic linker which can lead to a trivially exploitable local privilege escalation.

Please read the link and fix the vulnerability immediately if you are running LFS 11.0, 11.1, 11.2, 11.3, or 12.0. 12.0-018

12.0 012 Glibc Date: 2023-09-24 Severity: Low

In Glibc ?? (at least 2.17) through 2.35, there is a vulnerability in getaddrinfo() which can lead to a denial of service with an unsupported configuration in /etc/nsswitch.conf.

Please read the link to assess the severity of this for your use case, and what action to take. 12.0-012

12.0 005 Glibc Date: 2023-09-13 Severity: Low

In Glibc ?? (at least 2.17) through 2.38, there is a vulnerability in getaddrinfo() which can lead to a denial of service with custom NSS modules in /etc/nsswitch.conf and extremely rare situations.

Please read the link to assess the severity of this for your use case, and what action to take. 12.0-005

12.0 004 Glibc Date: 2023-09-12 Severity: Medium

In Glibc-2.36, 2.37, and 2.38 there is a vulnerability in the DNS resolver which can lead to a denial of service or information disclosure processing long DNS responses if no-aaaa is enabled.

Please read the link to assess the severity of this for your use case, and what action to take. 12.0-004

Coreutils

12.0 075 Coreutils (LFS) Date: 2024-01-21 Severity: Medium

In Coreutils-9.4, a security vulnerability was found in the split program. A heap overflow may potentially leading to an application crash and denial of service. 12.0-075

Expat

12.0 091 Expat (LFS) Date: 2024-02-13 Severity: High

In Expat-2.6.0, a security vulnerability was fixed that could allow for a denial of service because many full reparsings are required in the case of a large token which requires multiple buffer fills. 12.0-091

Jinja2

12.0 077 Jinja2 (LFS) Date: 2024-01-21 Severity: Medium

In Jinja2-3.1.3, a security vulnerability was fixed that could allow a cross-site scripting attack if Jinja2 is used in a Web service. 12.0-077

Ncurses

12.0 076 Ncurses (LFS) Date: 2024-01-21 Severity: Medium

In Ncurses-20230520, a security vulnerability was fixed that could allow local users to trigger security-relevant memory corruption via malformed data. 12.0-076

OpenSSL

12.0 083 OpenSSL (LFS) Date: 2024-02-01 Severity: Low

In OpenSSL-3.2.1, two security vulnerability was fixed that could allow for Denial of Service attacks. Update to OpenSSL-3.2.1 or later. 12.0-083

12.0 050 OpenSSL (LFS) Date: 2023-12-01 Severity: Low

In OpenSSL-3.2.0, a security vulnerability was fixed that could allow for performance to be very slow when generating excessively long X9.42 DH keys, as well as when checking excessively long X9.42 DH keys or parameters. Update to OpenSSL-3.2.0 or later. 12.0-050

12.0 035 OpenSSL Date: 2023-11-01 Severity: Medium

In openssl-3.1.4, a security vulnerability was fixed that could lead to potential truncation or overruns during the initialization of some symmetric ciphers. 12.0-035

Perl

12.0 049 Perl (LFS) Date: 2023-12-01 Severity: Medium

In Perl-5.38.2, a security vulnerability was fixed that could allow for writing past the end of a buffer when a user passes an illegal Unicode property in a regular expression. Update to Perl-5.38.2. 12.0-049

Procps

12.0 106 Procps (LFS) Date: 2024-02-27 Severity: Low

In Procps-ng-4.0.4, one security vulnerability was fixed that might allow for a denial-of-service (application crash) when running ps with a very long value for the -C option. Only 32-bit systems are affected. Update to Procps-ng-4.0.4 or later if running a service which may invoke ps -C with unsanitized input on a 32-bit system. 12.0-106

Python3

12.0 092 Python3 Date: 2024-02-13 Severity: High

In Python-3.12.2, a security vulnerability was fixed that could allow for silent execution of arbitrary code via hidden *.pth files. *.pth files are executed automatically, unlike normal Python files which need explicit importing or passing as an argument to the Python interpreter. The issue was fixed upstream by skipping *.pth files with names starting with a dot (or the hidden file attribute on other systems). Update to Python-3.12.2 (or Python-3.11.8 if you prefer to stay on that series). 12.0-092

12.0 001 Python3 Date: 2023-09-03 Severity: Medium

In Python-3.11.5, a security vulnerability was fixed that could allow to bypass TLS handshake in SSL sockets. Update to python-3.11.5. 12.0-001

systemd

12.0 068 systemd Date: 2023-12-30 Severity: Medium

A security vulnerability was found in systemd-resolved that could allow systemd-resolved to accept records of DNSSEC-signed domains, even when they have no signature. Note that you must have DNSSEC support enabled on your system to be vulnerable to this vulnerability, and that support is not turned enabled by default. If you do have DNSSEC support enabled, rebuild systemd with the new 'sed' using the instructions from BLFS. If you do not have DNSSEC support enabled, no action is necessary. 12.0-068