LFS Security Advisories for LFS 10.0 and the current development books.

LFS-10.0 was released on 2020-09-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.

The links at the end of each item point to fuller details which have links to the released books.

Bison

10.0 009 Bison (LFS) Date: 2020-09-15 Severity: Low

Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself; the generated code should not be affected. See 10.0-009

Glibc

In LFS the only safe way to update Glibc is to build a new system.

10.0 082 Glibc (LFS) Date: 2021-02-07 Severity: High

In Glibc before 2.33 there are four vulnerabilities in iconv which can lead to a crash when processing less-common character encodings.

Please read the link to assess the severity of this for your use case, and what action to take. 10.0-082

Linux Kernel

10.0 010 Linux Kernel (LFS) Date: 2020-09-15 Severity: High

In Linux kernels before 5.8.8 there is a potential privilege escalation in 64-bit kernels. 10.0-010

OpenSSL (LFS)

10.0 095 OpenSSL (LFS) Date: 2021-02-19 Severity: High

Two vulnerabilities in OpenSSL could be exploited to cause a crash. To fix this, update to OpenSSL-1.1.1j or later. 10.0-095

10.0 053 OpenSSL (LFS) Date: 2020-12-15 Severity: High

A vulnerability in OpenSSL could be exploited to cause a crash. To fix this, update to OpenSSL-1.1.1i or later. 10.0-053

Python

10.0 097 Python (LFS and BLFS) Date: 2021-02-22 Severity: Critical

Python-3.9.2 contains fixes for a critical security vulnerability as well as a medium-level security vulnerability. The critical vulnerability can lead to remote code execution. Update to Python-3.9.2 or later using the BLFS instructions. 10.0-097

10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High

Python-3.9.1 includes three security fixes. Update to Python-3.9.1 or later using the BLFS instructions. 10.0-051

systemd

10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High

In systemd-220 and later, a security vulnerability exists that allows a local attacker to crash your system by mounting a FUSE filesystem with a file path longer than 8MB. The crash occurs when reading /proc/self/mountinfo, and manifests itself as a kernel panic due to PID1 (init) crashing. Because of the changes coming in LFS 11.0, updating to systemd-249 (with the patch) is not feasible. However, a patch has been created for LFS 10.0/systemd-246. See the advisory linked for more information. The patch replaces the current systemd-246-security_fix-1.patch. 10.1-081

10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Moderate

systemd-249 fixed a security vulnerability that could allow a remote attacker to reconfigure the network settings on your computer. Because of its severity and the ease of exploitation, a patch has been prepared for LFS 10.0/systemd-246. See the advisory linked for more information. 10.1-072