LFS-12.0 was released on 2023-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to fuller details which have links to the released books.
In LFS the only safe way to update Glibc is to build a new system, but reinstalling the same Glibc version with patches provided in security advisories should be safe.
Updating Glibc on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.
In Glibc 2.38, 2.37, and 2.36 (if SA 11.2-075 has been applied), there are three vulnerabilities in the syslog function, and one of them can allow a local privilege escalation.
Please read the link and fix the vulnerability immediately if you are running LFS 11.2, 11.3, or 12.0. 12.0-085
In Glibc 2.34 through 2.38, there is a vulnerability in the dynamic linker which can lead to a trivially exploitable local privilege escalation.
Please read the link and fix the vulnerability immediately if you are running LFS 11.0, 11.1, 11.2, 11.3, or 12.0. 12.0-018
In Glibc ?? (at least 2.17) through 2.35, there is a vulnerability in getaddrinfo() which can lead to a denial of service with an unsupported configuration in /etc/nsswitch.conf.
Please read the link to assess the severity of this for your use case, and what action to take. 12.0-012
In Glibc ?? (at least 2.17) through 2.38, there is a vulnerability in getaddrinfo() which can lead to a denial of service with custom NSS modules in /etc/nsswitch.conf and in extremely rare situations.
Please read the link to assess the severity of this for your use case, and what action to take. 12.0-005
In Glibc-2.36, 2.37, and 2.38 there is a vulnerability in the DNS resolver which can lead to a denial of service or information disclosure when processing long DNS responses if no-aaaa is enabled.
Please read the link to assess the severity of this for your use case, and what action to take. 12.0-004
In Coreutils-9.4, a security vulnerability was found in the split program. A heap overflow may potentially lead to an application crash and denial of service. 12.0-075
In Expat-2.6.0, a security vulnerability was fixed that could allow for a denial of service because many full reparsings are required in the case of a large token which requires multiple buffer fills. 12.0-091
In Jinja2-3.1.3, a security vulnerability was fixed that could allow a cross-site scripting attack if Jinja2 is used in a Web service. 12.0-077
In Ncurses-20230520, a security vulnerability was fixed that could allow local users to trigger security-relevant memory corruption via malformed data. 12.0-076
In OpenSSL-3.2.1, two security vulnerabilities were fixed that could allow for Denial of Service attacks. Update to OpenSSL-3.2.1 or later. 12.0-083
In OpenSSL-3.2.0, a security vulnerability was fixed that could allow for performance to be very slow when generating excessively long X9.42 DH keys, as well as when checking excessively long X9.42 DH keys or parameters. Update to OpenSSL-3.2.0 or later. 12.0-050
In OpenSSL-3.1.4, a security vulnerability was fixed that could lead to potential truncation or overruns during the initialization of some symmetric ciphers. 12.0-035
In Perl-5.38.2, a security vulnerability was fixed that could allow for writing past the end of a buffer when a user passes an illegal Unicode property in a regular expression. Update to Perl-5.38.2. 12.0-049
In Procps-ng-4.0.4, one security vulnerability was fixed that might allow for a denial-of-service (application crash) when running ps with a very long value for the -C option. Only 32-bit systems are affected. Update to Procps-ng-4.0.4 or later if running a service which may invoke ps -C with unsanitized input on a 32-bit system. 12.0-106
In Python-3.12.2, a security vulnerability was fixed that could allow for silent execution of arbitrary code via hidden *.pth files. *.pth files are executed automatically, unlike normal Python files which need explicit importing or passing as an argument to the Python interpreter. The issue was fixed upstream by skipping *.pth files with names starting with a dot (or the hidden file attribute on other systems). Update to Python-3.12.2 (or Python-3.11.8 if you prefer to stay on that series). 12.0-092
In Python-3.11.5, a security vulnerability was fixed that could allow bypassing the TLS handshake in SSL sockets. Update to Python-3.11.5. 12.0-001
A security vulnerability was found in systemd-resolved that could allow systemd-resolved to accept records of DNSSEC-signed domains, even when they have no signature. Note that you must have DNSSEC support enabled on your system to be vulnerable, and that support is not enabled by default. If you do have DNSSEC support enabled, rebuild systemd with the new 'sed' using the instructions from BLFS. If you do not have DNSSEC support enabled, no action is necessary. 12.0-068