LFS has not reported Security Vulnerabilities in the Errata, at least recently, but tickets for some new versions have had details.
BLFS used to keep details of Security Vulnerabilities in the Errata, mostly updating them to point to the latest version in the development book and updating the brief text if a subsequent vulnerability was reported.
This page is a consolidated list for both LFS and BLFS.
This list contains summary details and links to upstreams or CVEs where available. Please note that vulnerabilities to package versions before those in our 10.0 releases are not noted, so if you are running a version of BLFS before 10.0 you should check the Errata for past releases as well as monitoring the items here.
This page is ordered like the Changelog of the books, with newest items first.
The severity ratings are best estimates unless either upstream or NVD has assigned a rating. If no other analysis is available, High will usually be assumed and similarly if a crash can be triggered LFS and BLFS will normally rate that as High. If in doubt, read the links.
In vim-9.1.1016, a security vulnerability was fixed that could allow for a crash or arbitrary code execution when using visual mode. The issue is caused by a heap-based buffer overflow when using the :all command while visual mode is still active, because Vim does not end visual mode and will try to access beyond the end of a line in a buffer. The updated version of Vim will correctly reset visual mode before opening other windows and buffers, and will also verify that it won't try to access a position if the position is greater than the corresponding buffer line. This vulnerability has been assigned CVE-2025-22134.
To fix this vulnerability, update to vim-9.1.1016 or later using the instructions from vim (sysv) or vim (systemd).
In git-2.48.1, two security vulnerabilities were fixed that could allow users to be misled into typing in passwords for trusted sites, which could then be sent to untrusted sites instead. This happens because Git used to print unsanitized URLs when asking for credentials, which (in submodules and recursive clones) could leave users susceptible to crafted URLs. The other vulnerability occurs because Git used to pass on Carriage Returns via the credential protocol to credential helpers, some of which may use line-reading functions that interpret Carriage Returns as line endings. You should update Git if you use it to check out repositories with submodules in them. These vulnerabilities have been assigned CVE-2024-50349 and CVE-2024-52006.
To fix these vulnerabilities, update to git-2.48.1 or later using the instructions from git (sysv) or git (systemd).
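The two Git issues above are both about untrusted text crossing a protocol boundary: a URL reaching a terminal prompt, and a credential value reaching a line-oriented helper. The following is an added example, not Git's own code and not taken from the page, showing a defensive treatment of both in a model of the key=value credential-helper protocol: the serializer refuses values that contain a Carriage Return or Line Feed (so a helper splitting on either cannot see an extra record), the reader only splits on Line Feed, and the prompt shows nothing but scheme and host with non-printable characters stripped. The key names and the constructed inputs are assumptions for illustration.

```python
"""Added example (not git's own code): guarding a line-based key=value
credential protocol against embedded line terminators, and reducing a URL
to a safe form before showing it in a credential prompt."""
import re
from urllib.parse import urlsplit

# Bytes that line-oriented readers may treat as record terminators. A helper
# that splits on "\r" as well as "\n" would read "example.com\rpassword=x" as
# two records, so the writer refuses both, not just "\n". (Assumed policy.)
LINE_TERMINATORS = ("\r", "\n")

# Keys of the credential protocol that this model accepts (assumed subset).
ALLOWED_KEYS = {"protocol", "host", "path", "username", "password", "url"}


class CredentialFormatError(ValueError):
    """Raised when a field cannot be represented safely on the wire."""


def serialize_credential(fields: dict) -> str:
    """Render fields as 'key=value' lines terminated by a blank line.

    Any CR, LF or NUL inside a value is rejected outright rather than
    escaped, because the receiving helper may not implement any escaping.
    """
    lines = []
    for key, value in fields.items():
        if key not in ALLOWED_KEYS:
            raise CredentialFormatError(f"unknown key: {key!r}")
        if any(ch in value for ch in LINE_TERMINATORS) or "\0" in value:
            raise CredentialFormatError(f"control character in value for {key!r}")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def rejects(fields: dict) -> bool:
    """True if serialize_credential refuses the given fields."""
    try:
        serialize_credential(fields)
    except CredentialFormatError:
        return True
    return False


def parse_credential(blob: str) -> dict:
    """Strict reader: records end at LF only, so a CR stays inside its value
    instead of starting a new record."""
    fields = {}
    for line in blob.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise CredentialFormatError(f"malformed line: {line!r}")
        fields[key] = value
    return fields


def describe_url_for_prompt(url: str) -> str:
    """Show only scheme and host when asking for a password, with any
    non-printable ASCII removed so the prompt cannot be disguised."""
    parts = urlsplit(url)
    host = re.sub(r"[^\x21-\x7e]", "", parts.hostname or "")
    return f"{parts.scheme}://{host}"


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    print(serialize_credential({"protocol": "https", "host": "example.com"}), end="")
    print("rejects CR:", rejects({"host": "example.com\rpassword=leak"}))
    print("prompt:", describe_url_for_prompt("https://alice@exam\x1bple.com/repo.git"))
```

The point of the strict reader is that the writer and every reader agree on exactly one record terminator; a mismatch between the two (one side treating CR as a terminator, the other not) is what makes the injected record possible.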
In rsync-3.4.0, six security vulnerabilities were fixed that could allow for remote code execution, information disclosure, arbitrary leaking of files on an rsync client, path traversal (allowing a server to write files to paths on a client outside of the intended destination directory), and for privilege escalation. This update should be considered URGENT, and needs to be applied immediately to any system that has the rsync package installed, regardless of whether it is a server or a client. The most severe CVE can be exploited on *any* rsync server, and the attacker only requires anonymous read access to execute arbitrary code on the machine the server is running on. The information leak happens when verifying file checksums, and allows for uninitialized stack contents to be leaked one byte at a time. The arbitrary leaking of client files vulnerability allows for any file from the client to be exfiltrated when a client is uploading files to a server; the path traversal vulnerabilities occur when using the --safe-links or --inc-recursive options; and the privilege escalation vulnerability occurs due to a race condition when handling symbolic links. There are proof of concept exploits available as well which read SSH private keys from a user's home directory on a client, and additional proof of concepts exist which allow for ~/.bashrc to be overwritten for malicious code execution. ALL users who have rsync installed need to update IMMEDIATELY. These vulnerabilities have been assigned CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747.
To fix these vulnerabilities, update to rsync-3.4.0 or later using the instructions from rsync (sysv) or rsync (systemd).
In Libreoffice-24.8.4.2, two security vulnerabilities were fixed that could allow for unauthorized information disclosure and for arbitrary writing of files to the filesystem. The information disclosure vulnerability occurs when URLs are constructed which expand environment variables or INI file values. These could be exfiltrated to a remote server when opening a document containing these links. The issue was fixed by removing the expansion feature from document hosted URLs. The arbitrary file write vulnerability occurs because of a path traversal issue, but only files with a .ttf file extension can be written. It can be exploited by a crafted document with embedded font file path names within it. These vulnerabilities have been assigned CVE-2024-12426 and CVE-2024-12425.
To fix these vulnerabilities, update to Libreoffice-24.8.4.2 or later using the instructions from Libreoffice (sysv) or Libreoffice (systemd).
In Thunderbird-128.6.0esr, seven security vulnerabilities were fixed that could allow for potentially exploitable crashes, remote code execution, ALPN validation failures when using redirects with Alt-Svc, and for privilege escalation attacks when using WebChannel APIs (also known as a confused deputy attack). These vulnerabilities have been assigned CVE-2025-0237, CVE-2025-0238, CVE-2025-0239, CVE-2025-0240, CVE-2025-0241, CVE-2025-0242, and CVE-2025-0243.
To fix these vulnerabilities, update to Thunderbird-128.6.0esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-128.6.0esr, seven security vulnerabilities were fixed that could allow for potentially exploitable crashes, remote code execution, ALPN validation failures when using redirects with Alt-Svc, and for privilege escalation attacks when using WebChannel APIs (also known as a confused deputy attack). These vulnerabilities have been assigned CVE-2025-0237, CVE-2025-0238, CVE-2025-0239, CVE-2025-0240, CVE-2025-0241, CVE-2025-0242, and CVE-2025-0243.
To fix these vulnerabilities, update to Firefox-128.6.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
In Spidermonkey-128.6.0esr, two security vulnerabilities were fixed that could allow for a potentially exploitable crash or arbitrary code execution. These occur when parsing a JavaScript module as JSON (which could allow cross-compartment access, leading to arbitrary code execution), or when segmenting specially crafted text (leading to memory corruption). These vulnerabilities have been assigned CVE-2025-0240 and CVE-2025-0241.
To fix these vulnerabilities, update to Spidermonkey-128.6.0esr or later using the instructions from Spidermonkey (sysv) or Spidermonkey (systemd).
If you update this package, you need to update Gjs to gjs-1.82.0 or later using the instructions from Gjs (sysv) or Gjs (systemd).
If you wish to stay on Spidermonkey-115, please update to Spidermonkey-115.19.0esr instead using the same instructions as used in BLFS 12.2. You do not need to update Gjs if you take this approach.
In Seamonkey-2.53.20, fifteen security vulnerabilities were fixed that could allow for remote code execution, unauthorized information disclosure, applications to be mistakenly opened, remotely exploitable crashes, sandbox escapes, access to PDF and JSON objects as well as video frames cross origin, permission leaks, content security policy bypasses, and cross-site scripting exposure. One of these vulnerabilities is known to be exploited in the wild. This brings Seamonkey up to date with the security issues fixed in Firefox 128.6.0/115.19.0. If you are using Seamonkey, you should update to this version immediately. Please pay special attention to the build instructions as some options and dependencies were changed. These vulnerabilities were assigned CVE-2024-8381, CVE-2024-8382, CVE-2024-8383, CVE-2024-8384, CVE-2024-9392, CVE-2024-9393, CVE-2024-9394, CVE-2024-9401, CVE-2024-9680, CVE-2024-10458, CVE-2024-10459, CVE-2024-10463, CVE-2024-11694, CVE-2025-0238, and CVE-2025-0242.
To fix these vulnerabilities, update to Seamonkey-2.53.20 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In cURL-8.11.1, a security vulnerability was fixed that could allow for cURL to leak the password for hosts to redirected hosts under certain conditions when being asked to use a .netrc file, and when also asked to follow HTTP redirects. If you do not use a .netrc file, this vulnerability does not affect you, and there is no reason to upgrade. If you do use one though, please update to cURL-8.11.1. This vulnerability has been assigned CVE-2024-11053.
To fix this vulnerability, update to cURL-8.11.1 or later using the instructions from cURL (sysv) or cURL (systemd).
In WebKitGTK-2.46.5, four security vulnerabilities were fixed that could allow for remotely exploitable crashes and remote code execution. All four of the issues were resolved with improved checks and memory handling, and the issues are exploitable with maliciously crafted web content. These vulnerabilities have been assigned CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, and CVE-2024-54508.
To fix these vulnerabilities, update to WebKitGTK-2.46.5 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In Thunderbird-128.5.2esr, a security vulnerability was fixed which could allow for client-side path traversal when using the Matrix chatroom functionality in Thunderbird's chat client. The vulnerability occurs when using malicious MXC URIs, and allows a malicious room member to issue arbitrary authenticated GET requests to the client's homeserver (in this context, that would be Thunderbird). If you use the Matrix chatroom functionality, you should update Thunderbird. This vulnerability has been assigned CVE-2024-50336.
To fix this vulnerability, update to Thunderbird-128.5.2esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Jinja2-3.1.5, two security vulnerabilities were fixed that could allow for sandbox escapes and execution of arbitrary Python code. One of these issues happens due to an oversight in how the Jinja sandboxed environment detects calls to str.format, and the other occurs due to a bug in the Jinja2 compiler that allows an attacker which controls both the content and filename of a template to execute arbitrary Python code outside of the sandbox. These vulnerabilities have been assigned CVE-2024-56201 and CVE-2024-56326.
To fix these vulnerabilities, update to Jinja2-3.1.5 or later using the instructions from the LFS book for Jinja2 (sysv) or Jinja2 (systemd).
In Subversion-1.14.5, a security vulnerability was fixed that could allow for a denial of service when a revision property which contains control characters is committed to a repository. This is a repeat of CVE-2013-1968, and only affects the mod_dav_svn module (which you would use to allow access to a repository over HTTP). Local repositories, and those served by svnserve, are unaffected. The disruption can also allow for repository corruption, but it will take some time as a full dump/load cycle will be required depending on the corruption. This vulnerability has been assigned CVE-2024-46901.
To fix this vulnerability, update to Subversion-1.14.5 or later using the instructions from Subversion (sysv) or Subversion (systemd).
In Python 3.13.1 (and 3.12.8), three security vulnerabilities were fixed that could allow for unauthorized command execution when spawning a virtual environment, for filtering bypasses (because IPv4-mapped IPv6 address properties were highly inconsistent), and for pyrepl to read local files unexpectedly (which is known to cause inconsistent behavior and arbitrary code execution). This update has caused some issues with other packages, namely Firefox and Thunderbird. If you install this security update, make sure to use the instructions from the development book for Firefox and Thunderbird (which include applying a patch to fix the build issues). Only one of these vulnerabilities has been assigned a CVE. It has been assigned CVE-2024-9287. Additional information about the other two vulnerabilities can be found at Python Issue #125140 and Python Issue #122792.
To fix these vulnerabilities, update to Python-3.13.1 (or 3.12.8 if you are on 3.12.x) using the instructions from Python (sysv) or Python (systemd).
In the 1.24.10 release of the gstreamer stack, over 40 security vulnerabilities were resolved. These issues occur in a variety of plugins, including the MP4/MOV playback support, the ID3v2 tag parser, the JPEG decoder, the WebM demuxer, the Vorbis decoder, the SSA subtitle parser, the Opus decoder, the gdk-pixbuf decoder, the WAV parser, the AVI subtitle parser, and the LRC subtitle parser, as well as in the gst-discoverer-1.0 utility. Because of the number of these vulnerabilities as well as the plugins that they impact, you should update the gstreamer stack immediately if you have it installed. All of these issues can allow for crashes, but many of them also allow for arbitrary code execution, or remote code execution (in the context of a web browser playing WebM/MP4/MOV videos or WAV sounds on web pages). Most of these vulnerabilities have CVEs, but all of them have additional information from the GitHub Security Lab. These vulnerabilities have been assigned CVE-2024-47537, CVE-2024-47598, CVE-2024-47539, CVE-2024-47542, CVE-2024-47543, CVE-2024-47545, CVE-2024-47544, CVE-2024-47597, CVE-2024-47546, CVE-2024-47606, CVE-2024-47596, CVE-2024-47599, CVE-2024-47540, CVE-2024-47600, CVE-2024-47602, CVE-2024-47601, CVE-2024-47603, CVE-2024-47538, CVE-2024-47541, CVE-2024-47607, CVE-2024-47613, CVE-2024-47615, CVE-2024-47778, CVE-2024-47777, CVE-2024-47776, CVE-2024-47775, CVE-2024-47774, CVE-2024-47835, and CVE-2024-47834.
Additional information about these vulnerabilities can be found at Gstreamer Security Advisories.
To fix these vulnerabilities, update the entire gstreamer stack to 1.24.10 by building through the packages starting with gstreamer (sysv) or gstreamer (systemd).
In QtWebEngine-6.8.1, seventeen security vulnerabilities were fixed that could allow for remote code execution, unauthorized access to data, UI spoofing, and remotely exploitable crashes. These vulnerabilities are in a variety of subsystems in Chromium, including Mojo, Dawn, V8, Extensions, DevTools, Navigation, Web Authentication, Paint, FileSystem, Blink, Media, Views, and Serial; and all of them are exploitable via maliciously crafted web pages (and in some cases, malicious advertisements on web pages). These vulnerabilities have been assigned CVE-2024-9369, CVE-2024-10487, CVE-2024-10230, CVE-2024-10231, CVE-2024-10229, CVE-2024-9965, CVE-2024-9966, CVE-2024-9959, CVE-2024-9955, CVE-2024-9602, CVE-2024-9603, CVE-2024-11116, CVE-2024-11117, CVE-2024-11110, CVE-2024-11112, CVE-2024-11114, and CVE-2024-10827.
To fix these vulnerabilities, update to QtWebEngine-6.8.1 or later using the instructions from QtWebEngine (sysv) or QtWebEngine (systemd).
In WebKitGTK-2.46.4, two security vulnerabilities were fixed that could allow for remote code execution and cross site scripting attacks. These issues can occur when processing maliciously crafted web content, and there are numerous reports of the issues being exploited in the wild. They were fixed with improved checks and improved state management. If you have WebKitGTK installed, you need to update to 2.46.4 or later immediately. These vulnerabilities have been assigned CVE-2024-44308 and CVE-2024-44309.
To fix these vulnerabilities, update to WebKitGTK-2.46.4 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In libjxl-0.11.1, two security vulnerabilities were fixed that could allow for arbitrary code execution or a denial of service condition (stack exhaustion leading to an out-of-memory condition). Both of these issues can be exploited by opening/loading a malicious JXL image, but the arbitrary code execution problem can occur when calling JxlEncoderAddJPEGFrame to encode a frame into a JXL file. These vulnerabilities have been assigned CVE-2024-11403 and CVE-2024-11498.
To fix these vulnerabilities, update to libjxl-0.11.1 or later using the instructions from libjxl (sysv) or libjxl (systemd).
In Thunderbird-128.5.0esr, six security vulnerabilities were fixed that could allow for select list elements to be shown over another site (leading to website spoofing), content security policy bypasses, cross-site scripting, URL bar spoofing, remotely exploitable crashes, improper keypress handling when executing files, and for remote code execution. These vulnerabilities have been assigned CVE-2024-11692, CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697, and CVE-2024-11699.
To fix these vulnerabilities, update to Thunderbird-128.5.0esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-128.5.0esr, six security vulnerabilities were fixed that could allow for select list elements to be shown over another site (leading to website spoofing), content security policy bypasses, cross-site scripting, URL bar spoofing, remotely exploitable crashes, improper keypress handling when executing files, and for remote code execution. These vulnerabilities have been assigned CVE-2024-11692, CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697, and CVE-2024-11699.
To fix these vulnerabilities, update to Firefox-128.5.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
In libsoup-3.6.1, three security vulnerabilities were fixed that could allow for HTTP Request Smuggling, arbitrary code execution, and remotely exploitable crashes (and out-of-memory conditions). The HTTP Request Smuggling vulnerability occurs because '\0' characters at the end of header names are ignored in some configurations. The arbitrary code execution vulnerability occurs in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict due to a buffer overflow, but note that input received over the network cannot trigger this (and thus the issue is not exploitable remotely). The remotely exploitable crashes (and out-of-memory conditions) are caused by an infinite loop during the reading of certain patterns of WebSocket data from clients. These vulnerabilities have been assigned CVE-2024-52530, CVE-2024-52531, and CVE-2024-52532.
To fix these vulnerabilities, update to libsoup-3.6.1 or later using the instructions from libsoup (sysv) or libsoup (systemd).
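The request smuggling issue in libsoup above comes down to two HTTP parsers disagreeing about what a header is called when its name carries a trailing '\0'. The following is an added example, not libsoup's own code and not taken from the page, that models the two behaviours in a minimal HTTP/1.1 header parser: a strict parser that only accepts RFC 7230 token characters in a field name, a lenient one that drops trailing NUL bytes the way the advisory describes, and a check that reports when the two would disagree on the same input, which is the condition a defender wants to detect at a proxy or in captured traffic. The header names and the raw header block are constructed for illustration.

```python
"""Added example (not libsoup's own code): strict HTTP header-name
validation against a lenient parser that ignores trailing NULs, and a
detector for inputs on which the two disagree."""
import string

# RFC 7230 'tchar': the only characters permitted in a header field name.
TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


class HeaderSyntaxError(ValueError):
    """Raised by the strict parser for any malformed header line."""


def _lines(raw: bytes):
    """Yield header lines up to the blank line that ends the header block."""
    for line in raw.split(b"\r\n"):
        if line == b"":
            break
        yield line


def parse_headers_strict(raw: bytes) -> dict:
    """Parse 'Name: value' lines; any byte outside tchar in a name is fatal,
    so 'X-Example\\0' is rejected rather than silently renamed."""
    headers = {}
    for line in _lines(raw):
        name, sep, value = line.partition(b":")
        if not sep or not name or any(chr(b) not in TCHAR for b in name):
            raise HeaderSyntaxError(f"invalid header name {name!r}")
        headers[name.decode().lower()] = value.strip().decode(errors="replace")
    return headers


def parse_headers_lenient(raw: bytes) -> dict:
    """Models the pre-fix behaviour the advisory describes: NUL bytes at the
    end of a name are stripped, so 'X-Example\\0' becomes 'X-Example'."""
    headers = {}
    for line in _lines(raw):
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.rstrip(b"\0").decode(errors="replace").lower()
        headers[key] = value.strip().decode(errors="replace")
    return headers


def parsers_disagree(raw: bytes) -> bool:
    """True when the strict parser rejects (or reads differently) a header
    block that the lenient parser accepts. A front-end and back-end that
    differ this way is the precondition for request smuggling, so this is
    the condition to alert on."""
    try:
        strict = parse_headers_strict(raw)
    except HeaderSyntaxError:
        return True
    return strict != parse_headers_lenient(raw)


if __name__ == "__main__":
    # Constructed header blocks for a stand-alone run.
    clean = b"Host: example.com\r\nX-Example: 1\r\n\r\n"
    nul_name = b"Host: example.com\r\nX-Example\x00: 1\r\n\r\n"
    print("clean disagrees:", parsers_disagree(clean))
    print("NUL-terminated name disagrees:", parsers_disagree(nul_name))
```

Rejecting the whole request on a malformed name, as the strict parser does, is the safe choice: a name that one hop repairs and another hop rejects is exactly the ambiguity that lets a request be split differently on each side.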
In Wireshark-4.4.2, two security vulnerabilities were fixed that could allow for a denial of service condition (application crash and out-of-memory condition) when dissecting FiveCo RAP and ECMP packets. These issues can be exploited by crafted PCAP files, but users do not need to update if they are not capturing packets that use either of those protocols. These vulnerabilities have been assigned CVE-2024-11595 and CVE-2024-11596.
To fix these vulnerabilities, update to Wireshark-4.4.2 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).
In PHP-8.4.1 (or 8.3.14), five security vulnerabilities were fixed that could allow for remote code execution (when using the CLI interface to SAPI), remote code execution when using LDAP on a 32-bit system, unauthorized disclosure of MySQL query responses, remote code execution when using the Firebird and dblib quoters, CRLF injection when configuring a proxy in a stream context (leading to HTTP request smuggling attacks), and for remotely exploitable crashes when using the convert.quoted-printable-decode filter in a program. Proof of concept exploits for these vulnerabilities were made public with the release of the new versions of PHP. The vulnerabilities are in a variety of subsystems, including Streams, PDO DBLIB, PDO Firebird, MySQLnd, LDAP, and the CLI, and the BLFS team thus recommends updating PHP on any system that is used as a server. These vulnerabilities have been assigned CVE-2024-8932, CVE-2024-8929, CVE-2024-11236, CVE-2024-11234, and CVE-2024-11233.
To fix these vulnerabilities, update to PHP-8.4.1 (or 8.3.14) or later using the instructions from PHP (sysv) or PHP (systemd).
In PostgreSQL-17.1, four security vulnerabilities were fixed that could allow for users to complete unauthorized reads and modifications, for man-in-the-middle attackers to send fabricated error messages, for SET ROLE and SET SESSION AUTHORIZATION to be set to wrong user IDs, and for an unprivileged database user to change sensitive process environment variables to achieve arbitrary code execution. A proof of concept exploit exists for the arbitrary code execution vulnerability, but note that it requires use of the PostgreSQL PL/Perl functionality. The PostgreSQL-17.1 update introduced some regressions relating to these security fixes that required a follow-up release, and the BLFS team recommends using PostgreSQL-17.2 as a result. These vulnerabilities have been assigned CVE-2024-10976, CVE-2024-10977, CVE-2024-10978, and CVE-2024-10979.
To fix these vulnerabilities, update to PostgreSQL-17.2 or later using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
In glib-2.82.1, a security vulnerability was fixed that could allow for a buffer overflow in the SOCKS4 proxy support within glib. The issue occurs due to an off-by-one error and then buffer overflow because SOCKS4_CONN_MSG_LEN in gio/gsocks4aproxy.c is not sufficient for a trailing '\0' character that set_connect_msg() appends after a hostname. This vulnerability has been assigned CVE-2024-52533.
To fix this vulnerability, update to glib-2.82.1 or later using the instructions from glib (sysv) or glib (systemd).
In Thunderbird-128.4.3esr, one security vulnerability was fixed that could allow for messages encrypted with OpenPGP to be sent in plain text. This vulnerability has been assigned CVE-2024-11159.
To fix this vulnerability, update to Thunderbird-128.4.3esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Expat-2.6.4, a security vulnerability was fixed that could allow for a denial of service condition (application crash) when using the XML_ResumeParser function due to a NULL pointer dereference. It was fixed by not allowing XML_StopParser to stop or suspend an unstarted parser. Note that an application may crash with an XML_ERROR_NOT_STARTED if an exploitation is attempted. This vulnerability has been assigned CVE-2024-50602.
To fix this vulnerability, update to Expat-2.6.4 or later using the instructions from the LFS book for Expat (sysv) or Expat (systemd).
Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
In wget-1.25.0, a security vulnerability was fixed that could allow for server-side request forgery, phishing, data leakage, and man in the middle attacks when using shorthand FTP URLs. The vulnerability occurs when a semicolon is used in an FTP URL (which allows for skipping credentials). The vulnerability can be complex to exploit, but does allow for a variety of attacks to occur when successfully exploited, so it is rated High by upstream. The issue was fixed by disallowing shorthand FTP URLs. This vulnerability has been assigned CVE-2024-10524.
To fix this vulnerability, update to wget-1.25.0 or later using the instructions from wget (sysv) or wget (systemd).
In cURL-8.11.0, a security vulnerability was fixed that could allow for a minor potential Denial of Service problem when trying to use HTTPS when that no longer works, or a cleartext transmission of data that was otherwise intended to be protected. It occurs when the expiry time for a subdomain overwrites a parent domain's cache entry, making it end sooner or later than what was originally intended. The issue is due to a comparison using incorrect factors, and is classified as Low by upstream. This vulnerability has been assigned CVE-2024-9681.
To fix this vulnerability, update to cURL-8.11.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In fop-2.10, a security vulnerability was fixed that could allow for a remote attacker to execute arbitrary code on a system while processing a crafted FO file. This occurs due to an XML External Entity Reference attack, and can happen without informing the user. The attack complexity for this vulnerability is low. This vulnerability has been assigned CVE-2024-28168.
To fix this vulnerability, update to fop-2.10 or later using the instructions from fop (sysv) or fop (systemd).
In OpenJDK-23.0.1, five security vulnerabilities were fixed that could allow for a remote attacker (with no privileges required) to cause a denial of service condition (application crash) or possibly write/delete/access information on a system running a Java application. These vulnerabilities occur in the Hotspot, Networking, Compiler, and Serialization components of OpenJDK, but are rather challenging to exploit. Because of this, upstream has primarily rated these vulnerabilities as Low, with one Medium severity. These vulnerabilities have been assigned CVE-2024-21235, CVE-2024-21210, CVE-2024-21211, CVE-2024-21208, and CVE-2024-21217.
To fix these vulnerabilities, update to OpenJDK-23.0.1 or later using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
If you want to use the pre-built binaries, update to Java-23.0.1 using the instructions from Java (sysv) or Java (systemd).
In WebKitGTK-2.46.3, two security vulnerabilities were fixed that could allow for unexpected process crashes and content security policy bypasses. These both happen when processing maliciously crafted web content, and were resolved with improved input validation and other checks. These vulnerabilities have been assigned CVE-2024-44244 and CVE-2024-44296.
To fix these vulnerabilities, update to WebKitGTK-2.46.3 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In fetchmail-6.5.0, a security vulnerability was resolved where users could obtain another user's passwords due to insufficient permissions on a user's .netrc file. This has been resolved by not allowing .netrc to have any more than 0700 permissions if it contains passwords. If a .netrc file does have more than 0700 permissions, fetchmail will now output a warning and ignore the file. No CVE has been assigned to this vulnerability, but more details can be found at the Fetchmail Sourceforge Page.
To fix this vulnerability, update to fetchmail-6.5.0 or later using the instructions from fetchmail (sysv) or fetchmail (systemd).
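The fetchmail fix above is a policy that is easy to apply to any credential file, not just fetchmail's: a .netrc that holds passwords must not be readable by group or other. The following is an added example, not fetchmail's own code and not taken from the page, that implements that check in a stand-alone way so you can audit .netrc files before a client reads them: it looks for a password token in the file, compares the mode against 0700 (no group/other bits, the same limit the advisory describes), and reports the file as unusable with a warning text when the mode is looser. The temporary files, their contents and the function names are constructed for illustration.

```python
"""Added example (not fetchmail's own code): refusing a .netrc file that
contains passwords unless its permissions are 0700 or stricter."""
import os
import stat
import tempfile


def netrc_contains_password(path: str) -> bool:
    """True if the file has a 'password' token (netrc is whitespace-separated)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return "password" in fh.read().split()


def netrc_is_usable(path: str) -> tuple:
    """Return (usable, reason).

    A file with no password entries is accepted regardless of mode. A file
    with passwords must have no group or other bits set, i.e. be 0700 or
    stricter (the advisory's limit); otherwise it is reported and ignored.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not netrc_contains_password(path):
        return True, "no password entries; permissions not checked"
    if mode & 0o077:
        return False, (f"warning: {path} has mode {mode:04o}, which is more "
                       f"permissive than 0700; ignoring the file")
    return True, "ok"


def demo() -> dict:
    """Create two constructed .netrc files with different modes and check
    both; returns {name: usable} so the outcome can be inspected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("strict", 0o600), ("loose", 0o644), ("nopass", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                if name == "nopass":
                    # Constructed entry without a password token.
                    fh.write("machine mail.example.invalid login alice\n")
                else:
                    # Constructed entry with a password token.
                    fh.write("machine mail.example.invalid login alice password s3cret\n")
            os.chmod(path, mode)
            usable, reason = netrc_is_usable(path)
            results[name] = usable
            print(f"{name}: usable={usable} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

Checking the content as well as the mode matters: a .netrc that only lists login names is harmless at 0644, so warning on it would train users to ignore the warning that does matter.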
In libarchive-3.7.7, three security vulnerabilities were fixed that could allow for a denial of service (out-of-memory condition or application crash) when processing crafted GZIP or TAR files. The gzip issue occurs when processing a malformed gzip file inside of another gzip file, and the two tar issues occur when processing headers and truncated tar archives. These vulnerabilities have been documented upstream, but no CVEs have been assigned for them. More details can be found at the release notes for this package at libarchive 3.7.7 release notes.
To fix these vulnerabilities, update to libarchive-3.7.7 or later using the instructions from libarchive (sysv) or libarchive (systemd).
In Thunderbird-128.4.0esr, ten security vulnerabilities were fixed that could allow for permissions leaks, remotely exploitable crashes, user confusion (for external protocol handlers), cross-site scripting attacks, origin spoofing, video frame leaks, clipboard spoofing, and remote code execution. These vulnerabilities have been assigned CVE-2024-10458, CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466, and CVE-2024-10467.
To fix these vulnerabilities, update to Thunderbird-128.4.0esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-128.4.0esr, ten security vulnerabilities were fixed that could allow for permissions leaks, remotely exploitable crashes, user confusion (for external protocol handlers), cross-site scripting attacks, origin spoofing, video frame leaks, clipboard spoofing, and remote code execution. These vulnerabilities have been assigned CVE-2024-10458, CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466, and CVE-2024-10467.
To fix these vulnerabilities, update to Firefox-128.4.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
If you wish to stay on Firefox 115esr, update to Firefox-115.17.0esr using the same instructions.
In mpg123-1.32.8, a security vulnerability was fixed that could allow for a denial of service or arbitrary code execution when decoding streams where output properties are changed, together with certain use of libmpg123. The vulnerability needs seeking around in the stream (including scanning it before actual decoding) to occur, but there are use cases where this could apply, such as concatenating several MP3 files together with varying formats or leading Info frames past the first track. This has been named as "Frankenstein's Monster", and has been classified as a buffer overflow. This vulnerability has been assigned CVE-2024-10573, and more details can be found at oss-security mailing list.
To fix this vulnerability, update to mpg123-1.32.8 or later using the instructions from mpg123 (sysv) or mpg123 (systemd).
In Xwayland-24.1.4, a security vulnerability was fixed that could allow for denial of service. On systems where X is running as root, this can be used to also cause local privilege escalation, but BLFS has not run the X.org server as root since the introduction of elogind in BLFS 9.0. The vulnerability occurs due to a heap buffer overflow in the _XkbSetCompatMap function. The heap buffer overflow occurs because the function attempts to resize the sym_interpret buffer, but only updates the number rather than the size of the buffer. It can be triggered by providing a modified bitmap to the server. This vulnerability has been assigned CVE-2024-9632.
To fix this vulnerability, update to Xwayland-24.1.4 or later using the instructions from Xwayland (sysv) or Xwayland (systemd).
In Xorg-Server-21.1.14, a security vulnerability was fixed that could allow for denial of service or remote code execution (if the server is run over VNC or with SSH X Forwarding). On systems where X is running as root, this can be used to also cause local privilege escalation, but BLFS has not run the X.org server as root since the introduction of elogind in BLFS 9.0. The vulnerability occurs due to a heap buffer overflow in the _XkbSetCompatMap function. The heap buffer overflow occurs because the function attempts to resize the sym_interpret buffer, but only updates the number rather than the size of the buffer. It can be triggered by providing a modified bitmap to the server. This vulnerability has been assigned CVE-2024-9632.
To fix this vulnerability, update to Xorg-Server-21.1.14 or later using the instructions from Xorg-Server (sysv) or Xorg-Server (systemd).
In addition, if you have TigerVNC installed, upgrade TigerVNC to handle this vulnerability using the instructions from TigerVNC (sysv) or TigerVNC (systemd).
In Wireshark-4.4.1, two security vulnerabilities were fixed that could allow for denial of service conditions (application crashes) via capturing faulty packets, or opening a crafted capture file. The issues occur in the AppleTalk, RELOAD, and ITS packet dissectors. If you use any of these three protocols, you should update Wireshark to prevent crashes. These vulnerabilities have been assigned CVE-2024-9780 and CVE-2024-9781.
To fix these vulnerabilities, update to Wireshark-4.4.1 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).
In Spidermonkey-128.3.1esr, a security vulnerability was fixed that could allow for memory corruption due to the JavaScript garbage collector mis-coloring cross-compartment objects if an Out Of Memory condition was detected at the right point between two passes. Note that if you do not wish to upgrade to 128.3.1esr (and thus also update gjs), you can use Spidermonkey-115.16.1esr. This vulnerability has been assigned CVE-2024-8384.
To fix this vulnerability, update to Spidermonkey-128.3.1esr or later using the instructions from Spidermonkey (sysv) or Spidermonkey (systemd).
If you update this package, you need to update Gjs to gjs-1.82.0 or later using the instructions from Gjs (sysv) or Gjs (systemd).
If you wish to stay on Spidermonkey-115, please update to Spidermonkey-115.16.1esr instead using the same instructions as used in BLFS 12.2. You do not need to update Gjs if you take this approach.
In Thunderbird-128.3.2esr, a security vulnerability was fixed that could allow for remote code execution. The vulnerability occurs in the Animation component of the shared Gecko component, and thus could be exploited by a malicious HTML email. Due to the critical nature of this vulnerability, it is highly recommended that you update Thunderbird immediately. The issue is being actively exploited in the wild. This vulnerability has been assigned CVE-2024-9680.
To fix this vulnerability, update to Thunderbird-128.3.2esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In QtWebEngine-6.8.0, three security vulnerabilities were fixed that could allow for remote code execution. These vulnerabilities occur in the bundled copy of Chromium, and are in the Skia, V8, and Dawn components. The Skia issue is due to an out-of-bounds write, the V8 issue is due to type confusion leading to out-of-bounds memory access, and the Dawn issue allows for heap corruption due to a use after free. If you have QtWebEngine installed, it's highly recommended to update to this version. These vulnerabilities have been assigned CVE-2024-9123, CVE-2024-9122, and CVE-2024-9120.
To fix these vulnerabilities, update to QtWebEngine-6.8.0 or later using the instructions from QtWebEngine (sysv) or QtWebEngine (systemd).
In Thunderbird-128.3.0esr, twelve security vulnerabilities were fixed that could allow for remote code execution, sandbox bypasses, cross-origin access to PDF and JSON contents through multipart responses, permission bypasses, unauthorized directory uploads, clickjacking, and remotely exploitable crashes. These vulnerabilities have been assigned CVE-2024-9392, CVE-2024-9393, CVE-2024-9394, CVE-2024-8900, CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400, CVE-2024-9401, and CVE-2024-9402.
To fix these vulnerabilities, update to Thunderbird-128.3.0esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-128.3.1esr, twelve security vulnerabilities were fixed that could allow for remote code execution, sandbox bypasses, cross-origin access to PDF and JSON contents through multipart responses, permission bypasses, unauthorized directory uploads, clickjacking, and remotely exploitable crashes. One of these issues is known to be exploited in the wild and is rated as critical. It is highly recommended that you update Firefox immediately. These vulnerabilities have been assigned CVE-2024-9392, CVE-2024-9393, CVE-2024-9394, CVE-2024-8900, CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400, CVE-2024-9401, CVE-2024-9402, and CVE-2024-9680.
To fix these vulnerabilities, update to Firefox-128.3.1esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
If you wish to stay on Firefox 115esr, update to Firefox-115.16.1esr using the same instructions.
Several security vulnerabilities were discovered in libcupsfilters, libppd, and cups-browsed, which have been chained together to allow for remote code execution. Previously, upstream releases did not exist for these packages. On 2024-10-21, BLFS was updated to handle these vulnerabilities. The vulnerabilities allow for information leakage, remote code execution, and remotely exploitable crashes. These vulnerabilities are currently being actively exploited. The vulnerabilities require no user interaction to exploit, and they do not require any authentication. If you run a CUPS server that is accessible from the internet, or if you use a public WiFi network, you should update the packages immediately. These vulnerabilities have been assigned CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177, and CVE-2024-47850.
To fix these vulnerabilities, update libppd, libcupsfilters, and cups-browsed to 2.1.0 using the instructions from libppd (sysv) or libppd (systemd), libcupsfilters (sysv) or libcupsfilters (systemd), and cups-browsed (sysv) or cups-browsed (systemd).
In WebKitGTK-2.46.1, three security vulnerabilities were fixed that could allow for universal cross site scripting, address bar spoofing, and cross-origin data exfiltration. In addition, the 0.0.0.0 day security vulnerability was fixed. The 0.0.0.0 day vulnerability allows for localhost APIs to be exploited by cross-site request forgery, and several proof of concept exploits exist. Some examples of this attack being exploited include eBay performing port scans on systems upon loading a page. Note that when you update WebKitGTK, you must update Epiphany to version 46.4 or later due to key event handling changes in this version of WebKitGTK. These vulnerabilities have been assigned CVE-2024-40857, CVE-2024-40866, and CVE-2024-44187.
To fix these vulnerabilities, update to WebKitGTK-2.46.1 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
After this update is installed, you must update to Epiphany-46.4 or later using the instructions from Epiphany (sysv) or Epiphany (systemd).
In Unbound-1.21.1, a security vulnerability was fixed that could allow for a remotely exploitable denial of service. It can be exploited by the attacker by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query, it will try to apply name compression, which had no boundaries until this update, and would lock the CPU until the packet was done compressing. This vulnerability has been assigned CVE-2024-8508.
To fix this vulnerability, update to Unbound-1.21.1 or later using the instructions from Unbound (sysv) or Unbound (systemd).
In xdg-desktop-portal-1.18.4, a security vulnerability was fixed that allows for a sandbox escape via the RequestBackground portal. This also allows for arbitrary command execution, in some cases with privileges escalated to root. This can occur when an attacker manipulates the --command argument to the org.freedesktop.portal.Background.RequestBackground interface, as the commands are misinterpreted as options for Bubblewrap. This is known to lead to unauthorized data access, system compromise, and in one case so far, establishing persistence on a system. This update should be considered urgent, especially if you are opening files provided by untrusted sources. This update also requires an update to Bubblewrap at the same time to be effective. There are proof of concept exploits that exist for several GNOME and KDE applications. This vulnerability has been assigned CVE-2024-32462.
Note that most vulnerability websites track this as an issue in Flatpak. BLFS does not carry Flatpak, but is vulnerable still because of the flaw in xdg-desktop-portal.
To fix these vulnerabilities, update to Bubblewrap-0.10.0 or later using the instructions from Bubblewrap (sysv) or Bubblewrap (systemd).
After this is done, update to xdg-desktop-portal-1.18.4 or later using the instructions from xdg-desktop-portal (sysv) or xdg-desktop-portal (systemd).
In libgsf-1.14.53, two security vulnerabilities were fixed that could allow for arbitrary code execution when processing a malicious file in compound document binary file format. Both of these issues are heap buffer overflows caused by integer overflows. The issues can be exploited without interaction if Tumbler (from XFCE) or tracker-miners (from GNOME) is installed, as the only requirement is having a malicious file somewhere in the user's home directory (such as via a drive-by download). Because of this, it's highly recommended that you update libgsf immediately if you have it installed. Both proof of concept exploits have also been made public. Note that exploitation is also possible in BLFS via Gnumeric and AbiWord, and CDF formats are commonly used in things like Microsoft Office documents. These vulnerabilities have been assigned CVE-2024-42415 and CVE-2024-36474.
To fix these vulnerabilities, update to libgsf-1.14.53 or later using the instructions from libgsf (sysv) or libgsf (systemd).
In QtWebEngine-6.7.3, 45 security vulnerabilities were fixed that could allow for remote code execution, sandbox escapes, information disclosure, UI spoofing, policy bypasses, and arbitrary reading/writing of files on the system. These can all be exploited by malicious extensions, malicious HTML files, malicious PDF files, or in some cases malicious fonts. The issues are all in the bundled copy of Chromium, and they impact the ANGLE, V8, WebAudio, Frames, CSS, FedCM, Dawn, Loader, Navigation, Screen Capture, WebAssembly, Swiftshader, CORS, Audio, PDFium, Skia, Permissions, Fonts, and Scheduling components. Because of the amount of vulnerabilities and the severity of them, all users who have this package installed should update to QtWebEngine-6.7.3 immediately. These vulnerabilities have been assigned CVE-2024-7532, CVE-2024-7550, CVE-2024-7536, CVE-2024-7535, CVE-2024-6996, CVE-2024-7000, CVE-2024-6999, CVE-2024-6992, CVE-2024-6991, CVE-2024-6989, CVE-2024-6779, CVE-2024-6777, CVE-2024-6774, CVE-2024-6101, CVE-2024-6103, CVE-2024-5836, CVE-2024-6291, CVE-2024-6293, CVE-2024-6292, CVE-2024-6290, CVE-2024-5840, CVE-2024-5841, CVE-2024-5845, CVE-2024-5847, CVE-2024-5846, CVE-2024-5831, CVE-2024-5832, CVE-2024-8362, CVE-2024-8198, CVE-2024-8193, CVE-2024-7969, CVE-2024-7972, CVE-2024-7974, CVE-2024-7975, CVE-2024-7966, CVE-2024-7973, CVE-2024-7967, CVE-2024-7971, CVE-2024-7965, CVE-2024-8636, CVE-2024-8905, CVE-2024-5160, CVE-2024-5159, CVE-2024-5158, and CVE-2024-5157.
To fix these vulnerabilities, update to QtWebEngine-6.7.3 or later using the instructions from QtWebEngine (sysv) or QtWebEngine (systemd).
In Qt6-6.7.3, a security vulnerability was fixed in the HTTP/2 component that could cause decisions regarding encryption on an established connection to execute too early, because the encrypted() signal was not yet emitted and processed. This could allow for data to accidentally end up unencrypted when transmitted over HTTP/2 using an application that uses Qt. Qt was updated to delay any communications whatsoever until encrypted() can be processed for HTTP/2 only. This vulnerability has been assigned CVE-2024-39936.
To fix this vulnerability, update to Qt6-6.7.3 or later using the instructions from Qt6 (sysv) or Qt6 (systemd).
In intel-microcode-20240910, two hardware vulnerabilities are fixed. The first one may allow for information disclosure when using 3rd Generation Intel Xeon Scalable CPUs. For more information on this vulnerability, please read Intel-SA-01103. The second vulnerability may allow for a denial of service when using 10th-14th Generation Core processors, as well as the Intel Xeon D line of processors and the 3rd Generation Intel Xeon Scalable processors. For more details and a complete list of affected processors, please read Intel-SA-01097. These vulnerabilities have been assigned CVE-2024-23984 and CVE-2024-24968.
Check if your CPU is affected by running lscpu and comparing the family, model, and stepping values it prints with the values provided above and in Intel-SA-01097 and Intel-SA-01103. If your system is vulnerable, update to intel-microcode-20240910 or later using the instructions for About Firmware (sysv) or About Firmware (systemd).
Also note that this microcode release does not contain the fix for the notorious stability issue of the 13th and 14th Generation Intel Core processors. Because this issue can cause permanent CPU damage under a heavy workload, the LFS editors recommend updating the BIOS to a version embedding microcode revision 0x129 or later as soon as possible if you are using a 13th or 14th Generation Core processor (especially an i9), even if you are not running an LFS system. The issue is not resolvable without a BIOS update.
In PHP-8.3.12, three security vulnerabilities were fixed that could allow for unauthorized modification of logs, bypass of the force_redirect configuration, and for data integrity violations when processing multipart form data. The unauthorized modification of logs vulnerability occurs in the FPM module, and the vulnerability can also be used to remove data from system logs if PHP is configured to use syslog. The data integrity violation vulnerability occurs in the SAPI module, and the bypass of the force_redirect configuration happens in the CGI module. This issue occurs due to an environment variable collision. These vulnerabilities have been assigned CVE-2024-8297, CVE-2024-8925, and CVE-2024-9026.
To fix these vulnerabilities, update to PHP-8.3.12 or later using the instructions from PHP (sysv) or PHP (systemd).
In cURL-8.10.0, a security vulnerability was fixed that, when cURL is built with gnutls, could allow for a failure in OCSP stapling, which means that an invalid server certificate might wrongly be considered valid instead of being treated as a bad certificate. This vulnerability has been assigned CVE-2024-8096.
To fix this vulnerability, update to cURL-8.10.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In Ghostscript-10.04.0, six security vulnerabilities were fixed that could allow for application crashes and arbitrary code execution while processing crafted PostScript and PDF documents. This can also be exploited via a malicious print job. Additional details on the security vulnerabilities have not been made public at this time by upstream. These vulnerabilities have been assigned CVE-2024-46951, CVE-2024-46952, CVE-2024-46953, CVE-2024-46954, CVE-2024-46955, and CVE-2024-46956.
To fix these vulnerabilities, update to Ghostscript-10.04.0 or later using the instructions from Ghostscript (sysv) or Ghostscript (systemd).
In Seamonkey-2.53.19, 37 security vulnerabilities were fixed that could allow for remote code execution, decryption of data to plaintext (on Intel Sandy Bridge machines), memory corruption, remotely exploitable application crashes, cross-site scripting, sandbox escapes, information disclosure, and bypass of the content security policy. The 0.0.0.0 day security issue is also resolved in Seamonkey, though it has not been resolved in QtWebEngine or Firefox yet. The 0.0.0.0 day vulnerability allows for localhost APIs to be exploited by cross-site request forgery, and several proof of concept exploits exist. Some examples of this attack being exploited include eBay performing port scans on systems upon loading a page. The port scan was performed via JavaScript. This update brings Seamonkey up to the level of Firefox 115.14.0esr for security fixes. These vulnerabilities have been assigned CVE-2024-29944, CVE-2024-3852, CVE-2024-3854, CVE-2024-3857, CVE-2024-2609, CVE-2024-3859, CVE-2024-3861, CVE-2024-3302, CVE-2024-3864, CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4777, CVE-2024-5702, CVE-2024-5688, CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5696, CVE-2024-5700, CVE-2024-7652, CVE-2024-6601, CVE-2024-6602, CVE-2024-6603, CVE-2024-6604, CVE-2024-7519, CVE-2024-7521, CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7529, and CVE-2024-7531.
For more information on the 0.0.0.0 day security vulnerability, please visit the Oligo Security blog post about the issue.
To fix these vulnerabilities, update to Seamonkey-2.53.19 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In tiff-4.7.0, two security vulnerabilities were fixed that could allow for a denial of service (application crash via a segmentation fault) when processing crafted TIFF files. This occurs in the TIFFReadRGBATileExt() function, as well as in tif_dirinfo.c. Both of these flaws can be exploited via a web browser or an image viewer. These vulnerabilities have been assigned CVE-2023-52356 and CVE-2024-7006.
To fix these vulnerabilities, update to tiff-4.7.0 or later using the instructions from libtiff (sysv) or libtiff (systemd).
Note that this release of tiff also restores all of the utilities that were removed in tiff-4.6.0.
In libarchive-3.7.5, four security vulnerabilities were fixed that could allow for remote code execution when processing crafted RAR4 archives. For at least one of these issues, a proof of concept exploit has been made public. All of the vulnerabilities are classified as heap buffer overflows. These vulnerabilities have been assigned CVE-2024-20696, CVE-2024-26256, CVE-2024-48957, and CVE-2024-48958.
To fix these vulnerabilities, update to libarchive-3.7.5 or later using the instructions from libarchive (sysv) or libarchive (systemd).
In Python-3.12.6, three security vulnerabilities were fixed that could allow for denial of service conditions (crashes and excessive resource usage). These issues occur in the HTTP functionality as well as handling of TAR and ZIP archives in Python. The HTTP issue occurs while parsing "-quoted" cookie values with backslashes by http.cookies. It's a quadratic complexity problem. The tarfile header parsing issue occurs due to backtracking, and happens when parsing hdrcharset, PAX, and GNU sparse headers. The ZIP issue causes infinite loops, and was fixed by sanitizing names in zipfile.Path. Note that the fix for CVE-2023-27043, a remote code execution issue in the email module, was improved significantly in this update as well. These vulnerabilities have been assigned CVE-2024-7592, CVE-2024-6232, and CVE-2024-8088.
To fix these vulnerabilities, update to Python-3.12.6 or later using the instructions from Python3 (sysv) or Python3 (systemd).
In OpenSSL-3.3.2, a security vulnerability was fixed that could allow for a denial of service (application crash) while performing certificate name checks on X.509 certificates. Applications performing these checks may attempt to read an invalid memory address, which will result in termination of the program. This occurs when comparing the expected name with an 'otherName' subject alternative name in a certificate. This vulnerability has been assigned CVE-2024-6119.
To fix this vulnerability, update to OpenSSL-3.3.2 or later using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).
In Expat-2.6.3, three critical security vulnerabilities were fixed that could allow for denial of service and arbitrary code execution. Two of the issues only affect 32-bit installations of LFS, while one issue affects all architectures. The highest priority security vulnerability causes memory corruption, and achieving arbitrary code execution with it is trivial since XML_ParseBuffer will not notice that there is an issue with arguments passed to it. The other two issues are the 32-bit specific issues, and these are both classified as integer overflows. They occur in the internal functions dtdCopy and nextScaffoldPart. The LFS team recommends updating Expat as soon as possible to protect your system. These vulnerabilities have been assigned CVE-2024-45490, CVE-2024-45491, and CVE-2024-45492.
To fix these vulnerabilities, update to Expat-2.6.3 or later using the instructions from the LFS book for Expat (sysv) or Expat (systemd).
Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
In Thunderbird-128.2.0esr, eight security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, remotely exploitable type confusion vulnerabilities, and remotely exploitable crashes. These vulnerabilities have been assigned CVE-2024-8394, CVE-2024-8385, CVE-2024-8381, CVE-2024-8382, CVE-2024-8383, CVE-2024-8384, CVE-2024-8386, and CVE-2024-8387.
To fix these vulnerabilities, update to Thunderbird-128.2.0esr or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-128.2.0esr, seven security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, and for remotely exploitable type confusion vulnerabilities. These vulnerabilities have been assigned CVE-2024-8385, CVE-2024-8381, CVE-2024-8382, CVE-2024-8383, CVE-2024-8384, CVE-2024-8386, and CVE-2024-8387.
To fix these vulnerabilities, update to Firefox-128.2.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
In Ruby-3.3.5, four security vulnerabilities were fixed that could allow for a denial of service (application crash) when processing crafted XML files with the REXML gem which is built into Ruby. This can occur with specific characters (such as <, 0, %>, >], ]>, and the whitespace character), as well as when processing XML that has many entity expansions or XML that has many deep elements that have the same local name attributes. If you process untrusted XML with Ruby, it's highly recommended that you update immediately. These vulnerabilities have been assigned CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, and CVE-2024-43398.
To fix these vulnerabilities, update to Ruby-3.3.5 or later using the instructions from Ruby (sysv) or Ruby (systemd).
In apr-1.7.5, a security vulnerability was fixed that allows local users to have read access to named shared memory segments, potentially revealing sensitive application data. This occurs due to lax permissions being set by the apr library at runtime. If you are using an application which uses apr (e.g. subversion, serf, or Apache HTTPD) that also utilizes sensitive data, it is highly recommended that you update apr as soon as possible. This vulnerability has been assigned CVE-2023-49582.
To fix this vulnerability, update to apr-1.7.5 or later using the instructions from apr (sysv) or apr (systemd).
In libpcap-1.10.5, a security vulnerability was fixed that could allow for a denial of service condition (application crash) when an application uses the pcap_findalldevs_ex() function. One of the arguments can be a filesystem path, which normally means a directory with input data files. However, when the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer dereference. Note that the feature required for this, remote packet capture support, is disabled by default. This vulnerability has been assigned CVE-2024-8006.
To fix this vulnerability, update to libpcap-1.10.5 or later using the instructions from libpcap (sysv) or libpcap (systemd).
In WebKitGTK-2.44.3, six security vulnerabilities were fixed that could allow for unexpected process crashes that are remotely exploitable. These issues are mostly due to out-of-bounds reads and use-after-free issues. One issue though allows a remote attacker to potentially exploit heap corruption via a crafted HTML page due to a use-after-free in ANGLE. Because of this, it is recommended that you update to WebKitGTK-2.44.3 as soon as possible. These vulnerabilities have been assigned CVE-2024-40776, CVE-2024-40779, CVE-2024-40780, CVE-2024-40782, CVE-2024-40789, and CVE-2024-4458.
To fix these vulnerabilities, update to WebKitGTK-2.44.3 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In p7zip-17.04, two security vulnerabilities were discovered that could allow for remote code execution via buffer overflows and out-of-bounds reads when processing NTFS volumes. The vulnerabilities were patched by OpenSUSE, and the BLFS team has adapted their patch for use in the book. If you process NTFS volumes using p7zip, it's recommended that you rebuild p7zip with the patch now in the book as soon as possible. These vulnerabilities have been assigned CVE-2023-52168 and CVE-2023-52169.
To fix these vulnerabilities, apply the patch to p7zip using the instructions from p7zip (sysv) or p7zip (systemd).
In Dovecot-2.3.19.1, two security vulnerabilities were fixed that could allow for resource exhaustion when processing large email headers. One of these issues happens when processing very large email headers, while the other issue occurs when there are a large number of Address headers in particular. The large number of address headers issue was observed in a customer's production environment, where it would take 18+ minutes to process a single email. Upgrading Dovecot is highly recommended if you are using Dovecot in a production environment. These vulnerabilities have been assigned CVE-2024-23185 and CVE-2023-23184.
To fix these vulnerabilities, update to Dovecot-2.3.19.1 or later using the instructions from Dovecot (sysv) or Dovecot (systemd).
In Unbound-1.21.0, three security vulnerabilities were fixed that could allow for DNS Cache Poisoning attacks and remotely exploitable crashes. The DNS Cache Poisoning attack is known as CacheFlush, while the CAMP attack allows for remotely exploitable crashes on most DNS server implementations. Only one CVE for these vulnerabilities has been issued, but two papers were published on CAMP and CacheFlush. This vulnerability has been assigned CVE-2024-43167.
Additional information can be found in the papers from the 33rd USENIX Security symposium. They can be found at CAMP Paper and CacheFlush Paper.
To fix these vulnerabilities, update to Unbound-1.21.0 or later using the instructions from Unbound (sysv) or Unbound (systemd).
In intel-microcode-20240813, four hardware vulnerabilities are fixed. The first one may allow an escalation of privilege when using Intel 7th to 12th Generation Core processors, as well as many Celeron, Pentium Gold, and Xeon processors; read Intel-SA-01083 for the precise list of affected processors. The second one may allow a denial of service when using 3rd Generation Intel Xeon Scalable processors (using the microcode file 06-55-0b). The third one may allow an escalation of privilege on 3rd Generation Intel Xeon D processors, and 3rd, 4th, or 5th Generation Intel Xeon Scalable processors (with microcode files 06-6a-06, 06-6c-01, 06-8f-07, 06-8f-08, or 06-cf-02). The fourth one may allow an escalation of privilege when using Intel Core Ultra processors based on the Meteor Lake microarchitecture (using the microcode file 06-aa-04). These vulnerabilities have been assigned CVE-2024-24853, CVE-2024-25939, CVE-2024-24980, and CVE-2023-42667. The release note of this microcode release also mentions CVE-2023-49141 (Intel-SA-01046), but it was already fixed with intel-microcode-20240514.
Check if your CPU is affected by running lscpu and comparing the family, model, and stepping values it prints with the values provided above and in Intel-SA-01083. If vulnerable, update to intel-microcode-20240813 or later using the instructions for About Firmware (sysv) or About Firmware (systemd) to fix these vulnerabilities.
Note that the initial 20240813 release lacks the update for the 06-a5-03 microcode file and the release has been silently remade without a version bump. So if you are using this microcode file, make sure the microcode revision is updated to 0xfc. If it's updated to 0xfa instead, you need to download the microcode again, and install it again.
Also note that this microcode release does not contain the fix for the notorious stability issue of the 13th and 14th Generation Intel Core processors. Because this issue can cause permanent CPU damage under a heavy workload, the LFS editors recommend updating the BIOS to a version embedding microcode revision 0x129 or later as soon as possible if you are using a 13th or 14th Generation Core processor (especially an i9), even if you are not running an LFS system. As of now it is unclear whether a future microcode release can address the issue without a BIOS update.
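The two intel-microcode entries above ask you to compare the family, model and stepping that lscpu prints (in decimal) with microcode file names of the form ff-mm-ss (in hex). The following POSIX shell script is an added example, not part of the LFS/BLFS advisory or of the intel-microcode package: it derives that file name from /proc/cpuinfo, checks it against the signatures listed for intel-microcode-20240813, and applies the 0xfc revision test from the 06-a5-03 note. The function names and the sample cpuinfo text are constructed for this example.

```shell
#!/bin/sh
# Added example: map cpuinfo values to the intel-microcode file name
# (family-model-stepping, two hex digits each, e.g. 06-8f-08) and check
# the loaded revision. Signature list and the 0xfc floor come from the
# advisory text above; everything else is constructed for this example.

# Microcode files named in the intel-microcode-20240813 entry above.
AFFECTED_SIGS="06-55-0b 06-6a-06 06-6c-01 06-8f-07 06-8f-08 06-cf-02 06-aa-04"

# Constructed /proc/cpuinfo excerpt: family 6, model 165 (0xa5), stepping 3,
# i.e. file 06-a5-03, still on the pre-remake revision 0xfa.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: constructed sample CPU
stepping	: 3
microcode	: 0xfa'

# ucode_sig FAMILY MODEL STEPPING (decimal, as lscpu/cpuinfo print them)
# prints the microcode file name, e.g. "ucode_sig 6 143 8" -> 06-8f-08
ucode_sig() {
    printf '%02x-%02x-%02x\n' "$1" "$2" "$3"
}

# is_affected SIG: returns 0 when SIG is in AFFECTED_SIGS, 1 otherwise
is_affected() {
    for s in $AFFECTED_SIGS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# rev_at_least CURRENT MINIMUM: numeric comparison of hex revisions
# such as the "microcode: 0xfa" value in cpuinfo against 0xfc
rev_at_least() {
    [ $(( $1 )) -ge $(( $2 )) ]
}

# cpuinfo_fields: reads /proc/cpuinfo-style text on stdin and prints
# "SIG REV" for the first CPU, e.g. "06-a5-03 0xfa"
cpuinfo_fields() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "cpu family" { f = $2 }
        $1 == "model"      { m = $2 }
        $1 == "stepping"   { s = $2 }
        $1 == "microcode"  { r = $2; exit }   # stop after the first CPU
        END { printf "%02x-%02x-%02x %s\n", f, m, s, r }'
}

# classify SIG REV prints one of:
#   affected  SIG is in the 20240813 list: install the release
#   stale     SIG is 06-a5-03 but REV is below 0xfc: re-download (see note)
#   ok        neither applies
classify() {
    if is_affected "$1"; then
        echo affected
    elif [ "$1" = "06-a5-03" ] && ! rev_at_least "$2" 0xfc; then
        echo stale
    else
        echo ok
    fi
}

# Stand-alone run: inspect this machine when /proc/cpuinfo is readable,
# otherwise fall back to the constructed sample.
if [ -r /proc/cpuinfo ]; then
    fields=$(cpuinfo_fields < /proc/cpuinfo)
else
    fields=$(printf '%s\n' "$SAMPLE_CPUINFO" | cpuinfo_fields)
fi
echo "signature ${fields%% *}, microcode ${fields##* }: $(classify $fields)"
```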
In urllib3-2.2.2, two security vulnerabilities were fixed that could allow for unintentional information disclosure via the 'Cookie' HTTP header, and for the contents of HTTP request bodies to be unintentionally leaked after redirects. These vulnerabilities are both difficult to exploit and require several uncommon conditions to be set. These vulnerabilities have been assigned CVE-2023-45803 and CVE-2023-45804.
To fix these vulnerabilities, update to urllib3-2.2.2 or later using the instructions from urllib3 (sysv) or urllib3 (systemd).
In idna-3.7, a security vulnerability was fixed that could allow for a specially crafted invalid input to cause an exceptionally large amount of resource consumption, increasing quadratically depending on the complexity of the input. This applies to the idna.encode() function. This vulnerability has been assigned CVE-2024-3651.
To fix this vulnerability, update to idna-3.7 or later using the instructions from idna (sysv) or idna (systemd).
In PostgreSQL-16.4, a security vulnerability was fixed that could allow for relation replacement during pg_dump, which will execute arbitrary SQL commands. An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, upstream has added a new server parameter called "restrict_nonsystem_relation_kind" that can disable expansion of non-builtin views, as well as access to foreign tables, and upstream modified pg_dump to set it when available. Note that you must have both pg_dump *and* the server it was dumped from updated to have this fix. The issue is classified as a TOCTOU issue. This vulnerability has been assigned CVE-2024-7348.
To fix this vulnerability, update to PostgreSQL-16.4 (or 15.8, 14.13, 13.16, or 12.20) or later using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
In Thunderbird-128.1.0esr, ten security vulnerabilities were fixed that could allow for fullscreen notification dialogs to be obscured, remote code execution, information disclosure, sandbox escapes, remotely exploitable crashes, cross-site scripting, permission bypasses, and for security prompt obscuring. These vulnerabilities have been assigned CVE-2024-7518, CVE-2024-7519, CVE-2024-7520, CVE-2024-7521, CVE-2024-7522, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, and CVE-2024-7529.
To fix these vulnerabilities, update to Thunderbird-128.1.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
In Firefox-128.1.0esr (or 115.14.0), twelve security vulnerabilities were fixed that could allow for fullscreen notification dialogs to be obscured, remote code execution, information disclosure, sandbox escapes, remotely exploitable crashes, cross-site scripting, content security policy bypasses, permission bypasses, security prompt obscuring, and for accidental decryption of data (on Sandy Bridge processors). These vulnerabilities have been assigned CVE-2024-7518, CVE-2024-7519, CVE-2024-7520, CVE-2024-7521, CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, and CVE-2024-7531.
To fix these vulnerabilities, update to Firefox-128.1.0esr (or 115.14.0) or later using the instructions from Firefox (sysv) or Firefox (systemd).
In SpiderMonkey-115.14.0, a security vulnerability was fixed that could allow for a remotely exploitable crash caused by a use-after-free when unexpected marking work at the start of sweeping during garbage collection occurs. The vulnerability was also fixed in Firefox and Thunderbird. This vulnerability has been assigned CVE-2024-7527.
To fix this vulnerability, update to SpiderMonkey-115.14.0 or later using the instructions from SpiderMonkey (sysv) or SpiderMonkey (systemd).
In cURL-8.9.1, a security vulnerability was fixed that could allow for a crash or potentially leaking the contents of heap memory to the application when CURLINFO_CERTINFO is used. This occurs because libcurl's GTime2str() function, which is used for parsing an ASN.1 Generalized Time field, may return a -1 for the length of the time fraction, leading to a strlen() call getting performed on a pointer to a heap buffer area that is not NULL terminated. The default BLFS configuration is unaffected unless you used GnuTLS as your TLS backend instead of OpenSSL. This vulnerability has been assigned CVE-2024-7264.
To fix this vulnerability, update to cURL-8.9.1 or later using the instructions from cURL (sysv) or cURL (systemd).
In libxml2-2.13.3, a security vulnerability was fixed that could allow for XML External Entity injection attacks. This was noted in at least one downstream project, but further details aren't available to the public at the time of this advisory. This vulnerability has been assigned CVE-2024-40896.
To fix this vulnerability, update to libxml2-2.13.3 or later using the instructions from libxml2 (sysv) or libxml2 (systemd).
In OpenJDK-22.0.2, five security vulnerabilities were fixed that could allow for unauthorized modification, disclosure, and deletion of data accessible by OpenJDK. Four of these vulnerabilities are present in the Hotspot component, and the other vulnerability is present in the 2D component. All of these are exploitable remotely and without authentication. These vulnerabilities have been assigned CVE-2024-21147, CVE-2024-21145, CVE-2024-21140, CVE-2024-21131, and CVE-2024-21138.
To fix these vulnerabilities, update to OpenJDK-22.0.2 (or use the prebuilt Java binaries) using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
In cURL-8.9.0, a security vulnerability was fixed that could allow for a crash that occurs when a server provides a specially crafted TLS certificate. This occurs in the utf8asn1str() function in the ASN.1 parser. Note that in some circumstances where the malloc implementation does not detect this error, this could potentially allow for remote code execution. This vulnerability has been assigned CVE-2024-6197.
To fix this vulnerability, update to cURL-8.9.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In BIND-9.18.28, four security vulnerabilities were fixed that could allow for an attacker to remotely crash the DNS server. Note that this only impacts the server, and not the utilities. One of these vulnerabilities is in the SIG0 support, which was removed entirely in this release. All users who run a publicly accessible DNS server are advised to upgrade to this release as soon as possible. These vulnerabilities have been assigned CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, and CVE-2024-4076.
To fix these vulnerabilities, update to BIND-9.18.28 or later using the instructions from BIND (sysv) or BIND (systemd).
In vorbis-tools-1.4.2, a security vulnerability was discovered that can allow for arbitrary code execution or a denial of service when processing a crafted WAV file and converting it to an OGG using the 'oggenc' command. The issue has been classified as a buffer overflow. This vulnerability has been assigned CVE-2023-43361.
To fix this vulnerability, rebuild vorbis-tools with the sed command that fixes this issue using the instructions from vorbis-tools (sysv) or vorbis-tools (systemd).
In Exiv2-0.28.3, a security vulnerability was fixed that could allow for a denial of service (out-of-bounds read) when parsing the metadata of a crafted ASF video file. This vulnerability has been assigned CVE-2024-39695.
To fix this vulnerability, update to Exiv2-0.28.3 or later using the instructions from Exiv2 (sysv) or Exiv2 (systemd).
In Wireshark-4.2.6, a security vulnerability was fixed that could allow for the application to crash when processing a malformed SPRT packet. This can happen while capturing packets on the wire, or when viewing a pcap file. No CVE has been assigned for this vulnerability, but more details can be found at Wireshark Security Advisory.
To fix this vulnerability, update to Wireshark-4.2.6 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).
In Thunderbird-128.0esr (and 115.13.0esr), several security vulnerabilities were fixed that could allow for remote code execution, user confusion allowing for unauthorized permissions to be granted, moving the cursor outside of the Thunderbird window, crashes, blocking exit from fullscreen mode, Content Security Policy bypasses, and for cookies to be sent inadvertently. Note that most of these vulnerabilities only affect HTML mail. These vulnerabilities have been assigned CVE-2024-6606, CVE-2024-6607, CVE-2024-6608, CVE-2024-6609, CVE-2024-6610, CVE-2024-6601, CVE-2024-6602, CVE-2024-6603, CVE-2024-6611, CVE-2024-6612, CVE-2024-6613, CVE-2024-6614, CVE-2024-6604, and CVE-2024-6615.
To fix these vulnerabilities, update to Thunderbird-128.0esr (or 115.13.0esr) or later by using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Node.js 20.15.1, three security vulnerabilities (on Linux) were fixed that could allow for changing the owner or permissions of a file when using the --allow-fs-write or --allow-fs-read flags, and for bypassing the security of data imports from the url bar, allowing for arbitrary code execution. These vulnerabilities have been assigned CVE-2024-20220, CVE-2024-36137, and CVE-2024-22018.
To fix these vulnerabilities, update to Node.js-20.15.1 or later using the instructions from Node.js (sysv) or Node.js (systemd).
In Firefox-128.0esr (and 115.13.0esr), several security vulnerabilities were fixed that could allow for remote code execution, user confusion allowing for unauthorized permissions to be granted, moving the cursor outside of the Firefox window, crashes, blocking exit from fullscreen mode, Content Security Policy bypasses, and for cookies to be sent inadvertently. These vulnerabilities have been assigned CVE-2024-6606, CVE-2024-6607, CVE-2024-6608, CVE-2024-6609, CVE-2024-6610, CVE-2024-6601, CVE-2024-6602, CVE-2024-6603, CVE-2024-6611, CVE-2024-6612, CVE-2024-6613, CVE-2024-6614, CVE-2024-6604, and CVE-2024-6615.
To fix these vulnerabilities, update to Firefox-128.0esr (or 115.13.0esr) or later by using the instructions from Firefox (sysv) or Firefox (systemd).
In GTK+-3.24.43, a security vulnerability was fixed that could allow for library injection from the current working directory if certain environment variables were set. There is a public proof of concept that uses the filename of a common GTK+ library and an environment variable. This vulnerability has been assigned CVE-2024-6655.
To fix this vulnerability, update to GTK+-3.24.43 or later using the instructions from GTK+-3 (sysv) or GTK+-3 (systemd).
In MIT Kerberos V5 1.21.3, two security vulnerabilities were fixed that could allow for an attacker to modify the plaintext Extra Count field of a confidential GSS token, and for an attacker to cause invalid memory reads during GSS message token handling (by sending messages with invalid length fields). Updating is recommended if you are using the server component. These vulnerabilities have been assigned CVE-2024-37370 and CVE-2024-37371.
To fix these vulnerabilities, update to MIT Kerberos V5 1.21.3 or later using the instructions from MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd).
In Emacs-29.4, a security vulnerability was fixed that could allow for arbitrary shell commands to be run while in Org mode (the built-in email client). There is a public proof of concept available, and this vulnerability is trivial to exploit. If you are using the Org mode in Emacs, you need to update Emacs immediately. No CVE has been assigned for this vulnerability, but details are available at oss-security posting.
To fix this vulnerability, update to Emacs-29.4 or later using the instructions from Emacs (sysv) or Emacs (systemd).
In QtWebEngine-6.7.2, seven security vulnerabilities were fixed that could allow for remote code execution. All of these issues occur in the bundled version of Chromium, and happen in the WebRTC, Dawn, Media Session, Streams API, and V8 components within Chromium. Several of these issues are known to be actively exploited, so it is recommended that you update as soon as possible. These vulnerabilities have been assigned CVE-2024-5493, CVE-2024-5494, CVE-2024-5495, CVE-2024-5496, CVE-2024-5499, CVE-2024-5274, and CVE-2024-4948.
To fix these vulnerabilities, update to QtWebEngine-6.7.2 or later using the instructions from QtWebEngine (sysv) or QtWebEngine (systemd).
In Python-3.12.4, a security vulnerability was fixed that could allow for incorrect information to be returned about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This occurred because the module carried outdated information from the IANA Special-Purpose Address Registries. Note that this only impacts you if you use the "ipaddress" Python module, included with the Python standard library. Python 3.12.4 fixes this by updating the information from the IANA Special-Purpose Address Registry to the latest version. This vulnerability has been assigned CVE-2024-4032.
To fix this vulnerability, update to Python-3.12.4 or later using the instructions from Python3 (sysv) or Python3 (systemd).
If you are maintaining an older system, you will need to backport CPython PR 113179 to your version of Python and then rebuild it.
In OpenSSL-3.3.1, three security vulnerabilities were fixed that could allow for a denial of service (application crash, unbounded resource access, and excessive time spent in a function) to occur. The application crash occurs when using the SSL_free_buffers() function, and it causes a use after free because it can access memory that has been previously freed in some situations. The excessive time vulnerability occurs when checking DSA keys and parameters. The unbounded resource access occurs with session handling in TLS 1.3 connections. These vulnerabilities have been assigned CVE-2024-2511, CVE-2024-4603, and CVE-2024-4741.
To fix these vulnerabilities, update to OpenSSL-3.3.1 or later using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).
If you are maintaining an older system, please use OpenSSL-3.1.6, OpenSSL-3.2.2, or OpenSSL-3.0.14 instead, as those have the same fixes and were released at the same time as this update.
In httpd-2.4.62, eight security vulnerabilities were fixed. More details are given in Changes with Apache 2.4.60. These vulnerabilities have been assigned CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2024-38472, and CVE-2024-36387.
To fix these vulnerabilities, update to httpd-2.4.62 or later using the instructions from Apache HTTPD (sysv) or Apache HTTPD (systemd).
In OpenSSH-9.8p1, a security vulnerability was fixed that could allow for arbitrary remote code execution with root privileges by exploiting a race condition in the authentication functions, thus bypassing all authentication. The vulnerability has already been proven to work on 32-bit (i686) systems and is theoretically possible on 64-bit (x86_64) systems as well. This vulnerability is codenamed RegreSSHion and has been assigned CVE-2024-6387.
To fix this vulnerability, either update to OpenSSH-9.8p1 or later using the instructions from OpenSSH (sysv) or OpenSSH (systemd), or apply a temporary mitigation by setting LoginGraceTime to 0 in /etc/ssh/sshd_config.
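The interim mitigation above depends on sshd actually applying LoginGraceTime 0, and sshd_config has a few parsing rules that make a quick grep unreliable: keywords are case-insensitive, "keyword value" and "keyword=value" are both accepted, and the first occurrence of an option wins. The following is an added example (not from the BLFS page or OpenSSH) that reads the effective value out of a config file with those rules and reports whether the mitigation is in place; the config files it inspects are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example (not BLFS or OpenSSH code): read the effective LoginGraceTime
# from an sshd_config and report whether the CVE-2024-6387 interim
# mitigation ("LoginGraceTime 0") is set.

# Keywords are case-insensitive, separated from the value by whitespace or a
# single "=", and sshd keeps the FIRST value it finds for an option.
login_grace_time() {
    awk '
        { sub(/^[ \t]+/, "")
          n = split($0, f, /[ \t=]+/)
          if (n >= 2 && tolower(f[1]) == "logingracetime") { print f[2]; exit } }
    ' "$1"
}

# sshd's built-in default when the option is absent is 120 seconds.
effective_login_grace_time() {
    v=$(login_grace_time "$1")
    if [ -n "$v" ]; then echo "$v"; else echo 120; fi
}

# Exit 0 when the grace timeout is disabled, i.e. the mitigation is applied.
regresshion_mitigated() {
    [ "$(effective_login_grace_time "$1")" = "0" ]
}

# Constructed sample configs (not files from a real host).
SSHD_SAMPLES=$(mktemp -d)
cat > "$SSHD_SAMPLES/mitigated" <<'EOF'
Port 22
LoginGraceTime 0
PermitRootLogin no
EOF
cat > "$SSHD_SAMPLES/default" <<'EOF'
Port 22
#LoginGraceTime 2m
PermitRootLogin no
EOF
cat > "$SSHD_SAMPLES/equals" <<'EOF'
  logingracetime=30
LoginGraceTime 0
EOF

for f in mitigated default equals; do
    printf '%s: LoginGraceTime=%s mitigated=%s\n' "$f" \
        "$(effective_login_grace_time "$SSHD_SAMPLES/$f")" \
        "$(regresshion_mitigated "$SSHD_SAMPLES/$f" && echo yes || echo no)"
done
```

On a running host, sshd -T prints the configuration sshd has actually loaded, so sshd -T | grep -i logingracetime is the authoritative check rather than reading the file. Keep in mind that a grace time of 0 removes the timeout on unauthenticated connections entirely, so until the update is installed the daemon can have its MaxStartups connection slots exhausted by clients that never authenticate; the setting is a stopgap, not a replacement for updating.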
In cryptsetup-2.7.3, various security vulnerabilities, relating to Opal based hardware encryption, were fixed. These vulnerabilities could result in a drive being partially unencrypted or destroying the data on the disk due to bad firmware on some drives. These vulnerabilities have not been assigned any CVEs, but additional information can be found at the Release Notes.
To fix these vulnerabilities, update to cryptsetup-2.7.3 or later using the instructions from cryptsetup (sysv) or cryptsetup (systemd).
In SpiderMonkey-115.12.0, a security vulnerability was fixed that could allow for a potentially exploitable crash if garbage collection was triggered at the right time. The vulnerability occurs due to a use-after-free during object transplant. This vulnerability has been assigned CVE-2024-5688.
To fix this vulnerability, update to SpiderMonkey-115.12.0 or later using the instructions from SpiderMonkey (sysv) or SpiderMonkey (systemd).
In Firefox-115.12.0esr, seven security vulnerabilities were fixed that could allow for potentially exploitable crashes, sandbox restriction bypasses, leakage of external protocol handlers, memory corruption, remote code execution, and cross-origin image leaks. These vulnerabilities have been assigned CVE-2024-5702, CVE-2024-5688, CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5696, and CVE-2024-5700.
To fix these vulnerabilities, update to Firefox-115.12.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
In CUPS-2.4.9, a security vulnerability was fixed that could allow for privilege escalation and allows for world-writable files in special configurations. If a Listen option in the configuration files points to a symbolic link, CUPS will perform an arbitrary chmod to 0140777 of that location. There is a proof-of-concept inside of the vulnerability report which is now public. If you are using a symbolic link in the Listen option, please update to CUPS-2.4.9 as soon as possible, especially if you are using IPP. This vulnerability has been assigned CVE-2024-35235.
To fix this vulnerability, update to CUPS-2.4.9 or later using the instructions from CUPS (sysv) or CUPS (systemd).
In libaom-3.9.1, a security vulnerability was fixed that could allow for arbitrary code execution when playing a crafted video file. This is primarily exploitable remotely via web browsers. This issue is classified as a heap corruption problem, and is known to be exploited in Chromium. This vulnerability has been assigned CVE-2024-5493.
To fix this vulnerability, update to libaom-3.9.1 or later using the instructions from libaom (sysv) or libaom (systemd).
In VTE-0.76.3, a security vulnerability was fixed that allows an attacker to cause a denial of service (memory consumption) issue via a window resize escape sequence. The vulnerability was fixed by adding limits for XTERM_WM and sanitizing the VteTerminal size request to just under the limit. The issue was originally exploited in XFCE Terminal, but was later exploited in gnome-terminal as well. This is similar to CVE-2000-0476. This vulnerability has been assigned CVE-2024-37535.
To fix this vulnerability, update to VTE-0.76.3 or later using the instructions from VTE (sysv) or VTE (systemd).
In Libreoffice-24.2.4.2, a security vulnerability was fixed that could allow for unchecked script execution in the Graphics on-click binding. This allows an attacker to create a document which, without prompt, will execute scripts built-into the document when clicking on graphics. These scripts were previously deemed trusted, but are now deemed untrusted. Another two bugs were fixed that could allow for crashes when opening or processing documents, due to integer overflows and out-of-bounds accesses. This vulnerability has been assigned CVE-2024-3044.
To fix this vulnerability, update to Libreoffice-24.2.4.2 or later using the instructions from Libreoffice (sysv) or Libreoffice (systemd).
In VLC-3.0.21, a security vulnerability was fixed in its implementation of the MMS protocol that allows for an integer overflow to occur. When playing a crafted stream, this can allow for a denial-of-service or other impacts such as arbitrary code execution. This vulnerability has not been assigned a CVE yet, but upstream has declared it as a security fix.
To fix this vulnerability, update to VLC-3.0.21 using the instructions from VLC (sysv) or VLC (systemd).
In PHP-8.3.8, four security vulnerabilities were fixed that could allow for argument injection when using CGI, for a filter bypass in filter_var FILTER_VALIDATE_URL, for an OpenSSL Marvin attack, and for operating system command injection. The Operating System Command Injection and Argument Injection vulnerabilities are known to be actively exploited, and proof of concept exploits are available to the public. It is recommended that you update PHP immediately if you are running it on a public-facing web server. These vulnerabilities have been assigned CVE-2024-5585, CVE-2024-2408, CVE-2024-5458, and CVE-2024-4577.
To fix these vulnerabilities, update to PHP-8.3.8 or later using the instructions from PHP (sysv) or PHP (systemd).
In libvpx-1.14.1, a security vulnerability was fixed that could allow for integer overflows in the calculations of buffer sizes and offsets when calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameters. This may result in invalid fields being returned in the vpx_image_t struct, and can cause a denial of service or remote code execution. This vulnerability has been assigned CVE-2024-5197.
To fix this vulnerability, update to libvpx-1.14.1 or later using the instructions from libvpx (sysv) or libvpx (systemd).
In plasma-workspace-6.0.5.1 (and 5.27.11.1), a security vulnerability was fixed that could allow unauthorized connections due to incorrectly allowing connections via ICE on the same host as Plasma is running on. This allows another user on the same machine to gain access to the session manager, and can be exploited to achieve arbitrary code execution in the context of the current user on the next logon to the machine. This vulnerability has been assigned CVE-2024-36041.
Because the development books have moved to Plasma 6, you should upgrade to plasma-workspace-5.27.11.1 by downloading and manually installing it after Plasma 5 if you are on BLFS 12.1.
If you are using the current development books, please update to plasma-workspace-6.0.5.1 using the instructions from Plasma (sysv) or Plasma (systemd).
In MariaDB-10.11.8, a security vulnerability was fixed that could allow for unauthorized creation, modification, or deletion of data stored in a MySQL instance. The vulnerability itself is difficult to exploit, but can be performed locally with no special privileges required. This vulnerability has been assigned CVE-2024-21096.
To fix this vulnerability, update to MariaDB-10.11.8 or later using the instructions from MariaDB (sysv) or MariaDB (systemd).
In Thunderbird-115.11.0, six security vulnerabilities were fixed that could allow for arbitrary code execution, arbitrary JavaScript execution, potential permissions bypasses, cross-origin response leakage, and crashes when saving pages to PDFs. The arbitrary JavaScript execution vulnerability is in PDF.js, and is known to be actively exploited. These vulnerabilities have been assigned CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, and CVE-2024-4777.
To fix these vulnerabilities, update to Thunderbird-115.11.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-115.11.0esr, six security vulnerabilities were fixed that could allow for arbitrary code execution, arbitrary JavaScript execution, potential permissions bypasses, cross-origin response leakage, and crashes when saving pages to PDFs. The arbitrary JavaScript execution vulnerability is in PDF.js, and is known to be actively exploited. These vulnerabilities have been assigned CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, and CVE-2024-4777.
To fix these vulnerabilities, update to Firefox-115.11.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
In SpiderMonkey-115.11.0, a security vulnerability was fixed that could allow for arbitrary code execution when calling the IsDiamondPattern function. This vulnerability was recently exploited in pdf.js, and allowed for arbitrary JavaScript code execution when processing a crafted PDF file. This vulnerability is relevant to two CVE numbers: CVE-2024-4367 and CVE-2024-4777.
To fix this vulnerability, update to SpiderMonkey-115.11.0 or later using the instructions from SpiderMonkey (sysv) or SpiderMonkey (systemd).
In WebKitGTK-2.42.2, a security vulnerability was fixed that could allow for an attacker with arbitrary read and write capabilities to bypass Pointer Authentication. The vulnerability was addressed with improved checks, and is known to be exploited in the wild. This vulnerability has been assigned CVE-2024-27834.
To fix this vulnerability, update to WebKitGTK-2.42.2 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In OpenJDK-22.0.1, four security vulnerabilities were fixed that could allow for a denial of service (application crash) or for unauthorized reading, modification, and deletion of data. These vulnerabilities are all network exploitable with no authentication or user interaction required, and they are in the Hotspot and Networking components. These vulnerabilities have been assigned CVE-2024-21011, CVE-2024-21068, CVE-2024-21094, and CVE-2024-21012.
To fix these vulnerabilities, update to OpenJDK-22.0.1 (or use the prebuilt Java binaries) using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
In PostgreSQL-16.3 (as well as 15.7 and 14.12), a security vulnerability was fixed that could allow for an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands executed by other users. The most common values will reveal column values that the eavesdropper could not otherwise read, or results of functions that they cannot execute. However, installing an unaffected version only fixes fresh PostgreSQL installations, namely those created with the initdb utility after installing that version. Because of this, the modifications described later in this advisory will need to be applied to any existing databases. This vulnerability has been assigned CVE-2024-4317.
To fix this vulnerability, update to PostgreSQL-16.3 (or 15.7 or 14.12) using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
After installing the new version of the package, existing databases will need to be updated to fix the vulnerability, as well as the template databases. The following commands assume that you are using the 'test' database created in the book, so you will need to change the name for any new databases that you have created. The ALTER DATABASE commands are issued while connected to the 'test' database, because template0 does not accept connections until ALLOW_CONNECTIONS has been enabled for it. Run the following commands as the root user.
echo "\i /usr/share/postgresql/fix-CVE-2024-4317.sql" | (su - postgres -c '/usr/bin/psql test')
echo "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;" | (su - postgres -c '/usr/bin/psql test')
echo "\i /usr/share/postgresql/fix-CVE-2024-4317.sql" | (su - postgres -c '/usr/bin/psql template0')
echo "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;" | (su - postgres -c '/usr/bin/psql test')
echo "ALTER DATABASE template1 WITH ALLOW_CONNECTIONS true;" | (su - postgres -c '/usr/bin/psql test')
echo "\i /usr/share/postgresql/fix-CVE-2024-4317.sql" | (su - postgres -c '/usr/bin/psql template1')
echo "ALTER DATABASE template1 WITH ALLOW_CONNECTIONS false;" | (su - postgres -c '/usr/bin/psql test')
In QtWebEngine-6.7.1, seventeen security vulnerabilities were fixed that could allow for remote code execution through crafted HTML pages, for a remotely exploitable sandbox escape, for arbitrary reading/writing of files via malicious HTML pages, for remotely exploitable crashes, content security policy bypasses, and for sensitive information disclosure. Several of these vulnerabilities have been exploited in the wild recently and it is recommended that you update to this version of QtWebEngine immediately. If you are still using a Qt5-based version of QtWebEngine, the BLFS team recommends that you migrate to Qt6, the Qt6 version of QtWebEngine, and the latest version of Falkon as soon as possible. These vulnerabilities have been assigned CVE-2024-3516, CVE-2024-3157, CVE-2024-3159, CVE-2024-2887, CVE-2024-2885, CVE-2024-2626, CVE-2024-2625, CVE-2024-7104, CVE-2024-4060, CVE-2024-4058, CVE-2024-3840, CVE-2024-3914, CVE-2024-3837, CVE-2024-3839, CVE-2024-4671, CVE-2024-4368, and CVE-2024-4331.
To fix these vulnerabilities, update to QtWebEngine-6.7.1 using the instructions from QtWebEngine (sysv) or QtWebEngine (systemd).
In Qt6-6.7.1, two security vulnerabilities were resolved that could allow for stack modification as well as for predictable encryption to occur when using Network Authentication in Qt. The stack modification vulnerability occurs in QtBase, and in some circumstances can allow for a remote attacker to modify the state of an application while running if the application uses QStringDecoder (and if an attacker can tell the application to use a specific codec). The predictable encryption vulnerability occurs because QAbstractOAuth only uses time to seed the PRNG. These vulnerabilities have been assigned CVE-2024-33861 and CVE-2024-36048.
To fix these vulnerabilities, update to Qt-6.7.1 or later using the instructions from Qt6 (sysv) or Qt6 (systemd).
In intel-microcode-20240514, four hardware vulnerabilities are fixed. One of them may allow for a denial of service when using Intel Core Ultra processors that belong to the Meteor Lake platform due to an invalid sequence of processor instructions. Another one of these vulnerabilities allows for information disclosure in certain circumstances due to race conditions in hardware logic. This impacts processors that belong to the Meteor Lake (Intel Core Ultra family) as well as the Alder Lake, Raptor Lake, and Arizona Beach processors. This includes the 12th Generation family of Intel CPUs as well as the 13th Generation, the Intel Core Processor N family, the Pentium Gold Processor Family, and the Atom C Series of processors. The other security vulnerabilities impact Intel Xeon Scalable servers with Trust Domain Extensions support. In this case, an elevation of privileges may occur. These vulnerabilities have been assigned CVE-2023-46103, CVE-2023-45733, CVE-2023-45745, and CVE-2023-47855.
Check if your CPU is affected by running lscpu and comparing the family, model, and stepping values it prints with the values provided above. If vulnerable, update to intel-microcode-20240514 or later using the instructions for About Firmware (sysv) or About Firmware (systemd) to fix these vulnerabilities.
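lscpu prints family, model and stepping in decimal, while the processor tables in the microcode package's release notes identify parts by a hexadecimal family-model-stepping signature (for example 06-97-02), so the comparison needs a conversion. The script below is an added example (not from the BLFS page or Intel) that does that conversion, both from three decimal values and directly from lscpu output read on standard input; the lscpu excerpt it runs on is a constructed sample in lscpu's layout, not a capture from a real machine.

```shell
#!/bin/sh
# Added example (not BLFS or Intel code): derive the hexadecimal
# family-model-stepping signature from the decimal values lscpu prints.

# Usage: cpu_signature FAMILY MODEL STEPPING   (decimal, as lscpu shows them)
# Prints e.g. "06-97-02" for family 6, model 151, stepping 2.
cpu_signature() {
    printf '%02x-%02x-%02x\n' "$1" "$2" "$3"
}

# Read lscpu(1) output on stdin and print the signature; fails (exit 1) if
# any of the three fields is missing. "Model:" must not match "Model name:".
cpu_signature_from_lscpu() {
    awk -F: '
        /^CPU family:/ { f = $2 + 0; have_f = 1 }
        /^Model:/      { m = $2 + 0; have_m = 1 }
        /^Stepping:/   { s = $2 + 0; have_s = 1 }
        END {
            if (!(have_f && have_m && have_s)) exit 1
            printf "%02x-%02x-%02x\n", f, m, s
        }'
}

# Constructed lscpu excerpt (not captured from a real machine).
SAMPLE_LSCPU='Architecture:                         x86_64
Vendor ID:                            GenuineIntel
Model name:                           constructed Intel sample
CPU family:                           6
Model:                                151
Stepping:                             2'

printf '%s\n' "$SAMPLE_LSCPU" | cpu_signature_from_lscpu   # prints 06-97-02
```

On a real system pipe lscpu into cpu_signature_from_lscpu and look the result up in the release notes shipped with the microcode package; the revision currently loaded on the running CPU can be read from /sys/devices/system/cpu/cpu0/microcode/version to confirm that the new microcode took effect after the update.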
In glib-2.80.2, a security vulnerability was fixed that could allow for unicast spoofing to occur with services that use GDBus. This includes several system services, including NetworkManager and others. This allows for other users of a shared computer to send spoofed D-Bus signals which a GDBus-based client will incorrectly interpret as having been sent by the trusted system service, which will cause incorrect behavior with an application-dependent impact. This vulnerability has been assigned CVE-2024-34397.
To fix this vulnerability, update to glib-2.80.2 or later using the instructions from glib2 (sysv) or glib2 (systemd).
In ghostscript-10.03.1, five security vulnerabilities were fixed that could allow for crashes, shell injection, and remote code execution when processing PostScript files (including print jobs). These vulnerabilities can be exploited using a variety of drivers within GhostScript to send print jobs, as well as when using GhostScript to convert and display PostScript files. These vulnerabilities have been assigned CVE-2024-33869, CVE-2024-52722, CVE-2024-33870, CVE-2024-33871, and CVE-2024-29510.
To fix these vulnerabilities, update to ghostscript-10.03.1 or later using the instructions from ghostscript (sysv) or ghostscript (systemd).
In gdk-pixbuf-2.42.12, a security vulnerability was fixed that could allow for heap memory corruption (and thus arbitrary code execution or a crash) when processing chunks in a crafted ANI file. ANI files are Animated Cursors for Windows, but can be indexed by Tracker and can be viewed in some applications. This vulnerability has been assigned CVE-2022-48622.
To fix this vulnerability, update to gdk-pixbuf-2.42.12 or later using the instructions from gdk-pixbuf (sysv) or gdk-pixbuf (systemd).
In Wireshark-4.2.5, three security vulnerabilities were fixed that could allow for infinite loops when processing MONGO and ZigBee TLV packets, as well as for crashes when editing crafted packets using the 'editcap' utility. In the 'editcap' utility, the vulnerabilities occur when injecting secrets while writing multiple files, and when chopping bytes from the beginning of a packet. If you use the 'editcap' utility or process MONGO and ZigBee TLV packets, the BLFS team recommends that you update Wireshark. These vulnerabilities have been assigned CVE-2024-4854, CVE-2024-4853, and CVE-2024-4855.
To fix these vulnerabilities, update to Wireshark-4.2.5 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).
In libxml2-2.12.7, a security vulnerability was fixed that could allow for a buffer over-read when formatting error messages with 'xmllint --htmlout'. This only affects the xmllint utility, and the vulnerability occurs in the xmlHTMLPrintFileContext() function in xmllint.c. The xmllint utility will crash when processing a malicious file, and upstream has thus rated the vulnerability as low. This vulnerability has been assigned CVE-2024-34459.
To fix this vulnerability, update to libxml2-2.12.7 or later using the instructions from libxml2 (sysv) or libxml2 (systemd).
In gst-plugins-base-1.24.3, a security vulnerability was fixed that could allow for a heap-based buffer overflow in the EXIF image tag parser when processing a certain malformed file. This would allow a malicious third party to trigger a crash in the application, as well as achieve code execution through heap manipulation. Because of the way gstreamer is packaged, the entire stack must be updated to fix this vulnerability. This vulnerability has been assigned CVE-2024-4453.
To fix this vulnerability, update the gstreamer stack to 1.24.3 using the instructions from gstreamer (sysv) or gstreamer (systemd).
In git-2.45.0, four security vulnerabilities were fixed that could allow a maliciously crafted repository to execute malicious code at cloning time and to create hardlinks to files outside the cloned repository. These vulnerabilities have been assigned CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, and CVE-2024-32021.
To fix these vulnerabilities, update to git-2.45.1 or later using the instructions from git (sysv) or git (systemd).
In the iconv module of Glibc-2.39 and earlier, a security vulnerability was found which may allow remote code execution via network services running on the system (an exploit via PHP-based web applications has been demonstrated). In addition, four vulnerabilities were found in the Name Service Cache Daemon (NSCD) of Glibc which may at least allow a denial of service. NSCD has been disabled in the Glibc build since LFS 12.1, but earlier LFS releases may still be running a vulnerable NSCD. The iconv vulnerability has been assigned CVE-2024-2961, and the NSCD vulnerabilities have been assigned CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, and CVE-2024-33602.
To fix the iconv vulnerability, update to Glibc-2.39 or later using the instructions from the LFS book for Glibc (sysv) or Glibc (systemd), but apply another patch after applying glibc-2.39-fhs-1.patch.
To update Glibc from 2.38 or earlier to 2.39 safely on a running system, some extra precautions are needed as documented in an "Important" box in the book section for Glibc. Follow it strictly or you may render the system completely unusable. YOU ARE WARNED.
For LFS 12.0 and earlier, the update process will also disable and remove NSCD to get rid of the NSCD vulnerabilities.
In libarchive-3.7.4, a security vulnerability was fixed that could allow for remote code execution when processing a crafted RAR archive due to an Out-Of-Bounds read. It happens in the RAR e8 filter, and occurs when the archive is decompressed or when it is viewed. This vulnerability has been assigned CVE-2024-26256.
To fix this vulnerability, update to libarchive-3.7.4 or later using the instructions from libarchive (sysv) or libarchive (systemd).
In Ruby-3.3.1, three security vulnerabilities were fixed that could allow for arbitrary memory address reading and remote code execution. The arbitrary memory reading vulnerabilities occur in StringIO and also in the Regex search functionality. If attacker supplied data is passed to the Ruby regex compiler, it's possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. When it comes to StringIO, the ungetbyte() and ungetc() methods can read past the end of a string, and a subsequent call to StringIO.gets may return a value from memory. The remote code execution vulnerability is in RDoc, and it happens when processing the .rdoc_options file as a YAML file since there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resultant remote code execution are also possible if there was a crafted cache. These vulnerabilities have been assigned CVE-2024-27280, CVE-2024-27281, and CVE-2024-27282.
To fix these vulnerabilities, update to Ruby-3.3.1 or later using the instructions from Ruby (sysv) or Ruby (systemd).
In Node.js-20.12.2, a vulnerability was fixed on Windows where commands could be injected through a Windows-only argument handling library. (B)LFS is seemingly unaffected by this vulnerability, but updating is still recommended. This vulnerability has been assigned CVE-2024-27980.
To (potentially) fix this, update to Node.js-20.12.2 or later using the instructions for: Node.js (sysv) or Node.js (systemd).
In Thunderbird-115.10.0, eight security vulnerabilities were fixed that could allow for arbitrary code execution, remotely exploitable denial of service conditions (using HTTP/2 CONTINUATION frames), remotely exploitable crashes, and clickjacking. Some of these vulnerabilities occur when using the JIT compiler, but one of the vulnerabilities is 32-bit specific and allows for an Integer Overflow when processing a crafted OpenType font. Updating Thunderbird is recommended due to the HTTP/2 CONTINUATION attack, since some HTML mails may use this protocol. These vulnerabilities have been assigned CVE-2024-3852, CVE-2024-3854, CVE-2024-3857, CVE-2024-2609, CVE-2024-3859, CVE-2024-3861, CVE-2024-3302, and CVE-2024-3864.
To fix these vulnerabilities, update to Thunderbird-115.10.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-115.10.0esr, eight security vulnerabilities were fixed that could allow for arbitrary code execution, remotely exploitable denial of service conditions (using HTTP/2 CONTINUATION frames), remotely exploitable crashes, and clickjacking. Some of these vulnerabilities occur when using the JIT compiler, but one of the vulnerabilities is 32-bit specific and allows for an Integer Overflow when processing a crafted OpenType font. Updating Firefox is recommended due to the HTTP/2 CONTINUATION attack. These vulnerabilities have been assigned CVE-2024-3852, CVE-2024-3854, CVE-2024-3857, CVE-2024-2609, CVE-2024-3859, CVE-2024-3861, CVE-2024-3302, and CVE-2024-3864.
To fix these vulnerabilities, update to Firefox-115.10.0esr or later using the instructions from Firefox (sysv) or Firefox (systemd).
In SpiderMonkey/mozjs-115.10.0, three security vulnerabilities were fixed in the JIT compiler which could allow for GetBoundName to return the wrong object, for crashes after a mis-optimized switch statement, and for incorrect JITting of arguments to lead for crashes during garbage collection. This could allow for unexpected crashes in some applications. These vulnerabilities have been assigned CVE-2024-3852, CVE-2024-3854, and CVE-2024-3857.
To fix these vulnerabilities, update to SpiderMonkey/mozjs-115.10.0 or later using the instructions from SpiderMonkey (sysv) or SpiderMonkey (systemd).
In PHP-8.3.6, three security vulnerabilities were fixed that could allow for insecure cookies to be set and thus a bypass of __Host/__Secure cookies, for an attacker to trivially compromise a victim's account if a password starts with a null byte, and for an infinite loop when using the mb_encode_mimeheader function with certain crafted inputs. If you use PHP to run a website that accepts passwords, you should update immediately. These vulnerabilities have been assigned CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
To fix these vulnerabilities, update to PHP-8.3.6 or later using the instructions from PHP (sysv) or PHP (systemd).
In Linux-6.8.5, an insufficient mitigation against the hardware vulnerability known as Branch History Injection, or BHI (see 11.1-011 for details) on some Intel processors was fixed. This vulnerability may allow sensitive information leakage even if the BHI mitigation is deployed. A demonstration has been made where an unprivileged user exploits this vulnerability to get the content of /etc/shadow. Read the homepage of this vulnerability for the details. This vulnerability has been assigned CVE-2024-2201.
If you are running LFS on an Intel CPU affected by BHI, to fully mitigate it, update to at least linux-6.8.5 (or 6.6.26, 6.1.85, 5.15.154 for older systems using LTS stable kernels) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd) with the configuration option SPECTRE_BHI_ON=y, and still keep unprivileged eBPF disabled following 11.1-011. Then reboot and run lscpu | grep 'BHI' to verify that the mitigation is in effect. If the output contains "BHI: Vulnerable" or there is no output at all, it means the mitigation is not correctly applied and you need to recheck.
The mitigation may have a significant performance impact on some kernel microbenchmarks, but it's unlikely to make any noticeable difference for real workloads (for example building packages from source). And, if you are running LFS on an Intel processor based on the Alder Lake or Catlow microarchitectures, the LFS editors recommend updating to the latest Intel microcode using the instructions in About Firmware (sysv) or About Firmware (systemd) to reduce the performance impact.
In FontForge-20230101, two security vulnerabilities were discovered that could allow for Command Injection via malicious filenames and malicious archives. The vulnerabilities were resolved via modifying the code to use the g_spawn_sync/async() functions instead of the system() functions, which causes commands to not be executed through a shell. Upstream has a patch which the BLFS team has added into the book. These vulnerabilities have been assigned CVE-2024-25081 and CVE-2024-25082.
To fix these vulnerabilities, apply the patch to FontForge and rebuild the package using the instructions from FontForge (sysv) or FontForge (systemd).
In Seamonkey-2.53.18.2, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, content spoofing, cookie injection, arbitrary code execution, timing attacks, and content security policy bypasses. These are the same vulnerabilities fixed in Firefox and Thunderbird 115.8.0 and 115.9.0. These vulnerabilities have been assigned CVE-2024-1546, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, CVE-2024-1553, CVE-2024-0743, CVE-2024-2607, CVE-2024-2608, CVE-2024-2616, CVE-2024-5388, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, and CVE-2024-2614.
To fix these vulnerabilities, update to Seamonkey-2.53.18.2 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
The QtWebEngine-6 releases do not provide any summary of bug fixes. The Security Fixes (including CVEs) are listed in the appropriate git submodule, but some of the 'Update Chromium' commits in the QtWebEngine-6 branches do not specify which items were fixed, and the submodule commits have many varying dates (typically the original Chromium commit date, unless it had to be amended for Qt). The commits in QtWebEngine-6.6.3 include some rated as Critical by NVD. BLFS has now moved to QtWebEngine-6.7.0, which includes similar commits. This is expected to be the final advisory for QtWebEngine; you should move to the latest version as soon as it is present in BLFS: QtWebEngine (sysv) or QtWebEngine (systemd).
In libarchive-3.7.3, a possible security vulnerability was fixed that could allow for command injection via terminal escape sequences when decompressing or viewing an archive. This vulnerability occurs when reporting errors from libarchive's tar command. No CVE has been assigned for this issue, but more details and a proof of concept can be found in the comments of Libarchive PR #1609.
To fix this vulnerability, update to libarchive-3.7.3 or later using the instructions from libarchive (sysv) or libarchive (systemd).
In the QtWebEngine-5.15-20240403 snapshot, 16 vulnerabilities, of which 2 were rated Critical by NVD, have been fixed. These vulnerabilities have been assigned CVE-2024-0808, CVE-2024-0807, CVE-2024-0519, CVE-2024-0518, CVE-2024-0333, CVE-2024-0224, CVE-2024-0222, CVE-2023-7104, CVE-2023-7024, CVE-2023-6702, CVE-2023-6510, CVE-2023-6347, CVE-2023-1283, CVE-2023-1077, CVE-2023-1060, and CVE-2023-1059.
As always with QtWebEngine, the vulnerabilities originate in Google Chrome and are later backported by Qt, who prioritise their newer branches. BLFS development has now moved to using Qt6 and what is there may change before our next release. As a service to those who have installed QtWebEngine-5, the following items are now available:
A tarball of the snapshot, with README.BUILD: qtwebengine-5.15-20240403.tar.xz (size 310 MB, md5sum e83b2ac629ae059c6ad0f02d67fb7998)
A required patchset to enable it to build on BLFS: qtwebengine-5.15-20240403-build_fixes-1.patch (size 106 KB, md5sum f22e1753412936fbdd35dab0532e3f9e)
A recommended patch to enable it to build against system ffmpeg-5 or ffmpeg-6: qtwebengine-5.15-20240403-ffmpeg5_fixes-1.patch (size 8.7 KB, md5sum bfa30d1044f118d70164d0a04a76173e)
Qt-5.15.17 is expected to release this month (the BLFS-12.1 version was an early snapshot). The final release of 5.15.18 is expected in October. The source is usually only ready to pull just before a planned upstream release and it is unlikely there will be any further BLFS snapshots for 5.15. You should plan to move to Qt-6. In the meantime, the tarball linked above contains a README.BUILD file detailing how to compile it (some of the details have changed since BLFS-12.1) and the patches continue to document where they came from, and what they are supposed to do.
In httpd-2.4.59, three security vulnerabilities were fixed that could allow for denial-of-service and HTTP Response Splitting. One of these vulnerabilities is the "HTTP/2 CONTINUATION attack", and allows for remotely exploitable memory exhaustion. The HTTP Response Splitting vulnerabilities occur due to bugs that allow an attacker to inject malicious response headers due to faulty input validation, and that causes an HTTP desynchronization attack. If you are running a web server, it is highly recommended to update to httpd-2.4.59 immediately to protect yourself against the "HTTP/2 CONTINUATION" attack. These vulnerabilities have been assigned CVE-2023-38709, CVE-2024-24795, and CVE-2024-27316.
Additional details can be found at CERT Vulnerability Note VU#421644.
To fix these vulnerabilities, update to httpd-2.4.59 or later using the instructions from Apache HTTPD (sysv) or Apache HTTPD (systemd).
In nghttp2-1.61.0, a security vulnerability was fixed that could allow for a denial-of-service (excessive CPU usage and OOM crash) because nghttp2 continued reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream was reset, in order to keep the HPACK context in sync. This vulnerability was recently fixed in Node.js as well as httpd, and is a vulnerability in the HTTP/2 standard itself. If you host a server, it's recommended that you update this package immediately to protect yourself against DoS attacks which are occurring in the wild. The issue was fixed in nghttp2 by limiting the number of CONTINUATION frames accepted per stream. This vulnerability has been assigned CVE-2024-28182.
Additional details can be found at CERT Vulnerability Note VU#421644.
To fix this vulnerability, update to nghttp2-1.61.0 or later using the instructions from nghttp2 (sysv) or nghttp2 (systemd).
In Xwayland-23.2.5, three security vulnerabilities were fixed that could allow for memory leakage, exploitable crashes (segmentation faults), and arbitrary code execution to occur. The crash and memory leak vulnerabilities are due to heap-based buffer over-reads in a variety of functions, such as ProcXIGetSelectedEvents() and ProcXIPassiveGrabDevice(). Note that the vulnerabilities that use these functions require byte swapping to occur, which is normally used on platforms where the byte order is not the same between systems. The arbitrary code execution vulnerability occurs in the ProcRenderAddGlyphs() function, and is due to a use-after-free. This allows an attacker to send a crafted request that causes attacker-controlled code to be executed. After the release of these updates, some regressions were discovered, and it is thus recommended to use 23.2.6 instead. These vulnerabilities have been assigned CVE-2024-31080, CVE-2024-31081, and CVE-2024-31083.
To fix these vulnerabilities, update to Xwayland-23.2.6 or later using the instructions from Xwayland (sysv) or Xwayland (systemd).
In Xorg-Server-21.1.12, four security vulnerabilities were fixed that could allow for memory leakage, exploitable crashes (segmentation faults), and arbitrary code execution to occur. The crash and memory leak vulnerabilities are due to heap-based buffer over-reads in a variety of functions, such as ProcXIGetSelectedEvents(), ProcXIPassiveGrabDevice(), and ProcAppleDRICreatePixmap(). Note that the vulnerabilities that use these functions require byte swapping to occur, which is normally used on platforms where the byte order is not the same between systems. The arbitrary code execution vulnerability occurs in the ProcRenderAddGlyphs() function, and is due to a use-after-free. This allows an attacker to send a crafted request that causes attacker-controlled code to be executed, and can be exploited remotely on systems which have SSH X Forwarding enabled. Regressions were found in the 21.1.12 update and it is thus recommended to use 21.1.13 instead. These vulnerabilities have been assigned CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, and CVE-2024-31083.
To fix these vulnerabilities, update to Xorg-Server-21.1.13 or later using the instructions from Xorg-Server (sysv) or Xorg-Server (systemd).
If you have TigerVNC installed, you should rebuild it against Xorg-Server-21.1.13 using the instructions from Tigervnc (sysv) or Tigervnc (systemd).
In Node.js-20.12.1, two vulnerabilities were fixed. One could allow for a server crash via an assertion failure in the HTTP server, and the other could lead to "request smuggling" by obfuscating the content length of a request. These vulnerabilities have been assigned CVE-2024-27983 and CVE-2024-27982.
To fix these, update to Node.js 20.12.1 or later using the instructions for: Node.js (sysv) or Node.js (systemd).
In Samba-4.20.0, a vulnerability was fixed by updating the built in version of MIT Kerberos 5 to a newer version. This vulnerability could allow escalation of privileges through altering Privilege Attribute Certificate (PAC) signatures. This vulnerability has been assigned CVE-2022-37967.
To fix this, update to Samba-4.20.0 or later using the instructions for: Samba (sysv) or Samba (systemd). Alternatively, rebuild Samba with the --with-system-mitkrb5 option against an MIT Kerberos version newer than 1.21 using the instructions for: MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd).
In intel-microcode-20240312, two hardware vulnerabilities are fixed. One of them may allow denial of service via network access, affecting Intel CPUs with family 6, models 191, 190, 183 (stepping 1 only, and except Xeon E processors), 154 (except Atom processors), 151, or 143 (except processors code named "Sapphire Rapids Edge Enhanced"). Another may allow information disclosure via local access, affecting Intel CPUs with family 6, models 191, 183, 154, 151, or 143 (except processors code named "Sapphire Rapids Edge Enhanced"). These vulnerabilities have been assigned CVE-2023-39368 and CVE-2023-38575.
Check if your CPU is affected by running lscpu and comparing the reported family, model, and stepping values with the values provided above. If vulnerable, update to intel-microcode-20240312 or later using the instructions for About Firmware (sysv) or About Firmware (systemd) to fix these vulnerabilities.
This microcode update also fixes CVE-2023-28746, CVE-2023-22655, and CVE-2023-43490. For CVE-2023-28746 (known as "RFDS") consult 12.1-009. The other two vulnerabilities only affect Intel SGX and TDX, and LFS does not support utilizing them.
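The comparison described above, done by script rather than by eye, as an added example that is not part of the LFS/BLFS advisory text. It reads the family, model and stepping of the first processor in /proc/cpuinfo (or a file passed as an argument) and checks them against the two affected-model lists quoted in the intel-microcode-20240312 entry. The product-name exceptions the entry gives (Xeon E, Atom, "Sapphire Rapids Edge Enhanced") cannot be decided from those three numbers, so such CPUs are reported as "yes (unless ...)" and the "model name" line has to be checked by hand. The function and file names are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the LFS/BLFS advisories: check a CPU signature
# (family, model, stepping as printed by lscpu or found in /proc/cpuinfo)
# against the affected-model lists quoted for intel-microcode-20240312.
# The sample cpuinfo used in testing is constructed, not captured from a host.

# affected_by_cve_2023_39368 FAMILY MODEL STEPPING   (DoS via network access)
# Prints "yes", "no", or "yes (unless <brand exception>)".
affected_by_cve_2023_39368() {
    [ "$1" -eq 6 ] || { echo no; return 0; }
    case $2 in
        191|190|151) echo yes ;;
        183) if [ "$3" -eq 1 ]; then echo 'yes (unless Xeon E)'; else echo no; fi ;;
        154) echo 'yes (unless Atom)' ;;
        143) echo 'yes (unless Sapphire Rapids Edge Enhanced)' ;;
        *)   echo no ;;
    esac
}

# affected_by_cve_2023_38575 FAMILY MODEL STEPPING   (information disclosure, local)
affected_by_cve_2023_38575() {
    [ "$1" -eq 6 ] || { echo no; return 0; }
    case $2 in
        191|183|154|151) echo yes ;;
        143) echo 'yes (unless Sapphire Rapids Edge Enhanced)' ;;
        *)   echo no ;;
    esac
}

# cpu_signature [CPUINFO_FILE]
#   Print "family model stepping" for the first processor listed in the
#   file (default /proc/cpuinfo). The "model name" line is skipped because
#   the pattern requires the colon directly after "model" and whitespace.
cpu_signature() {
    awk -F':' '
        /^cpu family[[:space:]]*:/ { f = $2 + 0 }
        /^model[[:space:]]*:/      { m = $2 + 0 }
        /^stepping[[:space:]]*:/   { s = $2 + 0; print f, m, s; exit }
    ' "${1:-/proc/cpuinfo}"
}

# report [CPUINFO_FILE]: one line per CVE for the CPU described in the file.
report() {
    set -- $(cpu_signature "$@")      # $1=family $2=model $3=stepping
    [ $# -eq 3 ] || { echo "could not read CPU signature"; return 1; }
    echo "family $1 model $2 stepping $3"
    echo "CVE-2023-39368: $(affected_by_cve_2023_39368 "$1" "$2" "$3")"
    echo "CVE-2023-38575: $(affected_by_cve_2023_38575 "$1" "$2" "$3")"
}

# Run "sh thisfile.sh report" to check the machine the script runs on.
if [ "${1:-}" = report ]; then report; fi
```

A "yes (unless ...)" answer is not a clean bill of health: the brand exceptions in the advisory are product lines, not signatures, so confirm them against the "model name" line before deciding to skip the microcode update.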
In Wireshark 4.2.0 to 4.2.3 and 4.0.0 to 4.0.13 a T.38 dissector crash allows denial of service via packet injection or a crafted capture file. This vulnerability has been assigned CVE-2024-2955.
To fix this, update to Wireshark-4.2.4 or later using the instructions for: Wireshark (sysv) or Wireshark (systemd).
In cURL-8.6.0 and older, if libcurl aborts an HTTP/2 server push due to excessive headers, it will not free all memory. It will also not report the error to the caller. This vulnerability has been assigned CVE-2024-2398.
To fix it, update to cURL-8.7.1 or later using the instructions from cURL (sysv) or cURL (systemd).
In Emacs-29.3, four security vulnerabilities were fixed that could allow for arbitrary Lisp code execution, arbitrary code execution via displaying a LaTeX preview for email attachments, and for untrusted content to be displayed in Org mode and when processing emails. If you use Emacs for displaying email or use the Org functionality for document editing, formatting, or organizing, you should update to Emacs-29.3 immediately. These vulnerabilities have been assigned CVE-2024-30205, CVE-2024-30204, CVE-2024-30203, and CVE-2024-30202.
To fix these vulnerabilities, update to Emacs-29.3 or later using the instructions from Emacs (sysv) or Emacs (systemd).
In firefox 115.9.1, one critical vulnerability revealed at this week's pwn2own was fixed. Details at mfsa-2024-16 and at CVE-2024-29944.
To fix this, update to firefox-115.9.1esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In gnutls-3.8.4, two security vulnerabilities were fixed. One fixes a bug where certtool crashed when verifying a certificate chain with more than 16 certificates, and the other fixes a side-channel in the deterministic ECDSA implementation. These vulnerabilities have been assigned CVE-2024-28834 and CVE-2024-28835.
To fix these vulnerabilities, update to gnutls-3.8.4 or later using the instructions from gnutls (sysv) or gnutls (systemd).
In Thunderbird-115.9.0, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, clickjacking (allowing a user to accidentally grant permissions), RSA decryption timing attacks, content security bypasses, and arbitrary code execution. Note that if you are using Thunderbird on a system with an ARMv7-A CPU, updating to this version is critical due to an easily exploitable vulnerability that allows for return registers to be overwritten. These vulnerabilities have been assigned CVE-2024-0743, CVE-2024-2607, CVE-2024-2608, CVE-2024-2616, CVE-2024-5388, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, and CVE-2024-2614.
To fix these vulnerabilities, update to Thunderbird-115.9.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Expat-2.6.2, a security vulnerability was fixed that could allow for denial of service via an XML Entity Expansion attack when there is isolated use of external parsers (created using the XML_ExternalEntityParserCreate function). The issue has been classified as a "billion laughs" attack, also known as an XML bomb attack. This vulnerability has been assigned CVE-2024-28757.
To fix this vulnerability, update to Expat-2.6.2 using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
In intel-microcode-20240312, a mitigation for a hardware security vulnerability known as RFDS, or Register File Data Sampling has been provided. This vulnerability may allow a malicious actor who can locally execute code on a system to infer the values of secret data which is otherwise protected by architectural mechanisms if the data was previously stored in a register of some Intel Atom processors, or an E core of the Intel Core, Pentium Gold, or Celeron processors based on Alder Lake or Raptor Lake microarchitectures. This vulnerability has been assigned CVE-2023-28746.
Note that the microcode update only provides the mitigation, and it must be enabled by the kernel to be really useful. To mitigate this vulnerability, update to intel-microcode-20240312 or later using the instructions for About Firmware (sysv) or About Firmware (systemd), and to the latest stable kernel or a 6.x LTS release (as at Mar. 20, 2024 they are 6.8.1, 6.7.10, 6.6.22, and 6.1.82; note that the mitigation isn't available for 4.x or 5.x LTS releases) using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd) (consult an earlier version of the LFS book if you are building 6.7.x or earlier) with CONFIG_MITIGATION_RFDS enabled, and reboot the system. After rebooting, run lscpu | grep 'Reg file data sampling' to check if the mitigation is in effect. If it outputs nothing or the output contains "Vulnerable", it means the mitigation is not correctly deployed and you need to recheck.
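The two post-reboot checks described on this page (lscpu | grep 'BHI' for the Linux-6.8.5 entry above and lscpu | grep 'Reg file data sampling' for this entry) applied as a script, as an added example that is not part of the LFS/BLFS advisory text. The functions take the status line exactly as lscpu prints it, or the raw content of the corresponding file under /sys/devices/system/cpu/vulnerabilities/ (spectre_v2 carries the "BHI:" clause; reg_file_data_sampling carries the RFDS state), and apply the page's own rules: no line at all, or a state containing "Vulnerable", means the mitigation is not in effect. The function names are this example's own, and the sample lines are constructed, not captured from a machine.

```shell
#!/bin/sh
# Added example, not part of the LFS/BLFS advisories: classify the mitigation
# state that lscpu (or the sysfs vulnerability files) reports for BHI and RFDS.
# Sample input lines used in testing are constructed, not captured from a host.

# classify_bhi LINE
#   LINE is the "Vulnerability Spectre v2:" line from lscpu, or the content of
#   the spectre_v2 sysfs file. The BHI state is the clause beginning "BHI:".
#   Prints one of: mitigated, vulnerable, unaffected, missing.
classify_bhi() {
    clause=$(printf '%s\n' "$1" | sed -n 's/.*\(BHI: [^;]*\).*/\1/p')
    case $clause in
        '')                    echo missing ;;     # kernel predates the BHI report
        'BHI: Not affected'*)  echo unaffected ;;
        *Vulnerable*)          echo vulnerable ;;  # e.g. "BHI: Vulnerable"
        *)                     echo mitigated ;;   # e.g. "BHI: BHI_DIS_S"
    esac
}

# classify_rfds LINE
#   LINE is the "Vulnerability Reg file data sampling:" line from lscpu, or the
#   content of the reg_file_data_sampling sysfs file. Prefix matching keeps the
#   result independent of how lscpu punctuates the value.
classify_rfds() {
    state=${1#*Reg file data sampling:}    # drop the lscpu label when present
    state=$(printf '%s\n' "$state" | sed 's/^[[:space:]]*//')
    case $state in
        '')               echo missing ;;    # kernel lacks CONFIG_MITIGATION_RFDS
        'Not affected'*)  echo unaffected ;;
        Mitigation*)      echo mitigated ;;  # "Mitigation: Clear Register File"
        *)                echo vulnerable ;; # "Vulnerable", "Vulnerable: No microcode"
    esac
}

# check_live: read the sysfs files on this machine and print both states.
# Returns 1 if either mitigation is neither in effect nor unnecessary.
check_live() {
    dir=/sys/devices/system/cpu/vulnerabilities
    bhi=$(classify_bhi "$(cat "$dir/spectre_v2" 2>/dev/null)")
    rfds=$(classify_rfds "$(cat "$dir/reg_file_data_sampling" 2>/dev/null)")
    echo "BHI:  $bhi"
    echo "RFDS: $rfds"
    rc=0
    for s in "$bhi" "$rfds"; do
        case $s in mitigated|unaffected) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Run "sh thisfile.sh live" to check the machine the script runs on.
if [ "${1:-}" = live ]; then check_live; fi
```

"missing" is reported separately from "vulnerable" because it has a different fix: the kernel is too old to know about the issue, so no amount of microcode or configuration will change the answer until the kernel is updated.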
In firefox 115.9.0, eight vulnerabilities applicable to Linux x86 were fixed. Details at mfsa-2024-13. Details will appear at CVE-2023-5388, CVE-2024-0743, CVE-2024-2608, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, and CVE-2024-2616.
The NSS vulnerabilities apply to the shipped version of nss which was updated to 3.90.2. CVE-2023-5388 was fixed in nss-3.98 used in BLFS-12.1. The ticket for CVE-2024-0743 BMO-1867408 is currently not public, but this is not listed among the vulnerabilities fixed in firefox-124.0 (which shipped with included nss-3.98) and is therefore assumed to not apply to BLFS where system-nss-3.98 was used.
To fix these, update to firefox-115.9.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In Unbound-1.19.3, a security vulnerability was fixed that could allow an attacker to cause a denial of service (DoS) by exploiting a code path that can lead to an infinite loop, due to faulty code in the feature that removes EDE records. This vulnerability has been assigned CVE-2024-1931.
To fix this vulnerability, update to Unbound-1.19.3 or later using the instructions from Unbound (sysv) or Unbound (systemd).
In ghostscript-10.03.0, a security vulnerability was fixed that could allow for arbitrary code execution in the shipped fork of the tesseract library used for OCR. From reading The gs blog re OCR it appears that ghostscript might need to be recompiled if OCR is to be used. If that is true, the vulnerability will not apply to BLFS unless you had followed those instructions.
To be certain of avoiding this vulnerability, update to ghostscript-10.03.0 or later using the instructions from ghostscript (sysv) or ghostscript (systemd).
In Seamonkey-2.53.18.1, several security vulnerabilities were fixed that could allow for remote code execution, exploitable crashes, sandbox escapes, S/MIME signatures being accepted in circumstances where they are not valid, undefined behavior, spoofed messages being accepted when processing PGP/MIME payloads, HSTS policy bypasses, privilege escalation, phishing, permission request bypasses, and a crash when listing printers on a system. These vulnerabilities are all identical to those fixed in Firefox/Thunderbird 115.6 and 115.7.0esr. If you use Seamonkey, it's highly recommended that you update to this release. These vulnerabilities have been assigned CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755, CVE-2023-50762, CVE-2023-50761, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, and CVE-2023-6864.
To fix these vulnerabilities, update to Seamonkey-2.53.18.1 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In Thunderbird-115.8.1, a security vulnerability was fixed that could allow for leaking an encrypted email subject to another conversation. When this issue occurs, a user might accidentally leak the confidential subject to a third party. This update fixes this particular bug, but if you have been impacted, you will need to use the Repair Folder functionality, which is available from the context menu of an email folder, which will erase these invalid subject assignments. This vulnerability has been assigned CVE-2024-1936.
To fix this vulnerability, update to Thunderbird-115.8.1 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In OpenJPEG-2.5.2, a security vulnerability was fixed that could allow for arbitrary code execution with the permissions of the application which uses OpenJPEG. This issue occurs due to a heap buffer overflow, and happens when decompressing a crafted .j2k file. The vulnerability exists in the sycc420_to_rgb() function in the OpenJPEG library. This vulnerability has been assigned CVE-2021-3575.
To fix this vulnerability, update to OpenJPEG-2.5.2 or later using the instructions from OpenJPEG (sysv) or OpenJPEG (systemd).
In c-ares-1.27.0, a security vulnerability was fixed that could allow for a crash when reading a malformed /etc/resolv.conf, /etc/nsswitch.conf, or HOSTALIASES file. This occurs when any of those configuration files has an embedded NULL character as the first character of a new line, because c-ares will then attempt to read memory prior to the start of a buffer, which results in a crash. This vulnerability has been assigned CVE-2024-25629.
To fix this vulnerability, update to c-ares-1.27.0 or later using the instructions from c-ares (sysv) or c-ares (systemd).
In giflib-5.2.2, two security vulnerabilities were fixed that could allow for a local attacker to obtain sensitive information and for a crash. These vulnerabilities exist in the DumpScreen2RGB() function in the gif2rgb utility, so they only impact users if they run that utility. The issues are due to heap buffer overflows. These vulnerabilities have been assigned CVE-2022-28506 and CVE-2023-48161.
To fix these vulnerabilities, update to giflib-5.2.2 or later using the instructions from giflib (sysv) or giflib (systemd).
In Procps-ng-4.0.4, one security vulnerability was fixed that might allow for a denial-of-service (application crash) when running ps with a very long value for the -C option. Only 32-bit systems are affected. This vulnerability has been assigned CVE-2023-4016.
You only need to fix this vulnerability if you are running a 32-bit system where a service may invoke ps -C with some unsanitized input. In this case, update to Procps-ng-4.0.4 or later using the instructions for Procps (sysv) or Procps (systemd).
In Thunderbird-115.8.0, several security vulnerabilities were fixed that could allow for spoofing, notifications being hidden, obscuring the permissions dialog, unintentional permission granting, response header injection, and for arbitrary code execution. These vulnerabilities are similar to the ones that were resolved in Firefox. These vulnerabilities were assigned CVE-2024-1546, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, and CVE-2024-1553.
To fix these vulnerabilities, update to Thunderbird-115.8.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In firefox 115.8.0 seven vulnerabilities were fixed. Details at mfsa-2024-06. Details will appear at CVE-2024-1546, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, and CVE-2024-1553.
To fix these, update to firefox-115.8.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In Qt6-6.6.2, two security vulnerabilities were fixed that could allow for a denial of service and arbitrary code execution. One of these issues occurs when loading KTX images, and is classified as a buffer overflow. The other vulnerability is classified as an integer overflow and is in the HTTP/2 implementation in QtBase. Due to the severity of the HTTP/2 issue, it is recommended that you update this package immediately if you have it installed. These vulnerabilities have been assigned CVE-2023-51714 and CVE-2024-25580.
To fix these vulnerabilities, update to Qt6-6.6.2 or later using the instructions from Qt6 (sysv) or Qt6 (systemd).
In node.js-20.11.1, eight vulnerabilities were fixed, some of which could allow an attacker to crash the server through resource exhaustion, mount a DoS attack against a server, or inject code into the server. These vulnerabilities have been assigned CVE-2024-21892, CVE-2024-22019, CVE-2024-21816, CVE-2024-22017, CVE-2024-46809, CVE-2024-21891, CVE-2024-21890, and CVE-2024-22025.
To fix these vulnerabilities, update to node.js-20.11.1 or later using the instructions from node.js (sysv) or node.js (systemd).
In Qt5-5.15.12, a security vulnerability was discovered that could allow for a buffer overflow when reading a crafted KTX image file. This issue exists in qtbase, and will lead to a denial of service or possibly other impacts when reading the crafted file in an application. The Qt5 developers have released an official patch on their FTP site which has been adapted for use in BLFS. This vulnerability has been assigned CVE-2024-25580.
For more information, please see the Qt Security Advisory.
To fix this vulnerability, rebuild Qt5 with the patch using the instructions from Qt5 (sysv) or Qt5 (systemd).
If you prefer to use qt-alternate, please use the instructions from qt5-alternate (sysv) or qt5-alternate (systemd).
In NSS-3.98, a security vulnerability was fixed that could allow for RSA cryptography information to be leaked, such as whether the high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger attack against all RSA decryption operations. It affects all padding modes and happens before any padding operations. The vulnerability has been classified as a timing attack. This vulnerability has been assigned CVE-2023-5388.
To fix this vulnerability, update to NSS-3.98 or later using the instructions from NSS (sysv) or NSS (systemd).
ImageMagick appears to have become its own CVE Numbering Authority. The changelog between 7.1.1-15 and 7.1.1-28 at ChangeLog.md mentions at least two GHSA advisories, but those are either missing or inaccessible. The site's github security/advisories page contains nothing for versions newer than 7.1.1-13. There is one earlier CVE raised by RedHat with a fix in 7.1.1-19, as well as several others without a git commit in the links from NVD, so perhaps not agreed. This known vulnerability has been assigned: CVE-2023-5341.
Update to ImageMagick-7.1.1-28 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd). You may wish to review the above ChangeLog.md link from time to time, because BLFS only updates this package if somebody becomes aware of a vulnerability, or else before a BLFS release (because ImageMagick releases are so frequent).
In Exiv2-0.28.2, two security vulnerabilities were fixed that could allow for a denial-of-service (application crash and excessive resource consumption) when processing QuickTime Videos. The vulnerabilities occur in the QuickTimeVideo::NikonTagsDecoder() and QuickTimeVideo::multipleEntriesDecoder() functions, and can occur if Exiv2 is used to read the metadata of a crafted video file. These vulnerabilities have been assigned CVE-2024-24826 and CVE-2024-25112.
To fix these vulnerabilities, update to Exiv2-0.28.2 or later using the instructions for Exiv2 (sysv) or Exiv2 (systemd).
In wpa_supplicant-2.10, a security vulnerability was discovered that could allow an attacker to trick a victim into connecting to a malicious clone of an enterprise WiFi network, and then intercept all of the victim's traffic. The attack only works against network profiles that do not verify the authentication server's certificate, so enterprise network configurations should always set ca_cert. The BLFS developers have created a patch for this vulnerability based upon an upstream fix. This vulnerability has been assigned CVE-2023-52160.
Additional details can be found at the Blog Post from the team of researchers who discovered the vulnerability, and a Phoronix article on the subject.
To fix this vulnerability, apply the patch using the instructions for wpa_supplicant (sysv) or wpa_supplicant (systemd).
In Unbound-1.19.1, two security vulnerabilities were fixed. The first (KeyTrap) allows DNSSEC validation to be exploited to exhaust the CPU and make an instance unresponsive; the second, in the handling of NSEC3 closest-encloser proofs, can likewise exhaust resources and crash the instance. These vulnerabilities have been assigned CVE-2023-50387 and CVE-2023-50868.
To fix these vulnerabilities, update to Unbound-1.19.1 or later using the instructions for Unbound (sysv) or Unbound (systemd).
In BIND-9.18.24, six security vulnerabilities were fixed: excessive CPU utilization or a crash when parsing large DNS messages; assertion failures (crashes) when nxdomain-redirect is in use; assertion failures on recursive lookups when both DNS64 and serve-stale are enabled; memory exhaustion caused by specific recursive query patterns; extreme CPU utilization when validating DNSSEC (KeyTrap); and extreme CPU utilization when preparing NSEC3 closest-encloser proofs. These vulnerabilities have been assigned CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, and CVE-2023-50868.
To fix these vulnerabilities, update to BIND-9.18.24 or later using the instructions from BIND (sysv) or BIND (systemd).
In libuv-1.48.0, a security vulnerability was fixed that could allow for attackers to craft payloads that resolve to unintended IP addresses, which bypass developer checks. The vulnerability arises due to how the 'hostname_ascii' variable is handled in uv_getaddrinfo() and subsequently the uv__idna_toascii() function. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result, attackers may be able to access internal APIs for websites, and services that crawl or cache these pages can be exposed to Server-Side Request Forgery if a malicious user chooses a long vulnerable username. This vulnerability has been assigned CVE-2024-24806.
To fix this vulnerability, update to libuv-1.48.0 or later using the instructions from libuv (sysv) or libuv (systemd).
In xdg-utils-1.2.1, a security vulnerability was fixed that could allow attachments to be silently added to emails sent via the xdg-email command. An attacker could send a victim a URI that automatically attaches a sensitive file to an email; if the user does not notice that the attachment was added, this results in sensitive information disclosure. The vulnerability exists in the code that handles mailto: URIs. This vulnerability has been assigned CVE-2020-27748.
To fix this vulnerability, update to xdg-utils-1.2.1 or later using the instructions from xdg-utils (sysv) or xdg-utils (systemd).
In Python-3.12.2, a security vulnerability was fixed that could allow silent execution of arbitrary code via hidden *.pth files. *.pth files in site-packages directories are processed at interpreter start-up, and any line in them that begins with "import" is executed, unlike normal Python files which must be explicitly imported or passed as an argument to the interpreter. The issue was fixed upstream by skipping *.pth files whose names start with a dot (or that carry the hidden file attribute on other systems). This vulnerability has not been issued a CVE yet, but more details can be found at GitHub Issue 113659.
To fix this vulnerability, update to Python-3.12.2 or later using the instructions from Python3 (sysv) or Python3 (systemd).
If you want to stay on Python-3.11.x, update to Python-3.11.8 using the same instructions, substituting 3.11.8 for 3.12.2.
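The start-up behaviour described above is easy to audit. The following script is an added example, not part of this page or of CPython: it lists the *.pth files in the running interpreter's site-packages directories and flags hidden ones and lines that site.py would execute. The classify_pth() and scan_site_dirs() names are this example's own, and the hidden .persist.pth it demonstrates on is constructed in a temporary directory.

```python
import os
import site
import tempfile


def classify_pth(name: str, text: str) -> list:
    """Return findings for one .pth file as (reason, line_number, detail) tuples.

    Two things are flagged:
      * the file name starts with a dot: Python before 3.12.2 still processed
        such files, and a plain directory listing does not show them;
      * a line starts with the word import followed by a space or tab: site.py
        runs such a line with exec() instead of treating it as a path entry.
    """
    findings = []
    if name.startswith("."):
        findings.append(("hidden .pth file", 0, name))
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("import ", "import\t")):
            findings.append(("executable line", number, stripped))
    return findings


def scan_site_dirs(dirs=None) -> dict:
    """Map each .pth file under the given directories (default: the running
    interpreter's site-packages and user site directory) to its findings;
    files without findings are omitted."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", lambda: [])())
        dirs.append(site.getusersitepackages())
    report = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    text = handle.read()
            except OSError:
                continue
            findings = classify_pth(name, text)
            if findings:
                report[path] = findings
    return report


def print_report(report: dict) -> None:
    for path, findings in report.items():
        for reason, number, detail in findings:
            print(f"{path}:{number}: {reason}: {detail}")


if __name__ == "__main__":
    # Constructed demonstration: a hidden .pth file that an unpatched Python
    # would run at every interpreter start.
    with tempfile.TemporaryDirectory() as demo_dir:
        with open(os.path.join(demo_dir, ".persist.pth"), "w", encoding="utf-8") as handle:
            handle.write("import os; os.system('echo this would run at interpreter start')\n")
        print_report(scan_site_dirs([demo_dir]))
    # Then the real thing: every .pth file this interpreter processes.
    print_report(scan_site_dirs())
```

Import lines in .pth files are a legitimate mechanism (setuptools ships one, for example), so the report is a list of things to review rather than a verdict. Note that the 3.12.2 fix only skips hidden files: an unhidden .pth file with an import line still runs, so this check remains useful after updating.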
In Expat-2.6.0, a security vulnerability was fixed that could allow a denial of service, because a large token that spans multiple buffer fills forces many full reparsings. This is classified as a quadratic runtime issue, and it is more common when dealing with compressed input. Note that applications which only call XML_Parse/XML_ParseBuffer a single time are not affected. This vulnerability has been assigned CVE-2023-52425.
To fix this vulnerability, update to Expat-2.6.0 using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
In PostgreSQL-16.2, a vulnerability was fixed that could allow arbitrary SQL functions to be executed with another user's privileges by luring that user into running a particular command (check the CVE for the command). It is therefore highly recommended to update PostgreSQL on any older system. The assigned CVE is CVE-2024-0985. Information about the issue can be found at PostgreSQL's site.
To fix this, update to PostgreSQL-16.2 or later using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
In WebKitGTK-2.42.5, three security vulnerabilities were fixed that could allow for trivial remote code execution and for a webpage to fingerprint a user. The remote code execution vulnerabilities occur due to type confusion issues, and one of them is known to be exploited in the wild. Both of these were handled with improved checks and memory handling. The fingerprinting vulnerability was addressed with improved access restrictions. Due to the remote code execution vulnerabilities it is highly recommended that you update WebKitGTK immediately to protect your system. These vulnerabilities have been assigned CVE-2024-23222, CVE-2024-23206, and CVE-2024-23213.
To fix these vulnerabilities, update to WebKitGTK-2.42.5 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In OpenLDAP-2.6.7, a security vulnerability was fixed that could allow an attacker to craft a malformed LDAP search query that is granted a higher access mask than intended. This issue is tracked upstream as ITS#10139.
To fix this vulnerability, update to OpenLDAP-2.6.7 using the instructions from OpenLDAP (sysv) or OpenLDAP (systemd).
In libxml2-2.12.5, a security vulnerability was fixed that could allow for a denial-of-service (application crash) when using the XML Reader interface with DTD validation and XInclude expansion enabled. The issue occurs when processing a crafted XML document, and leads to a use-after-free in xmlValidatePopElement. This vulnerability has been assigned CVE-2024-25062.
To fix this vulnerability, update to libxml2-2.12.5 using the instructions from libxml2 (sysv) or libxml2 (systemd).
In sendmail-8.18.2, a security vulnerability was fixed that allows for SMTP smuggling on publicly-accessible mail servers. Remote attackers can use a publicly available exploit to inject email messages with a spoofed MAIL FROM address, which also allows bypassing SPF protection mechanisms. Similar to Exim and Postfix, this is also due to a difference in the way Sendmail handles line endings. If you maintain a public-facing mail server which uses Sendmail, it's highly recommended that you update Sendmail to 8.18.2 as soon as possible. The new settings that protect against this security vulnerability are enabled by default. This vulnerability has been assigned CVE-2023-51765.
To fix this vulnerability, update to sendmail-8.18.2 or later using the instructions from sendmail (sysv) or sendmail (systemd).
In Glibc-2.39, two heap buffer overflow vulnerabilities and one integer overflow vulnerability in the syslog function were fixed. All of them may result in a denial of service (application crash). More seriously, one of the heap buffer overflows may allow local privilege escalation through setuid applications, and field tests have shown that it can be successfully exploited on various distributions. These vulnerabilities have been assigned CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780. They affect Glibc 2.38 and 2.37, and also 2.36 if the patch to fix CVE-2022-39046 has been applied as SA 11.2-075 suggests.
To fix these vulnerabilities, update to Glibc-2.39 or later using the instructions from the LFS book for Glibc (sysv) or Glibc (systemd). To update Glibc safely on a running system, some extra precautions are needed as documented in an "Important" box in the book section for Glibc. Follow it strictly or you may render the system completely unusable. YOU ARE WARNED.
In cURL-8.6.0, a security vulnerability was fixed that could allow an OCSP verification bypass due to TLS session reuse. This vulnerability occurs because cURL inadvertently kept the SSL session ID for a connection in its cache even when the verify status (OCSP stapling) check failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which skips the verify status check. Note that this issue is limited to TLS 1.2; TLS 1.3 does not trigger this problem. This vulnerability has been assigned CVE-2024-0853.
To fix this vulnerability, update to cURL-8.6.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In OpenSSL-3.2.1, two security vulnerabilities were fixed. One of them could cause applications loading files in the PKCS12 format from untrusted sources to terminate abruptly. The other could cause applications checking RSA public keys with the function EVP_PKEY_public_check() to experience long delays. Both may lead to a denial of service if PKCS12 files or RSA public keys from untrusted sources are processed. These vulnerabilities have been assigned CVE-2024-0727 and CVE-2023-6237.
To fix these vulnerabilities, update to OpenSSL-3.2.1 or later using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd). Note that CVE-2024-0727 also affects OpenSSL-1.1.1 and 1.0.2 series, but they are no longer publicly supported by the OpenSSL developers. So if you are still running a system with OpenSSL-1.1.1 or 1.0.2 and you want to get CVE-2024-0727 fixed, you need to update to OpenSSL-3.2.1 and rebuild everything linked against OpenSSL.
In GnuPG-2.4.4, a security flaw was fixed where Smartcard generation was keeping an unprotected backup copy of the key on disk. Upstream says that all possibly affected users should check whether an unintended copy of a Smartcard key exists and delete it. If you generated a key with the --edit-key switch using either GnuPG-2.4.2, 2.4.3, or 2.2.42, please look for an unprotected backup copy of the key with the gpg-card checkkeys command. If you do not get any output, you are not affected. If you do get output where the word 'clear' is mentioned for a key, you should run gpg-card checkkeys --delete-clear-copy to remove it.
For more information, please see the GnuPG Security Advisory.
Note that only users who have used GnuPG to generate a key on a smartcard with the --edit-key switch are affected.
To fix this vulnerability, update to GnuPG-2.4.4 or later, and then use the instructions above to check for unprotected copies of keys. To update GnuPG, use the instructions from GnuPG (sysv) or GnuPG (systemd).
In gst-plugins-bad-1.22.9, a security vulnerability was fixed that could allow for remote code execution or crashes when processing AV1-encoded video files with malformed streams. The vulnerability occurs due to a heap buffer overflow. Note that this vulnerability can be exploited via a web browser. Because of the way gstreamer plugins are handled, you will need to upgrade the entire gstreamer stack to fix this vulnerability. This vulnerability has been assigned CVE-2024-0444.
To fix this vulnerability, update the gstreamer stack to 1.22.9 using the instructions from gstreamer (sysv) or gstreamer (systemd).
In Thunderbird-115.7.0, nine security vulnerabilities were fixed that could allow for remotely exploitable crashes, arbitrary code execution, HSTS policy bypasses, privilege escalation, permissions request bypassing, phishing, and a bypass of the Content Security Policy if one is set. Most of these vulnerabilities are only exploitable through HTML mail, but one of the crash vulnerabilities can occur when attempting to list printers on a system, and another vulnerability is exploitable when providing input to a dialog box. These vulnerabilities have been assigned CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, and CVE-2024-0755.
To fix these vulnerabilities, update to Thunderbird-115.7.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-115.7.0, nine vulnerabilities were fixed. Upstream rates the vulnerability in ANGLE as High, but the previous ANGLE vulnerability in mfsa-2021-06 was later amended to apply only to MS Windows, where ANGLE is a backend for OpenGL, so it appears that this one too will only apply to MS Windows. Previously, Mozilla rated memory safety bugs as high impact; with this release they describe them as moderate impact. However, NVD has since analysed that CVE and rates it as High severity. Details at mfsa-2024-02, and at CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, and CVE-2024-0755.
To fix these update to firefox-115.7.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In Postfix-3.8.5 (and 3.7.10, 3.6.14, and 3.5.24), improvements to the fix for CVE-2023-51764 (SMTP smuggling) were made that allow for more compatibility with some existing SMTP clients and for better logging. In addition, patches are now available for some unsupported versions of Postfix. For most users, the fixes in Postfix-3.8.4 (and 3.7.9, 3.6.13, and 3.5.23) will be sufficient, but if you encounter problems, upgrading to these improved versions is highly recommended.
To apply the improved fix for the SMTP smuggling attack, update to Postfix-3.8.5 or later using the instructions from Postfix (sysv) or Postfix (systemd).
In addition to updating Postfix, you must also add the following lines to your /etc/postfix/main.cf configuration file if you haven't yet:
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
In Postfix-3.8.5, the previously recommended value for smtpd_forbid_bare_newline ('yes') is now an alias for 'normalize', to accommodate mail clients which send bare newlines only in the message body. Alternatively, the value can now be set to 'reject' to continue rejecting such messages, as the recommended 'yes' setting did in 3.8.4.
On systems running Postfix 3.7, 3.6, or 3.5, please update to Postfix 3.7.10, 3.6.14, or 3.5.24.
In Jinja2-3.1.3, a security vulnerability in the xmlattr filter was fixed that could allow a cross-site scripting attack if you run a service that accepts user input and renders it with Jinja2, specifically when user-controlled strings are used as attribute names. This vulnerability has been assigned CVE-2024-22195.
To fix this vulnerability, update to Jinja2-3.1.3 using the instructions from the LFS book for Jinja2 (sysv) or Jinja2 (systemd). Note that the --upgrade option must be passed to pip3 install when upgrading a Python module.
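The attribute-name injection behind this advisory, as an added example that is neither Jinja2's code nor part of this page: a stripped-down model of the xmlattr filter before and after the fix, run over a constructed request where the application lets a user choose an attribute name rather than a value. The xmlattr_unchecked(), xmlattr_hardened() and render_link() names are this example's own; the hardened version also rejects the characters /, > and =, which upstream added to the check in a later release.

```python
import re
from html import escape

# Characters that let an attribute *name* end the current attribute and start
# another one (whitespace), or otherwise break out of the tag syntax.
_UNSAFE_IN_KEY = re.compile(r"[\s/>=]")


def xmlattr_unchecked(attrs: dict) -> str:
    """Model of the pre-3.1.3 behaviour: values are HTML-escaped, keys are trusted."""
    return "".join(
        f' {key}="{escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None
    )


def xmlattr_hardened(attrs: dict) -> str:
    """Same output for well-formed input, but refuses keys that could inject
    additional attributes; values are escaped exactly as before."""
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        if _UNSAFE_IN_KEY.search(key):
            raise ValueError(f"invalid character in attribute name: {key!r}")
        parts.append(f' {key}="{escape(str(value), quote=True)}"')
    return "".join(parts)


def hardened_rejects(attrs: dict) -> bool:
    """True if the hardened filter refuses the given attribute dictionary."""
    try:
        xmlattr_hardened(attrs)
    except ValueError:
        return True
    return False


def render_link(attrs: dict, xmlattr) -> str:
    """What a template like <a{{ attrs|xmlattr }}>profile</a> would produce."""
    return f"<a{xmlattr(attrs)}>profile</a>"


# Constructed input: an application builds attribute names from a request
# parameter (for example data-<field>), so the attacker controls a key. Escaping
# the value does not help because the payload never enters a value.
ATTACKER_KEY = 'data-field="x" onmouseover="alert(document.cookie)" data-tail'
USER_ATTRS = {"href": "/u/42", ATTACKER_KEY: "harmless"}

if __name__ == "__main__":
    print(render_link(USER_ATTRS, xmlattr_unchecked))   # live onmouseover handler
    try:
        print(render_link(USER_ATTRS, xmlattr_hardened))
    except ValueError as exc:
        print("rejected:", exc)
```

The lesson beyond the version bump is the one upstream gives: user input should never be used as a key to this filter, with or without the fix, because the allowed character set still permits names the browser interprets in ways the application did not intend.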
In Ncurses-6.4-20230520, a security vulnerability was fixed that could allow local users to trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo, or reached via the TERMINFO or TERM environment variable, when Ncurses is used by a setuid application (for example GNU Screen). In theory a local privilege escalation is possible but very difficult, and no such attack has actually been developed. This vulnerability has been assigned CVE-2023-29491.
To fix this vulnerability, update to Ncurses-6.4-20230520 using the instructions from the LFS book for Ncurses (sysv) or Ncurses (systemd).
In Coreutils-9.4, a security vulnerability was found in the split program: a heap buffer overflow of several hundred bytes of user-controlled data could occur, potentially leading to an application crash and denial of service. Coreutils-9.3 as provided by LFS 12.0 is also affected. This vulnerability has been assigned CVE-2024-0684.
To fix this vulnerability, rebuild Coreutils-9.4 or 9.3 using the instructions from the LFS book for Coreutils-9.4 (sysv) or Coreutils-9.4 (systemd), or Coreutils-9.3 (sysv) or Coreutils-9.3 (systemd), and make sure the following command is issued before running the autoreconf -fiv command. It comments out the lines that mention bufsize within the five lines starting at n_out += n_hold in src/split.c:
sed -e '/n_out += n_hold/,+4 s|.*bufsize.*|//&|' \
    -i src/split.c
In OpenJDK-21.0.2, five security vulnerabilities were fixed in the Hotspot and Security components that could allow unauthorized creation, modification, and deletion of data on a system, as well as information disclosure, denial of service, and remote code execution. Four of these vulnerabilities are exploitable via the network, with no privileges and no user interaction required. The fifth is only exploitable locally and requires some privileges (though still without any user interaction). These vulnerabilities have been assigned CVE-2024-20918, CVE-2024-20952, CVE-2024-20919, CVE-2024-20921, and CVE-2024-20945.
To fix these vulnerabilities, update to OpenJDK-21.0.2 (or use the prebuilt Java binaries) using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
In Linux-PAM-1.6.0, a security vulnerability was fixed that could allow for a local denial of service (crash) when using the pam_namespace.so PAM module. Note that a standard BLFS installation will not use this module, so most systems are unaffected unless a user has added this module into the system on their own. If you use this module, updating is recommended. This vulnerability has been assigned CVE-2024-22365.
To fix this vulnerability, update to Linux-PAM-1.6.0 or later using the instructions from Linux-PAM (sysv) or Linux-PAM (systemd).
In Xwayland-23.2.4, four security vulnerabilities were fixed that could allow for crashes and privilege escalation. These vulnerabilities are classified as heap buffer overflows and out-of-bounds memory accesses. The heap buffer overflows occur in the DisableDevice(), XISendDeviceHierarchyEvent(), DeviceFocusEvent(), and ProcXIQueryPointer() functions, while the out-of-bounds memory access happens when reattaching to a different master device. These vulnerabilities have been assigned CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, and CVE-2024-21886.
For more information, please see X.Org Security Advisory.
To fix these vulnerabilities, update to Xwayland-23.2.4 or later using the instructions from Xwayland (sysv) or Xwayland (systemd).
In xorg-server-21.1.11, four security vulnerabilities were fixed that could allow for crashes, privilege escalation, and remote code execution on systems where X11 forwarding is in use. These vulnerabilities are classified as heap buffer overflows and out-of-bounds memory accesses. The heap buffer overflows occur in the DisableDevice(), XISendDeviceHierarchyEvent(), DeviceFocusEvent(), and ProcXIQueryPointer() functions, while the out-of-bounds memory access happens when reattaching to a different master device. These vulnerabilities have been assigned CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, and CVE-2024-21886.
For more information, please see X.Org Security Advisory.
To fix these vulnerabilities, update to xorg-server-21.1.11 or later using the instructions from xorg-server (sysv) or xorg-server (systemd).
In GnuTLS-3.8.3, two security vulnerabilities were fixed that could allow for a timing side-channel attack (leading to the leakage of sensitive data), and for an application crash. The timing side-channel attack occurs when response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding, and allows for a remote attacker to perform a timing side-channel attack during the RSA-PSK key exchange. This vulnerability is the result of an incomplete fix for CVE-2023-5981. The other vulnerability allows for a remote client or attacker to crash applications running GnuTLS because of an assertion failure that occurs when verifying a certificate chain with a cycle of cross signatures. These vulnerabilities have been assigned CVE-2024-0553 and CVE-2024-0567.
To fix these vulnerabilities, update to GnuTLS-3.8.3 or later using the instructions from GnuTLS (sysv) or GnuTLS (systemd).
In jasper-4.1.2, a security vulnerability was fixed that could allow arbitrary code execution or crashes when processing a crafted image that uses the JPEG-2000 codec. The problem occurs when processing the ICC profile, and is classified as an invalid memory write. A proof of concept is publicly available. This vulnerability has been assigned CVE-2023-51257.
To fix this vulnerability, update to jasper-4.1.2 or later using the instructions from jasper (sysv) or jasper (systemd).
A security vulnerability was found in systemd-resolved that could allow systemd-resolved to accept records of DNSSEC-signed domains, even when they have no signature. This would allow a man-in-the-middle attacker (or the upstream DNS resolver) to manipulate DNS records in a way that the system would accept them, even though they are invalid. The default settings for systemd-resolved do not enable DNSSEC support though, so to be vulnerable, you must have already enabled DNSSEC support in your system's configuration. This vulnerability has been assigned CVE-2023-7008.
If you have enabled DNSSEC support in systemd-resolved, you should rebuild systemd using the instructions from systemd (systemd).
If you have not enabled DNSSEC support on your system, no action is necessary.
In Postfix-3.8.4 (as well as 3.7.9, 3.6.13, and 3.5.23), a security vulnerability was fixed that allows for SMTP smuggling on public-facing mail servers. Remote attackers can use a publicly available exploit to inject email messages with a spoofed MAIL FROM address, which also allows bypassing SPF protection mechanisms. Similar to Exim, this is also due to a difference in the way Postfix handles line endings. If you maintain a public-facing mail server which uses Postfix, it's highly recommended that you update Postfix to 3.8.4 (or the other versions described above) as soon as possible. Note that the feature that fixes this vulnerability must be turned on with additional configuration. This vulnerability has been assigned CVE-2023-51764.
To fix this vulnerability, update to Postfix-3.8.4 or later using the instructions from Postfix (sysv) or Postfix (systemd).
In addition to updating Postfix, you must also add the following lines to your /etc/postfix/main.cf configuration file:
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
On systems running Postfix 3.7, 3.6, or 3.5, please update to Postfix 3.7.9, 3.6.13, or 3.5.23.
In Exim-4.97.1, a security vulnerability was fixed that allows for SMTP smuggling in certain configurations. Remote attackers can use a publicly available exploit to inject email messages with a spoofed MAIL FROM address, which will allow bypassing the SPF protection mechanisms. This is due to a difference in the way Exim (and other mail servers) handle line endings, and affects most implementations of the SMTP protocol due to it being a weakness in the SMTP standard itself. This vulnerability has been assigned CVE-2023-51766.
For more information, please see SMTP Smuggling Blog Post.
To fix this vulnerability, update to Exim-4.97.1 or later using the instructions from Exim (sysv) or Exim (systemd).
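The line-ending ambiguity behind the Exim, Postfix and sendmail entries above, as an added example that is not code from any of those projects: a small Python model of a receiving server's end-of-data scanner in the three behaviours selected by Postfix's smtpd_forbid_bare_newline setting (no, normalize, reject), run over a constructed smuggling payload. The split_smtp_data(), smuggled_commands() and rejects_bare_newline() names and the sample traffic are this example's own; the exclusions list ($mynetworks) and the dot-stuffing applied when the stored message is relayed are not modelled.

```python
import re

# A bare <LF>: a newline not preceded by <CR>. RFC 5321 only allows <CRLF>.
_BARE_LF = re.compile(rb"(?<!\r)\n")
# What a lenient server takes as end-of-data: a lone "." delimited by any
# newline style on either side (<LF>.<CRLF>, <CRLF>.<LF>, <LF>.<LF>, ...).
_LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")
_STRICT_EOD = b"\r\n.\r\n"


def split_smtp_data(stream: bytes, mode: str):
    """Split what a client sends after DATA into (message, leftover).

    mode mirrors Postfix's smtpd_forbid_bare_newline setting:
      "no"         lenient: any _LENIENT_EOD match ends DATA
      "normalize"  only <CRLF>.<CRLF> ends DATA; bare <LF> in the body becomes <CRLF>
      "reject"     only <CRLF>.<CRLF> ends DATA; any bare <LF> aborts the transaction
    leftover is what the server would go on to parse as further SMTP commands.
    """
    padded = b"\r\n" + stream          # the DATA command line itself ended with <CRLF>
    if mode == "no":
        match = _LENIENT_EOD.search(padded)
        if match is None:
            raise ValueError("no end-of-data sequence")
        return padded[2:match.start()], padded[match.end():]
    if mode not in ("normalize", "reject"):
        raise ValueError(f"unknown mode {mode!r}")
    index = padded.find(_STRICT_EOD)
    if index < 0:
        raise ValueError("no end-of-data sequence")
    body, leftover = padded[2:index], padded[index + len(_STRICT_EOD):]
    if _BARE_LF.search(body):
        if mode == "reject":
            raise ValueError("bare <LF> in message; RFC 5321 requires <CRLF>")
        # A "." line that follows a bare <LF> stays message content; a relaying
        # server dot-stuffs it on output, so it cannot terminate DATA downstream.
        body = _BARE_LF.sub(b"\r\n", body)
    return body, leftover


def smuggled_commands(stream: bytes, mode: str):
    """The SMTP command lines a server in the given mode would execute after the
    first message ends: the injected transaction, or [] if the attack fails."""
    _, leftover = split_smtp_data(stream, mode)
    return [line for line in leftover.split(b"\r\n") if line]


def rejects_bare_newline(stream: bytes) -> bool:
    """True if a server in reject mode aborts the transaction."""
    try:
        split_smtp_data(stream, "reject")
    except ValueError:
        return True
    return False


# Constructed attack traffic: the attacker's own outbound relay ended DATA only at
# the final <CRLF>.<CRLF>, so it forwarded everything below verbatim as one message
# body to the victim's server. A lenient victim stops at <LF>.<CRLF> instead and
# reads the rest as a new transaction with a sender it never authenticated.
SMUGGLING_STREAM = (
    b"From: attacker@example.com\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: harmless\r\n"
    b"\r\n"
    b"first message\r\n"
    b"\n.\r\n"                                   # <LF>.<CRLF>
    b"MAIL FROM:<ceo@example.org>\r\n"           # smuggled transaction, spoofed sender
    b"RCPT TO:<finance@example.org>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.org\r\n"
    b"\r\n"
    b"Please wire the funds today.\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    for mode in ("no", "normalize", "reject"):
        try:
            print(mode, "->", smuggled_commands(SMUGGLING_STREAM, mode))
        except ValueError as exc:
            print(mode, "->", "transaction rejected:", exc)
```

SPF passes for the smuggled message because the victim's server evaluates it against the attacker's relay, which really is permitted to send for the relay's domain; the spoofed MAIL FROM only appears once the victim has mis-split the stream. That is why the fix has to be on the receiving side, and why 'normalize' is the compatible default: it keeps accepting sloppy clients' bare newlines while refusing to treat anything but <CRLF>.<CRLF> as the end of the message.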
In gst-plugins-bad-1.22.8, a security vulnerability was fixed that could allow for remote code execution or crashes when processing AV1-encoded video files with malformed streams. The vulnerability occurs due to a heap buffer overflow. Note that this vulnerability can be exploited via a web browser. Because of the way gstreamer plugins are handled, you will need to upgrade the entire gstreamer stack to fix this vulnerability. This vulnerability has not been assigned a CVE yet, but does have a ZDI CAN number, which is ZDI-CAN-22300. More details can be found at Gstreamer Security Advisory.
To fix this vulnerability, update the gstreamer stack to 1.22.8 using the instructions from gstreamer (sysv) or gstreamer (systemd).
In SpiderMonkey/mozjs-115.6.0, a memory safety bug was fixed that could lead to memory corruption, and with it crashes or arbitrary code execution. Note that this vulnerability can only be exploited through a malicious JavaScript file. This vulnerability has been assigned CVE-2023-6864.
To fix this vulnerability, update to SpiderMonkey-115.6.0 or later using the instructions from SpiderMonkey (sysv) or SpiderMonkey (systemd).
In Thunderbird-115.6.0, eleven security vulnerabilities were fixed that could allow for remote code execution, exploitable crashes, sandbox escapes, S/MIME signatures being accepted despite mismatching message dates, undefined behavior, and for spoofed messages to be accepted when processing PGP/MIME payloads. These vulnerabilities have been assigned CVE-2023-50762, CVE-2023-50761, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, and CVE-2023-6864.
To fix these vulnerabilities, update to Thunderbird-115.6.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In libssh2-1.11.0, a vulnerability has been discovered that allows a man-in-the-middle attacker to cause a silent encryption downgrade. This vulnerability has been rated as Critical, and is also known as the "Terrapin" attack. Most implementations of the SSH protocol are affected and have to be updated on both the client and the server side. The libssh2 developers have fixed the vulnerability, but have not made a new release yet. The BLFS team has backported a patch with the fix, and this advisory will be updated once a new release is made. For more information, see the OpenSSH and ProFTPD advisories listed below. This vulnerability has been assigned CVE-2023-48795.
To fix this vulnerability, rebuild libssh2 with the patch in the book using the instructions from libssh2 (sysv) or libssh2 (systemd).
In OpenSSH-9.6p1, two security vulnerabilities were fixed: one allows a man-in-the-middle attacker to cause a silent encryption downgrade, and the other allows arbitrary command injection in some circumstances (such as when using git submodules). The MITM attack is rated as Critical and has been codenamed 'Terrapin'. Both the client and the server must be updated to protect a connection. Terrapin manipulates packet sequence numbers during the handshake so that an attacker can delete messages at the start of the encrypted channel without detection; it applies when the ChaCha20-Poly1305 cipher or a CBC cipher in Encrypt-then-MAC mode is negotiated. It is highly recommended that you update to OpenSSH-9.6p1 or later as soon as possible. These vulnerabilities have been assigned CVE-2023-48795 and CVE-2023-51385. More details can be found at the Terrapin Attack website.
To fix these vulnerabilities, update to OpenSSH-9.6p1 or later using the instructions from OpenSSH (sysv) or OpenSSH (systemd).
In ProFTPD-1.3.8b, a Critical-rated security vulnerability codenamed Terrapin was fixed in the SSH implementation used by mod_sftp. It allows a man-in-the-middle attacker to downgrade the security of the SSH connection without the downgrade being detected. This vulnerability has been assigned CVE-2023-48795.
To fix this vulnerability, update to ProFTPD-1.3.8b or later using the instructions from ProFTPD (sysv) or ProFTPD (systemd).
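The sequence-number trick behind the three Terrapin entries above (libssh2, OpenSSH, ProFTPD), as an added toy model that is not code from any of those projects: both sides count packets independently and the counter is bound into every integrity check, so inserting an unauthenticated packet before NEWKEYS lets an attacker delete the first encrypted packet and leave the counters in step. The Sender/Receiver classes, the HMAC that stands in for the real cipher's integrity check, and the message names are this example's simplifications; in the real protocol the sequence number is the nonce for ChaCha20-Poly1305 and part of the MAC input in Encrypt-then-MAC mode. The strict_kex flag models the countermeasure OpenSSH 9.6 negotiates (reset the counters at NEWKEYS and disconnect on unexpected handshake messages).

```python
import hashlib
import hmac

SESSION_KEY = b"toy-session-key"               # constructed; derived by the key exchange in real SSH
HANDSHAKE_MSGS = ("KEXINIT", "KEXDH", "NEWKEYS")


def tag_for(seq: int, payload: bytes) -> bytes:
    """Integrity tag bound to the implicit packet sequence number. SSH never
    sends the sequence number; each side keeps its own count."""
    return hmac.new(SESSION_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, strict_kex: bool):
        self.strict_kex, self.seq, self.encrypted = strict_kex, 0, False

    def send(self, msg: str, payload: bytes = b""):
        tag = tag_for(self.seq, payload) if self.encrypted else None
        self.seq += 1
        if msg == "NEWKEYS":
            self.encrypted = True
            if self.strict_kex:
                self.seq = 0               # strict kex: counters restart with the new keys
        return (msg, payload, tag)


class Receiver:
    def __init__(self, strict_kex: bool):
        self.strict_kex, self.seq, self.encrypted = strict_kex, 0, False
        self.accepted = []

    def receive(self, packet):
        msg, payload, tag = packet
        if not self.encrypted:
            # Nothing before NEWKEYS is authenticated, so an attacker can add packets
            # here; each one still advances the receive counter.
            if self.strict_kex and msg not in HANDSHAKE_MSGS:
                raise ConnectionError(f"unexpected {msg} during key exchange")
            self.seq += 1
            if msg == "NEWKEYS":
                self.encrypted = True
                if self.strict_kex:
                    self.seq = 0
        else:
            if tag is None or not hmac.compare_digest(tag, tag_for(self.seq, payload)):
                raise ConnectionError(f"integrity check failed on {msg}")
            self.seq += 1
        if msg != "IGNORE":
            self.accepted.append(msg)


def run_handshake(strict_kex: bool, inject_ignore: bool, drop_ext_info: bool):
    """Client-to-server packets pass through an attacker who may insert an
    SSH_MSG_IGNORE before NEWKEYS and drop the first encrypted packet (EXT_INFO).
    Returns ("ok", messages the server processed) or ("disconnected", reason)."""
    client, server = Sender(strict_kex), Receiver(strict_kex)
    wire = [client.send("KEXINIT"), client.send("KEXDH")]
    if inject_ignore:
        wire.append(("IGNORE", b"", None))        # attacker-made, unauthenticated
    wire.append(client.send("NEWKEYS"))
    ext_info = client.send("EXT_INFO", b"server-sig-algs=...")
    if not drop_ext_info:
        wire.append(ext_info)
    wire.append(client.send("SERVICE_REQUEST", b"ssh-userauth"))
    try:
        for packet in wire:
            server.receive(packet)
    except ConnectionError as exc:
        return ("disconnected", str(exc))
    return ("ok", server.accepted)


if __name__ == "__main__":
    for strict, inject, drop in [(False, False, False), (False, True, True),
                                 (False, False, True), (True, True, True), (True, False, True)]:
        print(f"strict_kex={strict} inject={inject} drop={drop}:",
              run_handshake(strict, inject, drop))
```

Without strict kex, injecting one IGNORE and dropping EXT_INFO leaves the server with a complete-looking session that simply lacks the extension negotiation (the downgrade); dropping alone is caught because the counters diverge. With strict kex the injection itself ends the connection, and the counter reset means a dropped packet after NEWKEYS can no longer be masked by padding the count beforehand. Both peers must support the countermeasure for it to be negotiated, which is why the advisories insist on updating clients and servers.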
In Seamonkey-2.53.18, several security vulnerabilities were fixed that could allow for clickjacking, address bar spoofing, crashes, extensions opening arbitrary URLs, out-of-bounds memory access, clipboard contents stealing, and path traversal. These vulnerabilities are identical to the ones solved in Firefox-115.4.0 and Firefox-115.5.0. These vulnerabilities have been assigned CVE-2023-5721, CVE-2023-5732, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728, CVE-2023-5730, CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, and CVE-2023-6212.
To fix these vulnerabilities, update to Seamonkey-2.53.18 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In WebKitGTK-2.42.4, a security vulnerability was fixed that could allow for an application crash when processing a large SVG image. The issue was resolved with improved memory handling. This vulnerability has been assigned CVE-2023-42883.
To fix this vulnerability, update to WebKitGTK-2.42.4 or later using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).
In Firefox-115.6.0, eleven vulnerabilities were fixed. Upstream rates three of these as High. Details at mfsa-2023-54. Details may appear at CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, and CVE-2023-6867.
To fix these update to firefox-115.6.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In Xwayland-23.2.2 and earlier, querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved. Another security vulnerability was also fixed that allows for information disclosure when something calls the RRChangeOutputProperty and RRChangeProviderProperty functions. These vulnerabilities have been assigned CVE-2023-6377 and CVE-2023-6478.
To fix this, update to Xwayland-23.2.3 or later using the instructions for Xwayland (sysv) or Xwayland (systemd).
In xorg-server-21.1.9 and earlier, querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved. Another security vulnerability was also fixed that allows for information disclosure when something calls the RRChangeOutputProperty and RRChangeProviderProperty functions. These vulnerabilities have been assigned CVE-2023-6377 and CVE-2023-6478.
To fix this, update to xorg-server-21.1.10 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).
In Libreoffice-7.6.4.1, three security vulnerabilities were fixed. One of these was in the bundled copy of Skia and is identical to the QtWebEngine/Chromium vulnerability that allows remote code execution by processing an image that is too large for a buffer; here the attack vector would be a malicious image inside a document. Additionally, a vulnerability was fixed that could allow GStreamer pipeline injection due to improper input validation, and another that could allow arbitrary script execution when processing a link's target. Both of these can be exploited when processing documents. Updating to Libreoffice-7.6.4.1 is recommended as soon as possible. These vulnerabilities have been assigned CVE-2023-6345, CVE-2023-6185, and CVE-2023-6186.
To fix these vulnerabilities, update to Libreoffice-7.6.4.1 or later using the instructions from Libreoffice (sysv) or Libreoffice (systemd).
In cURL-8.5.0 two security vulnerabilities were fixed; one that could allow for curl cookies to be passed to another domain or site, thus allowing for cookie hijacking; and another that deletes the HSTS data if curl is writing to a file with a long name, thus making subsequent requests unaware of the HSTS status. These vulnerabilities have been assigned CVE-2023-46218 and CVE-2023-46219.
To fix these vulnerabilities, update to cURL-8.5.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In WebKitGTK-2.42.3, two security vulnerabilities were fixed that could allow for information disclosure and arbitrary code execution. Both of these vulnerabilities are exploitable when processing crafted web content, and are known to be actively exploited. The information disclosure vulnerability is due to an out-of-bounds read, and was addressed with improved input validation. The arbitrary code execution vulnerability is due to memory corruption, and was addressed with improved locking. These vulnerabilities have been assigned CVE-2023-42916 and CVE-2023-42917.
To fix these vulnerabilities, update to WebKitGTK-2.42.3 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In MariaDB-10.11.6, a security vulnerability was fixed that could allow any attacker with network access to the server to effectively cause a denial of service (crashing the server through too many requests). This vulnerability has been assigned CVE-2023-22084.
To fix this vulnerability, update to MariaDB-10.11.6 or later using the instructions from MariaDB (sysv) or MariaDB (systemd).
In OpenSSL-3.2.0, a security vulnerability was fixed that could allow for performance to be very slow when generating excessively long X9.42 DH keys, as well as when checking excessively long X9.42 DH keys or parameters. This happens because DH_check_pub_key() does not perform size checking on the P and Q parameters. As a result, an application which uses the DH_generate_key() or DH_check_pub_key() functions, and supplies a key or parameters from outside sources, could be vulnerable to a Denial of Service attack. Other impacted functions include DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Note that the OpenSSL pkey command line application is also vulnerable when using the "-pubcheck" option. This vulnerability has been assigned CVE-2023-5678.
To fix this vulnerability, update to OpenSSL-3.2.0 or later using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).
In Perl-5.38.2, a security vulnerability was fixed that could allow for writing past the end of a buffer when a user passes an illegal Unicode property in a regular expression. This causes a one-byte attacker controlled buffer overflow in a heap allocated buffer. This vulnerability has been assigned CVE-2023-47038.
To fix this vulnerability, update to Perl-5.38.2 or later using the instructions from the LFS book for Perl (sysv) or Perl (systemd).
In QtWebEngine-5.15.17, nine security vulnerabilities were fixed that could allow for remotely exploitable crashes and remote code execution. One of these vulnerabilities is under active exploitation and can be triggered when rendering any web page that contains an image or other 2D content. The other vulnerabilities may be triggered during navigation, VP8 encoding, using ZIP files, when using site isolation capabilities, when using sites that use the WebAudio API, and during garbage collection. Because of the severity of the Skia vulnerability that can be triggered when visiting web pages with images and other 2D content, it is recommended that you update to QtWebEngine-5.15.17 immediately to protect your system. These vulnerabilities have been assigned CVE-2023-6345, CVE-2023-5482, CVE-2023-5849, CVE-2023-45853, CVE-2023-5218, CVE-2023-5217, CVE-2023-5996, CVE-2023-6112, and CVE-2023-5997.
To fix these vulnerabilities, update to QtWebEngine-5.15.17 or later using the instructions from QtWebEngine (sysv) or QtWebEngine (systemd).
In Thunderbird-115.5.0, seven security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, clickjacking when permission prompts are presented to the user, memory data leakage onto a canvas, and for text to be copied into the primary selection unexpectedly when running under X11. Note that the memory leakage issue is dependent on graphics settings and drivers. These vulnerabilities have been assigned CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, and CVE-2023-6212.
More details about these vulnerabilities can be found at the Mozilla Security Advisory.
To fix these vulnerabilities, update to Thunderbird-115.5.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In firefox 115.5.0 seven vulnerabilities were fixed. Upstream rate five of these as High. Details at mfsa-2023-50. Details may appear at CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, and CVE-2023-6212.
To fix these update to firefox-115.5.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In GnuTLS-3.8.2, a security vulnerability was fixed that could allow for a timing side-channel attack. This vulnerability exists because response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is impacted. This could allow for extra information gathering from what was originally intended to be disclosed. This vulnerability has been assigned CVE-2023-5981.
Additional information can be found at GnuTLS Issue #1511.
To fix this vulnerability, update to GnuTLS-3.8.2 or later using the instructions from GnuTLS (sysv) or GnuTLS (systemd).
In WebKitGTK-2.42.2, two security vulnerabilities were fixed. While processing crafted Web content, one of them could lead to a denial of service and the other could lead to arbitrary code execution. NVD rates the arbitrary code execution issue as High severity. The BLFS team recommends that you update to WebKitGTK-2.42.2 or later immediately to protect your system. These vulnerabilities have been assigned CVE-2023-41983 and CVE-2023-42852.
To fix these vulnerabilities, update to WebKitGTK-2.42.2 or later using the instructions from WebKitGTK (sysv) or WebKitGTK (systemd).
In intel-microcode-20231114, a vulnerability known as "Redundant Prefix Issue" was fixed. It may allow a local privilege escalation, an information disclosure, and/or a denial of service on Intel Xeon processors based on Ice Lake, Sapphire Rapids, or Rocket Lake microarchitectures, or Intel Core, Pentium Gold, and Celeron processors based on Tiger Lake, Alder Lake, Rocket Lake, or Raptor Lake microarchitectures. This vulnerability has been assigned CVE-2023-23583. More details can be found in Intel-SA-00950 and the Intel technical paper.
If you are running the system on an affected processor, to fix this vulnerability, update to intel-microcode-20231114 or later using the instructions for About Firmware (sysv) or About Firmware (systemd). For some affected processors this vulnerability has already been fixed in a previous microcode release; read the Intel technical paper (linked above) for the precise minimal microcode revision needed for the fix.
In gst-plugins-bad-1.22.7, two security vulnerabilities were fixed that could allow for crashes or arbitrary code execution. The crash can occur when using the MXF demuxer, and is classified as a use-after-free. The arbitrary code execution vulnerability occurs when parsing malformed streams that use the AV1 video codec, and is classified as a heap-based buffer overflow. Note that the AV1 security vulnerability can be exploited via a web browser. Because of the way gstreamer plugins are handled, you will need to upgrade the entire gstreamer stack to fix these vulnerabilities. These vulnerabilities have been assigned CVE-2023-44446 and CVE-2023-44429.
To fix these vulnerabilities, update the gstreamer stack to 1.22.7 using the instructions from gstreamer (sysv) or gstreamer (systemd).
In PostgreSQL-16.1 (and 15.5), three security vulnerabilities were fixed that could allow for memory and information disclosure, arbitrary code execution, signaling superuser processes, and denial of service. The memory disclosure vulnerability happens in aggregate function calls when they receive 'unknown'-type arguments. The arbitrary code execution and another memory disclosure vulnerability occur due to a buffer overrun from an integer overflow in array modification, caused by a lack of overflow checks. The superuser signaling vulnerability occurs when using third party extensions when a user has the pg_cancel_backend role assigned to them. Due to the arbitrary code execution and information disclosure vulnerabilities, it is recommended that you update your PostgreSQL servers as soon as possible. These vulnerabilities have been assigned CVE-2023-5868, CVE-2023-5869, and CVE-2023-5870.
To fix these vulnerabilities, update to PostgreSQL-16.1 (or 15.5 if you wish to stay on 15.x) using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
In GIMP-2.10.36, four security vulnerabilities were fixed that could allow for remote code execution or denial of service when processing DDS, PSD, or PSP files. Limited details are available about these vulnerabilities, but exploitation is possible by opening a crafted file in GIMP. These vulnerabilities have been assigned CVE-2023-44441, CVE-2023-44442, CVE-2023-44443, and CVE-2023-44444.
To fix these vulnerabilities, update to GIMP-2.10.36 or later using the instructions from GIMP (sysv) or GIMP (systemd).
In FAAD2-2.11.0, two security vulnerabilities were fixed that could allow for remote code execution or denial of service when processing MP4 files. These occur when using the mp4info command with zero-sample input (or corrupted input), and also when using the wrong mp4 frame offset calculations. Several additional memory safety problems (including integer overflows, division by zero, and out-of-bounds accesses) were fixed in this version as well, though they were not assigned CVEs. These vulnerabilities have been assigned CVE-2023-38857 and CVE-2023-38858.
Additional information can be found from the release notes at FAAD2-2.11.0 Release Notes.
To fix these vulnerabilities, update to FAAD2-2.11.0 or later using the instructions from FAAD2 (sysv) or FAAD2 (systemd).
In Exiv2-0.28.1, a security vulnerability was fixed that could allow for arbitrary code execution when reading the metadata from a crafted image file. This vulnerability is caused by an out-of-bounds write, and happens in the BmffImage::brotliUncompressed function. This vulnerability has been assigned CVE-2023-44398.
To fix this vulnerability, update to Exiv2-0.28.1 or later using the instructions from Exiv2 (sysv) or Exiv2 (systemd).
In Thunderbird-115.4.1, six security vulnerabilities were fixed that could allow for remotely exploitable crashes, arbitrary code execution, clickjacking, address bar spoofing, and for extensions to open arbitrary URLs in the background. Most of these vulnerabilities are only applicable to HTML mail, but the extensions vulnerability can allow for these URLs to be opened without the user's knowledge and can happen anywhere in the application. These vulnerabilities have been assigned CVE-2023-5721, CVE-2023-5732, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728, and CVE-2023-5730.
To fix these vulnerabilities, update to Thunderbird-115.4.1 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In OpenJDK-21.0.1, two security vulnerabilities were fixed that could allow for a remote attacker to modify, add, or delete data that a Java application has access to, as well as for a remote attacker to cause a denial of service. Both of these vulnerabilities are easy to exploit and require no user authentication. The remotely exploitable denial of service can happen when accessing data over HTTPS as well since the problem is due to a certificate path validation issue. These vulnerabilities have been assigned CVE-2023-22081 and CVE-2023-22025.
To fix these vulnerabilities, update to OpenJDK-21.0.1 (or use the prebuilt Java binaries) using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
In openssl-3.1.4, a security vulnerability was fixed that could lead to potential truncation or overruns during the initialization of some symmetric ciphers. This can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. This vulnerability has been assigned CVE-2023-5363.
To fix this vulnerability, update to openssl-3.1.4 or later using the instructions from openssl (sysv) or openssl (systemd).
In tracker-miners-3.6.1, a security vulnerability was fixed that allows for a sandbox escape. This vulnerability will allow a maliciously crafted file to execute code outside of the sandbox if the tracker-extract process has been compromised by a vulnerability in another package. This particular vulnerability has been exploited to allow for a 0-click RCE if libcue is installed on the system, and was fixed by tightening the seccomp sandbox to guard against several system calls being used. The initial implementation of this update resulted in repeatable crashes with a SIGSYS on i686 systems, as well as in certain circumstances on x86_64 systems, so the BLFS team recommends updating to tracker-miners-3.6.2 instead. This vulnerability has been assigned CVE-2023-5557.
To fix this vulnerability, update to tracker-miners-3.6.2 and tracker-3.6.0 using the instructions from Tracker (sysv) and Tracker-miners (sysv), or Tracker (systemd) and Tracker-miners (systemd).
If you wish to stay with tracker-3.5.x, please update to tracker-miners-3.5.4 instead using the same instructions.
In QtWebEngine-5.15.16, fixes for eight Chromium security vulnerabilities were backported to the branch. All are rated as High. These vulnerabilities have been assigned CVE-2023-4071, CVE-2023-4074, CVE-2023-4076, CVE-2023-4351, CVE-2023-4354, CVE-2023-4362, CVE-2023-4762, and CVE-2023-4863.
To fix these vulnerabilities, update to QtWebEngine-5.15.16 using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).
In xorg-server-21.1.9 and xwayland-23.2.2 a security vulnerability was fixed due to an out-of-bounds write flaw. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service. This vulnerability has been assigned CVE-2023-5367.
To fix this vulnerability, update to xorg-server-21.1.9 or later using the instructions from xorg-server (sysv) or xorg-server (systemd), and update to xwayland-23.2.2 or later using the instructions from xwayland (sysv) or xwayland (systemd).
In xorg-server-21.1.9 a security vulnerability was fixed that could allow an X server crash in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed. This vulnerability has been assigned CVE-2023-5380.
To fix this vulnerability, update to xorg-server-21.1.9 or later using the instructions from xorg-server (sysv) or xorg-server (systemd).
In the Javascript code of firefox-115.4.0 there is a fix for a potentially exploitable crash. Upstream rate this as Medium, but BLFS rates it as High pending external analysis; see CVE-2023-5728 in mfsa-2023-46. Further details may appear at CVE-2023-5728.
To fix this, update to SpiderMonkey-115.4.0 or later using the instructions for SpiderMonkey (sysv) or SpiderMonkey (systemd).
In firefox 115.4.0 six vulnerabilities applicable to linux users were fixed. Upstream rate two of these as High, but two others could lead to a crash and are therefore rated as High by BLFS until there is an external analysis. Details at mfsa-2023-46. Details may appear at CVE-2023-5721, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728, CVE-2023-5730, and CVE-2023-5732.
To fix these update to firefox-115.4.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
Seamonkey-2.53.17.1 ships an old version of libvpx with a different API from current libvpx, preventing use of system libvpx. The recent public vulnerability fixed in libvpx-1.13.1 has caused upstream to commit fixes for several libvpx issues, but they have not yet been able to complete a new release. The vulnerabilities include local information disclosure, resource exhaustion, remote information disclosure, remote exploitation via heap corruption, and a crash.
These vulnerabilities have been assigned CVE-2019-9232, CVE-2019-9325, CVE-2019-9327, CVE-2019-9433, CVE-2023-5217, and CVE-2023-44488.
To fix these vulnerabilities, update to Seamonkey-2.53.17.1 plus the consolidated_fixes-1.patch, or to a later release, using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In httpd-2.4.58, three security vulnerabilities were fixed. More details at Apache 2.4 Vulnerabilities and further explanation of the mitigations from updating to nghttp2-1.57.0 at icing blog. These vulnerabilities have been assigned CVE-2023-45802, CVE-2023-43622 and CVE-2023-31122.
To fix these vulnerabilities, update to httpd-2.4.58 or later using the instructions from Apache HTTPD (sysv) or Apache HTTPD (systemd).
In node.js-18.18.2, four vulnerabilities were fixed, of which two are rated as High. One of those is in the shipped version of nghttp2, so if you follow the book using system nghttp2 you should apply SA 12.0-022 as well as updating node.js.
Upstream details are at CHANGELOG 18.18.2 and they have been assigned CVE-2023-44487, CVE-2023-45143, CVE-2023-38552, and CVE-2023-39333.
To fix these vulnerabilities, update to node.js-18.18.2 or later using the instructions from node.js (sysv) or node.js (systemd).
In exim-4.96.1 and exim-4.96.2, five security vulnerabilities were fixed, three of which are rated High. They could allow for remote code execution or sensitive information disclosure. These vulnerabilities have been assigned CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, and CVE-2023-42119.
To fix these vulnerabilities, update to exim-4.96.2 or later using the instructions from exim (sysv) or exim (systemd).
In cURL-8.4.0, two security vulnerabilities were fixed that could allow for cookie injection, and for remote code execution or crashes when using the SOCKS5 proxy feature. The SOCKS5 issue happens during the proxy handshake, and occurs if the hostname is detected to be longer than 255 bytes during a slow handshake. These vulnerabilities have been assigned CVE-2023-38545 and CVE-2023-38546.
To fix these vulnerabilities, update to cURL-8.4.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In libnotify-0.8.3, a security vulnerability was fixed that could allow a local user to crash a running application if certain parameters were set when generating a notification. This primarily affects users who use applications built on the Electron framework, such as Discord or Spotify. This vulnerability has not been assigned a CVE, but more information can be found at libnotify Issue #34 and the NEWS file.
To fix this vulnerability, update to libnotify-0.8.3 or later using the instructions from libnotify (sysv) or libnotify (systemd).
In nghttp2-1.57.0, a security vulnerability in the HTTP/2 protocol was fixed that allows for a remotely exploitable denial of service attack. This vulnerability is being exploited in the wild to trigger Distributed Denial of Service attacks against various services. If you host a website and have nghttp2 installed on your system, it is recommended that you update your system to nghttp2-1.57.0 immediately. This issue has been named "HTTP/2 Rapid Reset". This vulnerability has been assigned CVE-2023-44487.
Additional information can be found at United States Government Advisory, oss-security Mailing List posting, and Google Blog Post.
To fix this vulnerability, update to nghttp2-1.57.0 or later using the instructions from nghttp2 (sysv) or nghttp2 (systemd).
In samba-4.19.1, several security vulnerabilities were fixed that could allow an attacker to trigger a denial of service, crashing the service, or potentially compromising it. These vulnerabilities have been assigned CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669 and CVE-2023-42670.
To fix these vulnerabilities, update to samba-4.19.1 using the instructions from Networking Programs (sysv) or Networking Programs (systemd).
In libXpm-3.5.17, two security vulnerabilities were fixed that could allow for an attacker to read the contents of memory on a system by opening a malicious XPM image. One of these vulnerabilities occurs when an image has a corrupted colormap section, and the other occurs when calling XpmCreateXpmImageFromBuffer(). These are both classified as out-of-bounds reads, and have been present since at least 1998. It is recommended that you update libX11 to 1.8.7 as well to resolve additional issues. These vulnerabilities have been assigned CVE-2023-43788 and CVE-2023-43789.
Additional information can be found at Xorg Security Advisory.
To fix these vulnerabilities, update to libXpm-3.5.17 using the instructions from Xorg Libraries (sysv) or Xorg Libraries (systemd).
In libX11-1.8.7, three security vulnerabilities were fixed that could allow for a denial of service (application crash), or for remote code execution on systems where X11 is running as root or on systems with X11 Forwarding enabled. The first vulnerability can be triggered by connecting to an X server that sends specially crafted replies to X11 protocol requests. The X11 protocol request in question is the XkbGetMap request. This vulnerability is classified as an out-of-bounds read, and was introduced in X11R6.1 (released in March of 1996). The other two vulnerabilities happen when opening or processing XPM images. One of them causes stack exhaustion due to infinite recursion, and the other causes a heap buffer overflow due to an integer overflow. Both of these have existed since X11R2 (February 1988). Note that you should update libXpm as well since there has been additional hardening performed in that library because of these issues. These vulnerabilities have been assigned CVE-2023-43785, CVE-2023-43786, and CVE-2023-43787.
Additional information can be found at Xorg Security Advisory.
To fix these vulnerabilities, update to libX11-1.8.7 using the instructions from Xorg Libraries (sysv) or Xorg Libraries (systemd).
After the Glibc-2.38 release, a buffer overflow in the dynamic loader that could allow a local privilege escalation was found. This vulnerability has been assigned CVE-2023-4911. Glibc-2.34, 2.35, 2.36, 2.37, and 2.38 are affected.
The team that discovered this vulnerability has claimed that it is very trivial to exploit, so any LFS system running the vulnerable Glibc versions (LFS 11.0, 11.1, 11.2, 11.3, and 12.0) should be patched.
Rebuild Glibc (the same version as installed in LFS) with the following changes: glibc-2.38-memalign_fix-1.patch is replaced by glibc-2.38-upstream_fixes-3.patch. This patch also includes the memalign fix, the CVE-2023-4527 (see SA 12.0-004) fix, and the CVE-2023-4806 (see SA 12.0-005) fix. After testing the package with make check, instead of installing it directly, perform a DESTDIR installation with make install DESTDIR=$PWD/dest. Now as the root user, replace the vulnerable dynamic loader:
install -vm755 dest/usr/lib/ld-linux* /usr/lib
If the debug symbols for Glibc are stripped from the dynamic loader and saved in a separate ld-linux*.so.2.dbg file (as demonstrated in Stripping), use the following commands instead to replace the dynamic loader and the debug symbol file:
ldso=$(echo /usr/lib/ld-linux*[^g])
objcopy --only-keep-debug dest/${ldso}{,.dbg}
strip --strip-unneeded dest/${ldso}
objcopy --add-gnu-debuglink=${ldso}.dbg dest/${ldso}
install -vm755 dest/${ldso} /usr/lib
install -vm644 dest/${ldso}.dbg /usr/lib
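The loader replacement step above overwrites the one file every dynamically linked program on the system depends on, so it is worth checking the DESTDIR-built loader before it goes live. The following is an added example and not part of the LFS advisory: a preflight that confirms the new loader exists, executes, and reports the same glibc release as the live one, followed by the same install command the advisory gives. It assumes the DESTDIR layout from the advisory (dest/usr/lib/ld-linux...) and relies on the loader being directly executable and answering --version, which glibc's ld.so does; the paths are parameters so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the LFS/BLFS advisory: a guarded version of the
# "replace the vulnerable dynamic loader" step for CVE-2023-4911.

# ld_preflight DEST LIVE
#   DEST: the directory given to `make install DESTDIR=...`
#   LIVE: the installed loader, e.g. /usr/lib/ld-linux-x86-64.so.2
# Returns 0 when the new loader exists, runs, and reports the same glibc
# release as the live one; a non-zero code with a reason otherwise.
ld_preflight() {
    dest=$1 live=$2
    new="$dest$live"
    if [ ! -f "$new" ]; then
        echo "preflight: $new not found (DESTDIR install missing?)" >&2
        return 1
    fi
    # The loader is an executable in its own right: run the new copy
    # directly. A wrongly built or wrong-architecture binary fails here,
    # before anything on the live system is touched.
    newver=$("$new" --version 2>/dev/null | head -n 1)
    if [ -z "$newver" ]; then
        echo "preflight: $new does not execute" >&2
        return 2
    fi
    livever=$("$live" --version 2>/dev/null | head -n 1)
    if [ "$newver" != "$livever" ]; then
        echo "preflight: release mismatch: new '$newver' vs live '$livever'" >&2
        return 3
    fi
    return 0
}

# ld_replace DEST LIVE
# Run the preflight, then install the new loader with the same command the
# advisory uses. GNU install(1) removes the destination and creates a new
# file rather than writing into the existing one, so already running
# programs keep their mapping of the old loader and only newly started
# processes pick up the fixed one.
ld_replace() {
    ld_preflight "$1" "$2" || return $?
    if [ -e "$2.dbg" ]; then
        echo "note: $2.dbg exists; use the objcopy/strip variant from the advisory" >&2
    fi
    install -vm755 "$1$2" "$(dirname "$2")"
}

# Usage on a real system, as root, from the Glibc build directory:
#   ld_replace "$PWD/dest" /usr/lib/ld-linux-x86-64.so.2
```

Run the preflight on its own first if you want to see the reason for a refusal without installing anything; ld_replace only proceeds when it returns 0.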
In libvpx-1.13.0, a security vulnerability has been found that could lead to heap buffer overflow if a maliciously crafted HTML page is opened in a Web browser using libvpx for supporting VP8. Google is aware that an exploit for this vulnerability exists in the wild. This vulnerability has been assigned CVE-2023-5217.
To fix this vulnerability, update to (or rebuild) libvpx-1.13.0 with libvpx-1.13.0-security_fix-1.patch applied, using the instructions from libvpx (sysv) or libvpx (systemd).
In WebKitGTK+-2.42.1, a critical security vulnerability was fixed that could lead to remote code execution when processing crafted web content. The vulnerability was resolved with additional checks when processing JavaScript. Apple is aware of reports that this vulnerability is being actively exploited, and does not require any user interaction to exploit. The BLFS team recommends that you update to WebKitGTK+-2.42.1 immediately to protect your system. This vulnerability has been assigned CVE-2023-41993.
To fix this vulnerability, update to WebKitGTK+-2.42.1 or later using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In Thunderbird-115.3.0, three security vulnerabilities were fixed that could allow for remotely exploitable crashes and arbitrary code execution. Note that these vulnerabilities only apply when using HTML mail. These vulnerabilities have been assigned CVE-2023-5169, CVE-2023-5171, and CVE-2023-5176.
To fix these vulnerabilities, update to Thunderbird-115.3.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Seamonkey-2.53.17.1, several security vulnerabilities were fixed that could allow for fullscreen window spoofing, denial of service, remote code execution, URL spoofing, push notifications being saved to disk unencrypted, and certificate exception bypasses. This update brings Seamonkey up to date with the security fixes in Firefox 115.3.0 and Thunderbird 115.3.0. These vulnerabilities have been assigned CVE-2023-34414, CVE-2023-34416, CVE-2023-3482, CVE-2023-37201, CVE-2023-37202, CVE-2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-37207, CVE-2023-37208, CVE-2023-32709, CVE-2023-37210, CVE-2023-37211, CVE-2023-3417, CVE-2023-3600, CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4073, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4576, CVE-2023-4577, CVE-2023-4051, CVE-2023-4578, CVE-2023-4053, CVE-2023-4580, CVE-2023-4581, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585, CVE-2023-5169, CVE-2023-5171, and CVE-2023-5176.
To fix these vulnerabilities, update to Seamonkey-2.53.17.1 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In firefox 115.3.0 four vulnerabilities rated as High were fixed. Details at mfsa-2023-42. Details may appear at CVE-2023-5168, CVE-2023-5169, CVE-2023-5171, and CVE-2023-5176.
To fix these update to firefox-115.3.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In Glibc-2.36, a use-after-free was fixed, and it has recently been found that this issue has a security implication, as it may cause a denial of service (application crash) with malicious DNS responses.
This vulnerability has been assigned CVE-2023-4813, and many Glibc releases before 2.36 (at least 2.17 through 2.35) are affected.
Because this issue can only be triggered with an unsupported configuration in /etc/nsswitch.conf, we are not providing a patch for Glibc here. Instead you need to remove [SUCCESS=continue] and [SUCCESS=merge] from the hosts: line in /etc/nsswitch.conf if they are included there. Using them in the hosts: line is not supported, and if they "worked" it was completely by coincidence. The LFS /etc/nsswitch.conf file does not contain such an unsupported configuration, so a by-the-book LFS installation is not affected.
In BIND-9.18.19, two security vulnerabilities were fixed that could allow for a remotely-exploitable denial of service (crash of the named server process). One of these vulnerabilities happens when processing DNS-over-TLS queries, and occurs due to an assertion failure when internal data structures are incorrectly reused under significant load. The other vulnerability occurs when processing DNS queries, and can be triggered by sending a specially crafted message over the control channel. It will cause the packet parsing code to run out of available stack memory, and thus cause the named server process to terminate unexpectedly. These vulnerabilities have been assigned CVE-2023-3341 and CVE-2023-4236.
To fix these vulnerabilities, update to BIND-9.18.19 or later using the instructions from BIND (sysv) or BIND (systemd).
In gst-plugins-bad-1.22.6, three security vulnerabilities were fixed that could allow for arbitrary code execution when processing MXF files or H.265 videos. The two vulnerabilities that occur when processing MXF files happen when opening a file with uncompressed video, or with AES3 audio. The vulnerability with H.265 videos happens when parsing malformed H.265 video streams. All three of these vulnerabilities have been classified as integer overflows which lead to heap or stack overwrites. Because of the way gstreamer plugins are handled, you will need to upgrade the entire gstreamer stack to fix these vulnerabilities. These vulnerabilities have been assigned CVE-2023-40474, CVE-2023-40475, and CVE-2023-40476.
To fix these vulnerabilities, update the gstreamer stack to 1.22.6 using the instructions from gstreamer (sysv) or gstreamer (systemd).
In CUPS-2.4.7, a security vulnerability was fixed that could allow for remote code execution or denial of service (CUPS service crash) due to a malicious print job. This occurs due to incorrectly validating the length provided by a CUPS document, and the vulnerability is in the scan_ps function. This problem causes a heap-based buffer overflow. This vulnerability has been assigned CVE-2023-4504.
To fix this vulnerability, update to CUPS-2.4.7 or later using the instructions from CUPS (sysv) or CUPS (systemd).
In libarchive-3.7.2, multiple security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service when writing a PAX archive using the libarchive API. No CVEs have been assigned for this issue, but more details can be found at libarchive upstream commit.
To fix these vulnerabilities, update to libarchive-3.7.2 or later using the instructions from libarchive (sysv) or libarchive (systemd).
In cURL-8.3.0, a security vulnerability was fixed that could allow for a denial of service when processing HTTP headers. This occurs because cURL stores incoming HTTP headers so that they can be accessed later via the libcurl headers API, but there was no limit on how many headers it could cache, or on how large headers would be handled, which allows a malicious server to stream an endless series of headers and eventually cause cURL to run out of heap memory. This was fixed by setting a limit on the total size of headers in a single HTTP response - the limit is 300KB. This vulnerability has been assigned CVE-2023-38039.
To fix this vulnerability, update to cURL-8.3.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In Thunderbird-115.2.2, a critical security vulnerability in the bundled libwebp was fixed which could allow for remote code execution when loading a malicious HTML mail which contains a webp image embedded in it. The version of Thunderbird shipped with BLFS 12.0 used the bundled libwebp, however this has been changed to use the system version of libwebp in the development version of the book. Because of this, you should upgrade to both Thunderbird-115.2.2, and follow the instructions to use the system version of libwebp after it has been updated using the instructions from SA-12.0-003. It is recommended that you update to the fixed version of libwebp and Thunderbird immediately to protect your system.
To fix this vulnerability, update to Thunderbird-115.2.2 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
After Glibc-2.38 release, a use after free was fixed in the getaddrinfo() function that could allow a denial of service (crash) with custom NSS modules in an extremely rare situation. This vulnerability has been assigned CVE-2023-4806. Many Glibc releases (at least 2.17 through 2.38) are affected.
The /etc/nsswitch.conf file created following the LFS instruction does not contain custom NSS modules, so a by-the-book LFS installation is not vulnerable.
If you are using a custom nsswitch.conf, backup the system first, then rebuild Glibc (the same version as you've installed in LFS) with glibc-2.38-memalign_fix.patch replaced by glibc-2.38-upstream_fixes-2.patch. This patch also includes the memalign fix and the CVE-2023-4527 (see SA 12.0-004) fix. After testing the package with make check, instead of installing it directly, perform a DESTDIR installation with make install DESTDIR=$PWD/dest. Now as the root user, replace the vulnerable library files:
install -vm755 dest/usr/lib/libc.so.6 /usr/lib
install -vm644 dest/usr/lib/libc.a /usr/lib
If the debug symbols for Glibc are stripped from the library files and saved in a separate libc.so.6.dbg file (as demonstrated in Stripping), use the following commands instead to replace the library files and the debug symbol file:
objcopy --only-keep-debug dest/usr/lib/libc.so.6{,.dbg}
strip --strip-unneeded dest/usr/lib/libc.{a,so.6}
objcopy --add-gnu-debuglink=/usr/lib/libc.so.6.dbg dest/usr/lib/libc.so.6
install -vm755 dest/usr/lib/libc.so.6 /usr/lib
install -vm644 dest/usr/lib/libc.{a,so.6.dbg} /usr/lib
After the files are replaced, reboot the system immediately.
After Glibc-2.38 release, a security vulnerability was fixed in the DNS resolver that could allow a denial of service (crash) or potential information disclosure with a long DNS response if no-aaaa is specified in /etc/resolv.conf. This vulnerability has been assigned CVE-2023-4527. The affected Glibc releases are 2.36, 2.37, and 2.38.
The /etc/resolv.conf file created following the LFS General Network Configuration section (sysv or systemd) does not contain no-aaaa, so a by-the-book LFS installation is not vulnerable.
If you are using no-aaaa, backup the system first, then apply the fix for Glibc-2.36, 2.37, or 2.38 (use the same Glibc version as you've installed in LFS) with the following command:
sed \
  -E "/__res_context_search/\
{N;N;s/(search \(([^,]*,){6}[^,]*)NULL/\1\&alt_dns_packet_buffer/}" \
  -i resolv/nss_dns/dns-host.c
and rebuild it with the instructions from Glibc-2.36 (with the SA 11.2-075 patch applied), Glibc-2.37, or Glibc-2.38. After testing the package with make check, instead of installing it directly, perform a DESTDIR installation with make install DESTDIR=$PWD/dest. Now as the root user, replace the library files containing the DNS resolver:
install -vm755 dest/usr/lib/libc.so.6 /usr/lib
install -vm644 dest/usr/lib/libc.a /usr/lib
If the debug symbols for Glibc are stripped from the library files and saved in a separate libc.so.6.dbg file (as demonstrated in Stripping), use the following commands instead to replace the library files and the debug symbol file:
objcopy --only-keep-debug dest/usr/lib/libc.so.6{,.dbg}
strip --strip-unneeded dest/usr/lib/libc.{a,so.6}
objcopy --add-gnu-debuglink=/usr/lib/libc.so.6.dbg dest/usr/lib/libc.so.6
install -vm755 dest/usr/lib/libc.so.6 /usr/lib
install -vm644 dest/usr/lib/libc.{a,so.6.dbg} /usr/lib
After the files are replaced, reboot the system immediately.
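Both Glibc advisories above turn on a configuration detail (custom NSS modules in /etc/nsswitch.conf for CVE-2023-4806, the no-aaaa option in /etc/resolv.conf for CVE-2023-4527). The following script, added here as an example and not part of the LFS book, reads both files and reports which of the two conditions applies, so you can decide whether the rebuild is needed before backing up and rebuilding Glibc. It assumes, as the LFS-generated nsswitch.conf does, that only the "files" and "dns" modules are stock; the sample files it creates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from LFS/BLFS): check the two conditions under which a
# system is affected by CVE-2023-4806 (custom NSS modules) and
# CVE-2023-4527 ("no-aaaa" in resolv.conf options).
# Assumption: the stock LFS nsswitch.conf uses only the files and dns modules.

# Print NSS module names other than files/dns found in a nsswitch.conf,
# one per line, sorted (empty output = no custom modules).
nss_custom_modules() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        /:/ {
            sub(/^[^:]*:/, "")             # drop the "database:" prefix
            for (i = 1; i <= NF; i++)      # remaining fields: modules or [actions]
                if ($i !~ /^\[/ && $i != "files" && $i != "dns")
                    seen[$i] = 1
        }
        END { for (m in seen) print m }
    ' "$1" | sort
}

# Exit 0 if an "options" line of the given resolv.conf carries the no-aaaa token.
resolv_has_no_aaaa() {
    awk '
        { sub(/[#;].*/, "") }              # resolv.conf comments start with # or ;
        $1 == "options" {
            for (i = 2; i <= NF; i++)
                if ($i == "no-aaaa") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# One verdict line per CVE for the given nsswitch.conf and resolv.conf.
glibc_advisory_report() {
    nss=$1; resolv=$2
    mods=$(nss_custom_modules "$nss" | tr '\n' ' ')
    mods=${mods% }
    if [ -n "$mods" ]; then
        printf 'CVE-2023-4806: affected (custom NSS modules: %s)\n' "$mods"
    else
        printf 'CVE-2023-4806: not affected (files/dns only)\n'
    fi
    if resolv_has_no_aaaa "$resolv"; then
        printf 'CVE-2023-4527: affected (no-aaaa set)\n'
    else
        printf 'CVE-2023-4527: not affected (no-aaaa not set)\n'
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the files a by-the-book LFS installation produces
cat > "$WORK/nsswitch-lfs.conf" <<'EOF'
# Begin /etc/nsswitch.conf
passwd: files
group: files
shadow: files
hosts: files dns
networks: files
# End /etc/nsswitch.conf
EOF
cat > "$WORK/resolv-lfs.conf" <<'EOF'
# Begin /etc/resolv.conf
nameserver 192.0.2.53
# End /etc/resolv.conf
EOF

# Constructed sample: a customised pair that the advisories say IS affected
cat > "$WORK/nsswitch-custom.conf" <<'EOF'
passwd: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
EOF
cat > "$WORK/resolv-custom.conf" <<'EOF'
nameserver 192.0.2.53
options ndots:2 no-aaaa
EOF

glibc_advisory_report "$WORK/nsswitch-lfs.conf" "$WORK/resolv-lfs.conf"
glibc_advisory_report "$WORK/nsswitch-custom.conf" "$WORK/resolv-custom.conf"
# On a live system: glibc_advisory_report /etc/nsswitch.conf /etc/resolv.conf
```

Run it as any user; it only reads the two files. A "not affected" result for both lines means the by-the-book case from the advisories applies and no rebuild is required for these two CVEs.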
Chromium and Apple have announced a Critical vulnerability in libwebp which is being actively exploited. This vulnerability has been assigned CVE-2023-4863.
This vulnerability has been fixed in libwebp-1.3.2 published on 2023-09-14. Update to libwebp-1.3.2 or later using the instructions for LibWebP (sysv) or Libwebp (systemd).
In mutt-2.2.12 a vulnerability which could cause mutt to crash while parsing a malformed header was fixed.
This has now been assigned CVE-2023-4874 and CVE-2023-4875.
To fix this update to mutt-2.2.12 or later using the instructions for Mutt (sysv) or Mutt (systemd).
In Python-3.11.5, a security vulnerability was fixed that could allow the TLS handshake to be bypassed in SSL sockets. This vulnerability has been assigned CVE-2023-40217.
To fix this vulnerability, update to Python-3.11.5 or later using the instructions from Python3 (sysv) or Python3 (systemd).
In Thunderbird-115.2.0, twelve security vulnerabilities were fixed that could allow for potentially exploitable crashes, spoofing attacks, out of memory exceptions, leakage of sensitive information, for the browsing context to not be cleared, and for remote code execution. Most of these vulnerabilities are only applicable to HTML mail. These vulnerabilities have been assigned CVE-2023-4051, CVE-2023-4053, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4583, CVE-2023-4584, and CVE-2023-4585.
To fix these vulnerabilities, update to Thunderbird-115.2.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In firefox 115.2.0 twelve vulnerabilities applicable to BLFS were fixed, six of them rated as High. Details at mfsa-2023-36 and at CVE-2023-4051, CVE-2023-4053, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4583, CVE-2023-4584, and CVE-2023-4585.
To fix these update to firefox-115.2.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In PHP-8.2.9, two security vulnerabilities were fixed which could allow for unauthorized disclosure of local files on a server, for remote code execution, and for remotely exploitable denial of service. The unauthorized disclosure of local files vulnerability occurs in the libxml module, which allows for external entities to be loaded even if the server's configuration does not have external entity loading enabled. This can occur when using other modules that depend on libxml such as ImageMagick, where the state of the libxml module is process-global. Note that the vulnerable state may persist in the same process across many requests, continuing until the process is shut down. In the case of the critical remote code execution vulnerability, it occurs in the Phar module, and happens due to insufficient length checking when reading PHAR directory entries leading to a stack buffer overflow. If you use the libxml or Phar modules in PHP, it's recommended that you upgrade to PHP-8.2.9 immediately. These vulnerabilities have been assigned CVE-2023-3823 and CVE-2023-3824.
To fix these vulnerabilities, update to PHP-8.2.9 or later using the instructions from PHP (sysv) or PHP (systemd).
In Thunderbird-115.1.1, several security vulnerabilities were fixed that could allow for file extension spoofing using the Text Direction Override Character, cross-origin restriction bypasses, remote code execution, remotely exploitable crashes, bypass of permissions requests, and for notifications to be obscured. These vulnerabilities have been assigned CVE-2023-3417, CVE-2023-3600, CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-37201, CVE-2023-37202, CVE-2023-37207, CVE-2023-37208, and CVE-2023-37211.
To fix these vulnerabilities, update to Thunderbird-115.1.1 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
If you wish to stay on the Thunderbird 102 series, update to Thunderbird 102.14.0, but note that this series is discontinued on August 30th.
In krb5-1.21.2, two security vulnerabilities were fixed that could allow for crashes of the KDC process and of the kadm5 process. The KDC process crash occurs due to a double-free in KDC's TGS processing, and the kadm5 process crash happens due to an uninitialized pointer being freed when performing XDR parsing. These vulnerabilities can be exploited remotely. These vulnerabilities have been assigned CVE-2023-36054 and CVE-2023-39975.
To fix these vulnerabilities, update to krb5-1.21.2 or later using the instructions from MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd).
In Screen-4.9.1, a security vulnerability was fixed that could allow for local users to send a privileged SIGHUP signal to any PID on the system, which could cause a denial of service or disruption of the target process. If you are on a multi-user system and use Screen, you should upgrade. This vulnerability has been assigned CVE-2023-24626.
To fix this vulnerability, update to Screen-4.9.1 or later using the instructions from Screen (sysv) or Screen (systemd).
A side channel vulnerability in the AMD Zen/Zen2/Zen3/Zen4 CPUs has been publicised with the name "Inception" or "Speculative Return Stack Overflow" (SRSO). This vulnerability may allow an attacker to influence the return address prediction, causing speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure. This vulnerability has been assigned CVE-2023-20569. More details can be found at the home page for this vulnerability.
To mitigate this vulnerability, update to Linux kernel 6.4.9 or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd); or 6.1.44 or later if you prefer to stick with the 6.1 LTS series using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd). The kernel update is enough to mitigate the issue for Zen/Zen2 CPUs. For Zen3/Zen4 CPUs, the kernel update only partially mitigates the issue and a full mitigation requires a microcode update in addition to the kernel update. For Zen3/Zen4 EPYC CPUs, update to amd-microcode-20230808 or later using the instructions for About Firmware (sysv) or About Firmware (systemd). For Zen3/Zen4 non-EPYC CPUs, a microcode update is planned by AMD to be shipped this month (Aug 2023). But we are not sure if the update would be available for end users as a kernel-loadable microcode file. If a kernel-loadable microcode update is available, we'll issue a new security advisory for it. Otherwise, you'll need to contact the vendor of your motherboard (or laptop) for a BIOS update including the new microcode.
In node.js-18.17.1, three security vulnerabilities were fixed that could allow for permission policy bypass via the Module._load function, the module.constructor.createRequire function, and the process.binding function. In the case of using Module._load and module.constructor.createRequire, it's possible to bypass the policy mechanism and require modules outside of the policy.json definition for a given module. In the case of the process.binding function, it's possible to bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in the policy.json file. Note that at this time, the policies are experimental features of Node.js, but they are still enabled by default. These vulnerabilities have been assigned CVE-2023-32002, CVE-2023-32006, and CVE-2023-32559.
To fix these vulnerabilities, update to node.js-18.17.1 or later using the instructions from node.js (sysv) or node.js (systemd).
In PostgreSQL-15.4, two security vulnerabilities were fixed that could allow for SQL Injection when using extension scripts, and for security policy bypasses when row security policies are in effect. In the case of the SQL Injection vulnerability, this occurs when an extension script uses the @extowner@, @extschema@, or @extschema:...@ tokens inside a quoting construct, such as dollar quoting, or quotation marks. This vulnerability allows an attacker having database-level CREATE privileges to execute arbitrary code as the bootstrap superuser. This update disables it by blocking the attack in the core server, so no modification of any existing extensions is required. In the case of the policy bypass vulnerability, PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid a row that INSERT policies do not, a user could be allowed to store such rows, and further consequences are possible depending on the application in use. These vulnerabilities have been assigned CVE-2023-39417 and CVE-2023-39418.
To fix these vulnerabilities, update to PostgreSQL-15.4 or later using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
In intel-microcode-20230808, three hardware vulnerabilities were fixed. All of them may potentially allow information disclosure. The first one known as "Gather Data Sampling" (GDS) affects Intel processors with AVX2 capability based on Skylake, Kaby Lake, Cascade Lake, Cooper Lake, Ice Lake, or Tiger Lake microarchitectures (the latest 12th and 13th generations of Core processors are not affected). The second one only affects Intel Xeon processors based on Cooper Lake microarchitecture. The third one affects Intel Xeon processors based on Cooper Lake or Sapphire Rapids microarchitectures if SGX is utilized; this is actually rated as "High" severity by Intel but LFS does not support utilizing SGX so we still rated this advisory as "Medium". These vulnerabilities have been assigned CVE-2022-40982, CVE-2023-23908, and CVE-2022-41804.
If you are running the system on an affected processor, to fix these vulnerabilities, update to intel-microcode-20230808 or later using the instructions for About Firmware (sysv) or About Firmware (systemd).
Note that the GDS fix will make "gathering" AVX2 and AVX512 instructions much slower, so if you are building the system for a CPU affected by GDS with a -march= setting in CFLAGS or CXXFLAGS (note that we do not encourage doing so at all), append -mtune-ctrl=^use_gather_2parts,^use_gather_4parts,^use_gather after the -march= option to disable these instructions.
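The -mtune-ctrl advice above is easy to apply by hand once, but it is also easy to forget or to duplicate when CFLAGS are assembled from several places. The following shell function, added here as an example and not part of the LFS book, inserts the option directly after the first -march= token of a flags string and leaves strings without -march= (or strings that already carry the option) unchanged. The sysfs path used by gds_sysfs_status is the kernel's own vulnerability report for GDS on kernels that carry the mitigation; which kernel versions first expose it is left as an assumption, and the function prints "unknown" when the file is absent. The default CFLAGS value at the bottom is a constructed sample.

```sh
#!/bin/sh
# Added example (not from LFS): add the GDS gather-instruction workaround
# after an existing -march= option in a CFLAGS/CXXFLAGS string, exactly once.
GDS_TUNE='-mtune-ctrl=^use_gather_2parts,^use_gather_4parts,^use_gather'

# Print the flags with $GDS_TUNE inserted right after the first -march= token.
# Flags without -march= are returned unchanged (the workaround only matters
# when the build targets a specific, GDS-affected CPU), and flags that already
# contain the option are returned unchanged as well.
add_gds_workaround() {
    flags=$1
    case " $flags " in
        *" $GDS_TUNE "*) printf '%s\n' "$flags"; return 0 ;;   # already present
    esac
    out=""
    inserted=0
    set -f                              # no pathname expansion while splitting
    for tok in $flags; do
        out="${out:+$out }$tok"
        if [ "$inserted" -eq 0 ]; then
            case $tok in
                -march=*) out="$out $GDS_TUNE"; inserted=1 ;;
            esac
        fi
    done
    set +f
    printf '%s\n' "$out"
}

# Kernels carrying the GDS mitigation report its state under sysfs
# (assumption: exact first kernel version not stated here); print it,
# or "unknown" if the file does not exist on this kernel.
gds_sysfs_status() {
    f=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Usage: apply the workaround to the flags in the environment.
# The fallback value is a constructed sample for the demonstration.
CFLAGS=$(add_gds_workaround "${CFLAGS:--O2 -march=skylake -pipe}")
CXXFLAGS=$(add_gds_workaround "${CXXFLAGS:-$CFLAGS}")
printf 'CFLAGS=%s\nCXXFLAGS=%s\nGDS status: %s\n' "$CFLAGS" "$CXXFLAGS" "$(gds_sysfs_status)"
```

Source the file (or copy the function into your build environment script) and export the resulting CFLAGS and CXXFLAGS before building; calling the function again on an already adjusted string is harmless.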
In rustc-1.71.1, a security vulnerability was fixed in the Cargo portion of rustc which could allow a local user to change the source code compiled and executed by another user. This problem occurs because Cargo did not respect the umask value when extracting crates on a UNIX-like system, which allowed other users to modify source code in the cache directory for Cargo without another user's knowledge. Note that the cache will be cleared the next time Cargo is run once rustc has been updated to prevent existing cached extractions from being exploitable. This vulnerability has been assigned CVE-2023-38497.
To fix this vulnerability, update to rustc-1.71.1 or later using the instructions from rustc (sysv) or rustc (systemd).
In WebKitGTK+-2.41.6 (with a patch developed by the BLFS team applied), several security vulnerabilities were fixed that could allow for remote code execution, sensitive information disclosure, and bypasses of the Same Origin Policy. These vulnerabilities have also been fixed in WebKitGTK-2.40.5 if you prefer to stay on the 2.40 series. Some of these vulnerabilities can be exploited while processing crafted web content, such as advertisements, and can be exploited with no user interaction required. These vulnerabilities have been assigned CVE-2023-38133, CVE-2023-38572, CVE-2023-38592, CVE-2023-38594, CVE-2023-38595, CVE-2023-38597, CVE-2023-38599, CVE-2023-38600, and CVE-2023-38611.
To fix these vulnerabilities, rebuild WebKitGTK+-2.41.6 with the patch applied using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
If you are on the WebKitGTK+-2.40.x series, you may prefer to update to WebKitGTK+-2.40.5 instead.
In Seamonkey-2.53.17, several security patches up to Firefox and Thunderbird 102.11.0esr were applied to Seamonkey. This includes fixes for remote code execution, arbitrary code execution, denial of service, invalid GPG key verification, browser spoofing attacks, and for unauthorized downloads of files. Updating to Seamonkey-2.53.17 is recommended immediately. These vulnerabilities have been assigned CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-1945, CVE-2023-29548, CVE-2023-29550, CVE-2023-28427, CVE-2023-0547, CVE-2023-29479, CVE-2023-32205, CVE-2023-32206, CVE-2023-32207, CVE-2023-32211, CVE-2023-32212, CVE-2023-32213, and CVE-2023-32215.
To fix these vulnerabilities, update to Seamonkey-2.53.17 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In MariaDB-10.11.4 (and MariaDB-10.6.14), a security vulnerability was fixed that could allow for a denial of service. The vulnerability occurs due to it being possible for the function spider_db_mbase::print_warnings to dereference a null pointer, which will result in a crash. BLFS has moved onto MariaDB-10.11.x for BLFS 12.0, and while upgrading and running 'mariadb-upgrade' will not result in any ill effects, MariaDB-10.6.14 has been tested and is confirmed to work if you prefer to stay on the 10.6 series. This vulnerability has been assigned CVE-2022-47015.
To fix this vulnerability, update to MariaDB-10.11.4 (or 10.6.14) using the instructions from MariaDB (sysv) or MariaDB (systemd).
If you upgrade to MariaDB-10.11 from MariaDB-10.6, make sure that you run the mariadb-upgrade command.
In QtWebEngine-5.15.15, fixes for seven Chromium security vulnerabilities were backported to the branch. All are rated as High. CVE-2023-2721, CVE-2023-2931, CVE-2023-2932, CVE-2023-2933, CVE-2023-2935, CVE-2023-3079, and CVE-2023-3216.
To fix these vulnerabilities, update to QtWebEngine-5.15.15 using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).
In OpenSSL-3.1.2 (and OpenSSL-1.1.1v), three security vulnerabilities were fixed that could allow for applications which use the AES-SIV implementation in OpenSSL to be misled by empty associated data entries, excessive slowdown when checking DH keys and parameters, and for excessive slowdown when checking the 'q' parameter value in a DH key. This could lead to a denial of service condition due to excessive usage of resources. These vulnerabilities have been assigned CVE-2023-2975, CVE-2023-3446, and CVE-2023-3817.
To fix these vulnerabilities, update to OpenSSL-3.1.2 (or OpenSSL-1.1.1v if you prefer to stay on the 1.1 series) using the instructions from OpenSSL (sysv) or OpenSSL (systemd).
In firefox 115.1.0 seven vulnerabilities applicable to BLFS and rated as High were fixed. Details at mfsa-2023-31 and at CVE-2023-4045, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4056, and CVE-2023-4057.
To fix these update to firefox-115.1.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
A High-severity vulnerability (information disclosure in 16-byte chunks by a non-privileged user) has been publicised. Update the linux kernel to version 6.4.6 or later (6.1.41 or later if you use the LTS 6.1 version). This hardware vulnerability is known as zenbleed and allows disclosure of sensitive information. This vulnerability has been assigned CVE-2023-20593. More details can be found at the article written by the discoverer of this vulnerability.
AMD made an unexpectedly early release of microcode for a few of the higher-end affected CPUs, confusion about which led to an initial recommendation to update the microcode because the fix in the kernel could slow down some usages. It has now become clear that AMD are intending to ship updated AGESA for other affected CPUs in October to December, and past experience suggests that updates to linux firmware will only happen after that. See amd-sb-7008 while noting that AMD downplay the severity.
When a fixed kernel has been booted, look for a one-time message using 'dmesg | grep -i zenbleed'. If that shows 'Zenbleed: please update your microcode for the most optimal fix' then you know that the kernel has worked around the issue, and you can update to the new microcode (or update the AGESA via a 'bios' update from the motherboard manufacturer) when available.
If the fixed kernel does not mention Zenbleed then either you are not on a Zen2 CPU, or alternatively you are on one of the EPYC Zen2 variants for which the family 17 microcode has been released (currently only Rome/Castle Peak and Mendocino). More details in the thread and sub-threads starting at oss-security
In cURL-8.2.1, a security vulnerability was fixed that could allow for accidental overwriting of data due to a TOCTOU race condition when libcurl is told to save cookies, HSTS, or alt-svc data to a file. When exploiting this flaw, an attacker can trick a victim into creating or overwriting protected files holding this data in ways it was not intended to. The race condition modifies the behavior of symbolic links in affected components, allowing them to be followed instead of overwritten. This vulnerability impacts libcurl itself rather than just the cURL utility, and thus can be exploited in many different applications. This vulnerability has been assigned CVE-2023-32001.
To fix this vulnerability, update to cURL-8.2.1 or later using the instructions from cURL (sysv) or cURL (systemd).
This advisory was based on incomplete information from upstream and has been replaced by SA 11.3-067 above.
In amd-microcode-20230719, one hardware vulnerability known as "zenbleed" has been fixed. The vulnerability may allow sensitive information disclosure on all Zen 2 class processors. This vulnerability has been assigned CVE-2023-20593. More details can be found at the article written by the discoverer of this vulnerability.
If you are running LFS on a Zen 2 processor, update AMD Microcode to 20230719 or later using the instructions for About Firmware (sysv) or About Firmware (systemd) to fix the issue. Alternatively, a software mitigation has been developed for the Linux kernel. But the software mitigation can cause performance degradation, so we highly recommend updating the microcode instead of relying on the software mitigation.
In gst-plugins-ugly-1.22.5, two security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service. These vulnerabilities are in the RealMedia plugin, and occur due to integer overflows which lead to heap overwrites. If you use RealMedia files, you should update the gstreamer stack to 1.22.5 immediately. These vulnerabilities do not have CVEs assigned yet, but details are available upstream at ZDI-CAN-21443 and ZDI-CAN-21444.
To fix these vulnerabilities, update the gstreamer stack to 1.22.5 using the instructions from gstreamer (sysv) or gstreamer (systemd).
In librsvg-2.56.3, a security vulnerability was fixed that could allow for arbitrary file reads when an xinclude href has special characters in it. These special characters include '?', '#', and '@'. A proof of concept is public which allows for reading /etc/passwd on a system when loading an SVG image using librsvg. This vulnerability has been assigned CVE-2023-38633. Additional information can be found at the librsvg Gitlab issue.
To fix this vulnerability, update to librsvg-2.56.3 or later using the instructions from librsvg (sysv) or librsvg (systemd).
In OpenJDK-20.0.2, six security vulnerabilities were fixed that could allow for unauthorized access to data on a system and for a denial of service. These vulnerabilities were found in the Hotspot, Libraries, Utility, and Networking components, and all but one of them can be exploited remotely without any user interaction and without authentication. These vulnerabilities have been assigned CVE-2023-22041, CVE-2023-22044, CVE-2023-22045, CVE-2023-22049, CVE-2023-22036, and CVE-2023-22006.
To fix these vulnerabilities, update to OpenJDK-20.0.2 (or use the prebuilt Java binaries) using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
In WebKitGTK+-2.41.6, a critical security vulnerability was fixed that could lead to remote code execution. This vulnerability occurs when processing crafted web content, and is known to Apple to be actively exploited. The BLFS team has created a patch on top of 2.41.6, but if you are using WebKitGTK+-2.40.x, WebKitGTK+-2.40.4 has been released with the patch already included. This vulnerability has been assigned CVE-2023-37450.
To fix this vulnerability, update to WebKitGTK+-2.41.6 or later with the patch from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
A temporary workaround is to export the following environment variable prior to running a program that uses WebKitGTK+ from the terminal: export JSC_useWebAssembly=0. Note that this is known to break some websites which rely on WASM.
In Samba-4.18.5, five security vulnerabilities were fixed that could allow for remotely exploitable crashes, packet signatures not being enforced, and for the absolute path of files on a server to be disclosed to a remote attacker. The denial of service vulnerabilities occur if you are using winbind for NTLM authentication and if you are using the mdssvc RPC service for Spotlight. Note that one of the vulnerabilities in Spotlight can result in 100% CPU usage on the server. The packet signature enforcement bypass occurs when using SMB2 packet signing, and the absolute path disclosure occurs when the Spotlight protocol is used. The vulnerability that allows for packet signature enforcement bypass also is known to cause issues with systems running the July 2023 Security Updates for Windows 10, Windows 11, and Windows Server 2012 R2 through Windows Server 2022, as those versions of Windows request packet signature enforcement when using SMBv2. On those versions of Windows, intermittent connection failures to servers without this update will occur. It is thus recommended to update Samba if you use it on a network with Windows systems present, even if you do not use winbindd or Spotlight. These vulnerabilities have been assigned CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967, and CVE-2023-34968.
To fix these vulnerabilities, update to Samba-4.18.5 or later using the instructions from Samba (sysv) or Samba (systemd).
In OpenSSH-9.3p2, a security vulnerability was fixed that could allow for remote code execution in some cases when using the PKCS#11 feature in ssh-agent. The PKCS#11 feature in ssh-agent has a search path that is not trustworthy, and will load any library in /usr/lib and cause remote code execution if the agent is forwarded to an attacker-controlled system. This is due to an incomplete fix for CVE-2016-10009. Note that this fix does introduce incompatible behavior. The defaults have been changed to refuse requests to load PKCS#11 modules issued by remote clients. If this impacts you, you must add the "-Oallow-remote-pkcs11" flag to your ssh-agent command. Note that this vulnerability only impacts users who use the ssh-agent command. This vulnerability has been assigned CVE-2023-38408, and further details are available in the Qualys Security Advisory.
To fix this vulnerability, update to OpenSSH-9.3p2 or later using the instructions from OpenSSH (sysv) or OpenSSH (systemd).
In nghttp2-1.55.1, a security vulnerability was fixed that could allow for denial of service through memory exhaustion. This vulnerability has been assigned: wnpa-sec-2023-22.
To fix this vulnerability, update to nghttp2-1.55.1 or later using the instructions from nghttp2 (sysv) or nghttp2 (systemd).
In Wireshark-4.0.7, two security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These can occur when using a malformed packet trace file or by injecting a malformed packet onto the wire. These vulnerabilities cause a crash or cause Wireshark to go into an infinite loop. These vulnerabilities have been assigned: wnpa-sec-2023-21 and wnpa-sec-2023-22.
To fix these vulnerabilities, update to Wireshark-4.0.7 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).
In firefox 115.0.2 a vulnerability rated as High was fixed. Details at mfsa-2023-26 and CVE-2023-3600.
To fix these update to firefox-115.0.2esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In LWP-Protocol-https-6.11, a security vulnerability was fixed that could allow attackers to disable server certificate validation by passing the HTTPS_CA_DIR or HTTPS_CA_FILE environment variable. This vulnerability has been assigned CVE-2014-3230.
To fix this vulnerability, update to LWP-Protocol-https-6.11 or later using the instructions from LWP::Protocol::https (sysv) or LWP::Protocol::https (systemd).
In gst-plugins-base and gst-plugins-good 1.22.4, three security vulnerabilities were fixed that could allow for arbitrary code execution and application crashes. These happen due to heap overwrites and integer overflows when processing subtitles (using the subparse and PGS subtitle parsers), and when processing malformed image tags in the FLAC parser. If you use subtitles or FLAC files, it's recommended that you update the gstreamer stack to 1.22.4 immediately. These vulnerabilities have not been assigned CVEs yet, but more details can be found at ZDI-CAN-20775, ZDI-CAN-20968, and ZDI-CAN-20994.
To fix these vulnerabilities, update the gstreamer stack to 1.22.4 using the instructions from gstreamer (sysv) or gstreamer (systemd).
In OpenJDK-20.0.1, six security vulnerabilities were fixed that could allow for unauthorized creation, modification, or deletion of data on a system, as well as for denial of service. These vulnerabilities occur in the TLS, HTTPS, Swing, core libraries, and networking components, and can be exploited remotely with no authentication required. These vulnerabilities have been assigned CVE-2023-21930, CVE-2023-21967, CVE-2023-21939, CVE-2023-21938, CVE-2023-21968, and CVE-2023-21937.
To fix these vulnerabilities, update to OpenJDK-20.0.1 (or the prebuilt Java binaries) using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
In Linux Kernel 6.4.1 (as well as 6.1.31), a security vulnerability was fixed that allows for trivial privilege escalation. The vulnerability occurs due to the updated memory management subsystem starting in Linux 6.1, where the maple tree (which is responsible for managing virtual memory areas) can undergo node replacement without properly acquiring a write lock. This allows for use-after-free issues which allow unprivileged local users to compromise the kernel and escalate their privileges. This vulnerability has been called "StackRot". This vulnerability has been assigned CVE-2023-3269. A detailed technical explanation can be found at StackRot post on seclists.org.
To fix this vulnerability, update to Linux kernel 6.4.1 or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd); or 6.1.31 or later if you prefer to stick with the 6.1 LTS series using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In ghostscript-10.01.2, a security vulnerability was fixed that could allow for arbitrary code execution and a denial of service. This problem occurs due to mishandling permission validation, and can allow for PS files to execute commands on the system if the files use the %pipe% prefix or the "|" pipe character prefix. Note that this can be exploited by sending a print job to a print server as well as when viewing/editing PostScript and PDF files in most applications. This vulnerability has been assigned CVE-2023-36664.
To fix this vulnerability, update to ghostscript-10.01.2 or later using the instructions from ghostscript (sysv) or ghostscript (systemd).
In libjpeg-turbo-3.0.0, a security vulnerability was fixed that could allow for a denial of service when processing certain 12-bit lossless JPEG images which contain samples that were out-of-range. An application which attempts to decompress such an image would lead to a buffer overflow which causes an application to crash. This vulnerability has been assigned CVE-2023-2804.
To fix this vulnerability, update to libjpeg-turbo-3.0.0 or later using the instructions from libjpeg (sysv) or libjpeg (systemd).
Since ImageMagick-7.1.0-61 several vulnerabilities have come to light, one rated as High. These were fixed between 7.1.0-62 and 7.1.1-10. These vulnerabilities have been assigned CVE-2023-1289, CVE-2023-1906, CVE-2023-2157, CVE-2023-34151 and CVE-2023-34153.
To fix these, update to ImageMagick-7.1.1-12 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).
In both firefox 115.0 and 102.13.0 several vulnerabilities were fixed, of which three were rated high, as well as others only applicable to versions after 102esr. Details at mfsa-2023-22 (115.0) and mfsa-2023-23 (102.13.0). The high severity CVEs common to 102esr and 115esr are CVE-2023-37201, CVE-2023-37202, CVE-2023-37121.
To fix these update to firefox-115.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
Alternatively, update to firefox-102.13.0 as a short-term fix which does not require updated dependencies. See the Editor Notes in the development book for guidance on required minimum dependencies for 115esr. Please note that firefox 102esr will have two more releases and then become unsupported at the end of August.
In the Javascript code of firefox-102.13.0 there is a fix for a potential use after free, see CVE-2023-37202 in mfsa-2023-23. Further details may appear at CVE-2023-37202.
To fix this, update to JS-102.13.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).
In BIND-9.18.16, two security vulnerabilities were fixed that could allow for a denial of service (application crash and system memory exhaustion). On systems where there is a lot of cached information, it was possible to significantly exceed the configurable cache limit by sending requests for RRsets in a certain order. Note that this impacts the default configuration for BIND, and can lead to the system running out of memory quickly. The other vulnerability occurs due to the 'recursive-clients' quota on some resolvers. If the server is configured with both 'stale-answer-enable yes' and 'stale-answer-client-timeout 0', a sequence of serve-stale-related lookups will cause the server to loop infinitely and terminate unexpectedly due to a stack overflow. If you're using BIND's DNS server instead of just the client utilities, it is recommended that you update to BIND-9.18.16 immediately, as the first denial-of-service vulnerability can be exploited by any system which contacts the DNS server when using the default configuration in BLFS. This does not affect the client utilities, it only affects the server. These vulnerabilities have been assigned CVE-2023-2911 and CVE-2023-2828.
To fix these vulnerabilities, update to BIND-9.18.16 or later using the instructions from BIND (sysv) or BIND (systemd).
In node.js-18.16.1, four security vulnerabilities were fixed that could allow for policy mechanism bypasses, denial of service, HTTP Request Smuggling, and keys not being properly generated. The policy mechanism bypass happens when using the process.mainModule.__proto__.require() function and can allow for modules to be loaded from outside of the policy.json definition. The denial of service vulnerability can occur when an invalid public key is provided to the crypto.X509Certificate() API and will result in process termination. The HTTP Request Smuggling vulnerability is very similar to the one fixed in Python. It was fixed by changing the API to use the CRLF sequence to delimit HTTP requests. The vulnerability where keys were not being properly generated occurs due to invalid documentation, where there is an inconsistency between implementation and documented design. The documentation said that crypto.createDiffieHellman() will generate keys, while the implementation in the module does not. These vulnerabilities have been assigned CVE-2023-30581, CVE-2023-30588, CVE-2023-30589, and CVE-2023-30590.
To fix these vulnerabilities, update to node.js-18.16.1 or later using the instructions from node.js (sysv) or node.js (systemd).
In CUPS-2.4.6, a security vulnerability was fixed that could allow for denial of service or information disclosure. The problem occurs due to a use-after-free bug that affects the 'cupsd' process, and occurs in the cupsdAcceptClient() function. On systems where the cupsd process is running in a privileged mode, it is possible to exfiltrate sensitive information from the server, as well as cause a remotely exploitable crash and loss of all print jobs stored in the queue as a result. It's highly recommended to update CUPS if you print regularly or if you share printers with other computers on your network. This vulnerability has been assigned CVE-2023-34241.
To fix this vulnerability, update to CUPS-2.4.6 or later using the instructions from CUPS (sysv) or CUPS (systemd).
In cups-filters-1.28.16, a security vulnerability exists that allows for remote code execution when using an IPP printer with the 'beh' backend. Upstream has resolved the problem, but has not cut a new release yet, so the BLFS team has developed a patch for it. The remote code execution vulnerability occurs due to calling the system command with an unsanitized user-provided command line when sending print jobs to the printer. This update is extremely important if you're hosting a print server which uses the 'beh' printer backend (beh standing for Backend Error Handler). This vulnerability has been assigned CVE-2023-24805.
To fix this vulnerability, apply the patch to cups-filters using the instructions from cups-filters (sysv) or cups-filters (systemd).
In Thunderbird-102.12.0, several security vulnerabilities were fixed that could allow for crashes, browser outputs to be obscured by popups, memory corruption, spoofing, unauthorized certificate exceptions, and remote code execution. Most of these vulnerabilities are only exploitable via HTML mail. These vulnerabilities have been assigned CVE-2023-32205, CVE-2023-32206, CVE-2023-32207, CVE-2023-32211, CVE-2023-32212, CVE-2023-32213, CVE-2023-32215, CVE-2023-34414, and CVE-2023-34416.
To fix these vulnerabilities, update to Thunderbird-102.12.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In dbus-1.14.8, a security vulnerability was fixed that could allow for unprivileged users to crash the dbus-daemon. Note that this could cause serious problems on systemd systems, but can lead to desktop environments crashing on SysV systems. If a privileged user with control over the dbus daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic (such as QDbusViewer from Qt), an unprivileged user can trigger a crash of the dbus-daemon process by sending an unreplyable message. This vulnerability has been assigned CVE-2023-34969.
To fix this vulnerability, update to dbus-1.14.8 or later using the instructions from the BLFS book for dbus (sysv) or dbus (systemd).
In Python-3.11.4, three security vulnerabilities were fixed that could allow for directory traversal, location exposure over HTTP, and for policy bypasses. The directory traversal vulnerability occurs when using the uu.decode function when no out_file was specified. The location exposure over HTTP vulnerability occurs when using the http.client.SimpleHTTPRequestHandler function. The policy bypass happens due to not correctly following the WHATWG standard, and was resolved by modifying the urllib.parse.urlsplit function to strip leading C0 control and space characters. Note that this is the only vulnerability to have a CVE assigned to it. This vulnerability has been assigned CVE-2023-24329, and more details are available at LFS Ticket #5271.
To fix this vulnerability, update to Python-3.11.4 or later (or Python-3.8.17 or later, Python-3.9.16 or later, Python-3.10.12 or later if you decide not to update the minor version) using the instructions from the BLFS book for Python (sysv) or Python (systemd).
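The urlsplit() issue above matters most to code that makes a blocklist decision from the parsed result: a leading space or C0 control character gives an empty scheme and netloc on unpatched versions, so a blocklist check passes while the eventual consumer still reaches the host. The following is an added illustration (not code from the LFS/BLFS books or from CPython), with constructed host names, showing the naive check next to one that strips leading C0/space characters itself (the same normalisation the 3.11.4 fix applies) and that prefers an allowlist:

```python
"""Blocklist bypass via leading C0/space characters (CVE-2023-24329) and a hardened check.

Constructed example: host names and policy are made up for illustration.
"""
from urllib.parse import urlsplit

# Constructed policy values, not from any real deployment.
BLOCKED_HOSTS = {"internal.example", "169.254.169.254"}
ALLOWED_SCHEMES = {"http", "https"}


def strip_leading_c0_and_space(url: str) -> str:
    """Drop leading characters in the range U+0000..U+0020.

    This mirrors the WHATWG URL rule that patched urlsplit() applies; on older
    Pythons urlsplit() kept these characters and therefore mis-parsed the URL.
    """
    i = 0
    while i < len(url) and url[i] <= " ":
        i += 1
    return url[i:]


def naive_is_blocked(url: str) -> bool:
    """Pre-fix style check that trusts urlsplit() as-is.

    On Pythons before the fix, " https://internal.example/x" parses with an
    empty hostname, so this wrongly returns False for a blocked host.
    """
    return urlsplit(url).hostname in BLOCKED_HOSTS


def hardened_is_blocked(url: str) -> bool:
    """Normalise before parsing so the blocklist sees the real hostname."""
    parts = urlsplit(strip_leading_c0_and_space(url))
    return parts.hostname in BLOCKED_HOSTS


def hardened_is_allowed(url: str) -> bool:
    """Allowlist form: require a known scheme and a real, non-blocked host.

    Failing closed on an empty scheme or hostname is what makes this form
    robust even on an unpatched interpreter.
    """
    parts = urlsplit(strip_leading_c0_and_space(url))
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    return parts.hostname not in BLOCKED_HOSTS


if __name__ == "__main__":
    for sample in ("https://internal.example/x", " https://internal.example/x",
                   "\x1fhttps://169.254.169.254/latest", "https://example.com/"):
        print(repr(sample), naive_is_blocked(sample), hardened_is_blocked(sample),
              hardened_is_allowed(sample))
```

The naive result for the space-prefixed sample depends on the interpreter version, which is exactly why the hardened forms do their own normalisation.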
In CUPS-2.4.5, a security vulnerability was fixed that could allow for a remote attacker to trigger a denial-of-service attack against a CUPS server. It occurs due to a heap buffer overflow vulnerability, and the vulnerable function has to do with logging (the format_log_line function). This would also cause all current print jobs to be canceled. If you share printers with other users, it's highly recommended to update to CUPS-2.4.5 or later. This vulnerability has been assigned CVE-2023-32324.
To fix this vulnerability, update to CUPS-2.4.5 or later using the instructions for CUPS (sysv) or CUPS (systemd).
In LibX11-1.8.6, a security vulnerability was fixed. A malicious X server (or a malicious proxy-in-the-middle) may corrupt client memory and at least cause the client to crash. This vulnerability has been assigned CVE-2023-3138.
To fix this vulnerability, update to LibX11-1.8.6 or later using the instructions for Xorg Libraries (sysv) or Xorg Libraries (systemd).
In Firefox-102.12.0esr, two security vulnerabilities rated as High by upstream were fixed. Details at mfsa-2023-19. These vulnerabilities have been assigned CVE-2023-34414, CVE-2023-34416.
To fix these vulnerabilities, update to Firefox-102.12.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In WebKitGTK+-2.40.2, two security vulnerabilities were fixed that could allow for sensitive information disclosure and remote code execution. These vulnerabilities are caused by out-of-bounds reads and use-after-frees, and can be exploited trivially with no user interaction necessary. Apple is aware of several reports of active exploitation of these vulnerabilities, and it is critical that you update your system immediately. These vulnerabilities have been assigned CVE-2023-28204 and CVE-2023-32373.
To fix these vulnerabilities, update to WebKitGTK+-2.40.2 or later using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In Exiv2-0.28.0, several security vulnerabilities were fixed that could allow for denial of service and arbitrary code execution when processing image metadata. Some of these occurred due to out-of-bounds reads, while others occurred due to infinite loops and memory management problems. These vulnerabilities primarily occur in the library, though they are exploitable through the command line utility. Most of these vulnerabilities can be triggered automatically when processing an image. These vulnerabilities have been assigned CVE-2021-29473, CVE-2021-31761, CVE-2021-37620, CVE-2021-34334, CVE-2021-37622, and CVE-2021-37623.
Additional information can be found at the Exiv2 release notes.
To fix these vulnerabilities, update to Exiv2-0.28.0 or later using the instructions from Exiv2 (sysv) or Exiv2 (systemd).
In PostgreSQL-15.3, two security vulnerabilities were fixed that could allow for arbitrary code execution and for incorrect policies to be applied on rows. The arbitrary code execution vulnerability occurs due to CREATE SCHEMA ... schema_element defeating protective search_path changes, enabling attackers having database-level CREATE privilege to execute commands as root. The incorrect security policy application on rows occurs due to Row security policies disregarding user ID changes after inlining. These vulnerabilities were assigned CVE-2023-2454 and CVE-2023-2455.
To fix these vulnerabilities, update to PostgreSQL-15.3 or later using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
In OpenSSL-3.1.1, five security vulnerabilities were fixed that could allow for denial of service, invalid certificate policies being silently ignored, certificate policy checks not being enabled, crashes on 64-bit ARM platforms, and for significantly degraded performance. The denial of service vulnerability occurs due to excessive resource consumption when verifying X.509 policy constraints in certificate chains. The invalid certificate policies being silently ignored occurs due to leaf certificates being processed incorrectly when checking certificates. However, this vulnerability requires the nonstandard "-policy" argument to be passed to command line utilities, or the X509_VERIFY_PARAM_set1_policies() function to be called, and must be exploited by a malicious CA. The certificate policy checks not being enabled is caused by improper documentation of the X509_VERIFY_PARAM_add0_policy() function, and might require upstreams to modify applications to enable the policy check, since it's not done automatically. The ARM64-specific crash occurs because the AES-XTS cipher decryption implementation for this platform has a problem that causes it to read past its input buffer, leading to an instant crash. The performance degradation occurs when processing some ASN.1 object identifiers through the OBJ_obj2txt() function or any subsystems with no message size limit. These vulnerabilities have been assigned CVE-2023-2650, CVE-2023-1255, CVE-2023-0466, CVE-2023-0465, and CVE-2023-0464.
To fix these vulnerabilities, update to OpenSSL-3.1.1 or later (or 1.1.1u or later if you decide not to update from OpenSSL-1.1 to OpenSSL-3) using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).
In libcap-2.69, two security vulnerabilities were fixed that could allow for denial of service. One of the denial of service vulnerabilities occurs when an application calls the __real_pthread_create() function in libcap, and is caused by a memory leak. It can occur when an attacker purposely causes an error to return, and memory is not properly released. The other vulnerability is caused by an integer overflow, which happens in the _libcap_strdup() function and can occur when an attacker provides an input string that is close to 4 GiB. These vulnerabilities have been assigned CVE-2023-2602 and CVE-2023-2603.
To fix these vulnerabilities, update to libcap-2.69 or later using the instructions from the LFS book for libcap (sysv) or libcap (systemd).
In cURL-8.1.0, several security vulnerabilities were fixed that could allow for expected behavior violations, IDN wildcard matches, race conditions (causing improper synchronization in multi-threaded applications), and for an information leak due to a use-after-free. These vulnerabilities are limited in their scope and exploitability due to cURL's design, but can still be exploited on normal systems in some circumstances. The information leak occurs in the SSH SHA256 fingerprint check, and the race condition occurs due to libcurl using a global buffer that isn't mutex protected. The vulnerability is exploitable if cURL is built to use a synchronous resolver, which would allow for name resolves to timeout slow operations using alarm() and siglongjmp(). The IDN wildcard matching applies to TLS server certificates, and the expected behavior violations apply to POST-after-PUT commands in HTTP(S) transfers. These vulnerabilities have been assigned CVE-2023-28322, CVE-2023-28321, CVE-2023-28320, and CVE-2023-28319.
To fix these vulnerabilities, update to cURL-8.1.2 or later using the instructions from cURL (sysv) or cURL (systemd).
In Wireshark-4.0.6, nine security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These can occur when using a malformed packet trace file or by injecting a malformed packet onto the wire. These vulnerabilities cause a crash or cause Wireshark to go into an infinite loop. These vulnerabilities have been assigned: CVE-2023-2855, CVE-2023-2857, wnpa-sec-2023-14, CVE-2023-2858, CVE-2023-2856, CVE-2023-2854, CVE-2023-0666, CVE-2023-0668, and wnpa-sec-2023-20.
To fix these vulnerabilities, update to Wireshark-4.0.6 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).
In Requests-2.31.0, a security vulnerability was fixed, rated as moderate. This has been assigned CVE-2023-32681.
To fix this, update to requests-2.31.0 or later using the instructions for requests (sysv), or requests (systemd).
In c-ares-1.19.1, three security vulnerabilities were fixed, one of them rated as high (and one other regarding cross-compilation using autotools, which is not how BLFS builds this package). Details can be found at c-ares vulnerabilities. These have been assigned CVE-2023-32067, CVE-2023-31147 and CVE-2023-31130.
To fix this, update to c-ares-1.19.1 or later using the instructions for c-ares (sysv), or c-ares (systemd).
In QtWebEngine-5.15.14, fixes for several recent Chromium security vulnerabilities were backported to the branch used for 5.15. One of these is rated as Critical, 11 others are rated as High. These have been assigned CVE-2023-1215, CVE-2023-1219, CVE-2023-1220, CVE-2023-1222, CVE-2023-1529, CVE-2023-1530, CVE-2023-1531, CVE-2023-1534, CVE-2023-1810, CVE-2023-1811, CVE-2023-2033, CVE-2023-2137, and CVE-2023-29469.
Qt-5.15 reaches End of Life on 2023-05-26; it is unclear if any further vulnerability fixes will be available. To fix these vulnerabilities, update to QtWebEngine-5.15.14 using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).
In Firefox-102.11.0esr, six security vulnerabilities applicable to linux systems were fixed, four of them rated as High by upstream. Details at mfsa-2023-17. These vulnerabilities have been assigned CVE-2023-32205, CVE-2023-32206, CVE-2023-32207, CVE-2023-32211, CVE-2023-32213, CVE-2023-32215.
To fix these vulnerabilities, update to Firefox-102.11.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In the Javascript code of firefox-102.11.0 there are various changes, including what appears to be the fix for a type-checking bug reported against firefox, see CVE-2023-32211 in mfsa-2023-17. Further details may appear at CVE-2023-32211.
To fix this, update to JS-102.11.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).
Revision: details now at LuaTeX Security Vulnerabilities with an example exploit (it runs the last command on the lualatex command line). Now rated as High because the public exploit looks like an easy step towards privilege escalation, either by persuading you to run an untrusted file, or for a user on a multiuser system. This is CVE-2023-32700. Note that ConTeXt was not vulnerable because the debug module is disabled there, and that the vulnerability applies to LuaTeX versions 1.04 to 1.16.1 (TeXLive 2017 to 2023). There are no fixes for versions of Texlive before 2023.
In texlive_bugs (Known issues in TeX Live 2023) all users of the luatex programs were advised to update to v1.17.0 (and for the binary, that includes users of ConTeXt which uses the luametatex binary: in texlive-source we only support ConTeXt using the mkiv backend - that also needs a fix). The issue was described as "obscure ways to work around some security features".
Users of install-tl-unx who have installed lualatex should check the version using 'lualatex --version' and use tlmgr to update if the version is less than 1.17.0.
To fix this using texlive-source-2023, reinstall with the security-fixes-1 patch applied, and apply a sed to mtxrun.lua (if you use ConTeXt), following the instructions from texlive (sysv) or texlive (systemd). Unfortunately, you will need to reinstall any of asymptote, biber, dvisvgm or xindy which you have installed.
In several versions up to Git-2.40.0, three security issues were identified and fixed in Git-2.40.1. They allowed writing outside a working tree when applying a specially crafted patch, malicious placement of crafted messages under certain circumstances, and arbitrary configuration injection. These vulnerabilities have been assigned CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007.
To fix these vulnerabilities, update to Git-2.40.1 or later using the instructions from Git (sysv) or Git (systemd).
In WebKitGTK+-2.40.1, six security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable denial of service, Same Origin Policy bypass, and sensitive user information tracking. One of these vulnerabilities resulted in emergency updates from Apple and is known to be actively exploited, and can be triggered through malicious advertisements on web pages or other crafted web content. It's recommended that you update WebKitGTK+ immediately to protect yourself and your system. These vulnerabilities have been assigned CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, and CVE-2023-28205.
To fix these vulnerabilities, update to WebKitGTK+-2.40.1 or later using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
When updating to WebKitGTK+-2.40.1, you will need to install the 'unifdef' package. You only need the GTK+-3 version of WebKitGTK+, so set -DUSE_GTK4=OFF. If you do not want to install the new libavif package and its dependency, pass -DUSE_AVIF=OFF.
We are currently aware of reports that this package fails to run properly when used on Intel GPUs between Skylake and Coffee Lake. If you have one of these GPUs, please wait until the next release of WebKitGTK+.
In Wireshark-4.0.5, three security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These can occur when using RPCoRDMA packets, LISP packets, or GQUIC packets. Two of these vulnerabilities cause a crash, and the other causes a huge loop that can run your system out of resources. If you're using RPCoRDMA, LISP, or GQUIC packets in your network, it's recommended to update Wireshark. These vulnerabilities have been assigned CVE-2023-1992, CVE-2023-1993, and CVE-2023-1994.
To fix these vulnerabilities, update to Wireshark-4.0.5 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).
In libxml2-2.10.4, three security vulnerabilities were fixed that could cause crashes. One of these is because hashing of empty dict strings wasn't deterministic, but the other two vulnerabilities are due to null pointer dereferences when using the xmlSchemeFixupComplexType and the xmlSchemaCheckCOSSTDerivedOK functions. Note that only two of these vulnerabilities were assigned CVE IDs. These vulnerabilities have been assigned CVE-2023-29469 and CVE-2023-28484.
To fix these vulnerabilities, update to libxml2-2.10.4 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).
In ghostscript-10.01.1, a critical security vulnerability was fixed that allows for arbitrary code execution when loading crafted PostScript files. A proof of concept for this vulnerability is public, and it is known to be exploited. The vulnerability was fixed with ghostscript-10.01.1, but was not known to be part of this update until a posting was released to oss-security on 04-13-2023 making it public. This vulnerability is called "Shell in the Ghost", and is due to a buffer overflow. It is imperative that you update ghostscript on all systems which have it installed immediately. This vulnerability has been assigned CVE-2023-28879.
To fix this vulnerability, update to ghostscript-10.01.1 or later using the instructions for ghostscript (sysv) or ghostscript (systemd).
In Thunderbird-102.10.0, several security vulnerabilities were fixed that could allow for user confusion/spoofing attacks, potentially exploitable crashes, memory corruption, denial of service, security control bypasses (revocation status of S/MIME certificates were not checked), user interface hangs, remote code execution through download reflection and mishandling of .desktop files on Linux systems, and arbitrary code execution. Updating Thunderbird is highly recommended, and is crucial if you are using S/MIME encrypted email. These vulnerabilities have been assigned CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-0457, CVE-2023-29479, CVE-2023-29539, CVE-2023-29541, CVE-2023-1945, CVE-2023-29548, and CVE-2023-29550.
To fix these vulnerabilities, update to Thunderbird-102.10.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-102.10.0esr, seven security vulnerabilities applicable to linux systems were fixed, four of them rated as High by upstream (also a vulnerability fixed for the shipped libwebp - BLFS uses system libwebp see SA 11.3-015). Details at mfsa-2023-14. These vulnerabilities have been assigned CVE-2023-1945, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29550.
To fix these vulnerabilities, update to Firefox-102.10.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In the Javascript code of firefox-102.10.0 there is a fix for a potentially exploitable invalid free, rated as High by Mozilla - see CVE-2023-29536 in mfsa-2023-14. Further details may appear at CVE-2023-29536.
To fix this, update to JS-102.10.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).
The update to firefox-102.10.0 makes public a double-free vulnerability in libwebp which the mozilla developers say could lead to memory corruption and a potentially exploitable crash. See the MFSA-TMP-2001-001 entry in mfsa-2023-14.
To fix this in the absence of a newer libwebp release, apply the libwebp-1.3.0-upstream_fix-1.patch using the instructions for LibWebP (sysv) or Libwebp (systemd).
In Seamonkey-2.53.16, three versions worth of Firefox and Thunderbird security vulnerabilities were resolved. This includes fixes for issues that could cause remotely exploitable crashes, remote code execution, invalid JavaScript execution, arbitrary file reads, content security policy bypass, screen hijacking, and content spoofing. These vulnerabilities have been assigned CVE-2022-46871, CVE-2023-23598, CVE-2023-23601, CVE-2023-23602, CVE-2022-46877, CVE-2023-23603, CVE-2023-23605, CVE-2023-23728, CVE-2023-0767, CVE-2023-25735, CVE-2023-25737, CVE-2023-25739, CVE-2023-25729, CVE-2023-25732, CVE-2023-25742, CVE-2023-25744, CVE-2023-25751, CVE-2023-28164, CVE-2023-28162, CVE-2023-25752, CVE-2023-28176, CVE-2023-0616, and CVE-2023-28427.
To fix these vulnerabilities, update to Seamonkey-2.53.16 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In Ruby-3.2.2, two security vulnerabilities were fixed that could allow for a denial of service when using the Time or URI gems bundled with Ruby. These issues happen due to mishandling URLs with special characters, and mishandling invalid strings that have specific characters. In both cases, it results in a significantly longer execution time when parsing strings to URI or Time objects. These vulnerabilities have been officially classified as Regular Expression Denial of Service vulnerabilities. If you do not want to update Ruby to version 3.2.2, you can update the gems manually using 'gem update uri' and 'gem update time' as a workaround. These vulnerabilities have been assigned CVE-2023-28755 and CVE-2023-28756.
To fix these vulnerabilities, update to Ruby-3.2.2 or later using the instructions from Ruby (sysv) or Ruby (systemd).
In xwayland-23.1.1, a security vulnerability was fixed that could allow for local privilege escalation on systems where the X server is running privileged, and for remote code execution when using SSH X Forwarding. This vulnerability occurs due to a use-after-free, which happens if a client explicitly destroys the overlay window. The X server would leave a dangling pointer to that overlay window in the CompScreen structure, which would trigger a use-after-free later. This vulnerability has been assigned CVE-2023-1393.
To fix this vulnerability, update to xwayland-23.1.1 or later using the instructions from xwayland (sysv) or xwayland (systemd).
In Linux 6.2.3 through 6.2.9, eleven vulnerabilities were fixed which could potentially allow a Denial of Service (deadlock or kernel panic), information leak (network filter bypass) or local privilege escalation. These vulnerabilities have been assigned CVE-2022-4269, CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1583, CVE-2023-1670, CVE-2023-25012, CVE-2023-28466 and CVE-2023-28866.
To fix these vulnerabilities, update to Linux kernel 6.2.9 or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd); or 6.1.22 or later if you prefer to stick with the 6.1 LTS series using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In Thunderbird-102.9.1, a security vulnerability was fixed that could allow for a remotely exploitable denial-of-service when using the Matrix chat protocol in Thunderbird. This was fixed by updating the 3rd-party Matrix SDK that is bundled with Thunderbird to a more recent version. This vulnerability has been assigned CVE-2023-28427.
To fix this vulnerability, update to Thunderbird-102.9.1 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In xorg-server-21.1.8, a security vulnerability was fixed that could allow for local privilege escalation on systems where the X server is running privileged, and for remote code execution when using SSH X Forwarding. This vulnerability occurs due to a use-after-free, which happens if a client explicitly destroys the overlay window. The X server would leave a dangling pointer to that overlay window in the CompScreen structure, which would trigger a use-after-free later. This vulnerability has been assigned CVE-2023-1393.
To fix this vulnerability, update to xorg-server-21.1.8 or later using the instructions from xorg-server (sysv) or xorg-server (systemd).
In Samba-4.18.1, three security vulnerabilities were fixed that could allow for unauthorized attribute deletion, password resets where the new password is transmitted in plaintext, and for confidential attribute disclosure. Note that all three of these vulnerabilities require LDAP/AD DC to exploit, and while this isn't the default configuration of Samba in BLFS, some users are known to use it. The most serious vulnerability of the three is the confidential attribute disclosure. It has been discovered to be used to exfiltrate TPM owner passwords, certificate secret keys, and Bitlocker recovery keys. For users who have Active Directory Domain Controllers using Samba and use these features on Windows clients, the Samba team states that you should assume that this information has been compromised, and steps should be made to ensure that data that may have been leaked from confidential or otherwise access-controlled attributes is no longer useful. For example, drives should be re-encrypted if they are using BitLocker, TPM passwords should be changed, certificates should be re-issued, etc. Note that a successful exploitation will not show anything in the logs unless the logs are set to a level of 10 (which is highly verbose). If you are using Samba as an AD DC, you should take immediate action. In addition to applying this update, you will need to take actions to protect any data that may have been potentially compromised. See the information on CVE-2023-0614 for more information. These vulnerabilities have been assigned CVE-2023-0225, CVE-2023-0922, and CVE-2023-0614.
To fix these vulnerabilities, update to Samba-4.18.1 or later using the instructions from Samba (sysv) or Samba (systemd).
In cURL-8.0.1, six security vulnerabilities were fixed that could allow for authentication bypasses, remotely exploitable crashes, content filtering circumvention or arbitrary file writes, and command injection. These vulnerabilities occur due to improper reuse of connections when using GSS delegation, SSH, or FTP. The double-free remotely exploitable crash occurs when using HSTS, and the command injection occurs whenever using the TELNET protocol. The content filtering circumvention and arbitrary file writes occur when using SFTP, and happen due to a discrepancy when resolving the ~ (tilde) character. It's important to update cURL if you're using it to resolve HTTP URLs that redirect to HTTPS, or if you use TELNET/SSH/FTP/SFTP or GSS delegation with cURL. These vulnerabilities have been assigned CVE-2023-27538, CVE-2023-27537, CVE-2023-27536, CVE-2023-27535, CVE-2023-27534, and CVE-2023-27533.
To fix these vulnerabilities, update to cURL-8.0.1 or later using the instructions from cURL (sysv) or cURL (systemd).
In Thunderbird-102.9.0, five security vulnerabilities applicable to Linux systems were resolved, and two of them were rated as High by upstream. These vulnerabilities are only applicable if you are reading mail with HTML in it, and can allow for potentially exploitable crashes, spoofing attacks, and potentially remote code execution. It's important to update if you receive HTML mail. These vulnerabilities have been assigned CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, and CVE-2023-28176.
To fix these vulnerabilities, update to Thunderbird-102.9.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-102.9.0esr, five security vulnerabilities applicable to linux systems were fixed, two of them rated as High by upstream. Details at mfsa-2023-10. These vulnerabilities have been assigned CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164 and CVE-2023-28176.
To fix these vulnerabilities, update to Firefox-102.9.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In the Javascript code of firefox-102.9.0 there is a fix for a potentially exploitable crash when invalidating JIT code, rated as High by Mozilla - see CVE-2023-25751 in mfsa-2023-10. Further details may appear at CVE-2023-25751.
To fix this, update to JS-102.9.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).
In QtWebEngine-5.15.13, fixes for several recent Chromium security vulnerabilities rated as High were backported to the branch used for 5.15. These are CVE-2022-4437, CVE-2022-4438, CVE-2023-0129, CVE-2023-0472, CVE-2023-0698, CVE-2023-0931, and CVE-2023-0933.
To fix these vulnerabilities, update to QtWebEngine-5.15.13 or later using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).
In httpd-2.4.56, two security vulnerabilities were fixed that could allow for HTTP Request Smuggling attacks. These can occur on servers where the mod_proxy and mod_rewrite modules are enabled, or where mod_proxy_uwsgi is enabled. Request splitting or smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and for cache poisoning. Special characters in the origin response header can truncate/split the response forwarded to the client. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user supplied request-target (URL) data, and it is re-inserted into the proxied request-target using variable substitution. You should update Apache HTTPD if you are using the mod_proxy and mod_rewrite modules in combination, or if you are using the mod_proxy_uwsgi module. These vulnerabilities have been assigned CVE-2023-27522 and CVE-2023-25690. Additional information regarding example configurations which are affected can be found in BLFS Ticket #17764.
To fix these vulnerabilities, update to httpd-2.4.56 or later using the instructions from Apache HTTPD (sysv) or Apache HTTPD (systemd).
In Linux 6.2.2 five vulnerabilities were fixed which could potentially allow a Denial of Service (kernel panic) or sensitive information leak (insufficient protection against hardware vulnerabilities). These vulnerabilities have been assigned CVE-2022-2196, CVE-2022-27672, CVE-2023-1075, CVE-2023-1078, and CVE-2023-26545.
To fix these vulnerabilities, update to Linux kernel 6.2.2 or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd); or 6.1.14 or later if you prefer to stick with the 6.1 LTS series using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In HTTP-Daemon-6.15 a vulnerability was fixed which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are; most Perl-based applications are served on top of Nginx or Apache, not on HTTP::Daemon. This library is commonly used for local development and tests. The vulnerability has been assigned CVE-2022-31081.
To fix this vulnerability, update to HTTP-Daemon-6.15 using the instructions for perl module HTTP::Daemon (sysv) or perl module HTTP::Daemon (systemd).
In Epiphany-43.1, a security vulnerability was fixed that could allow for untrusted web content to trick a user into exfiltrating passwords. This occurs because autofill occurred in sandboxed contexts, and was worked around by disabling the password manager entirely when running inside of a sandbox. Google Security Research discovered this vulnerability and reported that it also impacts Safari, Bitwarden, and Dashlane, and allows for credentials to be automatically filled into untrusted pages without the master password, and allows for complete account compromise for any users who use the password management functionality. A proof-of-concept exploit has been made public. If you are using this function, you should update Epiphany immediately, even if you don't use the sandbox mode. This vulnerability has been assigned CVE-2023-26081. Additional information can be found at Google Security Advisory in GitHub.
To fix this vulnerability, update to Epiphany-43.1 using the instructions for Epiphany (sysv) or Epiphany (systemd).
In OpenJDK-19.0.2, two security vulnerabilities were fixed that could allow for an unauthorized ability to cause a partial Denial of Service, or to compromise some Java VM data. They apply to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. These vulnerabilities have been assigned CVE-2023-21835 and CVE-2023-21843.
To fix these vulnerabilities, update to OpenJDK-19.0.2 using the instructions from OpenJDK (sysv) or OpenJDK (systemd).
In WebKitGTK+-2.38.5, a security vulnerability was fixed that could allow for remote code execution. It occurs when processing maliciously crafted web content. A proof of concept exists and is public, and Apple is aware of reports that this vulnerability is under active exploitation. This occurs due to type confusion, and was addressed with improved logic checks. A temporary workaround would be to set the environment variable JSC_useDFGJIT=0 to force WebKitGTK+ to not use the Just-In-Time JS compiler. If you have WebKitGTK+ installed on your system, it is imperative that you apply this update immediately. This vulnerability has been assigned CVE-2023-23529. Further information can be found in Apple's security advisory for iPadOS 16.3.1, which uses the same version of the WebKit rendering engine: Apple Security Advisory.
To fix this vulnerability, update to WebKitGTK+-2.38.5 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.
In cURL-7.88.1, three security vulnerabilities were fixed that could allow for denial of service and HSTS bypass. The denial of service issue occurs when transferring data which is compressed. The problem happens when data is compressed multiple times, since cURL supports chained HTTP compression algorithms. Due to a logic flaw, it was possible for malicious servers to insert a virtually unlimited number of compression steps simply by using many headers. This can cause a "malloc bomb", where cURL spends enormous amounts of heap memory and eventually runs out of system resources. In the case of the two HSTS bypass vulnerabilities, one occurs due to cURL's cache saving behaving incorrectly when using multiple URLs in parallel, and the other allows for HSTS bypass because cURL's HSTS mechanism would ignore subsequent transfers when done on the same command line (due to the state not being properly carried on). Note that the last HSTS vulnerability only affects the cURL command line utility, and not the library. These vulnerabilities have been assigned CVE-2023-23916, CVE-2023-23915, and CVE-2023-23914.
To fix these vulnerabilities, update to cURL-7.88.1 using the instructions from cURL (sysv) or cURL (systemd).
In Thunderbird-102.8.0, several security vulnerabilities were fixed that could allow for user interface lockups, content security policy leaks, screen hijacks, arbitrary memory writes, crashes, undefined behavior, extensions opening applications and executing code without a user's knowledge, and remote code execution. As is the case for most Thunderbird vulnerabilities, exploiting these takes specially crafted emails, or installation of a third party extension which has been compromised. These vulnerabilities have been assigned CVE-2023-0616, CVE-2023-25728, CVE-2023-25730, CVE-2023-0767, CVE-2023-25735, CVE-2023-25737, CVE-2023-25739, CVE-2023-25729, CVE-2023-25732, CVE-2023-25742, and CVE-2023-25746.
To fix these vulnerabilities, update to Thunderbird-102.8.0 using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In node.js-18.14.1, five security vulnerabilities were fixed. One of these is rated as High. See node.js blog. These vulnerabilities have been assigned CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, and CVE-2023-24807.
To fix these vulnerabilities, update to node.js-18.14.1 or later using the instructions from Node.js (sysv) or Node.js (systemd).
These also apply to node v16 from the 11.2 book; for that you could alternatively update to v16.19.1 using the instructions from the 11.2 book, but BLFS will not be tracking v16.
In PHP-8.2.3, three security vulnerabilities were fixed that could allow for trivial authentication bypass and denial-of-service (application crashes). The authentication bypass occurs in the password_verify() function, where it was determined that it would always return true with some hashes, which would allow for a trivial authentication bypass. One of the denial of service vulnerabilities is caused by a 1-byte array overrun in common path resolution code, and the other denial of service vulnerability can be triggered when parsing multipart request bodies. It's imperative that you update PHP to 8.2.3 immediately if you are using the password_verify() function. These security vulnerabilities have been assigned CVE-2023-0567, CVE-2023-0568, and CVE-2023-0662.
To fix these vulnerabilities, update to PHP-8.2.3 using the instructions from PHP (sysv) or PHP (systemd).
In git-2.39.2, two security vulnerabilities were fixed that could allow for data exfiltration and path traversal through abusing symbolic links in repositories. One of these relies on the user feeding a crafted input to the 'git apply' command (and the path outside the working tree will be overwritten as long as that user has the authority to do so), and the other relies on the use of submodules. Note that the data exfiltration vulnerability can be worked around by not cloning repositories with '--recurse-submodules', and running 'git submodule update' at each layer of a repository using submodules. When doing this, it's also important to inspect all .gitmodules files to ensure that they do not contain suspicious module URLs. These vulnerabilities have been assigned CVE-2023-22490 and CVE-2023-23946.
To fix these vulnerabilities, update to git-2.39.2 or later using the instructions from git (sysv) or git (systemd).
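The manual check recommended above (inspect every .gitmodules file before running 'git submodule update') can be scripted. The following is an added example, not BLFS or git project code: it parses a .gitmodules file and flags submodule URLs that are not ordinary remote transports. The sample file contents and host names are constructed.

```python
"""Flag submodule URLs in a .gitmodules file that deserve a closer look.

Added example (not BLFS or git project code). A submodule whose URL is a
local path or a file:// URL instead of a remote transport is one of the
"suspicious module URLs" the advisory asks you to look for before running
'git submodule update' on a freshly cloned repository.
"""
import re
from urllib.parse import urlsplit

# Transports that fetch from a remote host. Anything else is reported.
REMOTE_SCHEMES = {"https", "http", "ssh", "git"}
# scp-like syntax, e.g. git@host:owner/repo.git (host part has no slash).
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:.+$")
SECTION = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} from .gitmodules text."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEYVAL.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def classify_url(url):
    """Return None for an ordinary remote URL, otherwise a short reason."""
    if any(ord(c) < 0x20 for c in url):
        return "control character in URL"
    if SCP_LIKE.match(url):
        return None
    parts = urlsplit(url)
    if parts.scheme in ("", "file"):
        return "local path or file:// transport"
    if parts.scheme not in REMOTE_SCHEMES:
        return f"unexpected transport {parts.scheme!r}"
    if not parts.netloc:
        return "remote URL without a host"
    return None


def find_suspicious(text):
    """Return [(name, url, reason)] for every submodule that needs review."""
    findings = []
    for name, conf in parse_gitmodules(text).items():
        url = conf.get("url", "")
        reason = classify_url(url) if url else "missing url"
        if reason:
            findings.append((name, url, reason))
    return findings


# Constructed sample: two ordinary remotes and two local-path submodules.
SAMPLE = """\
[submodule "libfoo"]
\tpath = deps/libfoo
\turl = https://example.org/libfoo.git
[submodule "libbar"]
\tpath = deps/libbar
\turl = git@example.org:team/libbar.git
[submodule "odd"]
\tpath = deps/odd
\turl = ../../local/mirror
[submodule "odd2"]
\tpath = deps/odd2
\turl = file:///tmp/mirror
"""

if __name__ == "__main__":
    for name, url, reason in find_suspicious(SAMPLE):
        print(f"{name}: {url!r}: {reason}")
```

Run it against the .gitmodules of each layer you are about to update; an empty result means every submodule URL uses a remote transport, which is the expected case for public repositories.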
In intel-microcode-20230214, three hardware vulnerabilities were fixed. Two of them allow a local privileged user to disclose the information in an SGX (Intel Software Guard Extensions) enclave, affecting 9th Generation Intel Core desktop processors, 10th Generation Intel Core mobile processors, Intel Pentium Silver, J, and N Series processors, 3rd Generation Intel Xeon Scalable processors, and Intel Xeon D processors. The other one allows a privileged user to enable escalation of privilege via adjacent network access, affecting 3rd Generation Intel Xeon Scalable processors and Intel Atom P59xx, P53xx, and C53xx processors. These vulnerabilities have been assigned CVE-2022-21216, CVE-2022-33196, and CVE-2022-38090.
If you are running the system on an affected processor, to fix these vulnerabilities, update to intel-microcode-20230214 or later using the instructions for About Firmware (sysv) or About Firmware (systemd).
In Firefox-102.8.0esr, eleven security vulnerabilities applicable to linux systems were fixed, eight of them rated as High by upstream. Details at mfsa-2023-06. These vulnerabilities have been assigned CVE-2023-0767 which only applies if using the shipped NSS instead of system NSS, CVE-2023-25728, CVE-2023-25729, CVE-2023-25730, CVE-2023-25732, CVE-2023-25737, CVE-2023-25737, CVE-2023-25739, CVE-2023-25742, CVE-2023-25744 and CVE-2023-25746.
To fix these vulnerabilities, update to Firefox-102.8.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In the Javascript code of firefox-102.8.0 there is a fix for a Use After Free, which could cause a potentially exploitable crash, rated as High by Mozilla - see CVE-2023-25735 in mfsa-2023-06. Further details may appear at CVE-2023-25735.
To fix this, update to JS-102.8.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).
In NSS-3.88.1, 3.79.4 and 3.87.1, a bug was fixed where an attacker could construct a PKCS #12 certificate bundle in such a way that it could allow for arbitrary memory writes.
This has been assigned CVE-2023-0767 and is mentioned in the mozilla advisory for the firefox-102.8.0 release, mfsa-2023-06.
To fix this, update to at least NSS-3.88.1 using the instructions for NSS (sysv) or NSS (systemd).
BLFS updated to ImageMagick-7.1.0-61 from 7.1.0-46. Belatedly, two CVEs have been raised against 7.1.0-49 (each with the same one-line fix in 7.1.0-52). These were for a Denial of Service and possible information disclosure on PNG files. The relevant code in 7.1.0-49 was identical in 7.1.0-46. These vulnerabilities have been assigned CVE-2022-44267 and CVE-2022-44268.
To fix these, update to ImageMagick-7.1.0-61 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).
In GnuTLS-3.8.0, a security vulnerability which allowed a remote attacker to perform a man-in-the-middle attack was fixed. An error in TLS RSA key exchange allowed a remote attacker to perform Bleichenbacher oracle attacks using malformed TLS RSA keys, and potentially decrypt information. This vulnerability has been assigned CVE-2023-0361.
To fix this vulnerability, update to GnuTLS-3.8.0 or later using the instructions for GnuTLS (sysv) or GnuTLS (systemd).
In Seamonkey-2.53.15, several security vulnerabilities that were fixed in Firefox and Thunderbird's 102.x series were fixed. These could allow for remote code execution, email spoofing, content security bypasses, UI spoofing, DNS redirection, remotely exploitable crashes, and keystroke leakage. Update to Seamonkey-2.53.15 immediately. These vulnerabilities have been assigned CVE-2022-36319, CVE-2022-36318, CVE-2022-2505, CVE-2022-38472, CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, CVE-2022-3033, CVE-2022-3032, CVE-2022-3034, CVE-2022-36059, CVE-2022-3266, CVE-2022-40959, CVE-2022-40960, CVE-2022-40958, CVE-2022-40956, CVE-2022-40597, CVE-2022-40692, CVE-2022-39249, CVE-2022-39250, CVE-2022-39251, CVE-2022-39236, CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42932, CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421, CVE-2022-46874, CVE-2022-46880, CVE-2022-46872, CVE-2022-46881, CVE-2022-46874, CVE-2022-46882, CVE-2022-46878.
To fix these vulnerabilities, update to Seamonkey-2.53.15 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).
In Thunderbird-102.7.2, several security vulnerabilities were fixed that could allow for arbitrary file reads, spoofing attacks, content security policy bypasses, notification bypasses, remote code execution, and invalid signature verification of emails (due to the revocation status of S/MIME signature certificates not being checked). Update to Thunderbird-102.7.2 as soon as possible, especially if you are using the signature verification functionality. These vulnerabilities have been assigned CVE-2022-46871, CVE-2023-23958, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605, and CVE-2023-0430.
To fix these vulnerabilities, update to Thunderbird-102.7.2 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).
In Samba-4.17.5, a significant improvement to a prior security fix for a high severity security vulnerability was released. This vulnerability allowed for elevation of privilege to root through the Netlogon RPC subsystem, and also affected Windows. Note that this version of Samba fixes several other bugs when using macOS clients with Samba. This vulnerability has been assigned CVE-2022-38023.
To fix this vulnerability, update to Samba-4.17.5 using the instructions from Samba (sysv) or Samba (systemd).
In PostgreSQL-15.2, a security vulnerability was fixed that could allow for an unauthenticated server to send an unterminated string during the establishment of Kerberos transport encryption. When this occurs, and a libpq client application has a Kerberos credential cache set up that doesn't explicitly disable the gssencmode option, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If the caller somehow makes that message accessible to the attacker, it will achieve a disclosure of over-read bytes. It has not been confirmed that a crash or leakage of confidential information can be achieved. It is important that you update PostgreSQL if you are using Kerberos transport encryption in your configuration. Alternatively, you can disable the gssencmode option as a workaround on any clients. Note that no dump/restore is required if upgrading from another version in the 15 series, and 14.7 has been released for PostgreSQL-14 users. This vulnerability has been assigned CVE-2022-41862.
To fix this vulnerability, update to PostgreSQL-15.2 or later using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).
In Xwayland before version 22.1.8, a dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into freed memory. This issue can lead to local privilege elevation on systems where Xwayland is running privileged and remote code execution for ssh X forwarding sessions. This vulnerability has been assigned CVE-2023-0494.
To fix this, update to at least Xwayland-22.1.8 using the instructions for Xwayland (sysv) or Xwayland (systemd).
In e2fsprogs-1.46.6, a security vulnerability was fixed that could allow for a segmentation fault or arbitrary code execution when mounting or running fsck on a specially crafted filesystem. This occurs due to an out-of-bounds read/write. This vulnerability has been assigned CVE-2022-1304.
To fix this vulnerability, update to e2fsprogs-1.46.6 or later using the instructions from e2fsprogs (sysv) or e2fsprogs (systemd).
In OpenSSL-3.0.8, eight security vulnerabilities were fixed that could allow for remotely exploitable denial of service, arbitrary reading of memory (including the ability to harvest private keys), plaintext data recovery, and side channel attacks. These vulnerabilities occur when performing PKCS7 data verification, validating DSA public keys, decrypting RSA data, using X.509 certificates, and when using various different OpenSSL API functions. Since OpenSSL is used in a variety of different contexts and applications for cryptography operations, it is imperative that you update OpenSSL on all affected systems immediately. For older systems which do not use OpenSSL-3 (LFS 11.1 for example), you should upgrade to 1.1.1t instead of 3.0.8. These vulnerabilities have been assigned CVE-2023-0286, CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401. Additional information can be found at OpenSSL Security Advisory.
To fix these vulnerabilities, update to OpenSSL-3.0.8 or later using the instructions from OpenSSL (sysv) or OpenSSL (systemd).
In Linux-6.1.9 (and 5.15.91), three security vulnerabilities were fixed that could allow for remotely exploitable system crashes, leakage of stack/heap addresses, local privilege escalation, and arbitrary code execution. These vulnerabilities existed in the Netfilter subsystem (buffer overflow), the IPv6 subsystem (NULL pointer dereference in rawv6_push_pending_frames), and the kernel's NTFS3 driver (NULL pointer dereference). The IPv6 vulnerability can be exploited during normal system usage, and the NTFS vulnerability requires the user to mount a filesystem with NTFS Extended Attributes. The most serious of these vulnerabilities is the Netfilter buffer overflow, and a mitigation is possible by running "sysctl -w kernel.unprivileged_userns_clone=0". Note that this will break desktop environments and any other applications which use User Namespaces though, such as QtWebEngine. These vulnerabilities have been assigned CVE-2023-0179, CVE-2023-0394, and CVE-2022-4842.
To fix these vulnerabilities, update to Linux-6.1.9 (or Linux-5.15.91) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In WebKitGTK+-2.38.4, three security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content. All three of these issues are related to memory management problems. Note that since WebKitGTK+ is used to process HTML content in emails when using Evolution, it is possible for malicious HTML emails to exploit these vulnerabilities. These vulnerabilities may also be exploited via malicious advertisements. These vulnerabilities have been assigned CVE-2023-23517, CVE-2023-23518, and CVE-2022-42826. Further information can be found in Apple's security advisory for Safari 16.3, which uses the same version of the WebKit rendering engine: Apple Security Advisory.
To fix these vulnerabilities, update to WebKitGTK+-2.38.4 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.
In Wireshark-4.0.3, several security vulnerabilities were fixed that could allow for crashes, memory leaks, and excessive CPU resource consumption. These vulnerabilities all occur when dissecting different types of packets during a packet capture or analysis, and can be exploited by running Wireshark on a network which has crafted EAP, NFS, GNW, iSCSI, TIPC, BPv6, NCP, or RTPS packets passing through it. This can also occur by reading a malformed packet trace file. These vulnerabilities have not been assigned CVEs, but more details about them can be found at WNPA-SEC-2023-01, WNPA-SEC-2023-02, WNPA-SEC-2023-03, WNPA-SEC-2023-04, WNPA-SEC-2023-05, WNPA-SEC-2023-06, and WNPA-SEC-2023-07.
To fix these vulnerabilities, update to Wireshark-4.0.3 using the instructions from Wireshark (sysv) or Wireshark (systemd).
In Xorg-Server before version 21.1.7, a dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into freed memory. This issue can lead to local privilege elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. This vulnerability has been assigned CVE-2023-0494.
To fix this, update to at least Xorg-Server-21.1.7 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).
In apr-1.7.0 and earlier, three vulnerabilities have been found:
An integer overflow or wraparound vulnerability in the apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond the bounds of a buffer.
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of an integer overflow.
The fix for an out-of-bounds array dereference in the apr_time_exp*() functions was restored.
These could allow for denial of service or remote code execution. These vulnerabilities have been assigned CVE-2022-24963, CVE-2022-28331, and CVE-2021-35940.
To fix these vulnerabilities, update to apr-1.7.2 using the instructions from Apr (sysv) or Apr (systemd).
In apr-util-1.6.1 and prior, an integer overflow or wraparound vulnerability in apr_base64 functions allows an attacker to write beyond bounds of a buffer. This could allow for denial of service or arbitrary code execution. This vulnerability has been assigned CVE-2022-25147.
To fix this vulnerability, update to apr-util-1.6.3 using the instructions from Apr-Util (sysv) or Apr-Util (systemd).
In Glibc-2.37, a security vulnerability was fixed in the syslog function that could allow an information disclosure with a long (> 1024 bytes) input. This vulnerability has been assigned CVE-2022-39046. The only Glibc release affected is 2.36.
To fix this vulnerability, back up the system first, then apply the patch for Glibc-2.36 and rebuild it with the instructions from Glibc. After testing the package with make check, instead of installing it directly, perform a DESTDIR installation with make install DESTDIR=$PWD/dest. Now as the root user, replace the library files containing the syslog function:
install -vm755 dest/usr/lib/libc.so.6 /usr/lib
install -vm644 dest/usr/lib/libc.a /usr/lib
If the debug symbols for Glibc are stripped from the library files and saved in a separate libc.so.6.dbg file (as demonstrated in Stripping), use the following commands instead to replace the library files and the debug symbol file:
objcopy --only-keep-debug dest/usr/lib/libc.so.6{,.dbg}
strip --strip-unneeded dest/usr/lib/libc.{a,so.6}
objcopy --add-gnu-debuglink=/usr/lib/libc.so.6.dbg dest/usr/lib/libc.so.6
install -vm755 dest/usr/lib/libc.so.6 /usr/lib
install -vm644 dest/usr/lib/libc.{a,so.6.dbg} /usr/lib
After the files are replaced, reboot the system immediately.
Alternatively, update to the latest LFS stable release if you can afford a system rebuild.
In Sudo-1.9.12p2, a flaw in sudo's -e option (aka sudoedit) was fixed that could allow a malicious user with sudoedit privileges to edit arbitrary files. This vulnerability has been assigned CVE-2023-22809.
To fix this vulnerability, update to Sudo-1.9.12p2 using the instructions from Sudo.
In PHP-8.2.1, a security vulnerability was fixed in the PDO_SQLite module that could allow for an unquoted string to be returned due to an uncaught integer overflow in PDO::quote(). This is due to PHP's implementation of sqlite3_snprintf(), where it's possible to force the function to return a single apostrophe if the function is called on user supplied input without any length restrictions in place. Upgrading to PHP-8.2.1 is only necessary if you use the PDO_SQLite module. This vulnerability has been assigned CVE-2022-31631.
To fix this vulnerability, update to PHP-8.2.1 using the instructions from PHP (sysv) or PHP (systemd).
In httpd-2.4.55, three security vulnerabilities were fixed in the mod_proxy, mod_proxy_ajp, and mod_dav modules which could allow for remotely exploitable crashes, HTTP Response Splitting, and Request Smuggling. These vulnerabilities only affect BLFS users who have those modules enabled in their HTTPD configuration. These vulnerabilities have been assigned CVE-2006-20001, CVE-2022-36370, and CVE-2022-37436.
To fix these vulnerabilities, update to httpd-2.4.55 using the instructions from Apache (sysv) or Apache (systemd).
In git-2.39.1, two security vulnerabilities were fixed which could allow for arbitrary heap reads and writes, which can allow for remote code execution. The git project advises all users to upgrade immediately as no workarounds are available for the issues. The issues can occur when using the 'git log' and 'git archive' commands, especially when using the --format option, and they can also occur when a .gitattributes file exists within a repository. These issues are all classified as integer overflows. These vulnerabilities have been assigned CVE-2022-41903 and CVE-2022-23521.
To fix these vulnerabilities, update to git-2.39.1 using the instructions from git (sysv) or git (systemd).
In Linux-6.1.6 (and Linux-5.15.89), several security vulnerabilities were fixed that could allow for information disclosure, remote code execution, remotely-triggered denial of service, and data loss. These vulnerabilities occur in a variety of places, including the core network stack, namespaces (Net/User namespaces), the BPF subsystem, the SGI-GRU subsystem, the NFS Daemon, the multimedia subsystem (for digital video recorders), the VMware and Intel graphics drivers, the network scheduler, the /proc filesystem, the Xen subsystem, the sysctl subsystem, and the Bluetooth subsystem. Because of the number of vulnerabilities and their severities, it's recommended to upgrade your kernel as soon as possible. These vulnerabilities have been assigned CVE-2022-4378, CVE-2022-3435, CVE-2022-45934, CVE-2022-42329, CVE-2022-3643, CVE-2022-42328, CVE-2022-3531, CVE-2022-3532, CVE-2022-3534, CVE-2022-3424, CVE-2022-4379, CVE-2022-36280, CVE-2022-41218, CVE-2023-23454, CVE-2022-3707, CVE-2022-23455, and CVE-2023-0210.
To fix these vulnerabilities, update to Linux-6.1.6 (or Linux-5.15.89) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In rxvt-unicode-9.31, a critical security vulnerability was fixed that could allow for remote code execution in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. Note that the default configuration supplied in BLFS 11.2 is vulnerable due to its use of the Perl extension. This vulnerability has been assigned CVE-2022-4170.
To fix this vulnerability, update to rxvt-unicode-9.31 or later using the instructions from rxvt-unicode (sysv) or rxvt-unicode (systemd).
In WebKitGTK+-2.38.3, several security vulnerabilities were fixed that could allow for remote code execution, disclosure of process memory, Same Origin Policy bypass, sensitive user information disclosure, and denial of service. These vulnerabilities all occur when processing crafted web content, and may be exploited via malicious advertisements on pages as well as embedded HTML content in mails, and standard visits to malicious webpages. Most of these issues were fixed with improved input validation, improved memory handling, and improved state handling. These vulnerabilities have been assigned CVE-2022-42852, CVE-2022-42856, CVE-2022-42867, CVE-2022-46692, CVE-2022-46698, CVE-2022-46699, and CVE-2022-46700.
To fix these vulnerabilities, update to WebKitGTK+-2.38.3 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.
In Firefox-102.7.0esr, seven security vulnerabilities were fixed, three of them rated as High by upstream. Details at mfsa-2023-02. These vulnerabilities have been assigned CVE-2023-23598, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605, CVE-2022-46871 and CVE-2022-46877.
To fix these vulnerabilities, update to Firefox-102.7.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In all versions of Rust before 1.66.1, Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle attacks. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH, as that'd cause you to clone the crates.io index through SSH.
The rust security advisory is https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html. At the moment it appears that most rust users do not explicitly use SSH, but the extent of SSH usage by developers who use rust is not known. For those who do explicitly use SSH in rust, the severity should be regarded as High.
Please see CVE-2022-46176.
To fix this vulnerability, update to rustc-1.66.1 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).
In QtWebEngine-5.15.12, many Chromium security vulnerabilities were fixed, including two rated as Critical that allow a remote attacker who has compromised the renderer to escape the sandbox, as well as many rated High allowing a remote attacker to potentially exploit heap corruption. Most of these are via a crafted HTML page, two are via a crafted PDF file, and a few require the user to install a malicious extension (which might not apply to users of qtwebengine). CVE-2022-4262, CVE-2022-4181, CVE-2022-4180, CVE-2022-4174, CVE-2022-3890, CVE-2022-3887, CVE-2022-3885, CVE-2022-3573, CVE-2022-3446, CVE-2022-3445, CVE-2022-3373, CVE-2022-3370, CVE-2022-3304, CVE-2022-3201, CVE-2022-3200, CVE-2022-3199, CVE-2022-3198, CVE-2022-3197, CVE-2022-3196, CVE-2022-3075, CVE-2022-3046, CVE-2022-3041, CVE-2022-3040, and CVE-2022-3038.
To fix these vulnerabilities, update to QtWebEngine-5.15.11 or later using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).
In libtiff-4.5.0, ten security vulnerabilities were fixed that could allow for a denial-of-service or arbitrary code execution when using the tiffcrop utility, as well as when an application checks for a codec-specific tag using the _TIFFCheckFieldIsValidForCodec() function. These occur due to memory allocation problems, floating-point exceptions, buffer overflows, and invalid behavior. Note that the _TIFFCheckFieldIsValidForCodec() function can be exploited by any application that uses Libtiff, including thumbnailers. These vulnerabilities have been assigned CVE-2022-3599, CVE-2022-34526, CVE-2022-3570, CVE-2022-3598, CVE-2022-3627, CVE-2022-3597, CVE-2022-3626, CVE-2022-2056, CVE-2022-2057, and CVE-2022-2058.
To fix these vulnerabilities, update to libtiff-4.5.0 using the instructions from libtiff (sysv) or libtiff (systemd).
In cURL-7.87.0, two security vulnerabilities were fixed that could allow for HSTS bypasses and for secure tunneling to fail when using TELNET and SMB. In the case of the HSTS bypass, this can lead to plaintext transmission of sensitive information, and in the case of the secure tunnel failure, it can allow for either a crash or unintended behavior. Note that you must use internationalized domain names (IDN) for the HSTS bypass to work, and you must use SMB/TELNET through cURL and stunnel for the stunnel failure to work. These vulnerabilities have been assigned CVE-2022-43551 and CVE-2022-43552.
To fix these vulnerabilities, update to cURL-7.87.0 or later using the instructions from cURL (sysv) or cURL (systemd).
In glib-2.74.4, several security vulnerabilities were fixed in the GVariant subsystem when processing untrusted data, and some input validation was added to the 'GDBusMenuModel'. Upstream has declared these as security fixes, but no CVEs have been assigned, and there are a variety of impacts such as denial of service, arbitrary code execution, and undesirable application behavior. Please check the forum post for more details: GNOME Discourse Forum Post.
To fix these vulnerabilities, update to glib-2.74.4 or later using the instructions from glib (sysv) or glib (systemd).
In systemd-246 and higher, a security vulnerability was discovered that could allow for a local information leak and for privilege escalation. This vulnerability exists in the systemd-coredump program, and is caused by systemd-coredump not respecting the fs.suid_dumpable kernel setting. The BLFS team has developed a patch for systemd-251 and systemd-252 that fixes this vulnerability. Note that this vulnerability theoretically could be exploited any time an application crashes, and can even be exploited by users who intentionally crash programs (such as the 'su' command). There is a proof-of-concept available publicly that allows for the root user's password hash to be leaked through the usage of the 'su' command by an unprivileged user. If you do not wish to patch systemd, a workaround would be to set the fs.suid_dumpable flag to 0, using the following command: "sysctl -w fs.suid_dumpable=0", but note that you will be unable to debug application crashes from other users (including from root). This vulnerability has been assigned CVE-2022-4415, and more information is available at oss-security mailing list post.
To fix this vulnerability, update to systemd-252 with the patch using the instructions from systemd in BLFS development.
Alternatively, you can rebuild systemd-251 with the patch from systemd-251 security patch, applying this patch before the systemd-251-glibc_2.36_fix-1.patch in systemd in BLFS 11.2.
The development books are using Python-3.11 and the details of how to build that series of Python have changed. If you update from an older series to 3.11 you will need to rebuild all Python3 modules, including meson and wheel (the latter was added for LFS-11.2). Alternatively, Python-3.10 (and some older series) are still maintained by upstream although fixes may take a little longer to appear. If you stick with 3.10 on an existing system you will not need to rebuild modules. Therefore, please choose whether to upgrade to Python-3.11.1 or to Python-3.10.9.
In Python-3.11.1, five security vulnerabilities were fixed, with one rated as High. See Python 3.11.1 Release Notes. The IDNA codec decoder vulnerability has been assigned CVE-2022-45061; the other vulnerabilities have not been assigned CVEs.
To fix these vulnerabilities using the Python-3.11 series, update to Python-3.11.1 using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).
Alternatively, a similar set of vulnerabilities, with one rated as Critical and two rated as High, has been fixed in Python-3.10.9, see Python 3.10.9 Release Notes. The fixes with CVEs are CVE-2022-37474, CVE-2022-42919 and CVE-2022-45061. Please note that you should read the 'Looking for a specific release?' section of https://www.python.org/downloads/ to get the source and to find when a future 3.10 release is available.
To fix these vulnerabilities, update to Python-3.10.9, following the instructions from the BLFS 11.2 books: Python3 (sysv) or Python3 (systemd).
In libksba-1.6.3 a severe bug in parsing ASN.1 structures was fixed. Full details at gnupg blog and it has been assigned CVE-2022-47629.
To fix this, update to Libksba-1.6.3 or later using the instructions for Libksba (sysv) or Libksba (systemd).
In xorg-server-21.1.6, two security vulnerabilities were fixed that could allow an attacker to write into random memory of the X server. This is especially a problem when the server is run as root. These vulnerabilities have been assigned CVE-2022-3550 and CVE-2022-3551.
To fix these vulnerabilities, update to xorg-server-21.1.6 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).
In Samba-4.17.4, four security vulnerabilities were fixed that could allow for elevation of privilege. These vulnerabilities are identical to the "Microsoft Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability" and "Netlogon RPC Elevation of Privilege Vulnerability" disclosed on November 8th, 2022. It was later found that these vulnerabilities allow for privilege escalation in the same way within Samba. Three of the vulnerabilities (which are related to Kerberos) require the system to be in an Active Directory domain, or Samba running in AD DC mode. However, the Netlogon vulnerability affects all configurations of Samba. Note that this update also fixes support for connecting to (and from) Microsoft Windows 11 22H2 systems, which could previously cause Samba to crash. These vulnerabilities have been assigned CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, and CVE-2022-45141.
To fix these vulnerabilities, update to Samba-4.17.4 using the instructions from Samba (sysv) or Samba (systemd).
In WebKitGTK+-2.38.2, five security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, disclosure of internal states from the application, user interface spoofing, and disclosure of sensitive user information (such as saved passwords). These vulnerabilities were resolved with improved boundary checking, state management, UI handling, and memory handling. These vulnerabilities can be exploited through malicious advertisements, HTML email, and via browsing to an impacted site. The BLFS team recommends updating WebKitGTK+ immediately. These vulnerabilities have been assigned CVE-2022-32888, CVE-2022-32923, CVE-2022-42799, CVE-2022-42823, and CVE-2022-42824.
To fix these vulnerabilities, update to WebKitGTK+-2.38.2 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.
In xwayland-22.1.6, six security vulnerabilities were fixed that could allow for local attackers to elevate privileges, and for remote attackers to elevate privileges on systems that use X forwarding. These vulnerabilities have been assigned CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, and CVE-2022-4283.
To fix these vulnerabilities, update to xwayland-22.1.6 or later using the instructions for xwayland (sysv) or xwayland (systemd).
In xorg-server-21.1.5, six security vulnerabilities were fixed that could allow for local attackers to elevate privileges, and for remote attackers to elevate privileges on systems that use X forwarding. These vulnerabilities have been assigned CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, and CVE-2022-4283.
To fix these vulnerabilities, update to xorg-server-21.1.5 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).
In Thunderbird-102.6.0, six security vulnerabilities were fixed, four of them rated as High by upstream. Details at mfsa-2022-53. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. These vulnerabilities have been assigned CVE-2022-46872, CVE-2022-46874, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881 and CVE-2022-46882.
To fix these vulnerabilities, update to Thunderbird-102.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-102.6.0esr, six security vulnerabilities were fixed, four of them rated as High by upstream. Details at mfsa-2022-52. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. These vulnerabilities have been assigned CVE-2022-46872, CVE-2022-46874, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881 and CVE-2022-46882.
To fix these vulnerabilities, update to Firefox-102.6.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In Wireshark-4.0.2, two security vulnerabilities were fixed that could allow for a denial of service (CPU resource exhaustion) due to infinite loops in protocol dissectors. These vulnerabilities impact the BPv6, OpenFlow, and Kafka protocol dissectors in particular, and can be triggered either via a malicious PCAP packet trace, or when using Wireshark to capture packets on a network. If you are using Wireshark on a network where BPv6, OpenFlow, or Kafka packets may be transmitted, update to Wireshark-4.0.2. These vulnerabilities have not been assigned CVEs at this time, but more details about them can be found here: Wireshark Security Advisory 2022-09 and Wireshark Security Advisory 2022-10.
To fix these vulnerabilities, update to Wireshark-4.0.2 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
In Ruby-3.1.3, a security vulnerability was fixed that can allow for HTTP response splitting in applications which use the 'CGI' gem. If an application which uses the built-in 'CGI' gem generates HTTP responses with untrusted/unverified user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. The contents of the CGI::Cookie object were also not checked properly. If an application creates a cookie using that malicious user input, an attacker could inject invalid attributes into the Set-Cookie header. Since this gem is built into the Ruby interpreter itself, it's recommended to update even if you don't have applications written in Ruby which handle HTTP requests. This vulnerability has been assigned CVE-2021-33621.
To fix this vulnerability, update to Ruby-3.1.3 or later using the instructions from Ruby (sysv) or Ruby (systemd).
In Linux-6.0.11 (and Linux-5.15.81), a security vulnerability has been fixed. It affects the integrated graphics of 12th generation Intel processors. The full consequences are not yet analyzed, but it allows an attacker to get R/W access to physical memory through the GPU, possibly leading to data leaks and memory corruption. This vulnerability has been assigned CVE-2022-4139.
To fix this vulnerability, update to Linux-6.0.11 (or Linux-5.15.81) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In Thunderbird-102.5.1, a security vulnerability was fixed, rated as Moderate by upstream. Details at mfsa-2022-50. This vulnerability has been assigned CVE-2022-45403.
To fix this vulnerability, update to Thunderbird-102.5.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Linux-6.0.8 (and Linux-5.15.78), three security vulnerabilities have been fixed. One of those could be exploited with a malicious USB device and trivially cause a kernel panic. If KASLR is disabled or bypassed, the exploitation might cause arbitrary code execution as well. The consequences of the other two vulnerabilities are not fully published yet. These vulnerabilities have been assigned CVE-2022-3628, CVE-2022-42895, and CVE-2022-42896.
To fix these vulnerabilities, update to Linux-6.0.8 (or Linux-5.15.78) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In Thunderbird-102.5.0, thirteen security vulnerabilities were fixed, seven of them rated as High by upstream. Details at mfsa-2022-49. These vulnerabilities have been assigned CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420 and CVE-2022-45421.
To fix these vulnerabilities, update to Thunderbird-102.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Samba-4.17.3, a security vulnerability was fixed that could allow for arbitrary code execution or application crashes on 32-bit systems. These occur due to the same bug as the one in krb5, because Samba uses a bundled copy of MIT Kerberos (and the Heimdal implementation is also impacted). If you are using Samba in a server capacity on a 32-bit system, update to Samba-4.17.3 immediately. This vulnerability has been assigned CVE-2022-42898.
To fix this vulnerability, update to Samba-4.17.3 or later using the instructions from Samba (sysv) or Samba (systemd).
In krb5-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution or application crashes on 32-bit systems. These occur due to a bug which allows remote attackers to read beyond the bounds of allocated memory, due to an integer overflow. Note that Samba is also impacted by this vulnerability, but is again only affected on 32-bit systems. Privileged attackers can also cause applications to crash which rely on the Kerberos libraries, rather than just the Kerberos applications (such as krb5kdc and kadmind). Since this vulnerability only affects 32-bit systems, the severity is only listed as Medium. However, if you are running such a system, especially in a server capacity, you should update to krb5-1.20.1 immediately. This vulnerability has been assigned CVE-2022-42898.
To fix this vulnerability, update to krb5-1.20.1 or later using the instructions from MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd).
In Firefox-102.5.0esr, twelve security vulnerabilities were fixed, seven of them rated as High by upstream. Details at mfsa-2022-48. These vulnerabilities have been assigned CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45418, CVE-2022-45420 and CVE-2022-45421.
To fix these vulnerabilities, update to Firefox-102.5.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In the Javascript code of firefox-102.5.0 there is a fix for a Use After Free of a Javascript Realm, which could cause a potentially exploitable crash, rated as High by Mozilla - see CVE-2022-45406 in mfsa-2022-48. Further details may appear at CVE-2022-45406.
To fix this, update to JS-102.5.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).
In xfce4-settings-4.16.5, a security vulnerability was fixed that could allow for argument injection when processing MIME types. This could allow an attacker to inject arguments, such as a path to a remote filesystem, into a MIME type when using the xfce4-mime-settings program (or using "Default Applications" within the Settings Manager). The details for this vulnerability are sparse at this time, with the only mentions of it being within a release note, and the Gitlab issue is not public yet. As a result, it is unknown if a CVE has been assigned. However, more details can be found at the upstream commit and the XFCE Mailing List Announcement.
To fix this vulnerability, update to xfce4-settings-4.16.5 or later using the instructions from xfce4-settings (sysv) or xfce4-settings (systemd).
In sysstat-12.6.1, a security vulnerability was fixed that could allow for remote code execution when using the sysstat utilities. This occurs due to a size_t overflow in the shared code between all of the utilities. The function in question, allocate_structures, does not check boundaries before arithmetic manipulation, allowing for an overflow in the size allocated for representing system activities. This can lead to remote code execution, but only affects 32-bit machines. 64-bit machines are thus immune to this vulnerability. Note that the most common way of triggering this vulnerability is by displaying activity files. This vulnerability has been assigned CVE-2022-39377.
To fix this vulnerability, update to sysstat-12.6.1 or later using the instructions from sysstat (sysv) or sysstat (systemd).
In PHP-8.1.12, two security vulnerabilities were fixed in a couple of the internal modules that could allow for passing specially crafted data to a web application, to trigger an out-of-bounds read error, to read contents of memory on the system, decrypt information, and to execute arbitrary code. Both of these vulnerabilities are a result of insufficient input validation and buffer overflows. One of them is in the hashing library and is due to an underlying bug in the XKCP SHA-3 Reference Implementation, and the other occurs in the imageloadfont() function when the GD module is in use. If you run an application that uses the GD or Hash modules in PHP, you should update to the latest version immediately. These vulnerabilities have been assigned CVE-2022-31630 and CVE-2022-37454.
To fix these vulnerabilities, update to PHP-8.1.12 using the instructions for PHP (sysv) or PHP (systemd).
In ntfs-3g-2022.10.3, a security vulnerability was fixed that could allow for arbitrary code execution at the kernel level. Note that successful exploitation of this vulnerability requires physical access to the computer in order to insert a compromised USB flash drive. The vulnerability is a result of invalid verification of some of the NTFS metadata, and it is classified as a buffer overflow. This vulnerability is exploitable through both the ntfs-3g driver and all of the NTFS utilities (which may be used on systems where creating or checking a NTFS filesystem is necessary). If you regularly use external media which is shared with other users, updating to ntfs-3g-2022.10.3 is recommended. This vulnerability has been assigned CVE-2022-40284.
To fix this vulnerability, update to ntfs-3g-2022.10.3 using the instructions for ntfs-3g (sysv) or ntfs-3g (systemd).
In Pixman-0.42.2, a security vulnerability was fixed that could allow for either arbitrary code execution or denial-of-service, depending on the context that the library is used in. This vulnerability was caused by an integer overflow in the rasterize_edges_8() function, and is classified as an out-of-bounds write/heap buffer overflow. A proof of concept for this vulnerability exists in the wild, but just causes a crash. Since Pixman is used in most web browsers for pixmap processing, it is recommended that you update to the latest version as soon as possible. This vulnerability has been assigned CVE-2022-44638.
To fix this vulnerability, update to Pixman-0.42.2 or later using the instructions for Pixman (sysv) or Pixman (systemd).
In zlib-1.2.13, a security vulnerability was fixed that could allow for arbitrary code execution when an application calls inflateGetHeader with an overly large gzip header extra field. This is caused by a heap buffer overflow or a buffer over-read. Zlib is used in many, many packages (such as cURL and Node.js), but that use is often not advertised. A public exploit exists for this vulnerability, and exploitation is trivial. Upstream has pulled the previous version of zlib for download, so this one must be used when constructing new LFS 11.2 systems. Update to zlib-1.2.13 immediately. This vulnerability has been assigned CVE-2022-37434.
To fix this vulnerability, update to zlib-1.2.13 using the instructions from zlib (sysv) or zlib (systemd).
NOTE: When upgrading to zlib-1.2.13, update the stripping commands in Chapter 8 to use libz.so.1.2.13 instead of libz.so.1.2.12. This will prevent your system from breaking after running the stripping commands.
In node.js-18.12.1, three security vulnerabilities were fixed. Only one applies to the version (16.18.0) which is in the stable book. It allows an attacker to perform DNS rebinding and execute arbitrary code by passing an invalid octal IP address during a "--inspect" session. This vulnerability has been assigned CVE-2022-43548.
To fix this vulnerability, update to node.js-18.12.1 or later using the instructions from Node.js (sysv) or Node.js (systemd).
In jasper-4.0.0, two security vulnerabilities were fixed that could allow for a denial of service when processing crafted JPEG2000 images. These occur due to memory leaks in the cmdopts_parse function, and an integer overflow in jasper's inttobits() function, which is used when processing JPEG2000 images. Note that this can be exploited through any application which uses jasper for processing JPEG2000 images, such as ImageMagick, gegl (GIMP), or Qt5 (KDE applications such as Gwenview and Okular). Update this package to avoid crashes in those programs. These vulnerabilities have been assigned CVE-2022-2963 and CVE-2022-40755.
To fix these vulnerabilities, update to jasper-4.0.0 or later using the instructions from jasper (sysv) or jasper (systemd).
In Sudo-1.9.12p1, a security vulnerability was fixed that could allow for arbitrary code execution, privilege escalation, or a denial of service. This vulnerability occurs due to a heap-based buffer overread which happens due to an array out-of-bounds error. This vulnerability has a significantly worse impact on x86_64 systems, while on i686 systems it just causes a crash. This can be triggered by arbitrary local users with access to Sudo by entering a password of 7 characters or fewer. Note that this only affects the default BLFS configuration of Sudo, which does not use PAM. If you use PAM with Sudo, you are immune to this vulnerability. A temporary mitigation is to use a password which is more than 8 characters in length. This vulnerability has been assigned CVE-2022-43995.
To fix this vulnerability, update to Sudo-1.9.12p1 or later using the instructions from Sudo (sysv) or Sudo (systemd).
In OpenSSL-3.0.7, three security vulnerabilities were fixed that could allow for remote code execution and denial of service. Note that one of these vulnerabilities was fixed in OpenSSL-3.0.6, but that version was withdrawn shortly after it was released. In the case of the remote code execution, an attacker can craft a malicious email address which will overflow four attacker-controlled bytes on the stack, which guarantees denial-of-service and potentially also causes remote code execution. One of these vulnerabilities is exploitable by a crafted email address which has several '.' (dots) in it. One of the vulnerabilities also allows for NULL encryption when using a custom cipher, but this is uncommon and no packages in LFS or BLFS use this feature. Note that any of these vulnerabilities can be triggered by a TLS client connecting to a malicious server, and in the case of a TLS server, it's triggered when a malicious client connects after authentication. One of the most common mechanisms reported so far is through sending and receiving email, due to the vulnerabilities being in the X.509 certificate verification code, which is commonly used for S/MIME. These vulnerabilities were originally rated as Critical by upstream, but were later downgraded to High. Update to OpenSSL-3.0.7 immediately on ANY system which has OpenSSL-3.x installed. This includes LFS 11.1 and 11.2. These vulnerabilities have been assigned CVE-2022-3602, CVE-2022-3786, and CVE-2022-3358.
To fix these vulnerabilities, update to OpenSSL-3.0.7 or later using the instructions from OpenSSL (sysv) or OpenSSL (systemd).
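As an added example (not part of the BLFS advisory), a POSIX sh helper that applies the "OpenSSL-3.x only" scoping above: it compares dotted version strings field by field and reports whether an installed OpenSSL falls in the affected 3.0.0 to 3.0.6 range, treating the 1.1.1 series as not affected. The last function assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not BLFS code: classify an OpenSSL version against the
# 3.0.7 fix described in the advisory above.

# version_ge A B: exit 0 if dotted version A >= dotted version B.
# Each field is compared numerically; a missing field counts as 0 and
# non-digit suffixes in a field are ignored ("12p1" compares as 12).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}            # first dotted field of each
        af=${af%%[!0-9]*}; bf=${bf%%[!0-9]*} # keep the leading digits only
        af=${af:-0}; bf=${bf:-0}
        if [ "$af" -gt "$bf" ]; then return 0; fi
        if [ "$af" -lt "$bf" ]; then return 1; fi
        # drop the field just compared and move on to the next one
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# openssl_status VERSION: print one of
#   not-affected  - series before 3.x (e.g. 1.1.1s), outside the advisory's scope
#   fixed         - 3.0.7 or later
#   vulnerable    - 3.0.0 .. 3.0.6 (the range the advisory says to update)
# The exit status is 1 only for the vulnerable case, so it can drive a script.
openssl_status() {
    v=$1
    if ! version_ge "$v" 3; then
        printf 'not-affected\n'; return 0
    fi
    if version_ge "$v" 3.0.7; then
        printf 'fixed\n'; return 0
    fi
    printf 'vulnerable\n'
    return 1
}

# installed_openssl_version: second word of "openssl version", e.g.
# "OpenSSL 3.0.5 5 Jul 2022" -> 3.0.5. Assumes openssl is on PATH.
installed_openssl_version() {
    openssl version 2>/dev/null | awk '{print $2}'
}

# Typical use on an LFS 11.1/11.2 system:
#   openssl_status "$(installed_openssl_version)" || echo "update to OpenSSL-3.0.7"
```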
In inetutils-2.4, two security vulnerabilities were fixed in the telnet and telnetd programs which could allow for buffer overflows and crashes, leading to denial of service and remote code execution. In the case of the telnet vulnerability, it occurs due to insufficient validation of environment variables, and it leads to remote code execution and also to the potential of escaping restricted shells on embedded devices. It occurs primarily when processing an oversized DISPLAY argument. In the case of the telnetd vulnerability, it occurs when sending an 'IAC EC' or 'IAC EL' character to the daemon, and just results in a crash. In this version of inetutils, there were also several fixes to the 'ftp' and 'tftp' programs which can prevent crashes, but they were not assigned CVE numbers. These crashes do occur due to integer overflows (and thus out-of-bounds access), NULL pointer dereferences, heap buffer overflows, and infinite macro recursion, so they still should be treated as security problems. These vulnerabilities have been assigned CVE-2019-0053 and CVE-2022-39028.
To fix these vulnerabilities, update to inetutils-2.4 or later using the instructions from Inetutils (sysv) or Inetutils (systemd).
In expat-2.5.0, a security vulnerability was fixed that could allow for a denial of service (or arbitrary code execution) when a system is low on memory. The problem occurs due to overeager destruction of a shared DTD in the XML_ExternalEntityParserCreate function in situations where the system is out of memory, and it is classified as a use-after-free. This can be exploited trivially through malicious advertisements and other crafted web content, but also through other means depending on the context in which an application uses the library. This vulnerability has been assigned CVE-2022-43680.
To fix this vulnerability, update to expat-2.5.0 using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
In Linux-6.0.6 (and Linux-5.15.76), a security vulnerability was fixed that could allow a local unprivileged attacker to cause a kernel panic when running commands on an ext4 filesystem. This vulnerability occurs due to an incorrect directory block check, which used to compare the block number against the directory size in bytes. This vulnerability only affects systems with the ext4 filesystem in use, which is the default configuration used in LFS. This vulnerability has been assigned CVE-2022-1184.
To fix this vulnerability, update to Linux-6.0.6 (or Linux-5.15.76) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).
In OpenJDK-19.0.1, five security vulnerabilities were fixed that could allow an unauthenticated attacker with network access via Kerberos, HTTP, or (more difficult) other protocols, to compromise a Java VM. These vulnerabilities have been assigned CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21628, and CVE-2022-39399.
To fix these vulnerabilities, update to OpenJDK-19.0.1 or later using the instructions for OpenJDK (sysv) or OpenJDK (systemd), or the binaries Java (sysv) or Java (systemd).
In cURL-7.86.0, three security vulnerabilities were fixed that could allow for an application to send wrong data or use memory after it's been freed in certain circumstances, for a denial of service when using a .netrc file, and for applications to use HTTP instead of HTTPS by bypassing HSTS checks. The vulnerability which allows for an application to send wrong data, use memory after it's been freed, or cause other unexpected behavior is due to a logic problem which occurs because libcurl may erroneously use the read callback to ask for data to send if the same handle was previously used to issue a 'PUT' request which used that callback. The denial of service when using a .netrc file occurs due to an out-of-bounds access whenever a file ends in a line with consecutive non-white space characters and no new-line. The HSTS bypass occurs when a given URL uses IDN characters that get replaced by their ASCII counterparts as part of the IDN conversion. The primary threat from this vulnerability is cleartext transmission of sensitive information. These vulnerabilities have been assigned CVE-2022-32221, CVE-2022-35260, and CVE-2022-42916.
To fix these vulnerabilities, update to cURL-7.86.0 or later using the instructions for cURL (sysv) or cURL (systemd).
In libtiff-4.4.0, five security vulnerabilities exist which could allow for crashes when using some of the utilities provided by the package. These vulnerabilities occur in the tiffcrop and tiffsplit utilities, and occur due to stack overflows, out-of-bounds reads, and divide-by-zero errors when processing certain crafted files. Upstream has not made a new release at this time, but the BLFS team has generated a patch to fix these vulnerabilities. These vulnerabilities have been assigned CVE-2022-34526, CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, and CVE-2022-2953.
To fix these vulnerabilities, rebuild libtiff-4.4.0 with the patch using the instructions for libtiff (sysv) or libtiff (systemd).
In Samba-4.17.2, three security vulnerabilities were fixed that could allow for bad passwords to be accepted (due to the count not being incremented properly), for a write heap buffer overflow when using GSSAPI, and for a malicious client to escape exported directories via symbolic links. Note that the GSSAPI vulnerability also impacts standard file servers which are not part of an Active Directory or NT4 domain. The symbolic link vulnerability only affects systems which have SMB1 communication enabled, which is not enabled by default. The bad password vulnerability and GSSAPI vulnerability occur in the default configuration though. These vulnerabilities have been assigned CVE-2021-20251, CVE-2022-3437, and CVE-2022-3952.
To fix these vulnerabilities, update to Samba-4.17.2 or later using the instructions for Samba (sysv) or Samba (systemd).
In git-2.38.1, two security vulnerabilities were fixed that could allow for remote code execution on servers where git repositories are stored, and for sensitive information to be exposed to a remote attacker. The information leak occurs when a user runs 'git clone' on a repository containing symbolic links. It was originally thought that this only affected local clones, but it was later discovered that cloning with the '--recurse-submodules' option achieves the same effect, by having a symbolic link inside the repository point to a file such as '/etc/passwd'. The remote code execution vulnerability is in the 'git shell' program, which implements Git's push/pull functionality over SSH: the function that splits the command line into an argument array uses an 'int' to count the entries, so a remote attacker can deliberately overflow that count and cause arbitrary heap writes, and the resulting array is then passed to 'execv()'. Upgrade to git-2.38.1 immediately if you use it on a server, or if you clone untrusted repositories. These vulnerabilities have been assigned CVE-2022-39253 and CVE-2022-39260.
To fix these vulnerabilities, update to git-2.38.1 or later using the instructions for git (sysv) or git (systemd).
In PHP-8.1.11, two security vulnerabilities were fixed that could allow for a denial-of-service (infinite loop) and for cookie spoofing. The denial-of-service happens when the 'phar' command uncompresses 'quines' gzip files because the uncompressor's code would recursively uncompress them. The cookie spoofing attack can be performed either over the network or locally, and allows an attacker to set a standard insecure cookie in the victim's browser which is treated as a '__Host-' or '__Secure-' cookie by PHP applications. Update to PHP-8.1.11 if you use the 'phar' command or if you use cookies in PHP applications. These vulnerabilities have been assigned CVE-2022-31628 and CVE-2022-31629.
To fix these vulnerabilities, update to PHP-8.1.11 or later using the instructions for PHP (sysv) or PHP (systemd).
In Thunderbird-102.4.0, several security vulnerabilities were fixed that could allow for impersonation attacks, device verification attacks, data corruption, cross-origin URL leakage, memory corruption, arbitrary code execution, and denial-of-service conditions. The data corruption, impersonation attacks, and device verification attacks occur when using the Matrix chat protocol within Thunderbird, and can lead to encryption key exfiltration as well as the ability to make messages look like they came from a legitimate source, while being from an attacker-controlled system. The arbitrary code execution issues are due to memory safety problems. These vulnerabilities have been assigned CVE-2022-39249, CVE-2022-39250, CVE-2022-39251, CVE-2022-39236, CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, and CVE-2022-42932.
To fix these vulnerabilities, update to Thunderbird-102.4.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Python-3.10.8, three security vulnerabilities were fixed that could allow for integer overflows, shell code injection, and unsafe text injection. The integer overflow can occur whenever a list is multiplied by an integer, and is fixed by detecting when the newly allocated length approaches the maximum size. The shell injection is in the get-remote-certificate.py example script, which no longer uses a shell to run openssl commands. The unsafe text injection was in the 'mailcap' module, which now refuses to inject such text into a shell command: instead it emits a warning and behaves as if no match was found. These vulnerabilities have not been assigned CVEs, but more details can be found in the Python 3.10.8 Release Notes.
To fix these vulnerabilities, update to Python-3.10.8 using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).
In libxml2-2.10.3, two security vulnerabilities were fixed that could allow for denial-of-service and arbitrary code execution. These occur due to logic errors and integer overflows, and are caused by missing safety checks and missing length limitations. Both of these issues can be triggered when performing operations on XML documents, or when loading the XML documents into memory for processing. These vulnerabilities have been assigned CVE-2022-40304 and CVE-2022-40303.
To fix these vulnerabilities, update to libxml2-2.10.3 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).
In DHCP-4.4.3-P1, two security vulnerabilities were fixed that could allow for a denial of service and a memory leak in the DHCPD server. Note that these vulnerabilities do not affect the 'dhclient' utility. One of them is a reference counter leak while the server builds responses to leasequery packets, which leads to the server aborting. The other occurs when unpacking a packet whose FQDN option contains a label longer than 63 bytes; this causes a memory leak that eventually results in the server running out of memory. Update to DHCP-4.4.3-P1 if you are using the DHCPD server. These vulnerabilities have been assigned CVE-2022-2928 and CVE-2022-2929.
To fix these vulnerabilities, update to DHCP-4.4.3-P1 or later using the instructions for DHCP (sysv) or DHCP (systemd).
In dbus-1.14.4, three security vulnerabilities were fixed that could allow for a denial-of-service by sending messages with attached file descriptors in an unexpected format, as well as when receiving messages with invalid type signatures and messages where the length of an array is not a multiple of the length of the element. These are due to assertion failures, use-after-frees, memory corruption, and out-of-bounds reads. Note that this can cause the system D-Bus daemon to crash, as well as any application which links to libdbus, and this can be exploited as an unprivileged user. These vulnerabilities have been assigned CVE-2022-42011, CVE-2022-42010, and CVE-2022-42012.
To fix these vulnerabilities, update to dbus-1.14.4 or later using the instructions from the BLFS book for dbus (sysv) or dbus (systemd).
In OpenSSH-9.1p1, three security vulnerabilities were fixed in the OpenSSH tools that could allow for denial of service. They have not been assigned CVEs, but have been reported as potential security issues. In ssh-keyscan, there is a one-byte overflow when processing 'SSH-' banners. In ssh-keygen, there is a denial of service (application crash) in the error path of the file hashing step when signing and verifying with keys that ssh-keygen has generated. In ssh-keysign, there is a denial of service in its error path as well; both the ssh-keygen and ssh-keysign issues are double frees (free() called twice on the same memory). Updating to 9.1p1 is recommended if you encounter crashes when using these utilities. More information can be found in the OpenSSH Release Notes.
To fix these vulnerabilities, update to OpenSSH-9.1p1 or later using the instructions from OpenSSH (sysv) or OpenSSH (systemd).
In linux-6.0.2, several security vulnerabilities were fixed that could allow for arbitrary code execution, reading memory from anywhere on the system, out-of-bounds writes and reads, firewall bypasses, and denial of service (kernel panics). These occur in the ALSA (sound), nftables (firewall), TCP/IP, BPF, EFI, and Wireless subsystems. Note that the wireless vulnerabilities can be exploited without being connected to a network, and can be triggered by simply scanning for networks. The ALSA vulnerability occurs when using the OSS API emulation, and the firewall bypass occurs when you are connected to an IRC network. The LFS team recommends updating to a patched kernel immediately, which is one of 6.0.2 or 5.15.75 (if you prefer to use LTS kernels). These vulnerabilities have been assigned CVE-2022-3303, CVE-2022-2663, CVE-2022-40307, CVE-2022-2785, CVE-2022-39190, CVE-2022-3028, CVE-2022-2905, CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, and CVE-2022-42722.
To fix these vulnerabilities, update to Linux-6.0.2 (or Linux-5.15.75) or later using the instructions from Linux Kernel (sysv) or Linux Kernel (systemd).
In Firefox-102.4.0esr, four security vulnerabilities were fixed, two of them rated as High by upstream. Details at mfsa-2022-45. These vulnerabilities have been assigned CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42932.
To fix these vulnerabilities, update to Firefox-102.4.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In libksba-1.6.2 a severe bug in parsing ASN.1 structures was fixed. The subsequent binary release of gnupg-2.3.8 (Linux builds use a separate libksba) mentioned this; full details are on the gnupg blog, and it has been assigned CVE-2022-3515.
To fix this, update to Libksba-1.6.2 or later using the instructions for Libksba (sysv) or Libksba (systemd).
In Thunderbird-102.3.0, six security vulnerabilities (on x86 linux, there is another for ARM64, and one on MacOS) were fixed that could allow for potentially exploitable crashes, session fixation, Content Security Policy bypass and memory safety bugs which may lead to remote code execution. Details at mfsa-2022-42. These vulnerabilities have been assigned CVE-2022-3266, CVE-2022-40956, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, and CVE-2022-40962.
To fix these vulnerabilities, update to Thunderbird-102.3.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In BIND-9.18.7, six security vulnerabilities were fixed that could allow for denial of service and arbitrary code execution. These occur due to processing large delegations, buffer overreads in the statistics channel code, memory leaks in the code handling Diffie-Hellman key exchanges, memory leaks when processing ECDSA and EdDSA keys in DNSSEC, and crashes when processing stale caches. Note that the vulnerability when processing large delegations will also cause extremely degraded performance. These vulnerabilities only affect the server, not the client utilities. These vulnerabilities have been assigned CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, and CVE-2022-38178.
To fix these vulnerabilities, update to BIND-9.18.7 using the instructions for BIND (sysv) or BIND (systemd).
In Unbound-1.16.3, a security vulnerability was fixed that could allow for uncontrolled resource consumption due to a non-responsive delegation attack. This can occur over the network and the attack complexity is low, but the only significant impact is to system availability (excessive CPU and memory consumption). The BLFS team recommends updating Unbound if you are using it on a high-traffic server. This vulnerability has been assigned CVE-2022-3204.
To fix this vulnerability, update to Unbound-1.16.3 using the instructions for Unbound (sysv) or Unbound (systemd).
In Node.js-16.17.1, three security vulnerabilities were fixed that could allow for HTTP request smuggling and weak randomness when using the HTTP parser module or the WebCrypto key generation. These vulnerabilities occur due to unchecked return values, bypasses of fixes for previous vulnerabilities, and incorrect parsing of multi-line Transfer-Encoding fields in an HTTP header. They are inside the internal llhttp module and within the core of the package itself. These vulnerabilities have been assigned CVE-2022-32213, CVE-2022-35255, and CVE-2022-35256.
To fix these vulnerabilities, update to Node.js-16.17.1 using the instructions for Node.js (sysv) or Node.js (systemd).
In expat-2.4.9, a critical security vulnerability was fixed that could allow for arbitrary code execution or denial of service, depending on the context of the program calling the library. This is a use-after-free in the doContent function. It can be exploited trivially through malicious advertisements and other crafted web content, but also through any other means of delivering an XML document to an application that parses it with expat. The BLFS team recommends updating to expat-2.4.9 as soon as possible. This vulnerability has been assigned CVE-2022-40674.
To fix this vulnerability, update to expat-2.4.9 or later using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
In WebKitGTK+-2.36.8, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content. A proof of concept exists where a malicious advertisement is sideloaded onto a page. These vulnerabilities occur due to a buffer overflow and an out-of-bounds read, which were fixed with improved memory handling and boundary checking. These vulnerabilities have been assigned CVE-2022-32886 and CVE-2022-32912.
To fix these vulnerabilities, update to WebKitGTK+-2.36.8 or later, substituting that version into the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In Firefox-102.3.0esr, six security vulnerabilities (on x86, there is another for ARM64 if using WASM) were fixed that could allow for potentially exploitable crashes, session fixation, Content Security Policy bypass and memory safety bugs which may lead to remote code execution. Details at mfsa-2022-41. These vulnerabilities have been assigned CVE-2022-3266, CVE-2022-40956, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, and CVE-2022-40962.
To fix these vulnerabilities, update to Firefox-102.3.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In QtWebEngine-5.15.11, several security vulnerabilities were fixed that could allow for remote code execution, arbitrary file creation and deletion, denial of service, and information disclosure. These vulnerabilities occur due to segmentation violations, use-after-free vulnerabilities, out-of-bounds access, insufficient policy enforcement, heap buffer overflows, and type confusion. They are in a variety of subsystems, including WebGL, WebRTC, DevTools, V8, Guest View, the Filesystem API, and Messaging. These vulnerabilities have been assigned CVE-2022-2610, CVE-2022-2477, CVE-2022-27406, CVE-2022-27405, CVE-2022-27404, CVE-2022-2294, CVE-2022-2295, CVE-2022-2160, CVE-2022-2162, CVE-2022-2158, CVE-2022-2008, CVE-2022-2010, CVE-2022-1854, CVE-2022-1857, and CVE-2022-1855.
To fix these vulnerabilities, update to QtWebEngine-5.15.11 or later using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).
In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (application hang) due to algorithmic complexity. This occurs when converting between integers and strings in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32: conversion in those power-of-two bases is linear in the number of digits, but in other bases it is quadratic, so a very long decimal number in untrusted input (for example a JSON document) can consume CPU for a long time. The new default limit is 4300 digits; previously there was no limit. This vulnerability has been assigned CVE-2020-10735.
To fix this vulnerability, update to Python-3.10.7 using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).
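The following is an added example, not code from the BLFS page or from CPython, showing how the limit introduced in Python-3.10.7 behaves from an application's point of view: decimal conversions beyond the limit are refused with a ValueError in both directions, hexadecimal conversion is exempt, and the limit can be adjusted per process through the sys.set_int_max_str_digits() API (which only exists on 3.10.7 / 3.11 or later; the functions below report "not limited" on older interpreters).

```python
import sys

# Added example, not from the BLFS page or CPython.  Demonstrates the digit
# limit for int<->str conversion added for CVE-2020-10735.  Decimal (and any
# other non-power-of-two base) conversion is quadratic in the number of
# digits, so a few hundred thousand digits in a request body could keep a
# server busy for seconds; 3.10.7 caps this at 4300 digits by default.


def limit_available() -> bool:
    """True if this interpreter implements the conversion limit at all."""
    return hasattr(sys, "get_int_max_str_digits")


def decimal_rejected(n_digits: int) -> bool:
    """True if int() refuses a decimal string of n_digits digits."""
    try:
        int("9" * n_digits)
    except ValueError:  # "Exceeds the limit (4300 digits) for integer string conversion"
        return True
    return False


def hex_rejected(n_digits: int) -> bool:
    """Same probe in base 16; power-of-two bases are linear-time and exempt."""
    try:
        int("f" * n_digits, 16)
    except ValueError:
        return True
    return False


def str_of_big_int_rejected(n_digits: int) -> bool:
    """The limit also applies in the other direction, str(int)."""
    try:
        str(10 ** n_digits)  # 10**n has n+1 decimal digits
    except ValueError:
        return True
    return False


def with_limit(limit: int, probe, n_digits: int) -> bool:
    """Run a probe under a temporary limit (0 disables the check entirely;
    non-zero values must be at least sys.int_info.str_digits_check_threshold)
    and restore the previous limit afterwards."""
    old = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(limit)
    try:
        return probe(n_digits)
    finally:
        sys.set_int_max_str_digits(old)


def report(n_digits: int) -> dict:
    """Which conversions of n_digits digits the current limit rejects."""
    if not limit_available():
        return {"limited": False, "decimal": False, "hex": False, "str": False}
    return {
        "limited": True,
        "decimal": decimal_rejected(n_digits),
        "hex": hex_rejected(n_digits),
        "str": str_of_big_int_rejected(n_digits),
    }


if __name__ == "__main__":
    print(report(5000))
    if limit_available():
        # Raising the limit is a per-process policy choice; do it only for
        # code paths that genuinely need huge decimal numbers.
        print("decimal, limit raised to 10000:",
              with_limit(10000, decimal_rejected, 5000))
```

If an application legitimately handles very large decimal numbers, raise the limit (or set the PYTHONINTMAXSTRDIGITS environment variable) for that process only rather than disabling the check globally, since the check is what protects every other int() call on untrusted input.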
In Wireshark-3.6.8, a security vulnerability was fixed that could allow for a denial-of-service (excessive resource consumption) when using the F5 Ethernet Trailer packet dissector. This can occur via packet injection or via reading a crafted capture file, and is caused by an infinite loop. Note that this security vulnerability is only applicable if you are operating Wireshark on a network that has F5 Ethernet Trailer packets passing along it. This vulnerability has been assigned CVE-2022-3190.
To fix this vulnerability, update to Wireshark-3.6.8 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
In Thunderbird-102.2.1, several security vulnerabilities were fixed that could allow for leakage of sensitive information, unexpected loading and processing of objects, unauthorized network requests, and denial-of-service attacks. The information leak occurs when composing a reply to an HTML email that contains a 'META' tag with a 'refresh' attribute and a URL: Thunderbird then issues a network request to that URL and executes any JavaScript located in the email (or returned from the URL) in the context of the message compose document. That JavaScript could read or modify the contents of the email, could decrypt mail, and could then transmit the contents over the network, either to the URL in the meta tag or to another URL, depending on the script. The unblocked remote content and the network requests triggered by iframe elements occur whenever a user receives an HTML email. The denial of service can occur when connected to a network using the Matrix chat protocol, and can cause temporary corruption. Update to Thunderbird-102.2.1 immediately. These vulnerabilities have been assigned CVE-2022-3033, CVE-2022-3032, CVE-2022-3034, and CVE-2022-36059.
To fix these vulnerabilities, update to Thunderbird-102.2.1 using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In curl-7.85.0, a security vulnerability was fixed that could allow for a denial of service when processing cookies. When curl retrieves and parses cookies from an HTTP(S) server, it accepts cookies using control codes. When cookies that contain these control codes are sent back, it might make the server return a 400 response, effectively allowing another site to deny service to related sites. This vulnerability has been assigned CVE-2022-35252.
To fix this vulnerability, update to cURL-7.85.0 or later using the instructions for cURL (sysv) or cURL (systemd).
In poppler-22.09.0, a critical security vulnerability was fixed that allows for arbitrary code execution when PDF files are processed. It is the same JBIG2 image decoder bug that the "FORCEDENTRY" exploit used against Apple devices in 2021, which allowed zero-click remote code execution through Apple's PDF rendering code. Poppler is used to process PDF files, and a proof-of-concept exploit which causes a crash is publicly available. Exploitation can happen simply by opening a PDF file, by downloading a PDF file to a location where Tracker or Baloo will index it, or even when printing a PDF file using CUPS. Update to poppler-22.09.0 as soon as possible. This vulnerability has been assigned CVE-2022-38784.
To fix this vulnerability, update to poppler-22.09.0 or later using the instructions for Poppler (sysv) or Poppler (systemd).
Unfortunately, this security update breaks the compilation of two packages (Inkscape and Libreoffice) due to incompatible API changes. The BLFS team has prepared patches for both of these packages.
If you are going to build Inkscape, apply this patch before compiling the package: Inkscape Poppler Fixes Patch.
If you are going to build Libreoffice, apply this patch before compiling the package: Libreoffice Poppler Fixes Patch.
Note that later versions of inkscape (starting with 1.2.2) and libreoffice (starting with 7.4.2.3) have been fixed and the patches are not needed anymore.
In WebKitGTK+-2.36.7, a critical 0-day security vulnerability was fixed that allows for trivial remote code execution when processing maliciously crafted web content such as an advertisement. This was classified as an out-of-bounds write, and was addressed with improved boundary checking. Visiting a web page, or having content loaded into one (such as advertisements), can trigger this vulnerability. There are numerous reports that it is under active exploitation, so updating immediately is recommended. This vulnerability has been assigned CVE-2022-32893.
To fix this vulnerability, update to WebKitGTK+-2.36.7 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In Thunderbird-102.2.0, five security vulnerabilities were fixed that could allow for address bar spoofing, permission inheritance when processing crafted XSLT documents, data race conditions, and memory safety bugs which may lead to remote code execution. These vulnerabilities have been assigned CVE-2022-38472, CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, and CVE-2022-38478.
To fix these vulnerabilities, update to Thunderbird-102.2.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Firefox-102.2.0esr, five security vulnerabilities were fixed that could allow for address bar spoofing, permission inheritance when processing crafted XSLT documents, data race conditions, and memory safety bugs which may lead to remote code execution. If you are staying on 91esr, please note that the corresponding version (91.13.0esr) is the final release of that branch, and you should update to Firefox-102esr. These vulnerabilities have been assigned CVE-2022-38472, CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, and CVE-2022-38478.
To fix these vulnerabilities, update to Firefox-102.2.0esr or later (or Firefox-91.13.0esr, although this is the final release of that branch) using the instructions for Firefox (sysv) or Firefox (systemd).
In Linux-6.0-rc2, a race condition that allows an unprivileged local user to gain write access to read-only memory mappings, and so escalate their privileges on the system, was fixed. This vulnerability has been assigned CVE-2022-2590 (not disclosed yet).
This vulnerability affects Linux 5.16 or later, and the fix has not yet been backported into any stable release. To mitigate it, disable CONFIG_USERFAULTFD in the kernel configuration and rebuild the kernel using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). No LFS or BLFS component invokes the userfaultfd() system call at present. If you need CONFIG_USERFAULTFD enabled for some program that invokes userfaultfd(), update to Linux 6.0-rc2 or later to fix the vulnerability; using a release candidate is, however, not recommended by the editors.
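To check the mitigation above without opening the kernel configuration menu, here is an added example (not from the LFS book or the kernel tree) that parses a kernel .config in the format the kernel writes ("CONFIG_X=y", "CONFIG_X=m", quoted strings, and "# CONFIG_X is not set") and reports how CONFIG_USERFAULTFD is set. The locations tried by running_kernel_config() are assumptions: /proc/config.gz exists only when the kernel was built with CONFIG_IKCONFIG_PROC, and /boot/config-<release> only if you copied the configuration there when installing the kernel. The embedded SAMPLE_CONFIG is constructed for the demonstration.

```python
import gzip
import os
import platform
import re
from typing import Optional

# Added example, not from the LFS book or the kernel tree: a small parser
# for the kernel's .config format, used here to report CONFIG_USERFAULTFD
# (the CVE-2022-2590 mitigation) and CONFIG_X86_X2APIC.

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_NOT_SET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text: str) -> dict:
    """Map option name -> value.  'y'/'m'/numbers stay as strings, quoted
    strings lose their quotes, and '# CONFIG_X is not set' maps to None.
    Other comment lines are ignored."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            options[name] = value
            continue
        m = _NOT_SET.match(line)
        if m:
            options[m.group(1)] = None
    return options


def option_state(options: dict, name: str) -> str:
    """Classify one option: 'builtin' (=y), 'module' (=m), 'disabled'
    ('is not set' or =n), 'set' (string/number) or 'unknown' (absent;
    for a bool option that also means it is off, but say so explicitly)."""
    if name not in options:
        return "unknown"
    value = options[name]
    if value is None or value == "n":
        return "disabled"
    return {"y": "builtin", "m": "module"}.get(value, "set")


def userfaultfd_exposed(options: dict) -> bool:
    """True if a kernel built from `options` offers the userfaultfd() call."""
    return option_state(options, "CONFIG_USERFAULTFD") == "builtin"


def running_kernel_config() -> Optional[dict]:
    """Load the running kernel's config from the usual places, or None.
    (Assumed locations; see the lead-in.)"""
    for path in ("/proc/config.gz", f"/boot/config-{platform.release()}"):
        if not os.path.exists(path):
            continue
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt") as fh:
            return parse_kconfig(fh.read())
    return None


# Constructed sample, not a real LFS .config.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_LOCALVERSION=""
CONFIG_DEFAULT_HOSTNAME="(none)"
CONFIG_USERFAULTFD=y
# CONFIG_X86_X2APIC is not set
CONFIG_BLK_DEV_LOOP=m
CONFIG_NR_CPUS=64
"""

if __name__ == "__main__":
    options = running_kernel_config() or parse_kconfig(SAMPLE_CONFIG)
    print("CONFIG_USERFAULTFD:", option_state(options, "CONFIG_USERFAULTFD"))
    print("CONFIG_X86_X2APIC:", option_state(options, "CONFIG_X86_X2APIC"))
```

Run as a script it reports the running kernel if its configuration can be found, and otherwise the constructed sample, in which userfaultfd is still built in and would need to be switched off before rebuilding.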
In intel-microcode-20220809, a hardware vulnerability was fixed. When the interrupt controller (APIC) operates in xAPIC (also known as "legacy") mode, its configuration registers are exposed through a memory-mapped I/O (MMIO) page. An attacker able to execute code on a target CPU can perform an unaligned read from that MMIO page, which may cause the APIC to return stale data from previous requests made by the same processor core to the same page, disclosing sensitive information. This vulnerability has been assigned CVE-2022-21233.
Intel recommends enabling x2APIC mode as the mitigation: it disables the xAPIC MMIO page and instead exposes the APIC registers through model-specific registers (MSRs). Run
dmesg | grep 'x2apic'
to see whether the APIC is operating in x2APIC mode. If the output contains "x2apic enabled", the APIC is already in x2APIC mode and no further action is needed. If there is no output, enable CONFIG_X86_X2APIC in the kernel configuration, rebuild the kernel, and recheck after booting the new kernel. If the output contains "x2apic is disabled because BIOS sets x2apic opt out bit", try to enable x2APIC in the BIOS settings. If that is not possible, you will need to update to at least intel-microcode-20220809 using the instructions for About Firmware (sysv) or About Firmware (systemd).
In shadow-4.12.2, a time-of-check time-of-use race condition was fixed. When an administrator runs the shadow utilities (useradd or userdel), a local attacker with permission to write into a directory being operated on by the utility can conduct symbolic link attacks, allowing them to alter or remove directories outside of that directory. This vulnerability has been assigned CVE-2013-4235.
To fix this vulnerability, update to shadow-4.12.2 using the instructions from the LFS book for Shadow (sysv) or Shadow (systemd). If you are unwilling or unable to update, be careful when you use the utilities from shadow as root; in particular, when removing a user with userdel, first ensure that no processes are running as that user.
In Linux-5.19.2, four security vulnerabilities were fixed. The first can be exploited by an attacker who tricks the administrator into mounting and operating on a maliciously crafted ext4 file system, causing a denial of service (kernel panic). The second and third can be exploited by an attacker who already has the CAP_NET_ADMIN capability (possibly in a separate user namespace) to escalate privileges further. The fourth allows an unprivileged attacker to cause a denial of service (kernel panic) or potentially escalate privileges. These vulnerabilities have been assigned CVE-2022-1184, CVE-2022-2586, CVE-2022-2588, and CVE-2022-2585 (none of them disclosed yet).
To fix these vulnerabilities, update to Linux 5.19.2 (or 5.18.19, 5.15.62, 5.10.137 if you prefer to stay on an old kernel series) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
In libxml2-2.10.0, a security vulnerability was fixed that could allow attackers to cause a denial of service (application crash). The crash is triggered through forged input data, and is caused by the iterwalk function of 'lxml', the Python wrapper for libxslt and libxml2, which is the primary affected application. Note that libxml2-2.10.0 fixed several other security issues as well, which were not assigned CVEs. This vulnerability has been assigned CVE-2022-2309.
To fix this vulnerability, update to libxml2-2.10.0 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).
In MariaDB-10.6.9, five security vulnerabilities were fixed that could allow for remote code execution and remotely exploitable crashes. They consist of assertion failures when processing database queries, segmentation faults, and use-after-poison (use of freed memory) when processing database queries and committing data to disk. These vulnerabilities have been assigned CVE-2022-32082, CVE-2022-32089, CVE-2022-32081, CVE-2022-32091, and CVE-2022-32084.
To fix these vulnerabilities, update to MariaDB-10.6.9 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).
In tumbler-4.16.1, a security vulnerability was fixed that could allow for arbitrary code execution and server-side request forgery when indexing certain file types using the gstreamer plugin. This vulnerability was resolved by adding a MIME type check to the gst-thumbnailer plugin, but further details are scarce at this time. More information can be found at XFCE Mailing List, XFCE Upstream Commit, and Issue #65 (when available).
To fix this vulnerability, update to tumbler-4.16.1 or later using the instructions for tumbler (sysv) or tumbler (systemd).
In OpenJDK-18.0.2, three security vulnerabilities were fixed that could allow for arbitrary code execution, corruption of existing Java class files, unauthorized creation, modification, and deletion of data, and unauthorized access to information (reading). These vulnerabilities occur when processing XSLT stylesheets, and when using the Hotspot feature to compile JIT code. These vulnerabilities have been assigned CVE-2022-34169, CVE-2022-21541, and CVE-2022-21540.
To fix these vulnerabilities, update to Java Binaries/OpenJDK-18.0.2 or 17.0.4.1 (LTS) or 11.0.16.1 (LTS) or later using the instructions for Java binaries (sysv) or OpenJDK (sysv) or Java binaries (systemd) or OpenJDK (systemd).
In unrar-6.1.7, a security vulnerability was fixed that could allow for path traversal, allowing for arbitrary files to be written during an extract operation on a crafted archive. This vulnerability is known to be exploited in the wild, and a proof-of-concept exploit exists that allows an attacker to create a .ssh/authorized_keys file in the home directory of whichever user extracts the archive. Update to unrar-6.1.7 as soon as possible. This vulnerability has been assigned CVE-2022-30333.
To fix this vulnerability, update to unrar-6.1.7 or later using the instructions for unrar (sysv) or unrar (systemd).
In rsync-3.2.5, a security vulnerability was fixed that could allow a malicious remote server to write arbitrary files inside the directories of connecting peers. The server chooses which files and directories are sent to the client, and the rsync client performed insufficient validation of the file names, so a malicious server can overwrite arbitrary files in the client's target directory and any of its subdirectories. A proof-of-concept exploit exists that overwrites the .ssh/authorized_keys file on a system to allow remote attackers to log in without a password. Update to rsync-3.2.5 as soon as possible if you use its client. This vulnerability has been assigned CVE-2022-29154.
To fix this vulnerability, update to rsync-3.2.5 or later using the instructions for rsync (sysv) or rsync (systemd).
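Both the unrar entry above (CVE-2022-30333) and this rsync entry (CVE-2022-29154) come down to the same mistake: a file name chosen by the other side (the archive author, or the remote rsync server) was used to build a destination path without checking that the path stays inside the target directory. The following is an added example, not code from the BLFS page, unrar or rsync, of the check a client or extractor needs. It rejects absolute names and '..' traversal lexically, and then uses realpath() to catch an intermediate symbolic link that was planted earlier in the same archive or transfer, which is how the authorized_keys proofs of concept typically work. POSIX paths are assumed, and the member names in SAMPLE_NAMES are constructed for the demonstration.

```python
import os
import posixpath
import tempfile

# Added example, not from the BLFS page, unrar or rsync.  Names chosen by an
# archive (unrar, CVE-2022-30333) or by a remote rsync server
# (CVE-2022-29154) are attacker input.  safe_destination() decides whether
# writing such a name under dest_dir can land anywhere else.


class UnsafePath(ValueError):
    pass


def safe_destination(dest_dir: str, name: str) -> str:
    """Return the path where `name` may be written inside dest_dir, or raise
    UnsafePath if it is absolute, traverses above dest_dir with '..', or
    passes through a symlink that resolves outside dest_dir."""
    root = os.path.realpath(dest_dir)
    norm = posixpath.normpath(name)          # 'a/./b/../c' -> 'a/c', '' -> '.'
    if norm in (".", ""):
        raise UnsafePath(f"empty name: {name!r}")
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise UnsafePath(f"absolute or traversing name: {name!r}")
    candidate = os.path.join(root, norm)
    # realpath follows symlinks in the components that already exist on disk,
    # so 'ssh/authorized_keys' is caught if 'ssh' was written earlier as a
    # link to the victim's real ~/.ssh.
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root, resolved]) != root:
        raise UnsafePath(f"{name!r} resolves to {resolved}, outside {root}")
    return candidate


def is_safe(dest_dir: str, name: str) -> bool:
    try:
        safe_destination(dest_dir, name)
    except UnsafePath:
        return False
    return True


# Constructed member names; the last two mirror the public proofs of concept
# (dropping a .ssh/authorized_keys file for the extracting user).
SAMPLE_NAMES = (
    "notes/readme.txt",
    "docs/../images/logo.png",
    "/etc/passwd",
    "../.ssh/authorized_keys",
    "ssh/authorized_keys",
)


def demo() -> dict:
    """Run the check over SAMPLE_NAMES in a scratch directory in which the
    attacker has already managed to place 'ssh' as a link elsewhere."""
    results = {}
    with tempfile.TemporaryDirectory() as dest, \
            tempfile.TemporaryDirectory() as victim_home:
        os.symlink(victim_home, os.path.join(dest, "ssh"))
        for name in SAMPLE_NAMES:
            results[name] = is_safe(dest, name)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'allow' if ok else 'REJECT':7} {name}")
```

The realpath step is what distinguishes this from a purely lexical check: a name such as "ssh/authorized_keys" contains no "..", yet once "ssh" exists as a symlink it writes into another directory entirely. An extractor should also refuse to create symbolic links whose target leaves the destination, or create them last, so that later members cannot pass through them.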
In Python3-3.10.6, two security vulnerabilities were fixed that could allow for open redirection when using the HTTP server and for a use-after-free-based denial of service when using the memoryview function. The HTTP server vulnerability occurs when a URI path contains double slashes (//) in it, and allows for redirection to an attacker controlled point. The memoryview vulnerability occurs when accessing the backing buffer. These vulnerabilities do not have CVEs assigned to them, but more details can be found at their respective bug reports upstream: Bug 87389 and Bug 92888.
To fix these vulnerabilities, update to Python3-3.10.6 or later using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).
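The open-redirect report (Bug 87389) is easy to reproduce in miniature. When http.server receives a request for a directory without a trailing slash, it answers with a 301 whose Location header is the request path with "/" appended. A request line beginning with "//" therefore produced a Location beginning with "//", which browsers interpret as a scheme-relative URL pointing at another host. The following is an added example, not code from the BLFS page or from CPython, that models that redirect construction before and after the fix; the request target used is constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not from the BLFS page or CPython.  Models the Location
# header that http.server built for a directory redirect (bug 87389): the
# vulnerable shape echoes the request target back, so "//host/.." becomes a
# scheme-relative URL; the fixed shape collapses leading slashes first, which
# is what Python 3.10.6 does in its request parsing.


def directory_redirect_vulnerable(request_target: str) -> str:
    """Pre-3.10.6 shape: split the target, append '/' to the path, rejoin.
    urlsplit('//evil.example/..') yields netloc='evil.example', and
    urlunsplit faithfully puts the '//' back."""
    parts = urlsplit(request_target)
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def collapse_leading_slashes(request_target: str) -> str:
    """'//evil.example/x' -> '/evil.example/x'; anything else unchanged."""
    if request_target.startswith("//"):
        return "/" + request_target.lstrip("/")
    return request_target


def directory_redirect_fixed(request_target: str) -> str:
    """Same redirect, but with the request target normalised first."""
    return directory_redirect_vulnerable(collapse_leading_slashes(request_target))


def is_offsite_redirect(location: str) -> bool:
    """A Location of the form //host/... is scheme-relative and may leave
    the site, as does any absolute URL; /path is always same-origin."""
    return location.startswith("//") or "://" in location


if __name__ == "__main__":
    target = "//evil.example/.."  # constructed attacker-controlled request line
    for fn in (directory_redirect_vulnerable, directory_redirect_fixed):
        loc = fn(target)
        print(f"{fn.__name__}: Location: {loc}  off-site={is_offsite_redirect(loc)}")
```

The same normalisation is worth applying in any server that reflects part of the request path into a Location header: a relative redirect is only relative if it begins with exactly one slash.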
In GnuTLS-3.7.7, a security vulnerability was fixed that could allow for remotely-exploitable denial of service. This vulnerability occurs due to a double-free error when verifying PKCS#7 signatures using the gnutls_pkcs7_verify function. The highest impact from this vulnerability is an application crash. This vulnerability has been assigned CVE-2022-2509.
To fix this vulnerability, update to GnuTLS-3.7.7 or later using the instructions for GnuTLS (sysv) or GnuTLS (systemd).
In WebKitGTK+-2.36.5 (which had crash problems, fixed by 2.36.6), two security vulnerabilities were fixed that could allow for remote code execution and UI spoofing. The remote code execution vulnerability occurs when processing crafted web content, and is caused by an out-of-bounds write, which was fixed with improved input validation. The UI spoofing issue was resolved with improved UI handling, and occurs when visiting websites which have malicious content in their frames. These vulnerabilities have been assigned CVE-2022-32816 and CVE-2022-32792.
To fix these vulnerabilities, update to WebKitGTK+-2.36.6 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In Samba-4.16.4, five security vulnerabilities were fixed that could allow for password change restrictions to be bypassed, forging of password change requests for users, server crashes with LDAP addition and modification requests, and memory information leaks. In a standard BLFS configuration, none of these vulnerabilities are applicable, but some users may use Active Directory with their systems, or the SMB1 protocol for supporting communication with legacy systems. If you use Active Directory with a BLFS system, or use the SMB1 protocol in the Samba server, update to Samba-4.16.4 immediately. These vulnerabilities have been assigned CVE-2022-2031, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746, and CVE-2022-32742.
To fix these vulnerabilities, update to Samba-4.16.4 or later using the instructions for Samba (sysv) or Samba (systemd).
In sqlite-3.39.2, a security vulnerability was fixed that could allow for an array boundary overflow if billions of bytes are used in a string argument to a C API. This could be triggered when importing existing databases in some applications, or when executing large queries. The attack vector is listed as Network, while attack complexity is marked as Low, but no privileges are required to exploit this vulnerability. The primary impact is denial of service (application crashes), and updating sqlite is recommended if you use it on any public-facing web server for a database. This vulnerability has been assigned CVE-2022-35737.
To fix this vulnerability, update to sqlite-3.39.2 using the instructions for sqlite (sysv) or sqlite (systemd).
In libwebp-1.2.3 (which has since been updated to 1.2.4), a security vulnerability was fixed in the lossless encoder that could allow for memory leaks and segmentation faults in applications which attempt to convert JPEG images to WebP images using libwebp. No CVE number has been assigned, but details (such as the commits where this vulnerability was fixed) can be found in the BLFS ticket. More information can be found at BLFS Ticket #16803.
To fix this vulnerability, update to libwebp-1.2.4 or later using the instructions for libwebp (sysv) or libwebp (systemd).
Postgresql up to and including version 14.4 is vulnerable to arbitrary code execution through the use of extension scripts. The assigned CVE is CVE-2022-2625 (not public yet). Information about the issue can be found at: Postgresql's site.
To fix this, update to postgresql-14.5 or later following the instructions for Postgresql (sysv) or Postgresql (systemd).
Unbound up to and including version 1.16.1 is vulnerable to several types of ghost domain names attacks. The assigned CVEs are CVE-2022-30698 and CVE-2022-30699.
To fix these, update to Unbound-1.16.2 or later following the instructions for Unbound (sysv) or Unbound (systemd).
In thunderbird 102.1.0 several vulnerabilities were fixed, of which one was rated high. Details at mfsa-2022-32. The CVEs applicable to linux are CVE-2022-2505 (Not yet public), CVE-2022-35318 (Not yet public), and CVE-2022-36319 (Not yet public).
To fix these update to thunderbird-102.1.0 or later using the instructions for: Thunderbird (sysv) or Thunderbird (systemd).
In firefox 102.1.0 several vulnerabilities were fixed, of which one was rated high. Details at mfsa-2022-30. The CVEs applicable to linux are CVE-2022-2505 (Not yet public), CVE-2022-35318 (Not yet public), CVE-2022-36319 (Not yet public).
To fix these update to firefox-102.1.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In Linux-5.18.14.3 (and 5.15.57) there are fixes for speculative vulnerabilities which might lead to information disclosure and have been named 'RETBleed'. There are actually two quite different sets of vulnerabilities, for AMD and Intel.
This is particularly an issue for systems shared between multiple clients. The available mitigations vary. If you consider the threat is low, you might wish to disable the mitigations by passing 'retbleed=off'. Enabling the mitigations but not specifying a boot-time option will give you whatever 'auto' means on that particular CPU. All of these mitigations cause some reduction in the I/O per second and tend to slow compilations.
For AMD, this is CVE-2022-29900, which applies to Excavator, Zen1 and Zen2 processors.
For Zen1 and earlier, also Hygon, the options are 'unret' or 'unret,nosmt'. The latter disables the SMT sibling cores, so in effect you only have half the number of CPUs. 'Unret' means replace all 'ret' instructions with 'jmp __x86_return_thunk' on kernel entry. This is apparently not a total solution; an AMD advisory notes that selecting CONFIG_ZERO_CALL_USED_REGS in the kernel config may provide some strength in depth, but does not affect all possible vulnerable sites.
For Zen2, the choices are 'auto' (same as 'unret', in this case it adds STIBP protection for SMT) or 'ibpb' (stronger protection, higher performance impact).
For Intel, this is CVE-2022-29901 for generations 6 to 8, and CVE-2022-28693 for generations 9 to 12. Intel's recommended mitigation for Spectre v2 on generations 6 to 8 (IBRS) was not initially followed in the kernel because of the performance impact. Now, 'auto' (or 'ibpb') selects IBRS and this is applied to generations 6 to 8 processors. For processors from generation 9 to 12, enhanced IBRS (note that it's different from the "original" IBRS) has been used to mitigate Spectre v2 and it will be used to mitigate RETBleed too.
If you need to fix these, update to at least linux-5.18.14 (or linux-5.15.57 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
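To see which of the mitigations described above a running kernel actually chose, the kernel reports it in sysfs. The following is an added example (not part of the LFS/BLFS advisory text) that classifies that status string and reads any retbleed= option from the kernel command line; the sample strings in the test are constructed from the kernel's reporting format, and the sysfs path is assumed to exist on kernels that include the RETBleed fixes.

```shell
#!/bin/sh
# Added example: classify the RETBleed status a kernel reports in
# /sys/devices/system/cpu/vulnerabilities/retbleed (assumed present on
# kernels carrying the RETBleed fixes) so the retbleed= boot option can be
# chosen deliberately rather than left at whatever 'auto' picked.

# retbleed_state STATUS
# Prints one of: unaffected, vulnerable, mitigated-smt-vulnerable, mitigated, unknown.
# "Mitigation: ...; SMT vulnerable" is what 'unret'/'ibpb' report on AMD when
# SMT is still enabled, i.e. 'unret,nosmt' was not chosen.
retbleed_state() {
    case "$1" in
        "Not affected")                      echo unaffected ;;
        Vulnerable*)                         echo vulnerable ;;
        Mitigation:*"SMT vulnerable"*)       echo mitigated-smt-vulnerable ;;
        Mitigation:*)                        echo mitigated ;;
        *)                                   echo unknown ;;
    esac
}

# cmdline_retbleed CMDLINE
# Prints the value given to retbleed= on the kernel command line, or "auto"
# (the kernel default) when the option is absent.
cmdline_retbleed() {
    for word in $1; do
        case "$word" in
            retbleed=*) echo "${word#retbleed=}"; return 0 ;;
        esac
    done
    echo auto
}

# report_retbleed
# Runs the two helpers against the live system.
report_retbleed() {
    f=/sys/devices/system/cpu/vulnerabilities/retbleed
    if [ ! -r "$f" ]; then
        echo "no retbleed entry in sysfs (kernel without the RETBleed fixes, or not x86)"
        return 0
    fi
    status=$(cat "$f")
    printf 'sysfs status : %s\n' "$status"
    printf 'state        : %s\n' "$(retbleed_state "$status")"
    printf 'boot option  : retbleed=%s\n' "$(cmdline_retbleed "$(cat /proc/cmdline)")"
}
```

Run report_retbleed on the target machine; a state of mitigated-smt-vulnerable on Zen1 means the 'unret,nosmt' option discussed above was not selected.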
In OpenSSL 3.0.4, 1.1.1p, and earlier 3.0 or 1.1.1 releases, AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. This vulnerability has been assigned CVE-2022-2097, and more details are available at the OpenSSL security advisory. (The OpenSSL security advisory also mentions CVE-2022-2274, but we'd worked around it in the instructions provided by the LFS book. So an LFS development system built "by the book" is not affected.)
If you are not running a 32-bit LFS installation, no action is needed. Otherwise to fix this vulnerability, if you are using OpenSSL 1.1.1 releases, update to OpenSSL-1.1.1q or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd). If you are using OpenSSL 3.0 releases, update to OpenSSL-3.0.5 or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd).
In Xwayland-22.1.3, two security vulnerabilities were fixed that could allow for local attackers to elevate privileges. These vulnerabilities occur due to improper input validation when processing keyboard inputs. Both of these vulnerabilities are classified as out-of-bounds access vulnerabilities, and they occur in the ProcXkbSetGeometry and ProcXkbSetDeviceInfo functions. The vulnerabilities occur due to not validating request lengths. These vulnerabilities have been assigned CVE-2022-2319 and CVE-2022-2320.
To fix these vulnerabilities, update to Xwayland-22.1.3 or later using the instructions for Xwayland (sysv) or Xwayland (systemd).
In xorg-server-21.1.4, two security vulnerabilities were fixed that could allow for local attackers to elevate privileges, and for remote attackers to elevate privileges on systems that use X forwarding. These vulnerabilities occur due to improper input validation when processing keyboard inputs. Both of these vulnerabilities are classified as out-of-bounds access vulnerabilities, and they occur in the ProcXkbSetGeometry and ProcXkbSetDeviceInfo functions. The vulnerabilities occur due to not validating request lengths. These vulnerabilities have been assigned CVE-2022-2319 and CVE-2022-2320.
To fix these vulnerabilities, update to xorg-server-21.1.4 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).
In GnuPG-2.3.7, a security vulnerability was fixed that could allow for remote attackers to inject information into a signature that allows for signature forgery, and for application crashes for any program that uses GPGME. Note that this vulnerability can also cause repeatable crashes in mail clients such as Mutt and Evolution. This vulnerability has been assigned CVE-2022-34903.
To fix this vulnerability, update to GnuPG-2.3.7 or later using the instructions for GnuPG (sysv) or GnuPG (systemd).
A security vulnerability was discovered in Dovecot-2.3.19.1 that could allow for privilege escalation in some cases where a system administrator has misconfigured Dovecot with multiple password databases. The BLFS Editors have developed a patch to remediate this vulnerability. This vulnerability has been assigned CVE-2022-30550. More details can be found at the oss-security posting.
To fix this vulnerability, rebuild Dovecot-2.3.19.1 with the patch using the instructions for Dovecot (sysv) or Dovecot (systemd).
In Seamonkey-2.53.13, several security vulnerabilities were fixed that could allow for memory safety problems, privileged code execution, incorrect error pages, full screen browser spoofing, content security policy bypasses, integer overflows, incorrect email signatures, remotely exploitable crashes, information disclosure, and remote code execution. These vulnerabilities happen during a variety of use cases, so updating as soon as possible is recommended. These vulnerabilities have been assigned CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31747, CVE-2022-1834, CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34481, CVE-2022-31744, CVE-2022-34472, CVE-2022-2200, CVE-2022-2226, and CVE-2022-34484.
To fix these vulnerabilities, update to Seamonkey-2.53.13 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In PHP-8.1.8, a security vulnerability was fixed that could allow for a heap buffer overflow in finfo_buffer when processing input from users or scripts. This occurs when trying to determine the type of file to be processed. This heap buffer overflow mostly causes memory corruption, which leads to a denial of service condition, and there is no evidence in the upstream bug report that it can lead to remote code execution. This vulnerability has been assigned CVE-2022-31627 (not yet available). For more information, see the upstream bug report: PHP Bug 81723.
To fix this vulnerability, update to PHP-8.1.8 or later using the instructions for PHP (sysv) or PHP (systemd).
In node.js-16.16.0, several security vulnerabilities were fixed that could allow for HTTP Request Smuggling and DNS rebinding. An additional security vulnerability was fixed that could allow for a local attacker to modify the OpenSSL configuration for other users due to a hardcoded path check. The HTTP Request Smuggling vulnerabilities occur due to a flawed parsing of the Transfer-Encoding field in an HTTP Header, as well as due to a flaw where CRLF sequences are not properly delimited in HTTP requests. The DNS rebinding vulnerability occurs due to the IsIPAddress function not validating whether an IP address is valid. These vulnerabilities have been assigned CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32212, and CVE-2022-32222.
To fix these vulnerabilities, update to node.js-16.16.0 or later using the instructions for node.js (sysv) or node.js (systemd).
In git-2.37.1, a security vulnerability was fixed that could allow for privilege escalation and remote code execution due to Git not properly checking the ownership of directories in a multi-user system when running commands in the local repository configuration. This is similar to CVE-2022-29187 and is due to an incomplete fix. An unsuspecting user could still be affected by the issue, for example when navigating as 'root' into a shared temporary directory that is owned by them, but where an attacker has created a git repository. A temporary workaround is to avoid running git as 'root' or any administrator user. This vulnerability has been assigned CVE-2022-29187.
To fix this vulnerability, update to git-2.37.1 or later using the instructions for git (sysv) or git (systemd).
In Speex-1.2.1, two security vulnerabilities were fixed that could allow for stack buffer overflows and denial of service when using the 'speexenc' and 'speexdec' utilities to encode and decode WAV files. Note that the primary attack vector is crafted WAV files, and a user must download and run the files against the 'speexenc' and 'speexdec' programs to exploit them. These vulnerabilities have been assigned CVE-2020-23903 and CVE-2020-23904.
To fix these vulnerabilities, update to Speex-1.2.1 or later using the instructions for Speex (sysv) or Speex (systemd).
In WebKitGTK+-2.36.4, two security vulnerabilities were fixed that could allow for remote code execution and undesirable behavior. In the case of the undesirable behavior, it was found that video calls that use WebRTC could be interrupted if the audio capture was interrupted. In the case of the remote code execution vulnerability, processing maliciously crafted web content can result in remote code execution - this was a use-after-free issue which was addressed with improved memory management. These vulnerabilities have been assigned CVE-2022-22677 and CVE-2022-26710.
To fix these vulnerabilities, update to WebKitGTK+-2.36.4 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In cURL-7.84.0, four security vulnerabilities were fixed that could allow for denial of service, unpreserved file permissions, and faulty message verification. The faulty message verification occurs when using the FTP protocol with Kerberos support. This flaw makes it possible to inject data into the data stream when downloading files due to improper verification. Note that FTP combined with Kerberos support is very rarely used. The unpreserved file permissions vulnerability occurs due to accidentally widening permissions on files which are downloaded from cookies. Note that this can be worked around by using a strict umask. One of the denial of service vulnerabilities occurs when using HTTP compression due to a flaw in cURL's "chained" HTTP compression algorithm support. The number of acceptable "links" in the chain was unbounded, allowing for infinite amounts of memory to be used. The other denial-of-service vulnerability occurs when the Set-Cookie option is used in an HTTP header. A sufficient amount of cookies could cause cURL to deny all further cookies from any other websites. These vulnerabilities have been assigned CVE-2022-32208, CVE-2022-32207, CVE-2022-32206, and CVE-2022-32205.
To fix these vulnerabilities, update to cURL-7.84.0 or later using the instructions for cURL (sysv) or cURL (systemd).
In thunderbird 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one of the others (see SA 11.1 067 below) sounds as if it is high. Details at mfsa-2022-26. The high or assumed high CVEs common to both are CVE-2022-2200 (Not yet public), CVE-2022-34468 (Not yet public), CVE-2022-34470 (Not yet public), CVE-2022-34479 (Not yet public), CVE-2022-34484 (Not yet public).
To fix these update to thunderbird-102.0 or later using the instructions for: Thunderbird (sysv) or Thunderbird (systemd).
Alternatively, update to thunderbird-91.11.0 as a short-term fix which does not require updated dependencies. Please note that any future versions of the thunderbird 91 series will not be specifically monitored, you should plan to update to the 102 series.
In firefox 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one of the others (see SA 11.1 067 below) sounds as if it is high. Details at mfsa-2022-25 (91.11.0) and mfsa-2022-24 (102.0). The high or assumed high CVEs common to 91esr and 102esr are CVE-2022-2200 (Not yet public), CVE-2022-34468 (Not yet public), CVE-2022-34470 (Not yet public), CVE-2022-34479 (Not yet public), CVE-2022-34484 (Not yet public).
To fix these update to firefox-102.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
Alternatively, update to firefox-91.11.0 as a short-term fix which does not require updated dependencies. Please note that firefox 91esr will have two more releases and then become unsupported.
In the javascript code of firefox-91.11.0 and 102.0 there is a fix for attackers setting undesired attributes on a Javascript object, leading to privileged code execution - CVE-2022-2200. Note that mozilla describe this as 'moderate'. Details are not yet public, see the advisory for firefox-91.11.0 mfsa-2022-25. Further details are expected at CVE-2022-2200 (Not yet public).
To fix this, update to JS-91.11.0 or later using the instructions for JS91 (sysv) or JS91 (systemd).
In OpenSSL 3.0.3, 1.1.1o, and earlier 3.0 or 1.1.1 releases, improper handling of shell metacharacters allowing command injection was found in the c_rehash script. This may be exploited to execute arbitrary commands, causing a privilege escalation if c_rehash is executed (maybe automatically in some configuration) with privileges. This vulnerability has been assigned CVE-2022-2068, and more details are available at the OpenSSL security advisory.
Use of the c_rehash script is considered obsolete and should be replaced by the openssl rehash command.
To fix this vulnerability, if you are using OpenSSL 1.1.1 releases, update to OpenSSL-1.1.1p or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd). If you are using OpenSSL 3.0 releases, update to OpenSSL-3.0.5 or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd). Do not update to OpenSSL-3.0.4 because 3.0.4 contains a severe issue and our workaround for it is no longer in the book.
In Qt5 5.15.6 (commercial), a security vulnerability has been fixed which could allow an out-of-bound write in the qtbase code. The fix has been ported to the repository maintained by kde, and is available in the patch provided for Qt-5.15.5 in BLFS. It is recommended that you update to version 5.15.5 as soon as possible. This vulnerability has been assigned CVE-2022-38593.
To fix this vulnerability, update to Qt-5.15.5 using the instructions for Qt5 (sysv) or Qt5 (systemd).
In gstreamer (and plugins) 1.20.3, seven security vulnerabilities were fixed which could allow for heap overwrites, leading to arbitrary code execution or denial of service (application crashes). These vulnerabilities occur when processing AVI files, MKV files (which are using zlib, bz2, or LZO compression), MP4 files (which are using zlib compression), and when processing files which use the Matroska video codec. If you are using gstreamer and its plugins for playing files from the internet, it is recommended that you update to version 1.20.3 of the stack as soon as possible. These vulnerabilities have been assigned CVE-2022-1921, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, and CVE-2022-1920.
To fix these vulnerabilities, update to gstreamer-1.20.3 as well as the plugins using the instructions for gstreamer (sysv) or gstreamer (systemd).
In Exo-4.16.4, a security vulnerability was fixed that could allow for Exo to silently execute malicious .desktop files which come from outside sources, such as from the web. The vulnerability exists due to a logic error which allows for untrusted .desktop files to be executed, and has been resolved by only executing local .desktop files instead. This vulnerability has been assigned CVE-2022-32278.
To fix this vulnerability, update to Exo-4.16.4 or later using the instructions for Exo (sysv) or Exo (systemd).
In PHP-8.1.7, two security vulnerabilities were fixed that could allow for remote code execution and denial of service when the mysqlnd and pgsql modules are in use. In the case of mysqlnd, the vulnerability happens while accepting passwords from a user, and results in a buffer overflow. In the case of pgsql, there is an uninitialized array vulnerability that results in remote code execution. If you have an application which accepts passwords from users (and is written in PHP and uses mysqlnd), or which uses pgsql, update to php-8.1.7 immediately as there are exploits known in the wild. These vulnerabilities have been assigned CVE-2022-31625 (not yet public) and CVE-2022-31626 (not yet public).
To fix these vulnerabilities, update to PHP-8.1.7 using the instructions for PHP (sysv) or PHP (systemd).
In httpd-2.4.54, several security vulnerabilities were fixed that could allow for information disclosure (in applications using mod_lua), authentication bypass (for applications using mod_proxy), denial of service (when using mod_lua or mod_sed), and information disclosure when httpd compares strings (using ap_strcmp_match() or ap_rwrite()). A vulnerability also exists in mod_proxy_ajp that would allow for HTTP Request Smuggling. In a standard configuration, only the information disclosure vulnerabilities for strings are relevant, but some users may have applications which use mod_proxy, mod_lua, or mod_sed, and may be impacted as well. Updating to httpd-2.4.54 is recommended. These vulnerabilities have been assigned CVE-2022-31813, CVE-2022-30556, CVE-2022-30522, CVE-2022-29404, CVE-2022-28615, CVE-2022-28614, CVE-2022-28330, and CVE-2022-26377.
To fix these vulnerabilities, update to httpd-2.4.54 or later using the instructions for Apache (sysv) or Apache (systemd).
In ntfs-3g-2022.5.17, several security vulnerabilities were fixed that could allow for kernel-level code execution. These vulnerabilities all occur due to incorrect validation of several kinds of NTFS metadata, which will cause buffer overflows when a drive (or disk image) is mounted, leading to kernel level code execution. Proof-of-concept exploits for all of these vulnerabilities are floating around in the wild, and updating to the latest version is recommended immediately if you have this package installed. These vulnerabilities have been assigned CVE-2021-46790, CVE-2022-30784, CVE-2022-30786, CVE-2022-30788, CVE-2022-30789, CVE-2022-30783, CVE-2022-30785, CVE-2022-30787.
To fix these vulnerabilities, update to NTFS-3g-2022.5.17 or later using the instructions for ntfs-3g (sysv) or ntfs-3g (systemd).
In WebKitGTK+-2.36.3, five security vulnerabilities were fixed that may allow for remote code execution when processing maliciously crafted web content, such as videos, audio files, advertisements, and web pages. These vulnerabilities occur due to improper input validation when processing files, and were classified as memory corruption and use-after-free issues, being fixed by improved state and memory management. Updating to WebKitGTK+-2.36.3 immediately is recommended if you are using it in a web browser capacity. These vulnerabilities have been assigned CVE-2022-26700, CVE-2022-26709, CVE-2022-26717, CVE-2022-26716, and CVE-2022-26719.
To fix these vulnerabilities, update to WebKitGTK+-2.36.3 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In libtiff-4.4.0, two security vulnerabilities were fixed that could allow for denial of service and memory corruption when processing crafted files. These occur in the 'tiffinfo' tool and in the 'tiffcp' tool, which are commonly used by users who need to manipulate TIFF files. These vulnerabilities have been assigned CVE-2022-1354 and CVE-2022-1355.
To fix these vulnerabilities, update to libtiff-4.4.0 using the instructions for libtiff (sysv) or libtiff (systemd).
In CUPS-2.4.2, a security vulnerability was fixed that could allow for a local privilege escalation to root (or the 'lp' user on LFS systems) due to a logic error that occurs when processing internal certificates. Upstream has noted that the vulnerability is trivial to exploit and can occur in the CUPS web interface, which is often used for configuring and installing printers. This vulnerability has been assigned CVE-2022-26691, and more details are available at Mandiant Disclosure.
To fix this vulnerability, update to CUPS-2.4.2 or later using the instructions for CUPS (sysv) or CUPS (systemd).
In thunderbird 91.10.0 several vulnerabilities were fixed, of which six were rated high and one medium. Documented in mfsa-2022-22. The CVEs are CVE-2022-1834 (Not yet public), CVE-2022-31736 (Not yet public), CVE-2022-31737 (Not yet public), CVE-2022-31738 (Not yet public), CVE-2022-31741 (Not yet public), CVE-2022-31742 (Not yet public), CVE-2022-31747 (Not yet public).
To fix these vulnerabilities, update to Thunderbird-91.10.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In NSS-3.68.4, 3.78.1 and 3.79 two bugs with restricted access were fixed. It is assumed these are vulnerability fixes, and in the absence of further details they are rated as high. The bugs are bmo1767590 and bmo1766978.
The first of these has now been identified as CVE-2022-31741 in the list of fixes for thunderbird-91.10.0, mfsa-2022-22.
To fix this, update to at least NSS-3.79 using the instructions for NSS (sysv) or NSS (systemd).
In firefox 91.10.0 several vulnerabilities were fixed, of which five were rated high and one rated medium. These are documented in mfsa-2022-21. The CVEs are CVE-2022-31736 (Not yet public), CVE-2022-31737 (Not yet public), CVE-2022-31738 (Not yet public), CVE-2022-31741 (Not yet public), CVE-2022-31742 (Not yet public), CVE-2022-31747 (Not yet public).
To fix these, update to firefox-91.10.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In vim-8.2.5014, 11 vulnerabilities causing vim to crash because of buffer overflow, use after free, uncontrolled recursion, and NULL pointer dereference have been found and fixed. The analysis of some of these vulnerabilities suggests that they might be exploited for remote execution. These vulnerabilities have been assigned CVE-2022-1616, CVE-2022-1620, CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, and CVE-2022-1796.
To fix these vulnerabilities, update to vim-8.2.5014 or later using the instructions for vim (sysv) or vim (systemd).
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This vulnerability has been assigned CVE-2022-1348.
To fix this vulnerability, update to logrotate-3.20.1 or later with the instructions for logrotate (sysv) or logrotate (systemd).
A security vulnerability was identified in Seamonkey-2.53.12 that could allow for remote attackers to execute arbitrary code via crafted JavaScript statements. This occurs due to prototype pollution in the top-level await implementation, which can happen when triggering notifications from websites. This is identical to CVE-2022-1802 in Firefox and Thunderbird, but Seamonkey does not contain the required code to be vulnerable to CVE-2022-1529. The BLFS editors have created a patch to prevent this issue from happening. This vulnerability has been assigned CVE-2022-1802 (not yet public).
To fix this vulnerability, rebuild Seamonkey-2.53.12 with the patch using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In MariaDB-10.6.8, 24 security vulnerabilities were fixed that could allow for remote (and local) attackers to create, modify, and delete data, as well as perform remote code execution on the server in the context of the user which owns the MariaDB server, and cause the server to crash. This occurs due to crafted SQL statements. Updating to MariaDB-10.6.8 is recommended if you run a server which accepts queries from anonymous users, or from the internet. These vulnerabilities have been assigned CVE-2021-46669, CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27386, CVE-2022-27387, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, and CVE-2022-27458.
To fix these vulnerabilities, update to MariaDB-10.6.8 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).
In cifs-utils-6.15, two security vulnerabilities were fixed that could allow for local attackers to escalate privileges to root, or for information disclosure (credentials) in some situations. The privilege escalation vulnerability happens due to a stack-based buffer overflow, which occurs when parsing the ip= command line argument to the mount.cifs command. The information disclosure vulnerability occurs due to logging errors when a file contains an 'equals sign' (=) that does not equal a valid credentials file. These vulnerabilities have been assigned CVE-2022-27239 and CVE-2022-29869.
To fix these vulnerabilities, update to cifs-utils-6.15 or later using the instructions for cifs-utils (sysv) or cifs-utils (systemd).
In PostgreSQL-14.3, a security vulnerability was fixed that could allow for a user to create objects within a database that could execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, as well as when a superuser ran commands against it. This affects the Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck commands, due to them activating the "security restricted operation" protection mechanism too late, or not at all in some code paths. If you use PostgreSQL for anything in a server capacity, updating PostgreSQL is recommended. This vulnerability has been assigned CVE-2022-1552.
To fix this vulnerability, update to PostgreSQL-14.3 or later using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).
In OpenJPEG-2.5.0, a security vulnerability was fixed that could allow for remote attackers to crash an application, causing a denial of service. This occurs when an attacker uses a command line option called "-ImgDir" on any of the OpenJPEG tools, when the directory contains 1048576 files. This particular command line option combined with the amount of files is relatively uncommon, but decompressing, compressing, and dumping JPEG2000 files is a rather common operation. If you use OpenJPEG on a folder with millions of JPEG files in it, updating OpenJPEG is recommended. This vulnerability has been assigned CVE-2021-29338.
To fix this vulnerability, update to OpenJPEG-2.5.0 or later using the instructions for OpenJPEG (sysv) or OpenJPEG (systemd).
In Epiphany-42.2, a security vulnerability was fixed that could allow for remote code execution due to a client buffer overflow when processing some crafted HTML documents. The vulnerability exists in the ephy_string_shorten function in the User Interface process, and it occurs due to the number of bytes for a UTF-8 ellipsis character not being properly considered. As a result of this, remote code execution can be achieved by visiting web pages that have overly long titles. This vulnerability has been assigned CVE-2022-29536.
To fix this vulnerability, update to Epiphany-42.2 using the instructions for Epiphany (sysv) or Epiphany (systemd).
In libxml2-2.9.14, a security vulnerability was fixed that can cause out-of-bounds memory writes due to several buffer handling functions not checking for integer overflows. Note that exploitation requires a victim to open a crafted XML file that is multiple gigabytes in size, however other software that uses libxml2's buffer functions, including libxslt, is impacted as well. This vulnerability has been assigned CVE-2022-29824.
To fix this vulnerability, update to libxml2-2.9.14 using the instructions for libxml2 (sysv) or libxml2 (systemd).
In thunderbird 91.9.1 two critical javascript vulnerabilities were fixed, documented in mfsa-2022-19. The CVEs are CVE-2022-1529 (Not yet public), CVE-2022-1802 (Not yet public).
To fix these vulnerabilities, update to Thunderbird-91.9.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In firefox 91.9.1 two critical javascript vulnerabilities were fixed, documented in mfsa-2022-19. The CVEs are CVE-2022-1529 (Not yet public), CVE-2022-1802 (Not yet public).
To fix these, update to firefox-91.9.1esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In BIND-9.18.3, a security vulnerability was fixed where, on vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. This vulnerability has been assigned CVE-2022-1183.
To fix this vulnerability, update to BIND-9.18.3 or later using the instructions for BIND (sysv) or BIND (systemd).
In Thunderbird-91.9.0, several security vulnerabilities were fixed. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. It is recommended that you update as soon as possible. These vulnerabilities have been assigned mfsa-2022-18. The CVEs are CVE-2022-1520, CVE-2022-29914, CVE-2022-29909, CVE-2022-29916, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913, and CVE-2022-29917.
To fix these vulnerabilities, update to Thunderbird-91.9.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Seamonkey-2.53.12, the same security vulnerabilities that were fixed in Firefox (and Thunderbird) 91.9.0 have had their fixes ported over. These vulnerabilities have been assigned: mfsa-2022-17. The CVEs are CVE-2022-29909 (Not yet public), CVE-2022-29911 (Not yet public), CVE-2022-29912 (Not yet public), CVE-2022-29914 (Not yet public), CVE-2022-29916 (Not yet public), CVE-2022-29917 (Not yet public).
To fix these vulnerabilities, update to Seamonkey-2.53.12 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In cURL-7.83.1, six vulnerabilities have been fixed. These vulnerabilities may cause cURL to wrongly remove files, mishandle HTTP cookie domains or percent-encoded elements in URLs, ignore security-related option changes when reusing connections, or bypass HSTS rules. And, if cURL is built with NSS (BLFS has not mentioned such a configuration), one of the vulnerabilities can cause it to get stuck in an endless loop.
These vulnerabilities have been assigned CVE-2022-27778, 27779, 27780, 27781, 27782, and 30115 (not disclosed yet). For details refer to cURL vulnerability list.
To fix them, update to at least cURL-7.83.1 for cURL (sysv) or cURL (systemd).
Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability, Intel-SA-00617 CVE-2022-21151 (not yet public).
To fix this, update to at least microcode-20220510 using the instructions for About Firmware (sysv) or About Firmware (systemd).
In vim-8.2.4814, three vulnerabilities that cause vim to crash because of a heap buffer overflow or a use-after-free have been found and fixed. These vulnerabilities have been assigned CVE-2022-1154, CVE-2022-1160, and CVE-2022-1381.
To fix these vulnerabilities, update to vim-8.2.4814 or later using the instructions for vim (sysv) or vim (systemd).
In firefox 91.9.0 six CVE issues, five rated High, were fixed. These are listed in mfsa-2022-17. The CVEs are CVE-2022-29909 (Not yet public), CVE-2022-29911 (Not yet public), CVE-2022-29912 (Not yet public), CVE-2022-29914 (Not yet public), CVE-2022-29916 (Not yet public), CVE-2022-29917 (Not yet public).
To fix these, update to firefox-91.9.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
The XMPP protocol is a set of open technologies for instant messaging. It relies heavily on DNS for both servers and clients. One part of the protocol defines "_xmppconnect TXT records", which are now known to be vulnerable to Man-in-the-Middle attacks if not using DNSSEC. The Pidgin developers have therefore decided to remove the associated code in version 2.4.19. This vulnerability has been assigned CVE-2022-26491 (not public yet). More details may be found at the pidgin site.
To fix this, update to pidgin-2.4.19 or later using the instructions for Pidgin (sysv) or Pidgin (systemd).
In openjdk-18.0.1, openjdk-17.0.3 (LTS), and openjdk-11.0.15 (LTS), several security vulnerabilities were fixed that could allow remote unauthenticated creation, deletion, modification of, or access to files/data or various denial of services. These vulnerabilities have been assigned CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21449, CVE-2022-21476, and CVE-2022-21496.
To fix these vulnerabilities, update to java binaries/openjdk-18.0.1 or 17.0.3(LTS) or 11.0.15(LTS) or later using the instructions for Java binaries (sysv) or OpenJDK (sysv) or Java binaries (systemd) or OpenJDK (systemd).
In libinput-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution due to a bug in the log handlers. When a device is detected by libinput and initialized, libinput will log several messages with log handlers set up by the calling functions. These log handlers will eventually result in a printf() call. Logging happens with the privileges of the caller - in some cases, that may be root, in other cases it'll occur with whatever the privileges of the current user are. The device name ends up being part of the format string, and a kernel device with printf-style format string placeholders can enable an attacker to run malicious code. An exploit is therefore possible through any device where the attacker can control the device name. A couple of examples are /dev/uinput and Bluetooth devices. Upstream has noted that all versions of libinput since 1.10 (released in February of 2018) are affected, and this affects any system that uses either X.org or Wayland, as well as the xf86-input-libinput X.org input driver. This vulnerability has been assigned CVE-2022-1215 (not public yet), however more details can be found at libinput security advisory.
To fix this vulnerability, update to libinput-1.20.1 or later using the instructions for libinput (sysv) or libinput (systemd).
In mutt before mutt-2.2.3, a buffer overflow in the uudecoder allows reading past the end of the input line. This has been assigned CVE-2022-1328 (awaiting analysis).
To fix this, update to mutt-2.2.3 or later using the instructions for Mutt (sysv) or Mutt (systemd).
The same vulnerability in zgrep which was fixed in zlib-1.2.12 also applies to using xzgrep from xz. Upstream has provided a patch. This vulnerability has been assigned CVE-2022-1271, see tuukani.org/xz.
To fix this, rebuild xz with the xz-5.2.5-upstream_fix-1.patch using the instructions at xz (sysv) or xz (systemd).
In ruby-3.1.2, two security vulnerabilities were fixed that could allow for application crashes and invalid memory reads. These vulnerabilities can be triggered when using Regular Expressions (regex), and when converting a string to a float object. In the case of the regex vulnerability, it is exploited using a crafted source string, and causes memory to be freed twice (a double free). In the case of the string-to-float conversion vulnerability, some conversion methods such as Kernel#Float and String#to_f cause a buffer over-read in some circumstances, leading to process termination and potentially invalid memory reads. These vulnerabilities have been assigned CVE-2022-28738 and CVE-2022-28739 (not yet public).
To fix these vulnerabilities, update to ruby-3.1.2 or later using the instructions from Ruby (sysv) or Ruby (systemd).
In git-2.35.3, a security vulnerability was fixed that can allow for local users to run commands from other repositories on the same system. The Git developers mention that all supported platforms with multiple users are affected in one way or another, and have released versions of Git for all maintenance branches to fix this vulnerability. On multi-user systems, Git users might find themselves unexpectedly in a Git worktree. This occurs due to insufficient validation, and can allow users to run commands defined by another user in another repository. A temporary workaround would be to create the folder '.git' on all volumes/folders where Git commands would be run, and then remove Read/Write/Execute rights from all users other than root. Update to git-2.35.3 or later if you're operating a system where multiple users may use Git. This vulnerability has been assigned CVE-2022-24765.
To fix this vulnerability, update to git-2.35.3 or later using the instructions from Git (sysv) or Git (systemd).
In gzip-1.12, a security vulnerability was fixed that can allow for arbitrary file overwrite and command execution when using 'zgrep' on a crafted archive. Upstream says that it's relatively hard to exploit, but the BLFS team has independently confirmed that exploiting this vulnerability is trivial. This vulnerability is only exploitable when GNU Sed is in use, and it occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This would allow a remote attacker to execute commands on a system, or overwrite files, when a user runs 'zgrep' on the file. Please update your gzip package as soon as possible. This vulnerability has been assigned CVE-2022-1271.
To fix this vulnerability, update to gzip-1.12 or later using the instructions from gzip (sysv) or gzip (systemd).
In Linux-5.17.3 (and 5.16.20, 5.15.34 and other stable releases on 2022-04-13) fixes were made for vulnerabilities in the Linux Kernel's ax25 networking subsystem. These vulnerabilities can cause remotely exploitable kernel panics and are all rated as Moderate by upstream. The vulnerabilities have been assigned CVE-2022-1199 (not yet public), CVE-2022-1204 (not yet public), and CVE-2022-1205 (not yet public), with preliminary details at RedHat CVE-2022-1199, RedHat CVE-2022-1204, and RedHat CVE-2022-1205.
To fix these, update to at least linux-5.17.3 (or linux-5.15.34 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
In libarchive-3.6.1, several security vulnerabilities were fixed that could allow for application crashes and arbitrary code execution. These occur in the 7zip reader, the ZIP reader, the ISO reader, and the RARv4 reader, as well as in the libarchive API. Note that these vulnerabilities have not been assigned CVEs, but are listed as security fixes by upstream. The primary attack vector for these vulnerabilities is API misuse in another application, with a malformed archive file also being a possibility. For more information, please see Release Libarchive 3.6.1.
To fix these vulnerabilities, update to libarchive-3.6.1 or later using the instructions for libarchive (sysv) or libarchive (systemd).
In Subversion-1.14.2, two security vulnerabilities were fixed that could allow for trivial denial-of-service and for arbitrary file paths to be read. In the case of the denial-of-service vulnerability, only servers that use mod_dav_svn in httpd are impacted. This occurs because mod_dav_svn servers will attempt to use memory which has already been freed, and subsequent attempts to access the same resource will immediately result in httpd crashing. However, in the case of the arbitrary file path read vulnerability, both standard svnserve servers and those which use the mod_dav_svn module in httpd are affected. This vulnerability occurs due to an improper logging implementation, causing sensitive information to be reported even if the information is supposed to be omitted. These vulnerabilities have been assigned CVE-2021-28544 and CVE-2022-24070.
To fix these vulnerabilities, update to Subversion-1.14.2 or later using the instructions for Subversion (sysv) or Subversion (systemd).
In WebKitGTK+-2.36.0, three security vulnerabilities were fixed that could allow for remote code execution. In all three vulnerabilities, the primary attack vector is maliciously crafted web content, as well as local content such as maliciously crafted JPEG or PNG images. Due to the lack of details, updating to WebKitGTK+-2.36.0 is highly recommended. These vulnerabilities have been assigned CVE-2022-22624, CVE-2022-22628, and CVE-2022-22629.
To fix these vulnerabilities, update to WebKitGTK+-2.36.0 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In Seamonkey-2.53.11.1, the same security vulnerabilities that were fixed in Firefox (and Thunderbird) 91.7.0 have had their fixes ported over. This includes fixes for a browser spoofing vulnerability, a sandbox bypass, an unauthorized addon modification vulnerability, a remotely exploitable crash, and a bug that allows for temporary files downloaded to /tmp to be accessible by other users. These vulnerabilities have been assigned CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, and CVE-2022-26386.
To fix these vulnerabilities, update to Seamonkey-2.53.11.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In libsndfile-1.1.0, several security vulnerabilities were fixed that could allow for heap buffer overflows (causing arbitrary code execution) and denial of service (index out of bounds and uninitialized variables). Since these vulnerabilities were found by oss-fuzz, no CVEs were assigned. However, upstream does list these as security fixes. For more details, please visit Release 1.1.0. If CVEs are assigned for these vulnerabilities in the future, this advisory will be updated.
To fix these vulnerabilities, update to libsndfile-1.1.0 or later using the instructions for libsndfile (sysv) or libsndfile (systemd).
In Thunderbird-91.8.0, several security vulnerabilities were fixed that could allow for remote code execution, memory corruption, remotely exploitable crashes, revoked OpenPGP keys to stay active, and browser spoofing attacks. Similar to previous Thunderbird vulnerabilities, emails that contain HTML in them can be used as an attack vector. As a result, it's recommended that you update as soon as possible. These vulnerabilities have been assigned CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, and CVE-2022-28289.
To fix these vulnerabilities, update to Thunderbird-91.8.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
Another batch of CVEs from Chromium have been fixed in QtWebEngine-5.15.9, and some of these have been actively exploited. As well as those listed below, the Critical vulnerability in the shipped expat-2.4.3 has been fixed. But modern LFS provides a system version of expat which is used, and that was updated before our 11.1 release. If you are on an older LFS system and have not yet updated expat, see the 11.0-068 and 11.1-086 advisories below. The new vulnerabilities are: CVE-2022-1096 (not yet public), CVE-2022-0971 (not yet public), CVE-2022-0610, CVE-2022-0609, CVE-2022-0608, CVE-2022-0607, CVE-2022-0606, CVE-2022-0461, CVE-2022-0460, CVE-2022-0459, CVE-2022-0456, CVE-2022-0311, CVE-2022-0310, CVE-2022-0306, CVE-2022-0305, CVE-2022-0298, CVE-2022-0293, CVE-2022-0291, CVE-2022-0289, CVE-2022-0117, CVE-2022-0116, CVE-2022-0113, CVE-2022-0111, CVE-2022-0109, CVE-2022-0108, CVE-2022-0104, CVE-2022-0103, CVE-2022-0102, CVE-2022-0100.
To fix these, update to 5.15.9 or a later version using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
In firefox 91.8.0 eight CVE issues, three rated High, were fixed. These are listed in mfsa-2022-14. The CVEs are CVE-2022-1097 (Not yet public), CVE-2022-1196 (Not yet public), CVE-2022-24713, CVE-2022-28281 (Not yet public), CVE-2022-28282 (Not yet public), CVE-2022-28285 (Not yet public), CVE-2022-28286 (Not yet public), CVE-2022-28289 (Not yet public).
To fix these, update to firefox-91.8.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
Zlib-1.2.12 fixes a vulnerability which allows memory corruption when deflating (i.e. compressing) if the input has many distant matches, see CVE-2018-25032.
To fix this, update to zlib-1.2.12 or later using the instructions for Zlib (sysv) or Zlib (systemd).
Note that the update will cause 9 test failures in the Perl test suite and these failures should be ignored. And, if you are going to strip the debug symbols for your LFS system, you need to adjust the filename of the zlib library in the stripping instruction.
In Linux-5.17.1 (and 5.16.18, 5.15.32 and other stable releases on 2022-03-28), fixes were made for two vulnerabilities in the kernel's nf_tables code, one rated as high. The vulnerabilities have been assigned CVE-2022-1015 (not yet public) and CVE-2022-1016 (not yet public) with preliminary details at RedHat CVE-2022-1015 and RedHat CVE-2022-1016.
To fix these, update to at least linux-5.17.1 (or linux-5.15.32 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
In Thunderbird-91.7.0, several security vulnerabilities were fixed that could allow for browser window spoofing, sandbox escapes (and thus remote code execution), unauthorized add-on modification, exploitable crashes, and for temporary files to be downloaded to /tmp instead of the user's home directory. Note that the unauthorized add-on modification vulnerability occurs due to a race condition, while the sandbox bypass vulnerability occurs when processing iframes in HTML mail, and that the remotely exploitable crashes occur when a crafted SVG file is loaded as an attachment or when it is embedded in an HTML mail. These vulnerabilities have been assigned CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, and CVE-2022-26386.
To fix these vulnerabilities, update to Thunderbird-91.7.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In BIND-9.18.1, four security vulnerabilities were fixed that could allow for denial-of-service conditions (resource exhaustion due to infinite loops and unexpected crashes), and for DNS cache poisoning. In the case of DNS cache poisoning, it's possible for bogus NS records to be cached and used by named if named needs to recurse for any reason, causing it to obtain and pass on incorrect records. This will cause the client-side cache to become poisoned with incorrect records, leading to queries being made to the wrong servers and thus resulting in false information being returned to clients. This could allow for cache poisoning and for clients to be redirected to malicious sites instead of the original website that they were attempting to access. Note that all four of these vulnerabilities are exploitable remotely, and one of them is only applicable to 32-bit systems. These vulnerabilities have been assigned CVE-2022-0667, CVE-2022-0635, CVE-2022-0396, and CVE-2021-25220.
To fix these vulnerabilities, update to BIND-9.18.1 or later using the instructions for BIND (sysv) or BIND (systemd).
In node.js-16.14.2 the same vulnerability that was fixed in 11.1-012 is reported to have been fixed. Although BLFS links to shared OpenSSL, Node builds using a copy of the OpenSSL headers (1.1.1n in this version) with some changes and additions (in particular, 'quic' protocol support). It is uncertain if using the updated shared system OpenSSL library without updating Node.js would be an adequate remedy.
The vulnerability is CVE-2021-3711. To fix this vulnerability, update to Node.js-16.14.2 or later using the instructions for node.js (sysv) or node.js (systemd).
In httpd-2.4.53, four security vulnerabilities were fixed. One of the security vulnerabilities can cause a crash; the others can allow HTTP Request Smuggling, an integer overflow leading to an Out Of Bounds Write on 32-bit systems, and overwriting heap memory with attacker provided data. These vulnerabilities have been assigned CVE-2022-22719, CVE-2022-22720, CVE-2022-22721 and CVE-2022-23943.
To fix these vulnerabilities, update to httpd-2.4.53 or later using the instructions for Apache (sysv) or Apache (systemd).
A bug which can cause OpenSSL to loop forever when parsing a crafted certificate was fixed in versions 3.0.2 and 1.1.1n. CVE-2022-0778 has been assigned, details at CVE-2021-3711 and openssl 20220315.
To fix this, if using OpenSSL-3 update to OpenSSL-3.0.2 or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd) or if using OpenSSL-1.1.1 update to OpenSSL-1.1.1n or later following the instructions from the LFS-11.0 book but using version 1.1.1n for OpenSSL (sysv) or OpenSSL (systemd).
In Linux-5.16.14, workarounds for hardware vulnerabilities named Branch History Injection have been added. These vulnerabilities may be exploited to cause sensitive information leakage. Read the paper for the details. The vulnerabilities have been assigned CVE-2022-0001 and CVE-2022-0002 (for x86), and CVE-2022-23690 (for ARM, not disclosed yet).
To work around them, update to at least linux-5.16.14 (or 5.15.28, 5.10.105, 5.4.184, 4.19.234, 4.14.271, 4.9.306 for older systems using LTS stable kernels) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd), and disable the unprivileged BPF syscall via the kernel configuration option BPF_UNPRIV_DEFAULT_OFF=y or the sysctl kernel.unprivileged_bpf_disabled=2.
This security update may have a performance impact especially on AMD CPUs, but the benchmark from LFS editors shows the impact is marginal.
In vim-8.2.4567, a vulnerability causing vim to overflow a heap buffer and crash when handling "z=" in visual mode has been found and fixed. This vulnerability has been assigned CVE-2022-0943.
To fix this vulnerability, update to vim-8.2.4567 or later using the instructions for vim (sysv) or vim (systemd).
In Linux since 5.8, a local privilege escalation vulnerability known as 'Dirty Pipe' has been discovered, see dirtypipe. This has been assigned CVE-2022-0847 (Not yet public).
To fix this, update to at least linux-5.16.11 (or 5.15.25, 5.10.102 for older systems using LTS stable kernels) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
Similar to Thunderbird and Firefox, Seamonkey is vulnerable to CVE-2022-26485 (the XSLT processing vulnerability). This vulnerability exists when an XSLT parameter is removed during processing, and results in an exploitable use-after-free and subsequent remote code execution with a sandbox escape. This vulnerability is being actively exploited in the wild. Since no new version of Seamonkey is available to fix this vulnerability, the BLFS Editors have crafted a patch which backports the fix from Firefox so that the vulnerability is fixed. Note that Seamonkey is not vulnerable to the WebGPU Processing Vulnerability. Rebuild Seamonkey with the patch as soon as possible. This vulnerability has been assigned CVE-2022-26485.
To fix this vulnerability, rebuild Seamonkey with the patch (or update to a later version) using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In Thunderbird-91.6.2, two security issues which were rated as Critical were resolved. One of these vulnerabilities has to do with XSLT processing, and the other is in the WebGPU IPC Framework. The XSLT processing issue occurs when a parameter is removed during processing, which results in an exploitable use-after-free and subsequent remote code execution with a sandbox escape. The WebGPU vulnerability is similar to the XSLT processing issue, where an unexpected message can lead to a use-after-free resulting in subsequent remote code execution and sandbox escapes. There are multiple active attacks in the wild which are abusing these flaws, and it is thus recommended that you update to Thunderbird-91.6.2 immediately. These vulnerabilities have been assigned CVE-2022-26485 and CVE-2022-26486.
To fix these vulnerabilities, update to Thunderbird-91.6.2 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In firefox 91.6.1 two CVE issues rated Critical were fixed (attacks in the wild). These are listed in mfsa-2022-09. Shortly afterwards, firefox-91.7.0 was released with five more CVE issues fixed, listed in mfsa-2022-11. The CVEs are CVE-2022-26485 (Not yet public), CVE-2022-26486 (Not yet public), CVE-2022-26381 (Not yet public), CVE-2022-26383 (Not yet public), CVE-2022-26384 (Not yet public), CVE-2022-26386 (Not yet public), CVE-2022-26387 (Not yet public).
To fix these, update to firefox-91.7.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In seamonkey-2.53.11, all security vulnerabilities from Firefox/Thunderbird 91.5.0-91.6.1 have been fixed. These security vulnerabilities include fullscreen window spoofing, out-of-bounds memory access, denial of service, heap buffer overflows leading to arbitrary and remote code execution, sandbox escapes, information disclosure, stealth extension updates, unexpected image processing/execution, and security policy bypasses. Most notably, this update prevents attacks where an attacker could take over a system via sending a maliciously crafted email by importing the security fix from Thunderbird-91.6.1. Note that almost all of these vulnerabilities are exploitable remotely and without user interaction. These security vulnerabilities have been assigned CVE-2022-22746, CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22744, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751, CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, CVE-2022-22764, and CVE-2022-0566.
To fix these vulnerabilities, update to seamonkey-2.53.11 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
A security vulnerability was discovered in polkit-0.120 that can lead to a local denial of service. This occurs due to file descriptor exhaustion, and can be exploited by an unprivileged user. However, this is marked as Low because no severity is available from Red Hat at this time, and just results in polkitd crashing. Polkitd will then get restarted via dbus the next time that it is required, so user impact is minimal. This vulnerability has been assigned CVE-2021-4115.
To fix this vulnerability, rebuild polkit-0.120 with the new patch using the instructions for Polkit (sysv) or Polkit (systemd), or update to polkit-0.121 (or a later version) when it becomes available.
In FLAC-1.3.4, two security vulnerabilities were fixed that could allow for remote information disclosure with no privileges required. One of these vulnerabilities requires user interaction to exploit, while the other does not. Both of these security vulnerabilities are due to memory safety issues in the encoder, being out-of-bounds read/write vulnerabilities leading to heap buffer overflows. These vulnerabilities can only be exploited by playing a malicious file, so applications such as tracker-miners (which index files on a hard disk) are not impacted. These vulnerabilities have been assigned CVE-2020-0499 and CVE-2021-0561.
To fix these vulnerabilities, update to FLAC-1.3.4 or later using the instructions for FLAC (sysv) or FLAC (systemd).
In cyrus-sasl-2.1.28, two security vulnerabilities were fixed that could allow for password/information leakage and for denial of service. The denial of service vulnerability exists in the 'common.c' file that is included in all SASL plugins and in the 'libsasl2.so' library itself. The password/information leakage vulnerability exists in the SQL plugin for SASL, and is due to it not escaping the password for an SQL INSERT or UPDATE statement. Both of these vulnerabilities can be exploited remotely. These vulnerabilities have been assigned CVE-2019-19906 and CVE-2022-24407.
To fix these vulnerabilities, update to cyrus-sasl-2.1.28 or later using the instructions for Cyrus-SASL (sysv) or Cyrus-SASL (systemd).
In vim-8.2.4489, four vulnerabilities causing vim to crash when handling certain operation sequences or multibyte characters have been found and fixed. These vulnerabilities have been assigned CVE-2022-0685, CVE-2022-0696, CVE-2022-0714, and CVE-2022-0729.
To fix these vulnerabilities, update to vim-8.2.4489 or later using the instructions for vim (sysv) or vim (systemd).
In Thunderbird-91.6.1, a security vulnerability was fixed that could allow for remote code execution when processing new emails. This occurs due to an out-of-bounds write that causes one additional byte to be written into memory when processing a crafted email message. Note that this email does not have to be opened; the vulnerability is exploited when Thunderbird processes the email to add it to its index. This vulnerability has been assigned CVE-2022-0566.
To fix this vulnerability, update to Thunderbird-91.6.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In WebKitGTK+-2.34.6, a security vulnerability was fixed that allows for trivial remote code execution, and that requires no user interaction. This vulnerability has been rated as an emergency by Apple, and has resulted in out-of-band security updates for all of its devices. Processing maliciously crafted images can result in trivial remote code execution, and Apple is aware of several reports that this issue is being actively exploited. This issue is classified as a use-after-free and was fixed in WebKitGTK+ with improved memory management. Due to the severity of this vulnerability and the fact that the vulnerability is being actively exploited, the BLFS team recommends updating to WebKitGTK+-2.34.6 immediately. This vulnerability has been assigned CVE-2022-22620, but additional information can be found at Apple Security Advisory and WSA-2022-0003.
To fix this vulnerability, update to WebKitGTK+-2.34.6 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In expat-2.4.5, several security vulnerabilities were fixed that could allow for remote code execution and denial of service. One of these vulnerabilities allows for remote code execution due to missing validation of UTF-8 characters, such as checks for whether a UTF-8 character is valid in a certain context. This could allow for the characters to be passed elsewhere in the stack, and lead to remote code execution. Another vulnerability exists that allows attackers to insert namespace-separator characters into namespace URIs, allowing for trivial remote code execution or unauthorized access to information. Another vulnerability exists in the build_model function that allows for a denial of service due to stack exhaustion (application crash). In the functions storeRawNames and copyString, integer overflow vulnerabilities exist that allow for remote code execution when processing XML files. Similar to the libxml2 and libxslt vulnerabilities, these can be exploited trivially through malicious advertisements and other crafted web content, but also through other means depending on the context of an application that uses these libraries. The BLFS team recommends updating to expat-2.4.6 as soon as possible. These vulnerabilities have been assigned CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, and CVE-2022-25315.
To fix these vulnerabilities, update to expat-2.4.5 or later using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
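The integer-overflow class shared by the libxml2 buffer functions (CVE-2022-29824, above) and expat's storeRawNames and copyString, shown as an added C example of the checked growth pattern that the fixes rely on. This is not code from either library; the xbuf type, the XBUF_MAX limit and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A minimal growable byte buffer, modelled on what an XML parser keeps for
 * element content, but not taken from libxml2 or expat. */
typedef struct {
    unsigned char *content;
    size_t use;    /* bytes currently stored, not counting the terminator */
    size_t size;   /* bytes allocated */
} xbuf;

/* Hard ceiling (hypothetical value). Keeping every size well below SIZE_MAX
 * means the arithmetic below can never wrap, even on a multi-gigabyte input. */
#define XBUF_MAX ((size_t)1 << 31)

int xbuf_init(xbuf *b, size_t initial)
{
    if (initial == 0 || initial > XBUF_MAX) return -1;
    b->content = malloc(initial);
    if (!b->content) return -1;
    b->content[0] = 0;
    b->use = 0;
    b->size = initial;
    return 0;
}

void xbuf_free(xbuf *b)
{
    free(b->content);
    b->content = NULL;
    b->use = b->size = 0;
}

/* Make room for `extra` more bytes plus a terminator.
 * The unchecked form of this is the bug: `need = b->use + extra + 1` wraps
 * when extra is close to SIZE_MAX, `need <= b->size` then holds, and the
 * caller copies far past the allocation. Here both the addition and the
 * doubling are bounded before they are performed. */
int xbuf_grow(xbuf *b, size_t extra)
{
    size_t need, newsize;
    unsigned char *p;

    if (b->use >= XBUF_MAX || extra > XBUF_MAX - b->use - 1)
        return -1;                         /* would exceed the limit or wrap */
    need = b->use + extra + 1;             /* safe: need <= XBUF_MAX */
    if (need <= b->size)
        return 0;

    newsize = b->size;
    while (newsize < need) {
        if (newsize > XBUF_MAX / 2) {      /* doubling would pass the limit */
            newsize = XBUF_MAX;
            break;
        }
        newsize *= 2;
    }
    p = realloc(b->content, newsize);
    if (!p) return -1;
    b->content = p;
    b->size = newsize;
    return 0;
}

/* Append len bytes; fails cleanly instead of writing out of bounds. */
int xbuf_add(xbuf *b, const unsigned char *data, size_t len)
{
    if (xbuf_grow(b, len) != 0) return -1;
    memcpy(b->content + b->use, data, len);
    b->use += len;
    b->content[b->use] = 0;
    return 0;
}
```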
In libxml2-2.9.13, a security vulnerability was fixed that could allow for a remote attacker to cause an application crash or cause remote code execution to occur. This occurs due to a use-after-free in the functions that handle ID and IDREF attributes, which are extremely common in XML documents. This update also included fixes for several memory leaks, use-after-free vulnerabilities, and null-pointer dereference crashes in other functions within the libxml2 library. Similar to the libxslt vulnerabilities, these vulnerabilities have been spotted in the wild during attacks utilizing malicious advertisements. The BLFS team recommends updating to libxml2-2.9.13 as soon as possible. This vulnerability has been assigned CVE-2022-23308.
To fix this vulnerability, update to libxml2-2.9.13 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).
In PHP-8.1.3, a security vulnerability was fixed that could allow for a denial of service. This vulnerability occurs due to a logic error in the php_filter_float() function that leads to a use-after-free vulnerability due to it permitting integers to be passed to input that is only supposed to accept floating point numbers. According to Red Hat, this flaw allows an attacker to inject a malicious file, leading to a segmentation fault. If you are not using the php_filter_float() function, upgrading is not important. However, if you are using the php_filter_float() function, you should update as soon as possible. This vulnerability has been assigned CVE-2021-21708.
To fix this vulnerability, update to PHP-8.1.3 or later using the instructions for PHP (sysv) or PHP (systemd).
In libxslt-1.1.35, a security vulnerability was fixed that could allow for remote attackers to exploit heap corruption via a use-after-free in the xsltApplyTemplates function. This vulnerability was originally discovered in Google Chrome (and thus QtWebEngine is affected), where remote attackers were using malicious advertisements with crafted XML documents embedded to cause remote code execution. The vulnerability was found to be in the libxslt library. Additionally, two memory leaks and a double-free (which could lead to denial of service) were fixed. The BLFS team recommends updating to libxslt-1.1.35 as soon as possible, especially if you have QtWebEngine installed. This vulnerability has been assigned CVE-2021-30560.
To fix this vulnerability, update to libxslt-1.1.35 or later using the instructions for libxslt (sysv) or libxslt (systemd).
In util-linux-2.37.4, a security vulnerability was fixed that could allow for local attackers to read information that is normally accessible only by the 'root' user. This vulnerability exists in the 'chsh' and 'chfn' utilities when compiled with support for libreadline, which is the default in LFS. The readline library uses the INPUTRC environment variable to get a path to the user's input settings from /etc/inputrc, but when the library cannot parse the specified file, it prints an error containing data from the file. An example attacker is a user setting INPUTRC to /etc/passwd, and then running chsh (or any other setuid-root application). This flaw thus allows an unprivileged user to read root-owned files, which can lead to privilege escalation and unauthorized access to privileged information. This vulnerability has been assigned CVE-2022-0563.
To fix this, upgrade to util-linux-2.37.4 or later using the instructions at util-linux (sysv) or util-linux (systemd). Please be aware that on older systems where the linux headers include 'linux/raw.h' you will need to add '--disable-raw' to the configure, and on systems before /usr was merged (LFS-10.1 and earlier) you should omit '--libdir=/usr/lib' to ensure that the libraries overwrite the existing libraries in /lib.
Another heap-based buffer overflow, causing a crash when repeatedly using :retab, was fixed in vim-8.2.4359. This has been assigned CVE-2022-0572 (undergoing analysis).
To fix this vulnerability update to vim-8.2.4383 or later using the instructions for vim (sysv) or vim (systemd).
BLFS updated to ImageMagick-7.1.0-25 from 7.1.10-4. The changes include two fixes for apparent security vulnerabilities: in 7.1.0-5 fixing a heap-based buffer overflow in the TIFF coder, and in 7.1.0-13 fixing a stack overflow when parsing a malicious ps image file. No further details of these are available.
To fix these, update to ImageMagick-7.1.0-25 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).
In MariaDB-10.6.7, several security vulnerabilities were fixed that could allow for application crashes and information disclosure when executing certain SELECT commands. One of these issues occurs due to incorrect usage of used_tables inside of the API. Another occurs due to improper usage of the sub_select_postjoin_aggr() function in the API. Another one occurs due to improper usage of the find_field_in_tables and find_order_in_list API calls due to an unused table common table expression. The rest of the vulnerabilities occur when a SELECT DISTINCT statement is too long, such that they interact with storage-engine resource limitations, and when SELECT is called with other unspecified options. These vulnerabilities have been assigned CVE-2021-46665, CVE-2021-46664, CVE-2021-46661, CVE-2021-46668, CVE-2021-46663, CVE-2022-24052, CVE-2022-24051, CVE-2022-24050, CVE-2022-24048, and CVE-2021-46659.
To fix these vulnerabilities, update to MariaDB-10.6.9 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).
In Exempi-2.6.1, several security vulnerabilities were fixed that could allow for information disclosure, vulnerability mitigation bypass, application crashes, arbitrary code execution, and remote code execution. Most of these vulnerabilities are due to stack-based buffer overflows and memory corruption issues, but a few of them are caused by use-after-free problems which result in application crashes. In theory, these vulnerabilities are exploitable by downloading files on systems where Tracker is installed and configured to index the user's home directory, but the primary attack vector listed is users who open crafted files. Due to the highly exploitable nature of these vulnerabilities though, updating to Exempi-2.6.1 as soon as possible is recommended. These vulnerabilities have been assigned CVE-2021-40716, CVE-2021-40732, CVE-2021-36045, CVE-2021-36046, CVE-2021-36052, CVE-2021-36047, CVE-2021-36048, CVE-2021-36050, CVE-2021-36051, CVE-2021-39847, CVE-2021-36053, CVE-2021-36054, CVE-2021-36055, CVE-2021-36056, CVE-2021-36057, CVE-2021-36064, and CVE-2021-36058.
To fix these vulnerabilities, update to Exempi-2.6.1 or later using the instructions for Exempi (sysv) or Exempi (systemd).
In Thunderbird-91.6.0, several security vulnerabilities were fixed that could allow for extension updates to be completed without the users' permission, for images to be dragged-and-dropped as executables, for sandboxed HTML to execute JavaScript, for cross-origin responses to be distinguished between script and non-script content types, for content security policy bypasses, for arbitrary code execution via script execution during an invalid object state, and for remotely-exploitable crashes to occur. These vulnerabilities cannot be exploited, in general, through normal email usage, except for through HTML mail. These vulnerabilities have been assigned CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, and CVE-2022-22764.
To fix these vulnerabilities, update to Thunderbird-91.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Samba-4.15.3, three security vulnerabilities were fixed that could allow for an information leak, for trivial remote code execution, and for the ability to impersonate services on an Active Directory network. The information leak vulnerability occurs via symlinks, and can notify the user of the existence of a file or folder outside of an exported directory share. The remote code execution is trivial to exploit and allows remote attackers to easily execute arbitrary code as root on affected Samba servers which use the VFS module vfs_fruit. This vulnerability exists within the parsing of EA metadata when opening files in smbd. Note that vfs_fruit is most commonly used when an Apple Macintosh device is on the network. This particular vulnerability has been rated a 9.9/10 by NVD. The Active Directory impersonation vulnerability occurs due to checks being bypassed. These checks are supposed to prevent aliased SPNs from being mixed up with standard users. An attacker can exploit this vulnerability by writing to an account that is identical to the name of an existing service. This also allows an attacker to intercept traffic intended for those services, allowing for a significant loss of confidentiality and integrity. These vulnerabilities have been assigned CVE-2021-44141, CVE-2021-44142, and CVE-2022-0336.
To fix these vulnerabilities, update to Samba-4.15.3 or later using the instructions for Samba (sysv) or Samba (systemd) immediately.
In WebKitGTK+-2.34.5, several security vulnerabilities were fixed that could allow for remote code execution, unauthorized information disclosure, application crashes, content security policy bypasses, and malicious JavaScript execution. One of these vulnerabilities has a proof-of-concept exploit available which exfiltrates information out of cookies. Most of these vulnerabilities occur due to memory corruption issues that arise from processing maliciously crafted web pages, videos, and other web content. Updating as soon as possible is advised. These vulnerabilities have been assigned CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, CVE-2021-30984, CVE-2022-22594, CVE-2021-45481, CVE-2021-45482, CVE-2021-45483, CVE-2022-22589, CVE-2022-22590, and CVE-2022-22592.
To fix these vulnerabilities, update to WebKitGTK+-2.34.5 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In gst-plugins-base-1.18.6 (and 1.20.0), a security vulnerability was fixed that could allow for application crashes when presented with malformed files. This occurred when calling upon tagdemux during processing of a malicious MP3 file, and happens due to a race condition between typefinding and the end-of-stream event. This vulnerability can be exploited via WebKitGTK+-based browsers by visiting a web page with a corrupted MP3 file present on the page. This vulnerability has not been assigned a CVE, but more details can be found at Gstreamer Issue 967.
To fix this vulnerability, update to gstreamer-1.18.6 or 1.20.0 or later using the instructions for gst-plugins-base (sysv) or gst-plugins-base (systemd).
If you decide to update to gst-plugins-base-1.20.0, you must update the entire stack to 1.20 at the same time.
In zsh-5.8.1, a security vulnerability was fixed that could allow for malicious command execution through the PROMPT_SUBST expansion. An attacker can achieve code execution if they control a command output inside the prompt. This has been demonstrated upstream via the %F argument, and a proof of concept exploit exists that can be used to trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name. This was fixed in the shell via preventing PROMPT_SUBST evaluation on prompt-expansion arguments. This vulnerability has been assigned CVE-2021-45444.
To fix this vulnerability, update to zsh-5.8.1 or later using the instructions for zsh (sysv) or zsh (systemd).
In Wireshark-3.6.2, several security vulnerabilities were fixed that could allow for a remote attacker to cause a denial-of-service due to application crashes and excessive resource consumption. These issues can be exploited on a network where AMP, ATN-ULCS, ASN.1, BP, GDSDB, OpenFlow v5, P_MUL, SoulSeek, TDS, WBXML, WSP, ZigBee ZCL, RTMPT, PVFS, CSN.1, or CMS packets are being transmitted. Note that this is also exploitable via a malicious packet trace file, although the primary attack vector is packets traveling across a network when Wireshark is run. There are no CVEs for these issues, however they have been assigned advisories upstream. More information about these vulnerabilities can be found at wnpa-sec-2022-01, wnpa-sec-2022-02, wnpa-sec-2022-03, wnpa-sec-2022-04, and wnpa-sec-2022-05.
To fix these vulnerabilities, update to Wireshark-3.6.2 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
In libarchive-3.6.0, two security vulnerabilities were fixed that could allow for symlink attacks and for a denial of service. One of these vulnerabilities occurs in the copy_string() function, and is classified as a use-after-free that results in a denial of service. The other one occurs when processing the fixup list while extracting an archive. Note that these vulnerabilities can occur in any program which uses libarchive, but the primary attack vector is a user downloading a malicious archive. These vulnerabilities have been assigned CVE-2021-31566 and CVE-2021-36976.
To fix these vulnerabilities, update to libarchive-3.6.0 or later using the instructions for libarchive (sysv) or libarchive (systemd).
In libgcrypt-1.10.0, a security vulnerability was fixed that allows for plaintext encryption key recovery when using the ElGamal implementation in libgcrypt. This was previously fixed in 1.9.4, but the fix was improved upon in libgcrypt-1.10.0. The issue occurs during the interaction between two cryptographic libraries and a dangerous combination of the prime defined by the receiver's public key as well as the generator in the public key and the sender's ephemeral exponents. This allows for a cross-configuration attack leading to plaintext encryption key recovery. This vulnerability has been assigned CVE-2021-40528.
To fix this vulnerability, update to libgcrypt-1.10.0 or later using the instructions for libgcrypt (sysv) or libgcrypt (systemd).
In glibc-2.35, four security vulnerabilities were fixed that could allow for denial of service, remote code execution, information disclosure, arbitrary code execution, and privilege escalation. One of these vulnerabilities occurs due to an off-by-one buffer overflow and underflow in the getcwd() function, which may lead to memory corruption when the size of the buffer is exactly '1'. A local attacker who has the capability of controlling the input buffer and size passed to getcwd() in a SUID-bit enabled program can use this flaw to elevate privileges and execute arbitrary code on the system. Another vulnerability is caused by the realpath() function: in applications which use the realpath_stk() function, it is possible to have unintentional information leakage and disclosure of sensitive data due to an unexpected value being returned with the contents of memory. Another vulnerability exists in the svcunix_create() function in the SunRPC module in glibc. This occurs when the svcunix_create() function copies its path argument on the stack without validating its length, which results in a buffer overflow and remote code execution (or crashes). The fourth and final vulnerability exists in the clnt_create() function in the SunRPC module. The clnt_create function will copy its hostname argument on the stack without validating its length, which results in a buffer overflow and remote code execution or application crashes. These vulnerabilities have been assigned CVE-2022-23219, CVE-2022-23218, CVE-2021-3998, and CVE-2021-3999.
Properly fixing these vulnerabilities can be tricky. To fix them, take a full system backup, and then rebuild glibc with the patch found at glibc-2.34-security_fixes-1.patch, using the instructions for glibc from glibc (sysv) or glibc (systemd).
In Expat-2.4.4, two security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service. These vulnerabilities are classified as signed integer overflows. One of the vulnerabilities occurs when a program calls upon XML_GetBuffer in configurations with a non-zero value of XML_CONTENT_BYTES. The other vulnerability occurs when processing large content via the doProlog function. These vulnerabilities have been assigned CVE-2022-23990 and CVE-2022-23852.
To fix these, update to Expat-2.4.4 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
Intel microcode for Skylake and later processors has been updated to fix two vulnerabilities: a privilege escalation on certain recent Pentium, Celeron and Atom processors (Intel-SA-00528, CVE-2021-0146), and, for all Skylake and later processors, a local Denial of Service (Intel-SA-00532, CVE-2021-0127).
To fix these, update to at least microcode-20220207 using the instructions for About Firmware (sysv) or About Firmware (systemd).
In firefox 91.6.0 several CVE issues, two rated High, were fixed. These are listed in mfsa-2022-05. The CVEs are CVE-2022-22754 (Not yet public), CVE-2022-22756 (Not yet public), CVE-2022-22759 (Not yet public), CVE-2022-22760 (Not yet public), CVE-2022-22761 (Not yet public), CVE-2022-22763 (Not yet public), CVE-2022-22766 (Not yet public).
To fix these, update to firefox-91.6.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).
In Linux before 5.16.2 or 5.15.16 (current long term stable) a local privilege escalation via heap overflow exists. Details at oss-security. This has been assigned CVE-2022-0185 (Not yet public). Please note that linux-5.16.2 and 5.15.16 had a vulnerability in ext4 which could lead to data loss.
Additionally, in Linux before 5.16.4 or 5.15.18 there is a random memory access flaw in the i915 driver which a malicious user can use to crash the system or elevate their privileges. See oss-security. This has been assigned CVE-2022-0330 (Not yet public).
To fix these, update to Linux 5.16.4 or later, or Linux-5.15.18 or later (if you prefer to stick with long-term stable 5.15), or versions from 2022-01-29 or later (if for some reason you are using an older stable kernel series), using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
In addition, there was a bug allowing privilege escalation in the kernel's vmwgfx driver (apparently not exploitable if qemu is used). See oss-security. This has been assigned CVE-2022-22942 (Not yet public). The proposed fix for this did not appear on the kernel mailing list, but was included in linux-5.16.4 and other stable kernels released at the same time. Therefore, the workaround to disable the vmwgfx driver on affected systems is not required if you upgrade to linux-5.16.4 or later, or linux-5.15.18 or later.
Several vulnerabilities, three rated as Critical, have been fixed in expat-2.4.3. See CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826 and CVE-2022-22827.
To fix this, update to Expat-2.4.3 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
Many security vulnerabilities in vim have been fixed in versions up to vim-8.2.4236. Fifteen of these have been rated as High by the NVD. Unfortunately, the details are minimal. These vulnerabilities have been assigned CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, and CVE-2022-0213.
To fix these vulnerabilities, update to vim-8.2.4236 or later using the instructions for vim (sysv) or vim (systemd).
Two bugs in libmount since version 2.33 have been discovered. These apply to fuse mounts, but one of the examples shows fuse being used to umount /tmp. See oss-security. The CVEs are CVE-2021-3995 (Not yet public) and CVE-2021-3996 (Not yet public).
To fix this, upgrade to util-linux-2.37.3 or later using the instructions at util-linux (sysv) or util-linux (systemd). Please be aware that on older systems where the linux headers include 'linux/raw.h' you will need to add '--disable-raw' to the configure, and on systems before /usr was merged (LFS-10.1 and earlier) you should omit '--libdir=/usr/lib' to ensure that the libraries overwrite the existing libraries in /lib.
An Out Of Bounds Write was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. Please see CVE-2021-45930.
To fix this apply the qt-everywhere-src-5.15.2-kf5.15-2.patch (or a later version of the patch if one exists) using the instructions at Qt5 (sysv), or Qt5 (systemd).
In all versions of rust before 1.58.1 an attacker can exploit a race condition to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. The rust security advisory https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html explains this. Pending further analysis, this is rated as High and if you have any privileged rust programs they should be rebuilt if they use this function on paths that may be manipulated with lesser privileges. The programs in BLFS which use rust do not install any privileged programs so most BLFS users who have installed rust will only need to upgrade it.
Please see CVE-2022-21658.
To fix rust, update to rustc-1.58.1 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).
In polkit-0.120, a trivially exploitable vulnerability allowing local privilege escalation has been identified. This vulnerability affects polkit back to 0.92. The details can be found at this Qualys Security Advisory. The vulnerability has been assigned CVE-2021-4034 (not disclosed yet).
To fix this, apply the patch for polkit >=0.114, <=0.120, or the rebased patch for polkit >=0.92, <=0.113, and rebuild polkit. An earlier suggested workaround, for users who don't use the functionality of the pkexec command, was to unset the SUID bit on it with chmod -s /usr/bin/pkexec as the root user. (This is a bad idea because it can break laptop backlight control in at least GNOME and XFCE, so it has been struck out.)
A security advisory has been published by GnuTLS developers: GNUTLS-SA-2022-01-17. This vulnerability has been classified as a memory corruption vulnerability in the gnutls_x509_trust_list_verify_crt() function which occurs when a single trust list object is shared among multiple threads. A CVE identifier has not been issued for this vulnerability.
To fix this vulnerability, update to GnuTLS 3.7.3 or a later version using the instructions for GnuTLS (sysv), or GnuTLS (systemd).
Thirty-one more CVEs (from Chromium) in QtWebEngine, of which at least seventeen are rated as High, have been fixed in the 5.15.8 version: CVE-2021-4102, CVE-2021-4101, CVE-2021-4099, CVE-2021-4098, CVE-2021-4079, CVE-2021-4078, CVE-2021-4062, CVE-2021-4059, CVE-2021-4058, CVE-2021-4057, CVE-2021-38022, CVE-2021-38021, CVE-2021-38019, CVE-2021-38018, CVE-2021-38017, CVE-2021-38015, CVE-2021-38012, CVE-2021-38010, CVE-2021-38009, CVE-2021-38007, CVE-2021-38005, CVE-2021-38003, CVE-2021-38001, CVE-2021-37996, CVE-2021-37993, CVE-2021-37992, CVE-2021-37989, CVE-2021-37987, CVE-2021-37984, CVE-2021-3541, CVE-2021-3517.
To fix these, update to 5.15.8 or a later version using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
In Thunderbird-91.5.0, several security vulnerabilities were fixed that could allow for being unable to leave fullscreen mode, for out-of-bounds memory access (when inserting text in edit mode), for use-after-free crashes when certain network request objects were freed too early, for crashes when processing CSS filter effects, for crashes when playing audio files, for iframe sandbox escapes, origin spoofs, leakage of cross-origin URLs through the securitypolicyviolation event, and for remote code execution due to memory safety issues. An additional security vulnerability was fixed that could allow for crashes when handling empty PKCS#7 sequences. These vulnerabilities have been assigned CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, and CVE-2022-22751.
To fix these vulnerabilities, update to Thunderbird-91.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Epiphany-41.3, four security vulnerabilities were fixed that could allow for cross-site scripting (XSS) to take place. These security vulnerabilities occurred in the about:overview page, the PDF.js PDF reader (using a server's suggested_filename as the pdf_name), when using the View Source mode or Reader Mode to view a page title, and via all internal error pages. These vulnerabilities have been assigned CVE-2021-45085, CVE-2021-45086, CVE-2021-45087, and CVE-2021-45088.
To fix these vulnerabilities, update to Epiphany-41.3 or later using the instructions for Epiphany (sysv) or Epiphany (systemd).
In systemd-249 (and systemd-250), a security vulnerability exists that allows for uncontrolled recursion in the systemd-tmpfiles program. systemd-tmpfiles creates, modifies, and deletes temporary files and directories on system startup. While this vulnerability is just classified as a denial-of-service, it is also possible to cause PID1 to Segmentation Fault when this is exploited. It is also possible to create arbitrary files if an attacker can catch a folder while it is still world-writable. If you use systemd, it is recommended that you patch your installation immediately. In response to this, the BLFS Editors have developed a patch for both version 250 (which is for the development books), and for 249 (which is the version that shipped with LFS/BLFS 11.0). This vulnerability has been assigned CVE-2021-3997.
If you are using systemd-250, apply the patch using the instructions for systemd (systemd).
If you are using systemd-249, apply the new upstream fixes patch located at systemd-249-upstream_fixes-2 and rebuild systemd.
In cryptsetup-2.3.6, a security vulnerability was identified that allows for decryption of data during crash recovery on a LUKS2-encrypted device. This attack does require physical access to the device, but no knowledge of user passphrases. An attacker can modify on-disk metadata to simulate encryption in progress with a crashed (unfinished) reencryption step, which allows for persistent decryption of the device. If you are using cryptsetup for anything other than a build dependency, you should update to 2.4.3 immediately. Note that you need to finish any encryption tasks that are currently in progress to prevent any data corruption/data loss. This vulnerability has been assigned CVE-2021-4122.
To fix this vulnerability, update to cryptsetup-2.4.3 or later using the instructions for cryptsetup (sysv) or cryptsetup (systemd).
In gfbgraph-0.2.4, a security vulnerability was discovered that causes gfbgraph to fail to perform TLS certificate validation when downloading or uploading photos or graphs from remote sources. This is because it does not enable TLS certificate validation on the SoupSessionSync objects it creates. This allows for remote injection/modification of graphs and for remote code execution. Note that this is almost identical to CVE-2016-20011 in libgrss, and CVE-2021-39365 in Grilo. This vulnerability has been assigned CVE-2021-39358.
To fix this vulnerability, update to gfbgraph-0.2.5 or later using the instructions for gfbgraph (sysv) or gfbgraph (systemd).
In libgrss-0.7.0, a security vulnerability was discovered that causes libgrss to fail to perform TLS certificate validation when downloading feeds. This allows remote attackers to manipulate the contents of feeds without detection and execute code on the machine remotely. This is another issue related to libsoup's SoupSessionSync default behavior. The BLFS developers have produced an update to the bugfixes patch for libgrss that fixes this vulnerability. This vulnerability has been assigned CVE-2016-20011.
To fix this vulnerability, rebuild libgrss with the patch (or update to a later version) using the instructions for libgrss (sysv) or libgrss (systemd).
In firefox 91.5.0 several CVE issues, some rated High, were fixed. These are listed in mfsa-2022-02. The CVEs are CVE-2021-4140 (Not yet public), CVE-2022-22737 (Not yet public), CVE-2022-22738 (Not yet public), CVE-2022-22739 (Not yet public), CVE-2022-22740 (Not yet public), CVE-2022-22741 (Not yet public), CVE-2022-22742 (Not yet public), CVE-2022-22743 (Not yet public), CVE-2022-22745 (Not yet public), CVE-2022-22747 (Not yet public) and CVE-2022-22751 (Not yet public).
To fix these, update to firefox-91.5.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).
In node.js-16.13.2, four medium-severity vulnerabilities were fixed. Initial details are at node.js/news. These vulnerabilities have been assigned CVE-2021-44531, CVE-2021-44532, CVE-2021-44533 and CVE-2021-21824.
To fix these vulnerabilities, update to Node.js-16.13.2 or later using the instructions for node.js (sysv) or node.js (systemd).
In Grilo-0.3.14, a security vulnerability was fixed that could allow for man-in-the-middle attacks and silent TLS encryption downgrades. This problem exists due to TLS certificate validation not being enabled on the SoupSessionAsync objects that grilo creates. This could also allow for commands and false data to be injected into a stream of data, depending on the context where Grilo is used. According to the National Vulnerability Database, this vulnerability can result in high confidentiality impact (information leakage), due to the silent TLS encryption downgrade. This vulnerability has been assigned CVE-2021-39365.
To fix this vulnerability, update to Grilo-0.3.14 or later using the instructions for Grilo (sysv) or Grilo (systemd).
In make-ca-1.9, a misinterpretation of input causes the generated trust store to contain some certificates explicitly untrusted by Mozilla. These certificates were the anchors of some already hacked CAs. Hostile attackers may exploit it and perform a man-in-the-middle attack if they have kept the certificates obtained by defrauding those CAs. For more information see GHSA-m5qh-728v-4xrx. This vulnerability has been assigned CVE-2022-21672.
To fix this vulnerability, update to make-ca-1.10 or later using the instructions for make-ca (sysv) or make-ca (systemd), and run make-ca -r as the root user to regenerate the trust store after the update.
In Wireshark-3.6.1, six security vulnerabilities were fixed that could allow for remote attackers to cause Wireshark to crash or get stuck in an infinite loop, which can cause resource exhaustion. This can occur via packet injection while Wireshark is capturing packets and dissecting them, or via a crafted capture file. This can occur when Wireshark is being used on a network with Sysdig Event, BitTorrent, RTMPT, or Kafka packets being sent and received, or when examining/parsing *.pcapng or RFC 7468 files. If you use Wireshark to examine *.pcapng or RFC 7468 files, or are using Wireshark on a network where there may be Sysdig Events, BitTorrent, RTMPT, or Kafka packets being sent or received, update to Wireshark-3.6.1. These vulnerabilities have been assigned CVE-2021-4185, CVE-2021-4184, CVE-2021-4183, CVE-2021-4182, and CVE-2021-4181.
To fix these vulnerabilities, update to Wireshark-3.6.1 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
The BLFS Editors have become aware of six security vulnerabilities in wpa_supplicant that are known upstream, and have created a patch to fix them. These vulnerabilities allow for packets to be accepted across networks without any validation (known as CallStranger), remote code execution, crashes, forging attacks, and local privilege escalation. Note that no user interaction is required to exploit any of these vulnerabilities. These vulnerabilities have been assigned CVE-2019-16275, CVE-2020-12695, CVE-2021-0326, CVE-2021-27803, CVE-2021-30004, and CVE-2021-0535.
To fix these vulnerabilities, update to wpa_supplicant-2.10 or later using the instructions for wpa_supplicant (sysv) or wpa_supplicant (systemd).
In WebKitGTK+-2.34.3, two security vulnerabilities were fixed that could allow for a bypass of the Content Security Policy (if enabled) and for universal cross-site scripting. These were both addressed with improved state management and CSP changes, and are classified as logic issues. These vulnerabilities have been assigned CVE-2021-30887 and CVE-2021-30890.
To fix these vulnerabilities, update to WebKitGTK+-2.34.3 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).
In Seamonkey-2.53.10.1, several security vulnerabilities were fixed. These vulnerabilities could allow for memory corruption, remote code execution, restriction bypass, spoofing attacks, silent encryption downgrade, URL leakage, and remotely enumerating installed applications. Updating to seamonkey-2.53.10.1 is recommended as soon as possible, as some of these vulnerabilities are under active exploitation. These vulnerabilities have been assigned CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-43535, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546, and CVE-2021-4129 (Not Public).
To fix these vulnerabilities, update to Seamonkey-2.53.10.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In httpd-2.4.52, two security vulnerabilities were fixed. The first can cause a crash or Server Side Request Forgery when ProxyRequests is turned on in httpd.conf (that is, when httpd acts as a forward proxy). The second is a buffer overflow in mod_lua, triggered by a carefully crafted request body when r:parsebody() is called from within a Lua script. Upstream states that no exploit was known at the time of the fix but that one is likely to appear soon. If you use mod_lua or ProxyRequests, update to httpd-2.4.52 or later as soon as possible. These vulnerabilities have been assigned CVE-2021-44224 and CVE-2021-44790.
To fix these vulnerabilities, update to httpd-2.4.52 or later using the instructions for Apache (sysv) or Apache (systemd).
In PHP-8.1.1, a security vulnerability was fixed that could allow for an out-of-bounds access in php_pcre_replace_impl() via a crafted preg_replace() call. This out-of-bounds access can lead to remote information disclosure or a denial of service. Note that this vulnerability was introduced in PHP-7.1.5, in 2017. Upgrading PHP is suggested if you use preg_replace(). This vulnerability has been assigned CVE-2017-9118.
To fix this vulnerability, update to PHP-8.1.1 or later using the instructions for PHP (sysv) or PHP (systemd).
In Thunderbird releases 91.3.1 through 91.4.1, several security vulnerabilities were fixed. These vulnerabilities could allow for restriction bypasses via cross-site scripting, memory corruption / crashes, spoofing attacks, TLS encryption bypass, exposing target URLs during navigation, remotely querying installed applications, sandbox escapes, information disclosure (if you use Matrix via Thunderbird's Chat function), remote code execution, and plaintext recovery of encrypted data (using OpenPGP). Several of these vulnerabilities are rated as critical by NVD, so you should update as soon as possible. These vulnerabilities have been assigned CVE-2021-40529, CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-43535, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546, CVE-2021-43528, CVE-2021-4126 (Not Public), and CVE-2021-44538.
To fix these vulnerabilities, update to Thunderbird-91.4.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
A security vulnerability in Lynx was brought to the BLFS Editors' attention: when a URL of the form https://user:password@host/ is used, Lynx sends the credentials in cleartext, because the userinfo part of the URL ends up in the unencrypted Server Name Indication of the TLS handshake. In response, the BLFS Editors created a patch to fix this. The vulnerability only affects users who put credentials into HTTPS URLs given to Lynx in order to authenticate to a website. This vulnerability has been assigned CVE-2021-38165.
To fix this vulnerability, apply the patch in Lynx using the instructions for Lynx (sysv) or Lynx (systemd).
In xorg-server-21.1.2, four security vulnerabilities were fixed that allow for local privilege escalation (on local systems), and remote code execution (on systems that forward X11 connections over SSH). All four are out-of-bounds accesses caused by improper input validation. One exists in the Record extension, another in the ScreenSaver extension, another in XFixes, and the last in the Render extension (which handles fonts). Note that these vulnerabilities were fixed in XWayland as well, so you should install both updates. These vulnerabilities have been assigned CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, and CVE-2021-4011.
To fix these vulnerabilities, update to xorg-server-21.1.2 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).
In XWayland-21.1.4, four security vulnerabilities were fixed that allow for local privilege escalation (on local systems), and remote code execution (on systems that forward X11 connections over SSH). All four are out-of-bounds accesses caused by improper input validation. One exists in the Record extension, another in the ScreenSaver extension, another in XFixes, and the last in the Render extension (which handles fonts). Note that these vulnerabilities were fixed in xorg-server as well, so you should install both updates. These vulnerabilities have been assigned CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, and CVE-2021-4011.
To fix these vulnerabilities, update to XWayland-21.1.4 or later using the instructions for XWayland (sysv) or XWayland (systemd).
In lxml-4.7.1, two security vulnerabilities were fixed that could allow crafted script content to pass through the HTML Cleaner. This can occur with SVG files embedded as data URIs, as well as with CSS imports. Note that this only affects packages that use lxml to sanitize untrusted HTML, but upstream has rated both issues as high and has assigned a single CVE to both. This set of vulnerabilities has been assigned CVE-2021-43818.
To fix these vulnerabilities, update to lxml-4.7.1 or later using the instructions for lxml (sysv) or lxml (systemd).
In OpenJDK-17.0.1, several security vulnerabilities were fixed that could allow for remote code execution, unauthorized modification of data, and denial of service. Some of these occurred via malicious image files, as well as TLS bypass and connection hijacking. This JDK update also helps mitigate the log4j vulnerability known as Log4Shell, because current JDKs no longer load classes from remote codebases through JNDI by default; it does not fix log4j itself, which must be updated or patched separately. Log4Shell permits trivial remote code execution and is being exploited worldwide at an alarming rate. Many Java applications are affected because they use Apache's log4j logging framework. If you have Java installed, you MUST install this update immediately to protect yourself from exploitation. These vulnerabilities have been assigned CVE-2021-35567, CVE-2021-35586, CVE-2021-35564, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35578, and CVE-2021-35603; the update also helps protect against CVE-2021-44228.
To fix these vulnerabilities, update to OpenJDK-17.0.1 or later using the instructions for OpenJDK (sysv) or OpenJDK (systemd).
Alternatively, you may use the binary the BLFS Editors have produced: Java (sysv) or Java (systemd).
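As an added check for the Log4Shell item above (example code written for this page, not code from BLFS, OpenJDK, or the log4j project), the following Python script looks for the JndiLookup class whose presence marks a log4j-core build that can still perform JNDI lookups, descending into jars nested inside wars and ears. The class path is the real one; the archives it scans by default are constructed inline with placeholder bytes rather than real bytecode, and the directory layout you pass on the command line is an assumption.

```python
"""Find log4j-core archives that still contain JndiLookup.class (added example)."""
import io
import zipfile
from pathlib import Path
from typing import List

# Real class path inside log4j-core; its presence means JNDI lookups are still compiled in.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, label: str) -> List[str]:
    """Return 'outer!inner!...' paths at which JndiLookup.class was found.

    Nested archives (e.g. WEB-INF/lib/*.jar inside a war) are unpacked in memory
    and scanned recursively, because that is where log4j usually hides.
    """
    hits: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container after all; nothing to inspect
    with archive:
        for entry in archive.namelist():
            if entry == JNDI_LOOKUP:
                hits.append(f"{label}!{entry}")
            elif entry.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(archive.read(entry), f"{label}!{entry}"))
    return hits


def scan_tree(root: Path) -> List[str]:
    """Scan every archive below root (assumed layout, e.g. a servlet container's webapps dir)."""
    hits: List[str] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits.extend(scan_archive(path.read_bytes(), str(path)))
    return hits


def build_sample_jar(include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; entries hold placeholder bytes, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war(inner_jar: bytes) -> bytes:
    """Constructed web application archive bundling the jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    findings = scan_tree(root) if root else scan_archive(
        build_sample_war(build_sample_jar(True)), "sample.war")
    for hit in findings:
        print("VULNERABLE:", hit)
    print("clean" if not findings else f"{len(findings)} archive(s) need attention")
```

Run it with a directory argument to scan a real deployment; with no argument it scans the constructed sample. A hit means the jar is either older than the fixed log4j release or has not had the class removed. Upstream's documented stop-gap for builds that cannot be upgraded immediately is to delete that class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class); the JDK update on this page only makes exploitation harder and is not a substitute for fixing log4j itself.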
On December 13th, 2021, the BLFS project became aware of several security vulnerabilities in AudioFile and created a patch. These 13 security vulnerabilities include denial of service, arbitrary command execution, and arbitrary code execution vulnerabilities. They occur in a variety of places, such as when playing a .WAV file, editing a .WAV file, or adjusting various settings such as buffer sizes in a WAV file. Some also occur when using the 'sfconvert' command provided with AudioFile. Note that the only package in BLFS that uses AudioFile is KWave. If you have KWave installed, updating to AudioFile with this patch should be done immediately. These vulnerabilities have been assigned CVE-2017-6839, CVE-2017-6838, CVE-2017-6837, CVE-2017-6836, CVE-2017-6835, CVE-2017-6834, CVE-2017-6833, CVE-2017-6832, CVE-2017-6831, CVE-2017-6830, CVE-2017-6829, CVE-2017-6828, and CVE-2017-6827.
To fix these vulnerabilities, apply the patch for AudioFile using the instructions for AudioFile (sysv) or AudioFile (systemd).
In PostgreSQL-14.1 (as well as 13.5, 12.9, 11.14, 10.19, and 9.6.24), two security vulnerabilities were fixed that could allow both the PostgreSQL client and the PostgreSQL server to process unencrypted bytes from an unauthenticated remote attacker via a man-in-the-middle attack. This is caused by injecting false responses into the connection during initial authentication, before encryption is established. In the case of the PostgreSQL server, this also allows injection of arbitrary SQL queries when a connection is first established. These vulnerabilities have been assigned CVE-2021-23214 and CVE-2021-23222.
To fix these vulnerabilities, update to PostgreSQL-14.1 or later using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).
In Ruby-3.0.3, three security vulnerabilities were fixed that could allow for arbitrary code execution, denial of service, and content spoofing. The arbitrary code execution vulnerability is a buffer overflow in the CGI gem, triggered when a large string is passed to CGI.escape_html. The denial of service happens when parsing dates with Date.parse(). The content spoofing occurs when using CGI::Cookie.parse, and is a resurgence of CVE-2020-8184: attackers can modify cookies in transit and Ruby accepts them without validation. These vulnerabilities have been assigned CVE-2021-41817, CVE-2021-41816, and CVE-2021-41819.
To fix these vulnerabilities, update to ruby-3.0.3 or later using the instructions for Ruby (sysv) or Ruby (systemd).
In PHP-8.0.13, a security vulnerability was fixed that could allow PHP to read a different file from the one the programmer intended. If a filename contains a URL-encoded NUL character, simplexml_load_file() interprets the decoded NUL as the end of the filename, so a remote attacker who controls part of the filename can make it read a different file. This vulnerability has been assigned CVE-2021-21707.
To fix this vulnerability, update to php-8.0.13 or later using the instructions for PHP (sysv) or PHP (systemd).
In firefox 91.4.0 several CVE issues, some rated High, were fixed. These are listed in mfsa-2021-53. The CVEs are CVE-2021-4129 (Not yet public), CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546.
To fix these update to firefox-91.4.0esr or later : Firefox (sysv) or Firefox (systemd).
Versions of NSS before 3.73 or 3.68.1-ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Further details are at mfsa-2021-51 and CVE-2021-43527 (not yet public).
To fix this, update to at least NSS-3.73 using the instructions for NSS (sysv) or NSS (systemd).
Twenty more CVEs (from Chromium) in QtWebEngine, most rated as High but two rated as Critical, have been fixed in the 5.15.7 version: CVE-2021-37980, CVE-2021-37979, CVE-2021-37978, CVE-2021-37975, CVE-2021-37973, CVE-2021-37972, CVE-2021-37971, CVE-2021-37968, CVE-2021-37967, CVE-2021-37962, CVE-2021-37633, CVE-2021-37630, CVE-2021-37629, CVE-2021-37628, CVE-2021-37627, CVE-2021-37626, CVE-2021-37625, CVE-2021-37618, CVE-2021-37616, CVE-2021-37613.
To fix these, patch the BLFS qtwebengine-5.15.6 tarball with qtwebengine-5.15.6-5.15.7-1.patch followed by qtwebengine-5.15.7-build_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
In Wireshark-3.4.10, several denial-of-service vulnerabilities were fixed that could be exploited by having Wireshark dissect certain types of packets. They include application crashes and excessive resource consumption, and can be triggered when dissecting Bluetooth DHT, HCI_ISO, and SDP packets, as well as PNRP, C12.22, IEEE 802.11 (Wi-Fi), Modbus, and Internet Printing Protocol over USB (IPPUSB) packets. These vulnerabilities have been assigned CVE-2021-39929, CVE-2021-39926, CVE-2021-39925, CVE-2021-39924, CVE-2021-39922, CVE-2021-39928, CVE-2021-39921, and CVE-2021-39920.
To fix these vulnerabilities, update to Wireshark-3.4.10 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
In Samba-4.15.2 (and Samba-4.14.10), eight security vulnerabilities have been fixed. Several are known to be actively exploited. The details can be found in: CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, and CVE-2021-23192. Note that there are important behavior changes after the fixes are applied. Please read the advisories to see whether you are impacted.
To fix these vulnerabilities update to Samba-4.15.2 or later (or 4.14.10) using the instructions for Samba (sysv) or Samba (systemd).
In firefox 91.3.0, the usual 'Memory Safety bugs' with a High severity have been fixed, as well as some other items; one of the High severity items has since been analyzed as Critical. These are listed in mfsa-2021-49. The items not specifically identified as for macOS or Windows are CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, and CVE-2021-43535. The latter two were initially identified as MOZ-2021-0007 and MOZ-2021-0008 pending allocation of a CVE.
To fix these update to firefox-91.3.0esr or later : Firefox (sysv) or Firefox (systemd).
In versions of BIND prior to 9.16.22, a security vulnerability existed that allows remote attackers to degrade the performance of a BIND resolver by sending it malformed packets. The flaw is in the "lame cache", which is enabled whenever the 'lame-ttl' option in named.conf is greater than 0; the default is 600, so it is enabled unless you have changed it. A successful attack makes the lame cache's internal data structures grow without bound, so the server spends most of its CPU time just maintaining the cache, causing major slowdowns and timeouts for client hosts. To work around this without updating, set 'lame-ttl 0;' in the options section of named.conf. NOTE: only the server (named) is affected; you do not need to update if you only use the client utilities. This vulnerability has been assigned CVE-2021-25219.
To fix this vulnerability, update to BIND-9.16.22 or later using the instructions for BIND (sysv) or BIND (systemd).
In Samba-4.15.1 (and Samba-4.14.9), a security vulnerability was fixed that could allow an authentication bypass due to a flaw in the version of Heimdal (a Kerberos implementation) that is shipped with Samba. The bypass is identical to the one on Microsoft Windows installations that Microsoft patched in December 2020. Note that the attack complexity is rated as High, although it requires no user interaction and can be performed over the network. This vulnerability has been assigned CVE-2020-17049.
To fix this vulnerability, update to Samba-4.15.1 or later (or 4.14.9) using the instructions for Samba (sysv) or Samba (systemd).
In ffmpeg-4.4.1 (as well as 4.3.3 and 4.2.5, if you prefer those branches), 11 security vulnerabilities were fixed that could lead to remote code execution, extraction of sensitive information, and remote denial of service. They have a variety of causes, including divide-by-zero errors, buffer overflows, heap buffer overflows, memory leaks, out-of-bounds accesses, unchecked return values, and assertions reached when processing malicious files. All users of ffmpeg should upgrade to the latest version of their branch. For BLFS 11.0 that is 4.4.1; users of earlier books should upgrade to the corresponding branch release for their book to avoid problems when upgrading. These vulnerabilities have been assigned CVE-2020-20446, CVE-2020-24053, CVE-2020-22015, CVE-2020-22019, CVE-2020-22033, CVE-2020-22021, CVE-2020-22037, CVE-2021-33815, CVE-2021-38114, CVE-2021-38171, and CVE-2021-38291.
To fix these vulnerabilities, update to ffmpeg-4.4.1 or later (or 4.3.3/4.2.5) using the instructions for ffmpeg (sysv) or ffmpeg (systemd).
In exiv2-0.27.5, six denial-of-service vulnerabilities were fixed. Four of these are in libexiv2, while the other two are in the exiv2 command line utility. They are caused by null-pointer dereferences, out-of-memory crashes, infinite loops, integer division by zero, and out-of-bounds reads, and pose no threat other than crashing programs. For that reason only three of them were assigned CVEs, while the other three were just listed as security-related bugfixes. The CVEs assigned are CVE-2021-37620, CVE-2021-37621, and CVE-2021-37618.
To fix these vulnerabilities, update to exiv2-0.27.5 or later using the instructions for Exiv2 (sysv) or Exiv2 (systemd).
In PHP-8.0.12 and PHP-7.4.25, a security vulnerability was fixed that allows privilege escalation to root when using the PHP FastCGI Process Manager (FPM) in its default configuration. Because of a memory access problem in the shared memory php-fpm uses between its master process (running as root) and its worker processes, an attacker who can already run code in a worker (for example through a flaw in a PHP web application served via Apache HTTPD) can escalate to root. This vulnerability has existed for about 10 years, and a proof-of-concept and demo exploit are available. If you have php-fpm installed and the daemon started/enabled, you should update as soon as possible. This vulnerability has been assigned CVE-2021-21703.
To fix this vulnerability, update to php-8.0.12 or later using the instructions for PHP (sysv) or PHP (systemd).
In Thunderbird-91.2.0, several security vulnerabilities were fixed. These vulnerabilities include a downgrade attack on SMTP STARTTLS connections (which could allow for encryption to be downgraded to plaintext and emails to be snooped over the wire), as well as potentially exploitable crashes, memory leaks, and memory corruption. Upgrading to this version of Thunderbird is recommended as soon as possible due to the SMTP STARTTLS downgrade attack. These vulnerabilities have been assigned CVE-2021-38502, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810, CVE-2021-38500, and CVE-2021-38501.
To fix these vulnerabilities, update to Thunderbird-91.2.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Seamonkey-2.53.9.1, a memory safety bug that was present in Firefox was fixed. This memory safety bug is the same bug that was fixed in Firefox-78.14.0. The Mozilla developers believe that this vulnerability may be exploited to allow remote code execution, and updating is suggested. This vulnerability has been assigned CVE-2021-38493.
To fix this vulnerability, update to Seamonkey-2.53.9.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In Samba-4.15.0, a security vulnerability was fixed that could allow a remote attacker to crash the Samba server process when it is configured as an Active Directory Domain Controller. This is triggered by a request to the Key Distribution Center (KDC) that omits the server name. Since this is a recoverable denial of service, upstream did not make a dedicated release for it. It only affects BLFS users who run their Samba server as a domain controller in an Active Directory environment using the internal Heimdal KDC rather than the MIT Kerberos KDC. This vulnerability has been assigned CVE-2021-3671.
To fix this vulnerability, update to Samba-4.15.0 or later using the instructions for Samba (sysv) or Samba (systemd).
In MIT Kerberos V5 1.18.2, a security vulnerability exists that can allow a remote attacker to crash the Key Distribution Center via a specially crafted packet. The official description is a NULL pointer dereference, which occurs when a packet is sent with a FAST inner body that lacks a server field. The only threat from this vulnerability is to availability; however, the Samba 4.15.0 release notes suggested that users update to a version that is not affected. This vulnerability has been assigned CVE-2021-37750.
To fix this vulnerability, rebuild KRB5 using the sed in the BLFS Development Books by using the instructions for MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd), or update to a newer version when available.
In vim-8.2.3508, three security vulnerabilities were fixed. These vulnerabilities could lead to crashes and arbitrary code execution when Vim processes crafted XML source code files. They can also be exploited when processing UTF-8 encoded files containing hidden characters, or when nv_replace() is run. All three issues have been rated as High by the NVD. More information can be found in the oss-security posting. These vulnerabilities have been assigned CVE-2021-3770, CVE-2021-3778, and CVE-2021-3796.
To fix these vulnerabilities, update to vim-8.2.3508 or later using the instructions for vim (sysv) or vim (systemd).
In node.js-14.18.1, two HTTP Request Smuggling vulnerabilities were fixed. Initial details are at node.js/news. These vulnerabilities have been assigned CVE-2021-22959 and CVE-2021-22960.
To fix these vulnerabilities, update to Node.js-14.18.1 or later using the instructions for node.js (sysv) or node.js (systemd).
New vulnerabilities were found in Apache-2.4.49, and it was then discovered that the fix in 2.4.50 was incomplete, resulting in a further CVE (see apache). This CVE is known to be exploited in the wild and is trivial to exploit: a single crafted HTTP request (for example one sent with curl) gives remote code execution. This makes two vulnerabilities identified as critical, although not in the default configuration (see the link above), and one which could be used to DoS the server with a specially crafted request: CVE-2021-42013, CVE-2021-41773, and CVE-2021-41524.
To fix this upgrade to Apache-2.4.51 or later: Apache (sysv) or Apache (systemd).
In firefox 78.15.0 and 91.2.0, the usual 'Memory Safety bugs' with a High severity have been fixed, as well as some other CVEs to which Mozilla gave a lower severity; one of these has since been rated Critical by NVD. These are listed in mfsa-2021-44 and mfsa-2021-45. The one rated Critical by NVD is in the Rust crossbeam-deque crate, which Mozilla rated as moderate severity: CVE-2021-32810. The rest are not yet public, except in the Mozilla advisories: CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501.
To fix these update to firefox-91.2.0esr or later : Firefox (sysv) or Firefox (systemd). (Firefox-78 is now End of Life.)
In fetchmail before version 6.4.22, on IMAP connections without --ssl but with a nonempty --sslproto (meaning that fetchmail is to enforce TLS via STARTTLS), if the server or an attacker sends a PREAUTH greeting, fetchmail used to continue on the unencrypted connection instead of aborting. It is recommended to use '--ssl' or the 'ssl' user option in an rcfile. Those were added to BLFS-11.0 in a note just before the release; the BLFS editors believe that using them removes the problem, and in that case no update is necessary. The vulnerability has been assigned CVE-2021-39272.
In other cases, update to Fetchmail-6.4.22 or later using the instructions for Fetchmail (sysv), or Fetchmail (systemd).
In WebKitGTK+-2.34.0, a critical 0day security vulnerability was fixed that allows attackers to silently execute arbitrary code via maliciously crafted web content, which in some cases may be advertisements embedded in ordinary web pages. There have been several reports of this vulnerability being exploited in the wild to silently install malware on Apple devices, and WebKitGTK+ is impacted because it is built on Apple's WebKit. The vulnerability was fixed with improved memory management, and updating to the latest WebKit should be done without delay because it is actively exploited through advertisements on many web pages and by other means, such as malicious JPEG and PNG images. Exploitation is possible through the Epiphany web browser and through malicious emails in Evolution or Balsa. Apple patched this vulnerability alongside the exploit chain known as "FORCEDENTRY". This vulnerability has been assigned CVE-2021-30858, and additional information is available in the United States Cybersecurity and Infrastructure Security Agency Advisory and the Apple Security Advisory.
On October 26th, 2021, the BLFS project became aware of additional vulnerabilities that were fixed in this version. These are primarily memory corruption vulnerabilities that lead to code execution. They have been assigned CVE-2021-30846, CVE-2021-30848, CVE-2021-30849, and CVE-2021-30851.
To fix this security vulnerability, update to WebKitGTK+-2.34.1 or later using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).
In libexif before 0.6.23, four security vulnerabilities existed that could allow for denial of service and arbitrary code execution. Two of them were fixed by a patch for libexif in BLFS 10.1. The two new ones have not been assigned CVEs because they were found by automated testing. The two previous vulnerabilities have been assigned CVE-2020-0198 and CVE-2020-0452.
To fix these new vulnerabilities, update to libexif-0.6.23 or later using the instructions for libexif (sysv) or libexif (systemd).
In cURL before 7.79.0, three security vulnerabilities exist that could allow for a denial of service, a security protocol downgrade (leading to disclosure of data that should have been encrypted), and malicious data injection. The denial of service occurs when sending data to an MQTT server, and MQTT support is built into cURL by default. The protocol downgrade affects POP3, FTP, and IMAP connections and occurs when a malicious server (or man-in-the-middle attacker) sends a properly formed, legitimate-looking response: cURL silently continues without encryption, contrary to the instructions given to it and to general expectations. The data injection happens when using STARTTLS with IMAP, POP3, SMTP, or FTP. A server (or attacker) can send several responses before the client upgrades the connection to TLS; cURL would keep these buffered and trust them afterwards, instead of only processing (and verifying) responses received after the TLS handshake. This lets a man-in-the-middle inject fake responses and trick cURL into returning malicious or fake data to the user. These vulnerabilities have been assigned CVE-2021-22945, CVE-2021-22946, and CVE-2021-22947.
To fix these vulnerabilities, update to cURL-7.79.0 or later using the instructions for cURL (sysv) or cURL (systemd).
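To make the two STARTTLS failure modes concrete, the fetchmail PREAUTH case above and the cURL pipelined-response case in this entry, here is a small simulated IMAP client written for this page; it is not code from fetchmail, cURL, or BLFS. The server transcripts are constructed, the TLS handshake is replaced by a flag, and the option names (require_tls, discard_pipelined) are this example's own.

```python
"""Simulated IMAP client: PREAUTH handling and pre-TLS response injection (added example)."""
import io
from typing import List

TAG = "A1"


class ScriptedServer:
    """Constructed socket stand-in that replays a fixed server transcript.

    Everything in the transcript arrives before TLS is negotiated, which is
    exactly the part of the conversation a man-in-the-middle controls.
    """

    def __init__(self, transcript: bytes) -> None:
        self._data = io.BytesIO(transcript)
        self.sent: List[bytes] = []

    def recv(self, size: int = 4096) -> bytes:
        return self._data.read(size)

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)


class ImapClient:
    def __init__(self, sock, require_tls: bool, discard_pipelined: bool) -> None:
        self.sock = sock
        self.require_tls = require_tls              # like fetchmail --sslproto / curl --ssl-reqd
        self.discard_pipelined = discard_pipelined  # the behaviour curl 7.79.0 adopted
        self.buf = b""
        self.encrypted = False

    def _read_line(self) -> str:
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("ascii", "replace")

    def _start_tls(self) -> None:
        """Stand-in for the real handshake (ssl.SSLContext.wrap_socket)."""
        if self.discard_pipelined:
            # Bytes already buffered were received in plaintext; the handshake
            # that follows does not protect them, so they must not be parsed
            # as if it had.
            self.buf = b""
        self.encrypted = True

    def connect(self) -> dict:
        greeting = self._read_line()
        if greeting.startswith("* PREAUTH"):
            # RFC 3501: PREAUTH means "already logged in", so there is no
            # STARTTLS step. If TLS was required, the only safe move is to stop.
            if self.require_tls:
                raise ConnectionError("PREAUTH greeting but TLS was required; aborting")
            return {"encrypted": False, "trusted": [greeting]}
        self.sock.sendall(f"{TAG} STARTTLS\r\n".encode("ascii"))
        while True:
            line = self._read_line()
            if line.startswith(f"{TAG} OK"):
                break
            if line.startswith((f"{TAG} NO", f"{TAG} BAD")):
                raise ConnectionError("server refused STARTTLS")
        self._start_tls()
        # Whatever the client reads from here on is treated as TLS-protected.
        trusted = []
        while self.buf:
            trusted.append(self._read_line())
        return {"encrypted": True, "trusted": trusted}


# Constructed transcripts. The second is what an attacker on the path sends: a
# legitimate-looking OK to STARTTLS followed by a pipelined, unsolicited response.
PREAUTH_GREETING = b"* PREAUTH IMAP4rev1 server logged in as user\r\n"
INJECTED_RESPONSE = (
    b"* OK IMAP4rev1 ready\r\n"
    b"A1 OK Begin TLS negotiation now\r\n"
    b"* BYE [ALERT] injected before the handshake\r\n"
)


def run_session(transcript: bytes, require_tls: bool, discard_pipelined: bool) -> dict:
    return ImapClient(ScriptedServer(transcript), require_tls, discard_pipelined).connect()


def session_refused(transcript: bytes, require_tls: bool) -> bool:
    try:
        run_session(transcript, require_tls, True)
    except ConnectionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable client trusts:", run_session(INJECTED_RESPONSE, True, False)["trusted"])
    print("fixed client trusts:", run_session(INJECTED_RESPONSE, True, True)["trusted"])
    print("PREAUTH with TLS required is refused:", session_refused(PREAUTH_GREETING, True))
    print("PREAUTH with TLS optional stays plaintext:",
          not run_session(PREAUTH_GREETING, False, True)["encrypted"])
```

The design point is the same for both bugs: the client must decide what it trusts based on when a byte arrived relative to the handshake, not on what the byte says. A pre-TLS greeting cannot be allowed to skip the upgrade, and pre-TLS bytes left in the receive buffer cannot be consumed after the upgrade.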
In Python3 before 3.9.7, three security issues were fixed that could result in crashes, a performance impact, and command injection through Python's smtplib module. The performance impact can be triggered by malicious .pyc files compiled from wheels. The crash relates to creating temporary directories with tempfile.mktemp(), which only chooses a name and creates nothing, so another party can claim the path first; the standard library now uses mkstemp()/mkdtemp() instead. The command injection was fixed by rejecting \r and \n in arguments that smtplib passes to SMTP commands, so that a caller-supplied value can no longer terminate one command and start another. More information can be found at bpo-42278, bpo-41180, and bpo-43124.
To fix these vulnerabilities, update to Python-3.9.7 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).
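The two checks below are written for this page as an illustration of the smtplib and tempfile items above; they are not CPython's own code, and the MAIL FROM builder is a stand-in for the argument validation rather than a copy of the stdlib change. The temporary-directory race is demonstrated with a caller-supplied "interloper" callback that stands in for another process writing to the same directory.

```python
"""CRLF-free SMTP arguments and race-free temporary directories (added example)."""
import os
import stat
import tempfile
from typing import Callable, Iterable, Optional


def smtp_argument_ok(value: str) -> bool:
    """SMTP is line oriented: a CR or LF inside an argument ends the command
    early and lets the remainder run as a second, attacker-chosen command."""
    return "\r" not in value and "\n" not in value


def mail_from_line(sender: str, options: Iterable[str] = ()) -> bytes:
    """Build 'MAIL FROM:<sender> opt ...', refusing any argument that would split the line.

    The same guard belongs in front of mail_options/rcpt_options handed to
    smtplib on interpreters older than the fix.
    """
    opts = list(options)
    for value in (sender, *opts):
        if not smtp_argument_ok(value):
            raise ValueError(f"CR/LF in SMTP argument: {value!r}")
    tail = "".join(f" {opt}" for opt in opts)
    return f"MAIL FROM:<{sender}>{tail}\r\n".encode("ascii")


def mail_from_rejected(sender: str, options: Iterable[str] = ()) -> bool:
    try:
        mail_from_line(sender, options)
    except ValueError:
        return True
    return False


def racy_workdir(base: str, interloper: Optional[Callable[[str], None]] = None) -> str:
    """The pattern the fix removed. mktemp() only picks a name; creation happens
    later, and 'interloper' stands for anything that runs in that window
    (e.g. another local user who can write to 'base')."""
    name = tempfile.mktemp(dir=base)
    if interloper is not None:
        interloper(name)
    os.mkdir(name)  # raises FileExistsError if the name was taken meanwhile
    return name


def safe_workdir(base: str) -> str:
    """mkdtemp() chooses and creates the directory in one step with mode 0700,
    so there is no window in which the path can be pre-created or replaced."""
    return tempfile.mkdtemp(dir=base)


def race_demo(base: str = tempfile.gettempdir()) -> bool:
    """Return True when a path claimed during the window makes the racy version fail."""
    created = []

    def attacker(name: str) -> None:
        os.mkdir(name)
        created.append(name)

    try:
        racy_workdir(base, attacker)
    except FileExistsError:
        return True
    finally:
        for name in created:
            os.rmdir(name)
    return False


def safe_demo(base: str = tempfile.gettempdir()) -> bool:
    """Return True when the mkdtemp() directory is accessible to its owner only."""
    path = safe_workdir(base)
    try:
        return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
    finally:
        os.rmdir(path)
```

On a fixed interpreter smtplib raises ValueError itself for such arguments, so the builder above mainly matters for code that formats SMTP commands by hand or runs on an older Python; the tempfile change matters for any script that still calls mktemp().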
Several vulnerabilities in the Apache web server have been found, one of which is rated High: CVE-2021-40438. A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. The other vulnerabilities include content spoofing, cache poisoning, denial of service, and buffer overflows, and have been assigned CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, and CVE-2021-39275.
To fix this upgrade to Apache-2.4.51 or later: Apache (sysv) or Apache (systemd).
A vulnerability in the ghostscript library libgs.so which allows arbitrary code execution, for example by invoking the convert program from ImageMagick on a user-supplied image file, was announced in August with a public PoC. It was initially reported as applying to version 9.50; it has since been reported upstream and determined to apply to all current versions from 9.50 onwards. Upstream have applied a fix and are preparing a new release (expected later this month). The public details can now be seen at bug 704342. This vulnerability has been assigned CVE-2021-3781.
To fix this use ghostscript-9.54 with the ghostscript-9.54.0-upstream_fix-2.patch from the released book, or upgrade to ghostscript-9.55.0 using the instructions for Ghostscript (sysv) or Ghostscript (systemd).
In thunderbird 91.1.0, a Memory Safety bug with a High severity has been fixed. See mfsa-2021-41. This vulnerability has been assigned CVE-2021-38495.
To fix this, update to thunderbird-91.1.0 or later: Thunderbird (sysv) or Thunderbird (systemd).
In sane-backends-1.0.32, several security vulnerabilities were fixed in the Epson backends, the magicolor backend, and the TCP (network) scanning backend. A malicious scanner on the same network as the victim can cause a denial of service (application crash). With the Epson backend, a malicious Epson scanner can also read sensitive information from applications that use SANE (such as the program's ASLR offsets), or execute arbitrary code whenever a program such as GIMP queries the scanner for basic information. If you have an Epson scanner on your network or connected directly to your computer, upgrading SANE is suggested. These vulnerabilities have been assigned CVE-2020-12867, CVE-2020-12862, CVE-2020-12863, CVE-2020-12865, CVE-2020-12866, CVE-2020-12861, and CVE-2020-12864.
To fix these vulnerabilities, update to sane-backends-1.0.32 or later using the instructions for SANE (sysv), or SANE (systemd).
In firefox 78.14.0 and 91.1.0, the usual 'Memory Safety bugs' with a High severity have been fixed. However, the advisory for 91.1.0 mfsa-2021-40 appears to have a typo (it says CVE-2021-38495), the corresponding advisories for 78.14.0 mfsa-2021-39 and for 92.0 (which has an additional CVE fix) mfsa-2021-38 are clear that the item is CVE-2021-38493. The details for CVE-2021-38493 can be found here: CVE-2021-38493.
To fix these update to firefox-91.1.0esr or later (firefox-78 is now End of Life). Firefox (sysv) or Firefox (systemd).
In node.js-14.17.6, five security vulnerabilities were fixed that could lead to arbitrary file creation/overwrite (due to insufficient symlink protection) and arbitrary code execution. When using the Arborist module, extracting a package into a node_modules folder that contains a symbolic link can result in files being written to any location on the filesystem. The node-tar module was affected by a similar symbolic link attack that allows symlinks in a tarball to escape into the filesystem and overwrite (or create) files in attacker-controlled locations. Both node-tar and Arborist are bundled with npm, which ships with Node.js. These vulnerabilities have been assigned CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135.
To fix these vulnerabilities, update to Node.js-14.17.6 or later using the instructions for node.js (sysv) or node.js (systemd).
On reviewing the vulnerabilities fixed in glibc-2.35 it became apparent that these, and one earlier vulnerability the editors had not been aware of, applied to glibc-2.33 as used in LFS-10.1. Details are at CVE-2021-33574, CVE-2021-38604 (originally fixed in LFS by a sed which is now insufficient with the other fixes), CVE-2022-3998 (not yet public), CVE-2022-3999 (not yet public), CVE-2022-23218 and CVE-2022-23219.
If you are still using an LFS glibc-2.33 system, fix these by following the instructions in glibc-2.33-security_fixes-1.patch.
ntfs-3g-2021.8.22 includes several security fixes that have to do with buffer overflows when reading NTFS metadata. These vulnerabilities allow attackers using a maliciously crafted NTFS image (or external storage, such as a USB External Hard Drive) to potentially execute arbitrary code in the context of the kernel. This can be exploited via plugging an affected drive into a USB port, and can be automatically exploited when filesystems are automounted in desktop environments. This can also be manually exploited by mounting the filesystem normally. These vulnerabilities exist due to insufficient validation of NTFS metadata. The developers of ntfs-3g suggest updating as soon as possible. These vulnerabilities have been assigned CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-35266, CVE-2021-33287, CVE-2021-33267, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, and CVE-2021-39263 (21 total). Additional details can be found at NTFS3G-SA-2021-001.
To fix these vulnerabilities, update to ntfs-3g-2021.8.22 or later using the instructions for ntfs-3g (sysv) or ntfs-3g (systemd).
The fixes from firefox-78.13.0 are understood to be included in seamonkey-2.53.9. For details see CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988, CVE-2021-29989.
To fix these, update to Seamonkey-2.53.9 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
Many more CVEs (from Chromium) in QtWebEngine, most rated as High, have been fixed in the 5.15.6 version: CVE-2021-30604, CVE-2021-30603, CVE-2021-30602, CVE-2021-30599, CVE-2021-30598, CVE-2021-30588, CVE-2021-30587, CVE-2021-30585 (the backport to fix this mentions that it applies to linux, not just windows), CVE-2021-30573, CVE-2021-30569, CVE-2021-30568, CVE-2021-30563, CVE-2021-30560, CVE-2021-30559, CVE-2021-30556, CVE-2021-30554, CVE-2021-30553, CVE-2021-30551, CVE-2021-30548, CVE-2021-30547, CVE-2021-30544, CVE-2021-30541, CVE-2021-30536, CVE-2021-30535, CVE-2021-30534, CVE-2021-30533, CVE-2021-30530, CVE-2021-30523, CVE-2021-30522. To fix these, update to the BLFS 5.15.6 tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-5.15.6-upstream_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
In apr-1.7.0, a security vulnerability exists due to a regression in the Apache Subversion source code repository for APR. An out of bounds array read in the apr_time_exp*() functions was fixed in apr-1.6.3 back in 2017, but the fix was not carried over to the 1.7.x branch, resulting in this vulnerability from 2017 not being fixed in apr-1.7.0. This vulnerability is easy to exploit by setting the month to something larger than 12 in an input to the apr_time_exp() functions. This vulnerability was originally known as CVE-2017-12613, but this case has a new identifier. APR was fixed with a sed. This vulnerability has been assigned CVE-2021-35940.
To fix this, apply the sed in the APR page and rebuild APR using the instructions for Apr (sysv), or Apr (systemd).
libgcrypt-1.9.4 has fixed a security vulnerability in the Elgamal encryption implementation that allows for denial of service and decryption of data via a side-channel attack. The vulnerability was originally introduced in 2000. A paper has been written on this vulnerability, and the developers recommend updating to libgcrypt-1.9.4 as soon as possible, as any version after the year 1999 is affected by this vulnerability. This vulnerability has been assigned CVE-2021-33560.
To fix this, update to libgcrypt-1.9.4 or later using the instructions for libgcrypt (sysv), or libgcrypt (systemd).
Three vulnerabilities about symlink handling in libarchive-3.5.1 and earlier releases have been discovered. These are exploitable with malicious archives containing symlinks, and can be exploited to overwrite file contents, flags, and ACL entries. No CVE numbers are assigned for those issues yet. Details at the upstream bug report, another upstream bug report, and the commit message.
To fix this, update to libarchive-3.5.2 or later using the instructions for libarchive (sysv) or libarchive (systemd).
Two vulnerabilities in OpenSSL-1.1.1k and earlier releases have been discovered. These are exploitable with malicious inputs and can be used to crash programs linked to OpenSSL. CVE-2021-3711 and CVE-2021-3712 have been assigned, details at CVE-2021-3711 and CVE-2021-3712.
To fix this, update to OpenSSL-1.1.1l or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd).
A vulnerability in the released version of glibc-2.34 has been discovered. This is remotely exploitable and can be used to crash programs linked to glibc. CVE-2021-38604 has been assigned, details at tuxcare and CVE-2021-38604.
In the development book this unfixed vulnerability existed between 2021-08-02 and 2021-08-20; it was also in LFS-11.0-rc1. It has been fixed with a sed in the chapter 8 glibc build.
There is a test file at https://www.linuxfromscratch.org/~xry111/glibc-28213.c : compile that with 'gcc glibc-28213.c -o glibc-28213 -lrt' and run it. If that segfaults, your system is vulnerable.
Some people will be happy to discard the vulnerable system and start over, but the system can be fixed. It is necessary to rebuild glibc, but because the API and ABI have not changed, only the following three files need to be updated: libc.a, libc.so.6, and libc.so.6.dbg (if you did strip the debug symbols).
If you update these files, you should reboot as soon as possible afterwards. The system will not shut down cleanly. After rebooting, recompile and rerun the test program to confirm it now ends normally.
If you are going to fix the existing system, make a usable backup before you start (and check it can be applied in case things go wrong).
One approach is to make a fresh LFS build to the end of chapter 8 using the modified instructions, then copy those 3 files to the running system.
A more adventurous approach is to rebuild (only) glibc in the running system, using the modified instructions. But instead of installing it, make a DESTDIR install followed by stripping and installing only those libraries (watch for any error messages).
[code]
# stage the rebuilt glibc under /tmp/GLIBC, then install only the three files
make DESTDIR=/tmp/GLIBC install
cd /tmp/GLIBC/usr/lib
for LIB in libc.so.6 ; do
  # split the debug symbols into $LIB.dbg, strip the working copy, and link the two
  objcopy --only-keep-debug $LIB $LIB.dbg
  cp $LIB /tmp/$LIB
  strip --strip-unneeded /tmp/$LIB
  objcopy --add-gnu-debuglink=$LIB.dbg /tmp/$LIB
  install -vm755 /tmp/$LIB /usr/lib
  rm /tmp/$LIB
  install -vm755 $LIB.dbg /usr/lib
done
install -vm644 libc.a /usr/lib
[/code]
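Two checks are worth scripting around the procedure above: confirming that the staged build really contains a usable libc.so.6 and libc.a before anything in /usr/lib is overwritten, and reading the result of the test program without mistaking a build failure for a pass. The following POSIX sh helpers are an added example, not part of the LFS/BLFS advisory or the book; the staging layout (DIR/usr/lib) is assumed to mirror the advisory's /tmp/GLIBC, and the test program name is the one the advisory gives.

```shell
#!/bin/sh
# Added example (not from the LFS/BLFS advisory): checks to run around the
# glibc-2.34 repair procedure. Paths are assumptions; the staging layout
# DIR/usr/lib mirrors the advisory's /tmp/GLIBC DESTDIR install.

# first_bytes FILE N: print the first N bytes of FILE as lower-case hex
# (empty if FILE is missing or unreadable).
first_bytes() {
    dd if="$1" bs="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# is_elf FILE: true if FILE starts with the ELF magic \177ELF, so a
# linker script or a truncated copy is never installed over libc.so.6.
is_elf() {
    [ "$(first_bytes "$1" 4)" = "7f454c46" ]
}

# is_ar FILE: true if FILE starts with the ar archive magic "!<arch>",
# which is what a static libc.a must be.
is_ar() {
    [ "$(first_bytes "$1" 7)" = "213c617263683e" ]
}

# destdir_complete DIR: true only if DIR/usr/lib holds a real shared
# libc.so.6 and a real libc.a. Run this before touching /usr/lib.
destdir_complete() {
    is_elf "$1/usr/lib/libc.so.6" && is_ar "$1/usr/lib/libc.a"
}

# classify_test_run CMD [ARGS...]: run the advisory's test program and
# print "vulnerable" if it died with SIGSEGV (exit status 128+11 = 139),
# "ok" if it exited 0, and "unexpected" for anything else (missing binary,
# compile failure, another signal), so a broken run is never read as a pass.
classify_test_run() {
    [ $# -gt 0 ] || { echo unexpected; return 1; }
    if "$@" >/dev/null 2>&1; then
        echo ok
    elif [ $? -eq 139 ]; then
        echo vulnerable
    else
        echo unexpected
    fi
}

# Usage, after building the test program named in the advisory:
#   gcc glibc-28213.c -o glibc-28213 -lrt
#   classify_test_run ./glibc-28213
#   destdir_complete /tmp/GLIBC && echo "staged build looks complete"
```

classify_test_run deliberately reports anything other than a clean exit or a segfault as "unexpected": a test binary that failed to compile, or that was killed by a different signal, tells you nothing about glibc, and a wrapper that only distinguished "crashed" from "did not crash" would report such a run as fixed.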
In BIND-9.16.20, a security vulnerability was fixed that could allow for a trivial-to-exploit remotely-exploitable crash of the BIND DNS server to occur. This is due to an assertion check which is too strict, and gets triggered when responses in BIND 9.16.19 require UDP fragmentation if RRL is in use. Note that this only affects BIND server, not the utilities. This vulnerability has been assigned CVE-2021-25218.
To fix this, update to BIND-9.16.20 or later using the instructions for BIND (sysv) or BIND (systemd).
Midnight Commander (MC) version 4.8.27 fixed a security vulnerability where the SFTP filesystem layer does not verify the SSH Server Fingerprint when a SFTP connection is established. The fingerprint is calculated, but the verification step is missing. This allows for Man-In-The-Middle attacks and attacks where the hostname has changed, but the IP address has stayed the same, to occur. This could permit unauthorized access and modification of files. This vulnerability has been assigned CVE-2021-36370, but no details are available yet other than the ticket in the Midnight Commander Trac, which can be found at Ticket #4259.
To fix this, update to MC-4.8.27 or later using the instructions for MC (sysv) or MC (systemd).
In firefox 91.0.1 one vulnerability rated as High was fixed, described as a header splitting attack against servers using HTTP/3. This has been allocated CVE-2021-29991 but details are not yet public. For a summary see mfsa-2021-37. Because HTTP/3 is not enabled by default in firefox before version 88, legacy firefox-78 is not affected.
To fix this, update to firefox-91.0.1esr or later : Firefox (sysv) or Firefox (systemd).
OpenJDK-16.0.2 brought fixes for six security vulnerabilities. Three of these vulnerabilities allow an unauthenticated attacker with network access via multiple protocols to take over the Java SE runtime environment. Two more of these vulnerabilities give an unauthenticated remote attacker the ability to create, modify, or delete information from inside the Java SE runtime environment, as well as on the filesystem if they have access to the Java Console. The final vulnerability is a denial of service vulnerability. The OpenJDK developers suggest updating to OpenJDK-16.0.2 or 15.0.5 when it becomes available. These vulnerabilities have been assigned CVE-2021-2388, CVE-2021-2369, CVE-2021-2432, CVE-2021-2341, CVE-2021-2161, and CVE-2021-2163.
To fix these vulnerabilities, update to OpenJDK-16.0.2 or later using the instructions for OpenJDK (sysv), or OpenJDK (systemd).
You may also use the Java binary using the instructions in Java (sysv), or Java (systemd).
Thunderbird-78.13.0 and 91.0 fixed several security vulnerabilities. One of these allows for an attacker to remotely inject files, folders, and IMAP commands when a STARTTLS connection is in use. Several of these vulnerabilities have to do with memory corruption, leading to a remotely exploitable crash and/or arbitrary code execution. These vulnerabilities have been assigned CVE-2021-29969, CVE-2021-29970, CVE-2021-30547, CVE-2021-29976, CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988 and CVE-2021-29989.
To fix these vulnerabilities, update to Thunderbird-91.0 or later using the instructions for Thunderbird (sysv), or Thunderbird (systemd).
PostgreSQL-13.4 fixed a security vulnerability that could allow for a purpose-crafted query to read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. A workaround is to set max_worker_processes=0 inside of your PostgreSQL configuration, however undiscovered variants of the attack may run independently of that setting. It is suggested that you update your PostgreSQL instances to 13.4 as soon as possible. More information can be found at PostgreSQL 13.4 Release Announcement. This vulnerability has been assigned CVE-2021-3677.
To fix this, update to PostgreSQL-13.4 or higher using the instructions for PostgreSQL (sysv), or PostgreSQL (systemd).
Node.js-14.17.5 fixed three vulnerabilities, one rated as critical. These have been assigned CVE-2021-22930 (full details not yet public), CVE-2021-22931 and CVE-2021-22939. See 'Node v14.17.5' Node JS News which has links to nvd.nist.gov and cve.mitre.org.
To fix these, update to Node.js-14.17.5 or later using the instructions for Node.js (sysv), or Node.js (systemd).
In c-ares-1.17.2, a security vulnerability was fixed that could allow for Domain Hijacking due to a lack of proper input validation of host names returned by Domain Name Servers within the c-ares library. A proof of concept vulnerability was included with the security announcement. This vulnerability exists in all known versions of c-ares above 1.0.0. The developers suggest upgrading to c-ares-1.17.2 immediately. More details can be found at c-ares Security Advisory. This vulnerability has been assigned CVE-2021-3672.
To fix this, update to c-ares-1.17.2 or later using the instructions for c-ares (sysv), or c-ares (systemd).
In firefox 78.13.0 and 91.0, six vulnerabilities rated as High were fixed. For details see: CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988, CVE-2021-29989.
To fix these update to firefox-91.0esr or later : Firefox (sysv) or Firefox (systemd) or if you wish to stay on the 78esr series in the short term, update to legacy firefox-78.13.0esr or later: Firefox-legacy (sysv) or Firefox-legacy (systemd). (Firefox-78 is now End of Life).
In the javascript JIT code of firefox-78.13.0 there is a fix for incorrect instruction reordering during JIT optimization, CVE-2021-29984, but details are not yet public; see the advisory for firefox-78.3.0, mfsa-2021-34. In BLFS, JS78 is used by GJS and Polkit, but neither use JIT at the moment.
To fix this, update to JS-78.13.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).
In MariaDB-10.6.4, two medium-severity security vulnerabilities were patched. Both of these vulnerabilities are difficult to exploit, and can result in a Denial Of Service. Note that successful exploitation requires MariaDB to be listening for requests over TCP/IP ports, and not via local applications. Successful exploitation can result in the ability to cause a hang or frequently repeatable crash of the MariaDB process. These vulnerabilities have been assigned CVE-2021-2389 and CVE-2021-2372.
To fix these vulnerabilities, update to MariaDB-10.6.4 or later using the instructions for MariaDB (sysv), or MariaDB (systemd).
MIT Kerberos V5 before 1.19.2 (or 1.18.4) is vulnerable to a denial of service attack due to a NULL pointer dereference. This then causes the krb5 daemon to crash. This vulnerability is remotely exploitable with no user interaction, and is caused by a return value not being properly managed in a rare situation. An unauthenticated attacker can exploit this by sending a request containing the PA-ENCRYPTED-CHALLENGE element without using FAST. If you use Kerberos as anything other than a build dependency, you should update as soon as possible. This vulnerability has been assigned CVE-2021-36222.
To fix this, update to MIT Kerberos V5 1.19.2 or later using the instructions for MIT Kerberos V5 (sysv), or MIT Kerberos V5 (systemd).
Fetchmail before version 6.4.20 was missing initialization of a variable, leading in some circumstances to reading from bad memory locations. This can cause it to log random information (information disclosure), or to segfault, stalling inbound mail. An attacker might be able to exploit the memory corruption to change process behaviour. This has been assigned CVE-2021-36386. Further details are at fetchmail-SA-2021-01.
To fix this, update to Fetchmail-6.2.20 or later using the instructions for Fetchmail (sysv), or Fetchmail (systemd).
Node.js-14.17.4 fixed a vulnerability to a use after free attack, where an attacker might be able to exploit the memory corruption to change process behaviour. This has been assigned CVE-2021-22931.
To fix this, update to Node.js-14.17.4 or later using the instructions for Node.js (sysv), or Node.js (systemd).
WebKitGTK+-2.32.3 contained fixes for 11 security vulnerabilities. These vulnerabilities include six arbitrary code execution vulnerabilities, two cross-site-scripting vulnerabilities, two information leak vulnerabilities, and a port scanning vulnerability. The two information leak vulnerabilities are caused whenever an ImageLoader object or GraphicsContext object loads various image, or graphics, objects. Specially crafted web pages can thus lead to leakage of stack contents. Several of the arbitrary code execution vulnerabilities are known by Apple to be actively exploited, thus prompting a Critical rating by the BLFS team. The port scanning vulnerability allows malicious websites to access restricted ports on local machines on your network. Updating to WebKitGTK+-2.32.3 immediately is suggested if you have Epiphany, Evolution, or some other GNOME components installed. These vulnerabilities have been assigned CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749, CVE-2021-30795, CVE-2021-30797, and CVE-2021-30799.
To fix these vulnerabilities, update to WebKitGTK+-2.32.3 or later using the instructions for WebKitGTK+ (sysv), or WebKitGTK+ (systemd).
Fixes from firefox-78.12 were included in seamonkey-2.53.8.1. Two apply to Linux builds and are rated as High, a third in ANGLE was also fixed, but that is not used for linux builds. CVEs have been assigned (CVE-2021-29970, CVE-2021-29976) but details are not yet public. mfsa-2021-29.
To fix these, update to Seamonkey-2.53.8.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In systemd-220 and later, a security vulnerability exists that could allow a local attacker to crash systemd, which then causes a kernel panic. This vulnerability is due to a flaw in the FUSE filesystem implementation, and requires the kernel to be upgraded as well, to either Linux-5.10.52 or Linux-5.13.4. systemd constantly monitors /proc/self/mountinfo, and when a file path longer than 8MB is discovered and parsed, systemd will crash with a segmentation fault. The security patch that is available will use a different string duplication function to prevent this crash from occurring. This primarily affects systems with FUSE filesystems, such as SSHFS or NTFS. However, FUSE is also used by XFCE and GNOME because of GVFS. This vulnerability is possible to exploit when automounting USB drives. Filesystem corruption is also possible due to the memory corruption that occurs when systemd crashes. A proof-of-concept exploit is also available in the wild. Due to the merged-/usr changes, upgrading to systemd-249 (with the patch) for non-SVN users is not advised. As a result, patches have been made that you can apply to your build tree and rebuild systemd with. These patches have been made available for LFS 10.0 (246) and LFS 10.1 (247). This vulnerability affects all systems that run systemd-220 or higher. This vulnerability has been assigned CVE-2021-33910.
If you are running LFS git, you can update to systemd-249 with the patch using the instructions in the BLFS book for systemd (systemd). You must also upgrade your kernel to Linux-5.13.4 or later.
If you are running LFS 10.1, you can apply the patch from systemd-247-security_fixes-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52 or later.
If you are running LFS 10.0, you can apply the patch from systemd-246-security_fixes-1.patch to your build tree and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52 or later.
In Binutils-2.37, four security vulnerabilities were fixed. One of these vulnerabilities allows for arbitrary filesystem access due to a race condition in ar, objcopy, strip and ranlib. When these utilities are being run by a privileged user, an unprivileged user can trick them into getting ownership of arbitrary files on the filesystem through a symbolic link. An additional security vulnerability exists in GNU libiberty, which can result in a crash due to an infinite loop. Two more vulnerabilities allow for arbitrary code execution and memory corruption due to a stack based buffer overflow, or an out-of-bounds write. These vulnerabilities apply to objdump and libiberty. These vulnerabilities cannot be exploited remotely. These vulnerabilities have been assigned CVE-2021-20197, CVE-2021-3648, CVE-2021-3549, and CVE-2021-3530.
To fix these vulnerabilities, update to Binutils-2.37 or later using the instructions from the LFS book for Binutils (sysv), or Binutils (systemd).
In cURL-7.78.0, four security vulnerabilities were fixed. The first vulnerability will allow malicious content to be stored on disk instead of discarded when using the metalink feature, because the downloaded content is not correctly checked against the hash in the metalink XML file. Another security vulnerability in the metalink feature will send login credentials in plaintext and pass them on to any server that cURL connects to for a metalink download. Another security vulnerability exists in the way that cURL keeps previous connections stored for use again. Due to a flaw in the logic that handles path name checks, the comparison did not take security certificates into account, and also compared the involved paths case insensitively. This will result in a certificate store bypass as well as the potential of connecting to a compromised server. Another TELNET stack content disclosure vulnerability was fixed, caused by the fix for CVE-2021-22898 in cURL-7.78.0. This could result in keystrokes, including passwords, being leaked to remote attackers during a TELNET session. These vulnerabilities have been assigned CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, and CVE-2021-22925.
To fix these vulnerabilities, update to cURL-7.78.0 or later using the instructions for cURL (sysv), or cURL (systemd).
In Linux 5.13.3 and earlier, a vulnerability given the name 'Sequoia' can be used to gain root access via an Out of Bounds write. Details at oss-security with links to a proof of concept program to crash the system, and the promise that details of the exploit will follow. This has been assigned CVE-2021-33909.
To fix this, update to Linux 5.13.4 or later, or Linux-5.10.52 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
In Wireshark before 3.4.7, a security vulnerability was present that could allow for a remote attacker to crash the Wireshark process by injecting a malformed DNP packet, or via a crafted capture file. This issue will manifest itself as a segmentation fault. This vulnerability has been assigned CVE-2021-22235.
To fix this, update to Wireshark-3.4.7 or higher using the instructions for Wireshark (sysv), or Wireshark (systemd).
In apache-ant-1.10.11, two security vulnerabilities were fixed that could lead to out-of-resource conditions when extracting ZIP or TAR files during a build process. The problem can also be triggered with JAR files. The out-of-resource condition consists of Out-Of-Memory errors. These are similar to issues in Apache Commons. These two vulnerabilities have been assigned CVE-2021-35517 and CVE-2021-36090.
To fix these, update to apache-ant-1.10.11 or later using the instructions for apache-ant (sysv), or apache-ant (systemd).
In firefox 78.12.0 two vulnerabilities rated as High were fixed. A third vulnerability in ANGLE was also fixed, but that is not used for linux builds. mfsa-2021-29. CVEs have been assigned (CVE-2021-29970, CVE-2021-29976) but details are not yet public.
To fix these, update to firefox-78.12.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
In Ruby-3.0.2, three security vulnerabilities were fixed. One of these vulnerabilities allows for the Net::FTP module to connect to another IP address/port and return information about services that are otherwise private and not disclosed (basically allowing the attacker to run a port scan). This is due to invalid verification of FTP PASV responses. Another security vulnerability exists in the Net::IMAP module, where Net::IMAP does not raise an exception when a STARTTLS connection fails with an unknown response. This would allow man-in-the-middle attacks to occur, as well as bypasses of the TLS protections. The third vulnerability is rated High, and is a command injection vulnerability in the RDoc command. When using the RDoc command, if a file name starts with a pipe ("|"), and ends with a tag, the command following the pipe character will be executed. A malicious Ruby project could thus exploit it to run arbitrary commands against a user who attempts to use the RDoc command. It is recommended to update Ruby as soon as possible. These vulnerabilities have been assigned CVE-2021-31810, CVE-2021-32066, and CVE-2021-31799.
To fix these vulnerabilities, update to Ruby-3.0.2 or later using the instructions for Ruby (sysv), or Ruby (systemd).
In libuv before 1.41.1, a security vulnerability exists that allows for information disclosure when using the punycode decoder in libuv's IDNA implementation. Several downstream applications use this library and may be affected. This is similar to the vulnerability that was fixed in Node.JS-14.17.2. The vulnerability can be triggered via both uv_getaddrinfo() and uv__idna_toascii(). This vulnerability has been assigned CVE-2021-22918.
To fix this, update to libuv-1.41.1 or later using the instructions for libuv (sysv), or libuv (systemd).
In systemd before 249, a security vulnerability exists that could allow for a remote attacker to reconfigure network settings on systems that use systemd-networkd without any user interaction. This happens due to an issue with the handling of DHCPRENEW packets. With a DHCPRENEW and a DHCPACK packet that is specially crafted, a remote attacker can reconfigure your network settings. Due to the merged-/usr changes, upgrading to systemd-249 for non-SVN users is not advised. As a result, patches have been made that you can apply to your build tree and rebuild systemd with. These patches have been made available for LFS 10.0 (246) and LFS 10.1 (247). This vulnerability affects all systems that use systemd-networkd, and that run systemd-245 or higher (thus, LFS 9.1 is not affected). This vulnerability has been assigned CVE-2020-13529.
If you are running LFS git, you can update to systemd-249 or later using the instructions in the BLFS book for systemd (systemd).
If you are running LFS 10.1, you can apply the patch from systemd-247-security_fix-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd.
If you are running LFS 10.0, you can apply the patch from systemd-246-security_fix-1.patch to your build tree and rebuild systemd.
In Python3 before 3.9.6, a security vulnerability exists that could allow a remote attacker to cause a resource exhaustion via the http.client module. This is due to a flaw where Python will infinitely read potential HTTP headers after a "HTTP 100 Continue" message from the server. This vulnerability has not been assigned a CVE, but more details can be found at BPO-44022.
To fix this, update to Python-3.9.6 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).
In Node.js-14.17.2, a security vulnerability was fixed that could lead to information disclosures or crashes on applications that use Node's dns module. The vulnerability exists in the lookup() function, and occurs due to a similar vulnerability in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This vulnerability has been assigned CVE-2021-22918.
To fix this, update to Node.js-14.17.2 or later using the instructions for Node.js (sysv), or Node.js (systemd).
In PHP-8.0.8, two security vulnerabilities were fixed. One of them could lead to a buffer overflow and thus remote code execution when using a Firebird database, and the other could allow for remote attackers to redirect servers to arbitrary URLs via a SSRF bypass in FILTER_VALIDATE_URL. These options are rather uncommon, which is why these vulnerabilities are rated as Moderate. These vulnerabilities have been assigned CVE-2021-21705 and CVE-2021-21704.
To fix these, update to PHP-8.0.8 or later using the instructions for PHP (sysv), or PHP (systemd).
In NetworkManager-1.32.2, a security vulnerability was fixed that could allow for a remote attacker to reconfigure your network information in rare circumstances. This only applies if using a plugin shipped within NetworkManager with some code borrowed from systemd-networkd to get an IP address via DHCP, which is enabled with "dhcp=systemd" in the configuration files. This option is not the default, nor mentioned by NetworkManager documentation or the BLFS book. This vulnerability has been assigned CVE-2020-13529.
If you'd like to use "dhcp=systemd" anyway, to fix this, update to NetworkManager-1.32.2 or later using the instructions for NetworkManager (sysv), or NetworkManager (systemd).
Fixes from firefox-78.8.0 to 78.8.11 were included in seamonkey-2.53.8. See BLFS #15227. Updating to seamonkey-2.53.8 is highly recommended due to impacts relating to remote code execution, memory safety problems, and command injection via FTP. The following CVEs have been fixed, most of them being High or Critical: CVE-2021-29955, CVE-2021-23981, CVE-2021-23982, CVE-2021-23984, CVE-2021-23987, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-23402, CVE-2021-29945, CVE-2021-29946, CVE-2021-29951, CVE-2021-29964, and CVE-2021-29967.
To fix these, update to Seamonkey-2.53.8 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
Two security vulnerabilities were patched in Dovecot-2.3.15. One of these vulnerabilities allows path traversal which can be used as an authentication bypass via OAuth2, forcing Dovecot to accept a key from an attacker-controlled location. This occurs when Dovecot uses JWT validation with the posix filesystem driver. The other vulnerability allows for command injection via STARTTLS. If more commands are pipelined as plaintext after a STARTTLS connection is initiated, the commands are run as part of the TLS session. These can be used to redirect mail, passwords, and other user variables to an attacker controlled address. These vulnerabilities have been assigned CVE-2021-29157 and CVE-2021-33515.
To fix these, update to dovecot-2.3.15 or later using the instructions for dovecot (sysv), or dovecot (systemd).
Several more CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-2 patch (fixes to 2021-06-02): CVE-2021-30518, CVE-2021-30516, CVE-2021-30515, CVE-2021-30513, CVE-2021-30512, CVE-2021-30510, CVE-2021-30508.
To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-20210401-upstream_fixes-2.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
An Out Of Bounds Read was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. This vulnerability has been assigned CVE-2021-3481 which is not yet public. For more information see RedHat CVE-2021-3481 or QTBUG-91507.
To fix this, apply the qt-everywhere-src-5.15.2-CVE-2021-3481-1.patch (or update to a later version) using the instructions at Qt5 (sysv), or Qt5 (systemd).
In Exiv2-0.27.4, nine security vulnerabilities were fixed. These security vulnerabilities are complex to exploit, but can be exploited remotely through a web browser. Three of these vulnerabilities are arbitrary code execution vulnerabilities, another is an information disclosure vulnerability, and the others are denial of service (crash) vulnerabilities. These vulnerabilities have been assigned CVE-2021-32617, CVE-2021-29623, CVE-2021-29473, CVE-2021-29470, CVE-2021-29464, CVE-2021-29463, CVE-2021-29458, CVE-2021-29457, and CVE-2021-3482.
To fix these, update to exiv2-0.27.4 or higher using the instructions for exiv2 (sysv), or exiv2 (systemd).
In Linux 5.12.10 and earlier, several security vulnerabilities existed in the Bluetooth, Xen (virtualization), and wireless networking stacks. The Bluetooth vulnerability can allow for denial of service by allowing a local user to cause a kernel panic by attaching a malicious HCI TTY Bluetooth device. The Xen vulnerability can allow for the network adapter on the host system to fail due to a driver crash in the kernel. This vulnerability can be exploited through a virtual machine running on the system. The wireless stack vulnerabilities impact all cards and could allow for decryption of encrypted packets sent over Wi-Fi Protected Access (WPA/WPA2/WPA3) and Wired Equivalent Privacy (WEP) packets due to a protocol issue that does not require all fragments in a frame to be signed by a single key. Another vulnerability in the ath11k wireless driver can allow for an attacker to inject and decrypt packets in a connection that uses WPA or WPA2 with the TKIP data-confidentiality protocol. Another vulnerability in the ath10k driver allows for a remote attacker to inject arbitrary packets since the plaintext QoS header in a packet is not required to be authenticated under the WPA, WPA2, WPA3, or WEP standard. Another vulnerability in the wireless stack allows for arbitrary network packets to be injected and for the exfiltration of user data regardless of whether any encryption is in place, and fragments are not cleared from memory after reconnecting to a network. These vulnerabilities have been assigned CVE-2021-3564, CVE-2021-28691, CVE-2020-24587, CVE-2020-26141, CVE-2020-24588, CVE-2020-26145, and CVE-2020-24586.
To fix these, update to Linux 5.12.10 or later (5,12 is no-longer maintained), or Linux 5.10.44 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
In Apache PDFBox-2.0.24, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-31812 and CVE-2021-31811.
To fix these, update the supplemental JAR files in fop to 2.0.24 using the instructions in fop (sysv) or fop (systemd).
Seven vulnerabilities were fixed in httpd-2.4.48, of which three were rated as moderate by upstream (currently undergoing analysis at NVD): CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641 (updated 2021-06-15: first link was to an unrelated CVE, corrected).
To fix these, update to at least HTTPD-2.4.48 using the instructions for Apache (sysv) or Apache (systemd).
Intel microcode for Skylake and later processors has been updated to fix three vulnerabilities: a privilege escalation via Virtualization for Direct I/O, rated as High (Intel-SA-00442 / CVE-2021-24489), and two potential information disclosures by local access, rated as Medium (Intel-SA-00464 / CVE-2020-24511 and Intel-SA-00465 / CVE-2020-24513). The CVE details are not yet public.
To fix these, update to at least microcode-20210608 using the instructions for About Firmware (sysv) or About Firmware (systemd).
In Polkit-0.119, a security vulnerability was fixed that can allow for unprivileged users to gain root access on the system. The flaw is triggered by a process calling "polkit_system_bus_name_creds_sync" too many times, combined with polkit not checking the resulting error value correctly. This vulnerability can be used by an unprivileged local attacker to bypass authorization and escalate privileges up to the root user. This affects polkit back to 0.113. This vulnerability has been assigned CVE-2021-3560.
To fix this, update to Polkit-0.119 or later using the instructions for Polkit (sysv) or Polkit (systemd).
In Wireshark-3.4.6, a security vulnerability was fixed that could allow for a malformed DVB-S2-BB packet to cause a denial of service due to excessive CPU resource consumption. This is due to an infinite loop. There is no CVE for this vulnerability, but the information can be found under "Security Advisories" on the Wireshark website. More details can be found at wnpa-sec-2021-05.
To fix this, update to Wireshark-3.4.6 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
In Thunderbird-78.11.0, a security vulnerability was fixed that was rated as High. This security vulnerability pertains to several memory safety issues that were addressed by the Mozilla developers. More details can be found at mfsa2021-26. This security vulnerability has been assigned CVE-2021-29967.
To fix this, update to Thunderbird-78.11.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In firefox 78.11.0 two vulnerabilities were fixed, one rated as High. See mfsa2021-24. CVEs have been assigned (CVE-2021-29964, CVE-2021-29967) but details are not yet public.
To fix these, update to firefox-78.11.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
In Linux 5.12.7 and all earlier kernels back to 2.6.12 a "confused deputy" weakness exists, which makes it possible to trick another process (which may have different credentials) into writing to its own /proc/$pid/attr/ files, leading to unexpected and possibly exploitable behaviors. Further details are in the links at Linux-Confused-Deputy-2.6.12.
To fix this, update to Linux 5.12.8 or later (or Linux 5.10.41 or later if you prefer to stick with 5.10.y, or for old systems Linux 5.4.123 or later) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). Note that since August linux-5.12 kernels are no longer maintained.
ISC DHCP (dhclient and dhcpd) before 4.4.2-P1 is affected by a vulnerability that allows for DHCP leases to be improperly deleted, or for the DHCP client and server services to be terminated improperly. This is due to a buffer overrun, and may be exploited remotely to allow for a denial of service (network outage) or for improper DHCP leases to be issued. No user interaction is required. If you use dhclient or dhcpd, it is highly recommended that you update as soon as possible. This vulnerability has been assigned CVE-2021-25217.
To fix this, update to DHCP-4.4.2-P1 or later using the instructions for DHCP (sysv) or DHCP (systemd).
Expat before 2.4.0 is vulnerable to Denial of Service ('billion laughs') attacks. The vulnerability was initially reported for versions up to 2.1, but protection has been strengthened in the 2.4.0 release: see blog.hartwork.org, and CVE-2013-0340.
To fix this, update to Expat-2.4.1 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.
In cURL-7.77.0, three security vulnerabilities were fixed. The first one only applies to Windows systems and is therefore irrelevant to LFS. The second vulnerability allows the stack to be disclosed to a remote attacker while a TELNET session is in progress. The third vulnerability, which is rated as high, allows for remote code execution on HTTPS sessions. The TELNET vulnerability is due to an issue with an uninitialized variable, and the remote code execution vulnerability is due to a use-after-free. This vulnerability has been called the "TLS session caching disaster", and instructions for achieving remote code execution have been released to the public. Therefore, it is suggested that you update immediately. Note that this only applies to systems which use OpenSSL as their SSL backend, which is the default configuration in BLFS. These vulnerabilities have been assigned CVE-2021-22897, CVE-2021-22898, and CVE-2021-22901.
To fix these vulnerabilities, update to cURL-7.77.0 or later as soon as possible using the instructions at cURL (sysv), or cURL (systemd).
In libX11-1.7.1, a security vulnerability was fixed that allows command injection through the libX11 protocol API. This vulnerability exists in the XLookupColor function, intended for server-side color lookup. The flaw consists of a client being allowed to send color names longer than the maximum allowed name size, and also longer than the maximum packet size for normalized packets. This then allows for the X server authorization process to be disabled completely, as the end of the packet is then considered a protocol command. This vulnerability has existed since February of 1986. This vulnerability has been rated at 9.3 CRITICAL on the CVSS scale and has been assigned CVE-2021-31535; more information can be found at the libX11 security advisory.
To fix this vulnerability, update to libX11-1.7.1 or later using the instructions at Xorg Libraries (sysv), or Xorg Libraries (systemd).
In PostgreSQL-13.3, three security vulnerabilities were fixed that could allow for memory disclosure as well as a buffer overrun caused by an integer overflow in array subscripting calculations. The buffer overrun could allow for authenticated database users to write arbitrary bytes to a wide area of server memory. The memory disclosure vulnerabilities both allow for an attacker to read arbitrary bytes of server memory, when executing UPDATE...RETURNING commands on partitioned tables, and when executing INSERT...ON CONFLICT... DO UPDATE commands on a purpose-crafted table. In the default PostgreSQL configuration, any authenticated database user can create the prerequisite objects and complete this attack at will. Users lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot exploit this attack. These vulnerabilities have been assigned CVE-2021-32028, CVE-2021-32029, and CVE-2021-32027.
To fix these vulnerabilities, update to PostgreSQL-13.3 or later using the instructions at PostgreSQL (sysv), or PostgreSQL (systemd).
A security vulnerability was fixed in rxvt-unicode-9.26 that may allow for remote code execution. An exploit has been discovered in the wild and was published to the oss-security mailing list. The vulnerability occurs due to the way that rxvt handles ANSI escape sequences, replying to queries with a newline-terminated message, and will allow applications to execute without user intervention. This was originally graded as critical (no CVE was available) but the details at CVE-2021-33477 now show it as high severity.
To fix this vulnerability, update to rxvt-unicode-9.26 or later using the instructions at rxvt-unicode (sysv), or rxvt-unicode (systemd).
In libxml2-2.9.12, a security vulnerability was fixed (in addition to all of the ones covered in libxml2-2.9.10-security_fixes-1.patch) that allows for a denial of service (system resource exhaustion) when processing a crafted XML file. This occurs through an exponential entity expansion attack, and it bypasses all existing protection mechanisms. This vulnerability has been assigned CVE-2021-3541.
To fix this, update to libxml2-2.9.12 or later using the instructions at libxml2 (sysv), or libxml2 (systemd).
Five CVEs in exiv2-0.27.3, one rated as High, have been fixed upstream but as yet there is no new release: CVE-2021-3482, CVE-2021-29457, CVE-2021-29458, CVE-2021-29470, CVE-2021-29473.
To fix these, apply the exiv2-0.27.3-security_fixes-1.patch (or update to a later version) using the instructions at Exiv2 (sysv), or Exiv2 (systemd).
In Samba-4.14.4, a security vulnerability was fixed that allows for users to have unauthorized access to information, as well as the ability for users to modify/delete files from shares that they should not have access to. The underlying cause of this vulnerability is an out-of-bounds read that sometimes occurs when mapping Windows group identities (SIDs) into Unix group IDs (gids). The code that handles this could read data beyond the end of an array in the case that a negative cache entry had been added to the cache. This would then cause the conversion code to return those values into the process token that stores the group membership of a user. This vulnerability was originally spotted at Linkoping University, where a user was found deleting files from a network share that they were not supposed to have access to. If you are using the Samba file server to share files, it is suggested that you update immediately. Other impacts include potential server crashes, as well as impacts to data confidentiality and integrity. This vulnerability has been assigned CVE-2021-20254.
To fix this vulnerability, update to Samba-4.14.4 or later using the instructions for Samba (sysv) or Samba (systemd).
Two security vulnerabilities were corrected in mariadb-10.5.10. These vulnerabilities allowed for remotely exploitable crashes of the MariaDB database server. Both of these vulnerabilities are simple to exploit and can result in repeatable crashes over the network. These vulnerabilities have been assigned CVE-2021-2166 and CVE-2021-2154.
To fix these vulnerabilities, update to MariaDB-10.5.10 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).
A security vulnerability was fixed in Wireshark that could allow for excessive memory and CPU consumption when using the MS-WSP packet dissector. This vulnerability could be exploited via a malformed packet, either by placing the malformed packet onto the wire while Wireshark is capturing packets, or by convincing someone to read a malformed packet trace file. This vulnerability could allow a remote attacker to run the system out of memory, and thus can cause a denial of service. This vulnerability has been assigned CVE-2021-22207.
To fix this vulnerability, update to Wireshark-3.4.5 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
A security vulnerability was discovered in the "cjpeg" utility included with libjpeg-turbo. This vulnerability is classified as a denial of service vulnerability, and is caused by a divide-by-zero error when processing some GIF images. The highest impact would be a crash of the 'cjpeg' application, thus this vulnerability has been rated as Low. This vulnerability has been assigned CVE-2021-20205.
To fix this vulnerability, update to libjpeg-turbo-2.1.0 or later using the instructions for libjpeg (sysv) or libjpeg (systemd).
Eight vulnerabilities have been found in the rust standard library before 1.52.0, or in crates which use it. One of the critical CVEs was raised as 'before 1.53.0', but the fix has been backported to 1.52.0.
For the general case (where static libraries are used and a variety of crates might be built) the advice is to update both rust and all the packages which use it.
For BLFS, with its limited number of crates which use rust, it can be shown (e.g. by removing the /opt/rustc symlink) that the built programs do not use the standard library at runtime, and therefore the vulnerabilities are assumed to apply only at compile time. Nevertheless, the incorrect code has been available and it may be that the resulting programs can do incorrect things. The safest advice is to update rust and then rebuild (or update) all the packages which use it.
The relevant CVEs are: CVE-2021-227376, CVE-2021-28036, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162. To fix rust, update to rustc-1.52.0 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).
Many CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-1 patch (fixes to 2021-05-03): CVE-2021-21233, CVE-2021-21231, CVE-2021-21230, CVE-2021-21227, CVE-2021-21225, CVE-2021-21224, CVE-2021-21223, CVE-2021-21222, CVE-2021-21221, CVE-2021-21220, CVE-2021-21219, CVE-2021-21218, CVE-2021-21217, CVE-2021-21214, CVE-2021-21213, CVE-2021-21209, CVE-2021-21207, CVE-2021-21206, CVE-2021-21204, CVE-2021-21203, CVE-2021-21202, CVE-2021-21201.
Of these, two were rated as critical and at least one other rated as high has public exploit code available. To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5, plus the qtwebengine-20210401-upstream_fixes-1.patch (or update to a later version), using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
In ruby-3.0.1, a security vulnerability was fixed that could lead to improper generation of XML files, including malicious code. This has been classified as a "XML round-trip vulnerability". The ruby developers suggest upgrading the REXML gem if updating Ruby on your system is not feasible. This can be done by executing "gem upgrade rexml". The fixed gem has been bundled with ruby-3.0.1. This vulnerability has been assigned CVE-2021-28965.
To fix this vulnerability, update to ruby-3.0.1 or higher using the instructions for ruby (sysv) or ruby (systemd).
In Exim-4.94.2, twenty-one security vulnerabilities were patched. These vulnerabilities can allow for local privilege escalation, remote code execution, arbitrary code execution in the context of the Exim user, command injection, modification of mails, modification/deletion of files, and more. Ten of these vulnerabilities can be exploited remotely, while the other eleven can be exploited locally. If you have any systems running Exim, this is considered an urgent matter. There are multiple exploits available in the wild for these vulnerabilities. These vulnerabilities have been assigned CVE-2020-28007, CVE-2020-28008, CVE-2020-28014, CVE-2021-27216, CVE-2020-28011, CVE-2020-28010, CVE-2020-28013, CVE-2020-28016, CVE-2020-28015, CVE-2020-28012, CVE-2020-28009, CVE-2020-28017, CVE-2020-28020, CVE-2020-28023, CVE-2020-28021, CVE-2020-28022, CVE-2020-28026, CVE-2020-28019, CVE-2020-28024, CVE-2020-28018, and CVE-2020-28025. Additional information can be found at Qualys Security Blog - 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server.
To fix these vulnerabilities, update to Exim-4.94.2 or higher as soon as possible using the instructions for Exim (sysv) or Exim (systemd).
In BIND-9.16.15, three security vulnerabilities were fixed that could result in crashes and remote code execution on 32-bit platforms. One security vulnerability is rated as Medium, while the other two (one of which leads to remote code execution on 32-bit platforms, and crashes on 64-bit platforms) are rated as High. These vulnerabilities have been assigned CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216. Additional information can be found at BIND Release Announcement.
To fix these vulnerabilities, update to BIND-9.16.15 or higher using the instructions for BIND (sysv) or BIND (systemd).
In OpenSSH-8.6p1, a security vulnerability was fixed that was introduced in version 8.5p1 with the addition of the LogVerbose keyword. When this option was enabled with a set of patterns that activated logging in code that runs in the lower-privileged/sandboxed sshd process, the log messages were constructed in a way that printf(3) format strings could effectively be specified in the lower-privileged code. As a result, an attacker who had successfully exploited the lower-privileged process could use the logging feature to escape the sandbox and attack the higher-privileged process. No CVE has been assigned at this time. More details can be found at Announce: OpenSSH 8.6 released.
To fix this, update to OpenSSH-8.6p1 or later using the instructions for OpenSSH (sysv) or OpenSSH (systemd).
In Python3 before 3.9.4, 'pydoc' can be used to read arbitrary files, including those containing sensitive data. This has been assigned CVE-2021-3426 but the details are not yet public. See CVE-2021-3426 at debian.
To fix this, update to Python-3.9.4 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).
In Xorg-Server before version 1.20.11 an integer underflow in the Xinput extension can lead to out of bounds memory accesses. This can lead to local privilege escalations (to root) if the X server is running privileged. This has been assigned CVE-2021-3472.
To fix this, update to at least Xorg-Server-1.20.11 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).
Nine security vulnerabilities were fixed in Thunderbird-78.10.0, of which two were rated as High. See mfsa2021-14.
To fix these, update to Thunderbird-78.10.0 or later using the instructions for Thunderbird (sysv), or Thunderbird (systemd).
In firefox 78.10.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-15. CVEs have been assigned (CVE-2021-23994, CVE-2021-23995, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946) but details are not yet public.
To fix these, update to firefox-78.10.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
A security vulnerability was fixed in librsvg-2.50.4 that applied to one of the rust crates involved with building the librsvg library. This vulnerability existed within the generic-array crate, and allowed for variables to stick around for longer than their expected lifetime. This could lead to memory corruption scenarios. This vulnerability has been assigned RUSTSEC-2020-0146.
To fix this, update to librsvg-2.50.4 or later using the instructions in librsvg (sysv), or librsvg (systemd).
A security vulnerability was discovered in cifs-utils before 6.13. When using Kerberos authentication, authentication credentials may be leaked when running the cifs.upcall command. This same vulnerability can also permit privilege escalation by a local user. This vulnerability has been assigned CVE-2021-20208.
To fix this, update to cifs-utils-6.13 or later using the instructions in cifs-utils (sysv), or cifs-utils (systemd).
A security vulnerability was found in NetworkManager up to 1.30.2 where a local or remote attacker could set a "match.path" statement in a Network file, which would cause NetworkManager to crash. The root cause of this vulnerability is improper input validation. This vulnerability has been assigned CVE-2021-20297.
To fix this, update to NetworkManager-1.30.4 or later using the instructions at NetworkManager (sysv), or NetworkManager (systemd).
A security vulnerability was found in Avahi that could allow an infinite loop to be triggered when an attacker writes a long line to /run/avahi-daemon/socket. The event used to signal the termination of a client connection was not correctly handled. This vulnerability has been assigned CVE-2021-3468.
To fix this, apply a sed to Avahi using the instructions in Avahi (sysv), or Avahi (systemd).
Three security vulnerabilities were fixed in Thunderbird-78.9.1. All three of them affect systems that have OpenPGP keys configured for encrypted email. These vulnerabilities have been rated Moderate, and have been assigned CVE-2021-23991, CVE-2021-23992, CVE-2021-23993. Additional information can be found at mfsa2021-13.
To fix these, update to Thunderbird-78.9.1 or later using the instructions at Thunderbird (sysv), or Thunderbird (systemd).
Several CVEs (from Chromium) in QtWebEngine have been fixed in the snapshot dated 20210401: CVE-2021-21198, CVE-2021-21195, CVE-2021-21193, CVE-2021-21191, CVE-2021-21187, CVE-2021-21184, CVE-2021-21183, CVE-2021-21166, CVE-2020-27844.
To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
Node.JS-14.16.1 fixed three security vulnerabilities. Two are in OpenSSL but can be exploited through Node.js if you have not updated that package to OpenSSL-1.1.1k or later; see 10.1-011.
The third vulnerability is 'Prototype Pollution' in the y18n JS package used in npm. Information can be found at April 2021 Security Releases and CVE-2020-7774, and for an explanation of 'Prototype Pollution' see SNYK-JAVA-ORGWEBJARSNPM-1038306.
To fix these, update to Node.JS-14.16.1 or later using the instructions at Node.JS (sysv) or Node.JS (systemd).
In the xdg-email component of xdg-utils 1.1.0rc1 and newer, an attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure.
This has been assigned CVE-2020-27748 but the upstream issue at gitlab remains open.
In the meantime, to mitigate this flaw, either do not use mailto links at all, or always double-check in the user interface that there are no unwanted attachments before sending emails, especially when the email originates from clicking on a mailto link.
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This has been assigned CVE-2019-17498.
This has been fixed upstream, but no new version has been released. To fix this, apply the patch libssh2-1.9.0-security_fix-1.patch using the instructions for libssh2 (sysv) or libssh2 (systemd) or update to a later version of Libssh2 if one is released.
In Flac up to and including 1.3.3 a heap buffer overflow leading to a possible out of bounds read has been discovered. This could lead to remote information disclosure with no additional execution privileges needed and has been assigned CVE-2020-0499.
This has been fixed upstream, but no new version has been released. To fix this, apply the patch flac-1.3.3-security_fixes-1.patch using the instructions for Flac (sysv) or Flac (systemd) or update to a later version of Flac if one is released.
Fixes from firefox-78.6.1 to 78.8.0 were included in seamonkey-2.53.7. See BLFS #14840. The following CVEs have been fixed, most of them being High or Critical: CVE-2020-16044, CVE-2021-23953, CVE-2021-23954, CVE-2020-26976, CVE-2021-23960, CVE-2021-23964, CVE-2020-16048, CVE-2021-23969, CVE-2021-23968, CVE-2021-23973, and CVE-2021-23978.
To fix these, update to Seamonkey-2.53.7 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In cURL-7.76.0, two vulnerabilities are fixed that may lead to disclosure of sensitive information or authentication bypass. These vulnerabilities have been assigned CVE-2021-22876 and CVE-2021-22890. Additional information can be found at the cURL website.
To fix these vulnerabilities, update to cURL-7.76.0 or higher using the instructions for cURL (sysv) or cURL (systemd).
In Python 3 releases, multiple vulnerabilities are fixed that may lead to denial of service, remote code execution, or web cache poisoning. Python 2 is already EOL'ed and has not received the fixes. These vulnerabilities have been assigned CVE-2019-20907, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619, CVE-2021-3177, and CVE-2021-23336.
To fix these vulnerabilities, it's recommended to port everything using Python 2 to use Python 3 instead.
If you decide to stick with Python 2 anyway, rebuild Python 2 with a security patch using the instructions for Python 2 (sysv) or Python 2 (systemd).
In WebKitGTK 2.32.0, three security vulnerabilities were fixed that could lead to arbitrary code execution. These vulnerabilities have been assigned CVE-2021-1788, CVE-2021-1844, and CVE-2021-1871. Additional information can be found at WSA-2021-0003.
To fix these vulnerabilities, update to WebKitGTK-2.32.0 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).
In glib-2.66.8, a medium-severity security vulnerability was fixed that allowed a malicious archive to create files elsewhere in the filesystem via a symlink attack. The malicious archive may also be able to overwrite existing files when extracted with file-roller. An additional vulnerability was fixed in glib-2.66.7, which has been rated High. This vulnerability allows for unintended length truncation on buffers above 4GB in size on a 64-bit platform. These vulnerabilities have been assigned CVE-2021-27218 and CVE-2021-28153, and additional information can be found at file-roller symlink attack (#2325).
To fix these vulnerabilities, update to glib-2.66.8 or later using the instructions for glib (sysv) or glib (systemd).
In Samba-4.14.2, two security vulnerabilities were fixed that could lead to denial of service or disclosure of sensitive information. These vulnerabilities have been assigned CVE-2020-27840 and CVE-2021-20277.
To fix these vulnerabilities, update to Samba-4.14.2 or higher using the instructions for Samba (sysv) or Samba (systemd).
If you prefer to stick with the 4.13 series, update to Samba-4.13.7 or higher using the instructions for Samba (10.1 sysv) or Samba (10.1 systemd).
In WebKitGTK-2.30.6, seven security vulnerabilities were fixed that could lead to arbitrary code execution, improper data deletion, sandbox escapes, and access to ports on restricted servers. One of the vulnerabilities has an exploit in the wild and is being actively exploited. These vulnerabilities have been assigned CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, and CVE-2021-1870. Additional information can be found at WSA-2021-0002.
To fix these vulnerabilities, update to WebKitGTK-2.30.6 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).
In lxml-4.6.3, a security vulnerability was fixed in the HTML Cleaner that could lead to JavaScript code being passed into the output. This vulnerability is classified as "Cross Site Scripting". It does not properly sanitize the input from the HTML5 formaction attribute, leading to JavaScript code being inserted into the output. This vulnerability has been assigned CVE-2021-28957.
To fix this, update to lxml-4.6.3 or later using the instructions for lxml (sysv) or lxml (systemd).
In Nettle-3.7.2, a security vulnerability was fixed that could allow for improper results or crashes with assertion failures when processing some ECDSA signatures. This has to do with the secp224r1 and secp521r1 curves, and the maintainer suggests upgrading immediately because of the severity of the bug. More information can be found here: ANNOUNCE: Serious bug in Nettle's ecdsa_verify.
To fix this, update to Nettle-3.7.2 or later using the instructions for Nettle (sysv) or Nettle (systemd).
In Thunderbird before 78.9.0 there were two vulnerabilities rated as High for linux systems (the angle graphics item only applies to MS Windows), see mfsa2021-12. CVE-2021-23981 and CVE-2021-23987.
To fix these, update to thunderbird-78.9.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In OpenSSL-1.1.1k, two high severity security vulnerabilities were fixed. One of these allows for a complete bypass of the CA certificate check, and the other is a trivial-to-exploit vulnerability that lets remote attackers crash any application that uses OpenSSL on the system. Upgrading to OpenSSL-1.1.1k is suggested, as soon as possible. These vulnerabilities have been assigned CVE-2021-3450 and CVE-2021-3449.
To fix these, update to OpenSSL-1.1.1k or later using the instructions in OpenSSL (sysv) or OpenSSL (systemd).
In Apache PDFBox-2.0.23, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-27906 and CVE-2021-27807.
To fix these, update the supplemental JAR files in fop to 2.0.23 or update to a later version using the instructions in fop (sysv) or fop (systemd).
In the javascript code of firefox-78.9.0 there are hardening fixes against Spectre attacks, see BLFS #14804.
To fix this, update to JS-78.9.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).
In firefox 78.9.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-11. See CVE-2021-23981, CVE-2021-23982, CVE-2021-23984 and CVE-2021-23987.
To fix these, update to firefox-78.9.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
In gstreamer-1.18.4 (including plugins), five high severity security vulnerabilities were fixed. Two of them were in gst-plugins-good, one in gst-plugins-ugly, one in gst-libav, and one in gst-plugins-base. Upon successful exploitation, these vulnerabilities can lead to application crashes and arbitrary code execution. More details can be found at GStreamer Security Center.
To fix these vulnerabilities, update the entire gstreamer stack to 1.18.4 using the instructions in the gstreamer pages, starting at gstreamer (sysv) or gstreamer (systemd).
If you are maintaining a system which is still using gstreamer-1.16.3 you should go to the Gstreamer Security Center link above, take the five patches for items SA-2021-001 to 005 and apply them to plugins-base (001), plugins-good (002, 003), plugins-ugly (004) and libav (005) and recompile everything except gstreamer (because a library from -base is affected).
In Wireshark-3.4.4, a 17-year-old security vulnerability was fixed that could allow Wireshark to open unsafe URLs from within packet dumps. These unsafe URLs did not follow standard HTTP/HTTPS schemes, but examples were shown using the NFS protocol as well as WebDAV and SMB3. This could result in remote code execution while reading a packet capture file. This has been assigned CVE-2021-22191.
Additional details may be found at Wireshark Gitlab Issue 17232.
To fix this, update to Wireshark-3.4.4 or later using the instructions in Wireshark (sysv) or Wireshark (systemd).
In Linux 5.11.3 and earlier, vulnerabilities in the iSCSI subsystem may lead to potential privilege escalation. These have been assigned CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365.
These vulnerabilities should only affect systems with iSCSI devices or utilities (not in LFS or BLFS) installed.
To fix these, update to Linux 5.11.4 or later, or Linux 5.10.21 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). Note that the linux kernel 5.11 and 5.12 versions are no longer maintained.
In GnuTLS, a client sending a "key_share" or "pre_share_key" extension may result in dereferencing a pointer that is no longer valid after realloc(). These have been assigned CVE-2021-20231 and CVE-2021-20232. The details can be found at the GnuTLS issue tracker.
To fix these, update to GnuTLS-3.7.1 or later using the instructions in GnuTLS (sysv) or GnuTLS (systemd).
In MuPDF-1.18.0, a double free may lead to memory corruption and other potential consequences. This has been assigned CVE-2021-3407.
To fix this, apply the patch mupdf-1.18.0-security_fix-1.patch using the instructions for MuPDF (sysv) or MuPDF (systemd).
Many CVEs in QtWebEngine-5.15.2 have been fixed in version 5.15.3, but the release tarball and the rest of 5.15.3 are not yet available to non-commercial customers. Before they decided not to produce a file of changes, the details were recorded at A Qt code review. For the most recent of those, see Upstream Chrome, dated 2021-02-16. To fix these, update to the BLFS 5.15.3 git tarball with instructions for installing that as 5.15.2 to match Qt5 (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).
OpenSSH-8.2p1 through OpenSSH-8.4p1 included a security vulnerability (double free) in the 'ssh-agent' program. This could lead to memory corruption and is potentially exploitable, and may lead to potential privilege escalation. This bug is only reachable by those with access to the agent socket, which is why the BLFS team has decided to rate this vulnerability as Medium severity. There is no CVE assigned for this vulnerability. Additional information can be found at OpenSSH 8.5 release announcement.
To fix this, update to OpenSSH-8.5p1 or later using the instructions in OpenSSH (sysv) or OpenSSH (systemd).
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file. This has been assigned CVE-2017-6888. This was fixed in flac-1.3.3, but in the meantime a further vulnerability was discovered in flac-1.3.3, so please follow the instructions for 10.1-022.
Node.JS-14.16.0 fixed three security vulnerabilities. One of them is a denial of service vulnerability (resource exhaustion via HTTP2 protocols), another is a DNS rebinding attack, and a third is an integer overflow. These vulnerabilities have been assigned CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840. The CVEs are not available at NVD yet, but more information can be found at February 2021 Security Releases.
To fix these, update to Node.JS-14.16.0 or later using the instructions in Node.JS (sysv) or Node.JS (systemd).
In thunderbird before 78.8.0 there were three vulnerabilities rated as High, see mfsa2021-09. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.
To fix these, update to thunderbird-78.8.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In firefox 78.8.0 three vulnerabilities rated as High were fixed, see mfsa2021-08. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.
To fix these, update to firefox-78.8.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
ffmpeg-4.3.2 fixed two medium-severity arbitrary code execution vulnerabilities. These could be exploited via crafted files using the EXR and VIVIDAS codecs. These vulnerabilities have been assigned CVE-2020-35965 and CVE-2020-34964.
To fix these, update to ffmpeg-4.3.2 or later using the instructions in ffmpeg (sysv) or ffmpeg (systemd).
Python-3.9.2 contained two security fixes, one rated as 9.8 CRITICAL, and the other marked as Medium. The critical vulnerability can result in remote code execution in some Python-based programs, and the Medium-level vulnerability can result in web cache poisoning. These vulnerabilities have been assigned CVE-2021-23336 and CVE-2021-3177.
To fix this, update to Python-3.9.2 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).
In Screen-4.8.0, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally found exploited via Minecraft servers, and is currently being exploited in the wild. The vulnerability can also allow shell injection. This has been assigned CVE-2021-26937.
To fix this, apply the patch in screen-4.8.0-upstream_fixes-1.patch to your build and recompile Screen using the instructions in Screen (sysv) or Screen (systemd).
In OpenSSL-1.1.1j, two security vulnerabilities were fixed that could lead to a potential denial-of-service attack due to integer overflows and null pointer dereferences. These have been assigned CVE-2021-23841 and CVE-2021-23840. Additional details can be found at OpenSSL.
To fix this, update to at least OpenSSL-1.1.1j using the instructions in OpenSSL (sysv) or OpenSSL (systemd).
On Intel Skylake Xeon and Cascade Lake Xeon processors, an authenticated user can potentially enable information disclosure via local access through two vulnerabilities. These have been assigned CVE-2020-8696 and CVE-2020-8698. See also Intel-SA-00381.
To fix this, update to at least microcode-20210216 using the instructions for About Firmware (sysv) or About Firmware (systemd).
In bind-9.16.12, a security vulnerability was fixed that could allow remote unauthenticated users to crash the named process if the server is configured to use SPNEGO/GSSAPI. This is classified as a buffer overflow vulnerability. This has been assigned CVE-2020-8625.
To fix this, apply the sed found in the BIND (sysv) or BIND (systemd) page and rebuild BIND.
In taglib-1.11.1, a security vulnerability was found that may lead to information disclosure when using a crafted OGG file. This is classified as a use-after-free vulnerability. This has been assigned CVE-2018-11439.
To fix this, update to at least taglib-1.12 using the instructions in taglib (sysv) or taglib (systemd).
In WebKitGTK-2.30.5, a security vulnerability was fixed that allows for arbitrary code execution when processing maliciously crafted web content. The affected content is audio, and the issue is a use-after-free in the AudioSourceProviderGstreamer class. It was fixed with improved memory management. This has been assigned CVE-2020-13558, and additional information may be found at WSA-2021-0001.
To fix this, update to at least WebKitGTK-2.30.5 using the instructions in WebKitGTK (sysv) or WebKitGTK (systemd).
In PostgreSQL-13.2, two vulnerabilities were fixed that could lead to unauthorized users leaking information from a database. One of them relates to users with the UPDATE privilege but without the SELECT privilege, and the other relates to users who have SELECT privileges for only a single column being able to read all columns of the table. These have been assigned CVE-2021-3393 and CVE-2021-20229.
To fix this, update to at least postgresql-13.2 using the instructions in PostgreSQL (sysv) or PostgreSQL (systemd).
In gnome-autoar-0.2.4, a security vulnerability was found that allows for directory traversal during extraction of an archive due to a lack of proper checks for whether a file's parent is a symlink to a directory outside of the intended extraction location. This has been assigned CVE-2020-36241.
To fix this, update to at least gnome-autoar-0.3.0 using the instructions in gnome-autoar (sysv) or gnome-autoar (systemd).
In xterm-366, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally discovered in 'Screen', but was found to affect xterm as well. The vulnerability was originally found exploited via Minecraft servers, so as a result of its exploitation in the wild, BLFS has decided to apply a severity of Medium to this vulnerability. This has been assigned CVE-2021-26937.
To fix this, update to at least xterm-366 using the instructions in xterm (sysv) or xterm (systemd).
In Jinja2-2.11.2, a security vulnerability was found that allows for a repeatable denial-of-service attack via malformed regex. This has been assigned CVE-2020-28493.
To fix this, update to at least Jinja2-2.11.3 using the instructions for Jinja2 (sysv) or Jinja2 (systemd).
In subversion-1.14.0, a security vulnerability was found that will result in a remote unauthenticated denial-of-service. This vulnerability was found in the mod_authz_12.2 and mod_dav_12.2 modules, and is a null-pointer dereference caused by attempting to access a non-existent repository. This has been assigned CVE-2020-17525.
To fix this, update to at least Subversion-1.14.1 using the instructions for Subversion (sysv) or Subversion (systemd).
In Libgcrypt-1.9.0 there is a heap-based buffer overflow. See CVE-2021-3345.
To fix this, update to at least Libgcrypt-1.9.1 using the instructions for Libgcrypt (sysv) or Libgcrypt (systemd).
In Jasper 2.0.24, jp2_decode in jp2/jp2_dec.c in libjasper has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. This has been assigned CVE-2021-3272.
To fix this, update to at least jasper-2.0.25 using the instructions for Jasper (sysv) or Jasper (systemd).
In PHP before versions 7.4.15 and 8.0.2, according to Arch Linux, PHP will crash with a SIGSEGV via a null-pointer dereference whenever XML without an existing field is provided to the SoapClient query() function. CVE-2020-7071 has been allocated but for the moment that is "reserved". See Arch CVE-2021-21702 where the severity is rated as Medium.
To fix this, update to PHP-8.0.2 or later using the instructions for PHP (sysv) or PHP (systemd).
In Glibc before 2.33 there are four vulnerabilities in iconv which can lead to a crash when processing less-common character encodings.
CVE-2019-25013: According to Red Hat this can be worked around by not processing untrusted input in the (uncommon) EUC-KR character set. See Red Hat.
CVE-2020-27618 is currently marked as 'Reserved'. According to Red Hat an infinite loop can be encountered when processing data in certain IBM character sets containing redundant shift sequences. They rate the severity as Low because an attacker would need either local privileges, or to depend on an application feeding untrusted encoding input to iconv. See Red Hat.
CVE-2020-29562: When processing UCS4 text containing an irreversible character, iconv fails an assertion and aborts, resulting in a denial of service. A workaround appears to be to avoid processing UCS4 input (constant 32-bit width characters) in iconv. For most users of LFS and BLFS it is expected that UCS4 input is uncommon.
CVE-2021-3326: When processing invalid input sequences in the ISO-2022-JP-3 encoding, iconv fails an assertion and aborts, resulting in a denial of service. According to Red Hat this can be worked around by not processing untrusted input in this encoding. See Red Hat.
To fix these, build a new version of LFS. If you have usable backups and have tested a way to restore them via a rescue stick or similar, it might be possible to build glibc-2.33 in place and then immediately make an unclean shutdown, e.g. using MagicSysRQ if that is enabled in your kernel. Such a procedure is not recommended, nor has it been tested.
In firefox before 78.7.1 a vulnerability in the Angle graphics library was rated as Critical and a CVE was requested. It has now been clarified that this only affected Windows operating systems.
BLFS had been using JasPer-2.0.14, not aware that the upstream location had moved. In versions before Jasper-2.0.24 more than 25 vulnerabilities were present, mostly either causing a remotely triggered crash (Denial of Service) or otherwise rated as high. For an overview of these see BLFS #14599. The most recent included CVE-2018-9055, CVE-2018-9252, CVE-2018-19540, CVE-2018-19541, CVE-2018-19543, CVE-2020-27828.
To fix this, update to at least JasPer-2.0.24 using the instructions for JasPer (sysv) or JasPer (systemd).
Glib before 2.66.6 was vulnerable to integer truncation leading to potentially exploitable heap-overflow vulnerabilities. The issue was raised in a public report, so this is now classed as a zero-day vulnerability requiring an urgent update. See GHSL-2021-045.
To fix this, update to at least Glib-2.66.6 using the instructions for Glib (sysv) or Glib (systemd).
In thunderbird before 78.7.0 there were various vulnerabilities rated as High. See mfsa2021-05. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.
To fix this, update to Thunderbird-78.7.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
If you use the 'cpan' command to build perl modules, the perl.com domain was stolen and is currently hosted at an address associated with malware. Anyone who uses the 'cpan' command should ensure that www.cpan.org is used to provide the urllist, see the details at blfs-support archive.
Wireshark up to 3.4.2 had vulnerabilities for a memory leak and a crash, wnpa-sec-2020-20, wnpa-sec-2020-20. According to Red Hat these have been allocated CVE-2021-22173 and CVE-2021-22174 but these are currently 'Reserved'.
To fix these, update to wireshark-3.4.3 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
In VLC Media Player up to and including version 3.0.11 a remote user could create a specially crafted file or stream that would lead to crashes and potential information leakage, or perhaps arbitrary code execution. See VideoLAN-SB-VLC-3012.
To fix this, update to VLC-3.0.12 or later using the instructions for VLC (sysv) or VLC (systemd).
In GPTfdisk before version 1.0.6 a possible out-of-bounds write in ReadLogicalParts of basicmbr.cc could be triggered by running gdisk or cgdisk on an improperly formatted MBR partition, leading to arbitrary code execution. See CVE-2021-0308.
To fix this, update to GPTfdisk-1.0.6 or later using the instructions for GPTfdisk (sysv) or GPTfdisk (systemd).
In Sudo before 1.9.5p2 the 'Baron Samedi' exploit allows privilege escalation, see CVE-2021-3156.
To fix this, update to Sudo-1.9.5p2 or later using the instructions for Sudo (sysv) or Sudo (systemd).
In the javascript code of firefox-78.7.0 there is a fix for a 'Use-after-poison' vulnerability leading to a potentially exploitable crash. CVE-2021-23960 has been assigned but details are not yet public. Summary details are at mfsa2021-04.
To fix this, update to JS-78.7.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).
In firefox 78.7.0 several vulnerabilities were fixed; the following are rated as High. See mfsa2021-04. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.
To fix these, update to firefox-78.7.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
Three vulnerabilities in Vorbis Tools 1.4.0 could cause crashes. See CVE-2014-9638, CVE-2014-9639, CVE-2017-11331.
To fix these, update to Vorbis Tools 1.4.2 or later using the instructions for Vorbis Tools (sysv) or Vorbis Tools (systemd).
Fixes from firefox-78.4.1 to 78.6.0, and from thunderbird-78.6.0 were included in seamonkey-2.53.6. See BLFS #14548. The following are rated as Critical or High: CVE-2020-16042, CVE-2020-26950, CVE-2020-26951, CVE-2020-26968, CVE-2020-26970, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.
To fix these, update to Seamonkey-2.53.6 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
In mutt through version 2.0.4 it was possible to cause a Denial of Service (the specific mailbox became unreadable) by sending a message with sequences of semicolons in RFC822 fields, causing large memory consumption. See CVE-2021-3181.
This was initially fixed with a minimal upstream patch, mutt-2.0.4-memleak-1.patch, but the 2.0.5 release followed a few days later with slightly more fixes. To fix this, update to mutt-2.0.5 or later using the instructions for Mutt (sysv) or Mutt (systemd).
BLFS updated to ImageMagick-7.0.10-57 from 7.0.10-27 to fix two security vulnerabilities: a division by zero causing a Denial of Service, and improper sanitization of the -authenticate option (used to set a password for password-protected PDF files), which allowed users to inject additional shell commands. See CVE-2020-27560 (the division by zero) and CVE-2020-29599.
To fix this, update to ImageMagick-7.0.10-57 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).
In thunderbird before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-02. This has been allocated CVE-2020-16044 but for the moment no details are available.
To fix this, update to Thunderbird-78.6.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
In Sudo before 1.9.5 there are two privilege escalation vulnerabilities, one marked as High. See oss-security and CVE-2021-20239, CVE-2021-23240.
To fix this, update to Sudo-1.9.5p1 or later using the instructions for Sudo (sysv) or Sudo (systemd).
In PHP before 7.4.14, 8.0.1 FILTER_VALIDATE_URL accepts URLs with invalid userinfo. CVE-2020-7071 has been allocated but for the moment that is "reserved". See ASA-202101-9 (Arch linux).
To fix this, update to PHP-8.0.1 or later using the instructions for PHP (sysv) or PHP (systemd).
In firefox before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-01. This has been allocated CVE-2020-16044 but for the moment no details are available.
To fix this, update to firefox-78.6.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).
In Node.js before 12.20.1 and 14.15.4 a high security vulnerability (use after free, leading to Denial of Service or other exploits) as well as two medium security vulnerabilities were found (one is in OpenSSL but could be exploited through Node.js). See CVE-2020-8265, CVE-2020-8287, CVE-2020-1971.
To fix these, update to Node.js-14.15.4 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.20.1 or later.
A high severity heap-based buffer overflow via a crafted PDF was reported against Poppler-20.12.1 and assigned CVE-2020-35702, but later reports indicate that this only applies to Poppler git clones in late December 2020 (which might be used by third-party projects). For BLFS no action is now necessary.
In Dovecot before version 2.3.13, if IMAP hibernation has been enabled (it is off by default) an attacker can access other users' emails and filesystem information. It has been assigned CVE-2020-24386.
A workaround is to disable imap hibernation by ensuring imap_hibernate_timeout is either set to 0 or unset.
To fix this, update to dovecot-2.3.13 or later using the instructions for Dovecot (sysv) or Dovecot (systemd).
The changes file for Libpcap-1.10.0 at tcpdump.org mentions various security fixes.
To fix these, update to Libpcap-1.10.0 or later using the instructions for Libpcap (sysv) or Libpcap (systemd).
In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high, and another two rated as medium. See CVE-2019-6988, CVE-2019-12793, CVE-2020-6851, CVE-2020-8112.
To fix these, update to OpenJPEG-2.4.0 or later using the instructions for OpenJPEG2 (sysv) or OpenJPEG2 (systemd).
A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1 was raised and allocated CVE-2020-26422, but it was later determined that the bug was not present in any released version of Wireshark (see wnpa-sec-2020-20), so no action is necessary.
Several vulnerabilities were fixed in Thunderbird-78.6.0, one was rated as Critical. Details are at mfsa2020-56, CVE-2020-16042, CVE-2020-26970, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.
To fix this, update to Thunderbird-78.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
Four Medium Security Advisories for items which could cause Wireshark to crash were fixed in Wireshark-3.4.1, detailed at Wireshark Security, but in addition the editors had overlooked a High severity item fixed in Wireshark-3.4.0. CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421, CVE-2020-26575, CVE-2020-28030.
To fix these, update to wireshark-3.4.1 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
In P11-Kit up to 0.23.21 there are two vulnerabilities rated as high, and another rated as medium. See CVE-2020-29361, CVE-2020-29362, CVE-2020-29363.
To fix this, update to p11-kit-0.23.22 or later using the instructions for P11-Kit (sysv) or P11-Kit (systemd).
Several vulnerabilities were found in firefox before 78.6.0, of which one was rated as critical and four as high by upstream, as well as one rated low (but rated as Medium by NVD) where internal network hosts and services on the user's machine could have been probed by a malicious webpage. Details are at mfsa2020-55 and CVE-2020-16042, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.
To fix these, update to firefox-78.5.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
The EDIPARTYNAME NULL pointer de-reference allows an attacker who can trick a client or server into checking a malicious X509 certificate to trigger a crash. This is rated High. It has been assigned CVE-2020-1971 with fuller details at OpenSSL.
To fix this, update to at least OpenSSL-1.1.1i using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).
Python-3.9.1 includes three security fixes. See bpo-40791, bpo-42051, bpo-42103.
To fix this, update to at least Python-3.9.1 using the instructions from the BLFS book for Python (sysv) or Python (systemd).
cURL before version 7.74.0 has two vulnerabilities rated as High, an uncontrolled recursion and an improper check for certificate revocation, as well as one rated as Low. See BLFS #14363 and CVE-2020-8284, CVE-2020-8285, CVE-2020-8286.
To fix these, update to cURL-7.74.0 or later following the instructions for cURL (sysv) or cURL (systemd).
Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service (infinite loop) which can, for example, be triggered using a crafted GIF image with LZW compression. See CVE-2020-29385.
To fix this, update to Gdk-Pixbuf-2.42.2 or later following the instructions for Gdk-Pixbuf (sysv) or Gdk-Pixbuf (systemd).
In Xorg-Server before version 1.20.10 two input validation failures in X server extensions were found. These can lead to local privilege escalation (to root) if the X server is running privileged. These have been assigned CVE-2020-14360 and CVE-2020-25712.
To fix this, update to at least Xorg-Server-1.20.10 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).
Unbound up to and including version 1.12.0 contains a local vulnerability that would allow for a local symlink attack. The severity was downgraded following availability of analysis. See CVE-2020-28935.
To fix this, update to Unbound-1.13.0 or later following the instructions for Unbound (sysv) or Unbound (systemd).
Mutt before version 2.0.2 had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. See CVE-2020-28896.
To fix this, update to mutt-2.0.2 or later following the instructions for Mutt (sysv) or Mutt (systemd).
Three vulnerabilities were found in LibEXIF-0.6.22, two are rated as High and one as Critical. See BLFS #14272 and the following CVEs: CVE-2020-0181, CVE-2020-0198, CVE-2020-0452.
To fix these, update to a version of LibEXIF after version 0.6.22 if one is released, or apply the patch libexif-0.6.22-security_fixes-1.patch following the instructions for LibEXIF (sysv) or LibEXIF (systemd).
Three vulnerabilities leading to Denial of Service were found in LibXML2-2.9.10, two of these are rated as High. See BLFS #14271 and the following CVEs: CVE-2019-20388, CVE-2020-7595, CVE-2020-24977.
To fix these, apply the patch libxml2-2.9.10-security_fixes-1.patch following the instructions for LibXML2 (sysv) or LibXML2 (systemd), or update to a later version if one is released.
Five vulnerabilities rated as High were found in WebKitGTK. See BLFS #14281 and the following CVEs (most were filed against Safari, which uses WebKit): CVE-2020-9948, CVE-2020-9951, CVE-2020-9952, CVE-2020-9983, CVE-2020-13584.
To fix this, update to at least webkitgtk-2.30.3 using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).
The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from Chrome, of which four were 0day fixes. The rest of Qt5 includes many bug fixes, some of which address heap buffer overflows. For QtWebEngine see QtWebEngine 5.15.2 changes. For the other parts of Qt5 see Qt-5.15.2 Changes.
To fix these, update to at least Qt-5.15.2 and QtWebEngine-5.15.1 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).
Several vulnerabilities were fixed in Thunderbird-78.5.0, two were rated High. Details are at mfsa2020-52, CVE-2020-26951, CVE-2020-26968.
To fix this, update to Thunderbird-78.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
A vulnerability in Kerberos 5 before krb-5.18.3 allowed a Denial of Service to be triggered when decoding Kerberos protocol messages. See Release Notes.
To fix this, update to krb5-1.18.3 or later using the instructions for Kerberos (sysv) or Kerberos (systemd).
An application using C-Ares versions from 1.16.0 to 1.17.0 allows an attacker to trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses. See CVE-2020-8277 which was initially raised against Node.js.
To fix this, update to C-Ares-1.17.1 or later using the instructions for C-Ares (sysv) or C-Ares (systemd).
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses. This also applies to C-Ares, which is shipped with Node.js. See CVE-2020-8277.
To fix this, update to Node.js-14.15.1 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.19.1 or later.
Several vulnerabilities were found in firefox before 78.5.0, of which one was in the javascript (js/src) code. Summary details are at mfsa2020-51.
To fix this, update to JS-78.5.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).
Several vulnerabilities were found in firefox before 78.5.0, of which two were rated as high by upstream. Details are at mfsa2020-51 and CVE-2020-26951 and CVE-2020-26968.
To fix this, update to firefox-78.5.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
A heap overflow vulnerability in Raptor can lead to an out-of-bounds write. Details are at oss-security and CVE-2017-18926.
To fix this, patch raptor-2.0.15 using raptor-2.0.15-security_fixes-1.patch and the instructions for Raptor (sysv) or Raptor (systemd).
Three vulnerabilities rated as High were found in PostgreSQL before 13.1. Details are at PostgreSQL and CVE-2020-25694, CVE-2020-25695, CVE-2020-25696.
To fix this, update to PostgreSQL-13.1 or later, using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).
The javascript vulnerability fixed in firefox-78.4.1 also applies to thunderbird. Details are at mfsa2020-49 and CVE-2020-26950.
To fix this, update to Thunderbird-78.4.2 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
The javascript vulnerability in JS-78.4.1 and firefox-78.4.1 also applies to seamonkey-2.53.4. In BLFS this was initially partly fixed by patching Seamonkey-2.53.4 using seamonkey-2.53.4-security_fixes-1.patch, but was later revised to use Seamonkey-2.53.5 when that became available. Seamonkey-2.53.5.1 then had further fixes for this.
To fix these, update to Seamonkey-2.53.5.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
An exploitable use-after-free was found in JS78 before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.
To fix this, update to JS-78.4.1 or later using the instructions for JS78 (sysv) or JS78 (systemd).
An exploitable use-after-free was found in firefox before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.
To fix this, update to firefox-78.4.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).
Four CVE vulnerabilities were identified in MariaDB before version 10.5.7, as well as a high security vulnerability only applicable to Windows. See Release Notes and CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789.
To fix this, update to at least mariadb-10.5.7 using the instructions for MariaDB (sysv) or MariaDB (systemd).
Three CVE vulnerabilities were identified in Samba before version 4.13.1, see Samba History and CVE-2020-14318, CVE-2020-14323, CVE-2020-14383.
To fix this, update to at least samba-4.13.1 using the instructions for Samba (sysv) or Samba (systemd).
There was a signed integer overflow in libass-0.14.0. See CVE-2020-26682.
To fix this, update to at least libass-0.15.0 using the instructions for Libass (sysv) or Libass (systemd).
Upstream made an emergency release of gstreamer-1.18.1 and its stack containing important security fixes. At the same time the gstreamer-1.16.3 stack was released with similar fixes. Limited details are available at the 1.18.1 Release Notes and 1.16.3 Release Notes.
On systems running Gstreamer 1.16 versions, such as BLFS-10.0, update to the gstreamer-1.16.3 packages (gstreamer, -libav, -plugins, -vaapi) using the instructions from the BLFS-10.0 book for Gstreamer 1.16 (sysv) and the rest of the stack, or Gstreamer 1.16 (systemd) and the rest of the stack.
On systems running Gstreamer 1.18 versions, update to the gstreamer-1.18.1 or later packages (gstreamer, -libav, -plugins, -vaapi) using the instructions for Gstreamer 1.18 (sysv) and the rest of the stack, or Gstreamer 1.18 (systemd) and the rest of the stack.
Three vulnerabilities rated as High were fixed in thunderbird-78.4.0. Details are at mfsa2020-47.
To fix this, update to Thunderbird-78.4.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
There was an emergency release fixing a vulnerability in embedded PNG bitmap handling (present since FreeType-2.6) which was being actively exploited. The original CVE was raised against Chrome OS and only rated as Medium. See CVE-2020-15999 and Sourceforge - Changes in 2.10.4.
To fix this, update to freetype-2.10.4 or later using the instructions for FreeType (sysv) or FreeType (systemd).
In LXML, a remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website. See CVE-2020-27783 and cybersecurity-help.cz.
This was thought to be fixed in LXML-4.6.1, but that fix was inadequate. To fix this, update to LXML-4.6.2 or later using the instructions for LXML (sysv) or LXML (systemd).
A flaw was found in the CCS handling, allowing a remote attacker to cause a denial of service for servers linked against NSS. See CVE-2020-25613.
To fix this, update to at least NSS-3.58 using the instructions for NSS (sysv) or NSS (systemd).
In Stunnel-5.57 the "redirect" option was fixed to properly handle "verifyChain = yes". See Stunnel NEWS.
To fix this, update to at least stunnel-5.57 using the instructions for Stunnel (sysv) or Stunnel (systemd).
Ruby before 2.7.2 had a vulnerability in its WEBrick HTTP server. CVE-2020-25613.
To fix this, update to at least Ruby-2.7.2 using the instructions for Ruby (sysv) or Ruby (systemd).
PHP before 7.4.11 had two CVE vulnerabilities, CVE-2020-1472 and CVE-2020-1472.
To fix this, update to at least PHP-7.4.11 using the instructions for PHP (sysv) or PHP (systemd).
Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs. See Release Notes.
To fix this, update to at least Glib-2.66.1 using the instructions for Glib (sysv) or Glib (systemd).
Three Security Advisories (wnpa-sec-2020-11,12,13) which could cause Wireshark to crash were fixed in Wireshark-3.2.7, detailed at Wireshark Security and CVE-2020-25862, CVE-2020-25863, CVE-2020-25866.
To fix these, update to wireshark-3.2.7 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).
Revised 2020-09-26
Five vulnerabilities with CVE numbers were fixed in thunderbird-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-44.
But users of that version of thunderbird reported numerous crashes. To fix the vulnerabilities and the crashes, update to thunderbird-78.3.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).
Security fixes from firefox-60.6 up to firefox ESR-78.1 were included in Seamonkey-2.53.4. Please see The Release Notes.
To fix these, update to Seamonkey-2.53.4 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).
Four vulnerabilities with CVE numbers were fixed in firefox-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-43.
To fix these, update to firefox-78.3.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).
A critical security vulnerability in Samba was discovered, dubbed "ZeroLogon". This vulnerability is classified as an authentication bypass and is rated 10.0 on the CVSSv3 scale. CVE-2020-1472 has been assigned.
To fix this, update to Samba-4.12.7 or later using the instructions for Samba (sysv) or Samba (systemd).
Multiple security vulnerabilities were discovered in Node.js, including two marked as High. These have been assigned CVE-2020-8201 and CVE-2020-8252.
To fix this, update to Node.js-12.18.4 or later using the instructions for Node.js (sysv) or Node.js (systemd).
Many security vulnerabilities were discovered in Qt5-5.15.0 and QtWebEngine. For an overview, including the approximately 50 security fixes from Chrome which had CVEs assigned at the time of the update, see BLFS ticket #14026.
To fix this, update to at least Qt-5.15.1 and QtWebEngine-5.15.1 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).
In Linux Kernels before 5.8.8 there is a potential privilege escalation. See oss-security.
To fix this, update to linux-5.8.9 or later using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself; the generated code should not be affected. See The Release Announcement.
To fix this, update to bison-3.7.2 or later using the instructions from the LFS book for Bison (sysv) or Bison (systemd).
An out-of-bounds memory write was discovered in Cryptsetup. Note that this only affects 32-bit builds of cryptsetup. CVE-2020-14382 has been assigned.
To fix this, update to at least cryptsetup-2.3.4 using the instructions for Cryptsetup (sysv) or Cryptsetup (systemd).
A critical security bug was discovered in GnuPG 2.2.21 as shipped in BLFS 10.0, and in 2.2.22. This vulnerability is triggered whenever a key with preference lists for the AEAD algorithms is loaded, and can be exploited. CVE-2020-25125 has been assigned.
To fix this, update to GnuPG-2.2.23 or later using the instructions for GnuPG (sysv) or GnuPG (systemd).
An integer overflow in brotli before version 1.0.9 can lead to a crash. This was assigned CVE-2020-8927.
To fix this, update to brotli-1.0.9 or later using the instructions for Brotli (sysv) or Brotli (systemd).
A variety of vulnerabilities were found in BIND. Most could cause a crash, but one allows privilege escalation by someone with authority to change a subset of the zone's content. These were assigned CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624. See also BIND 9 Security Vulnerability Matrix #114-8.
To fix this, update to BIND-9.6.16 or later using the instructions for BIND (sysv) or BIND (systemd).
The mount.cifs program was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. This was assigned CVE-2020-14342; more details are at samba-technical.
To fix this, update to cifs-utils-6.11 or later using the instructions for CIFS-utils (sysv) or CIFS-utils (systemd).
A null-pointer dereference causing a remotely triggered crash in the client application was found and assigned CVE-2020-24659; see also GNUTLS-SA-2020-09-04.
To fix this, update to at least GnuTLS-3.6.15 using the instructions for GnuTLS (sysv) or GnuTLS (systemd).
In Xorg-Server before version 1.20.9 several input validation failures in X server extensions were found. These can lead to local privilege escalation (to root) if the X server is running privileged. These have been assigned CVE-2020-14360, CVE-2020-14346, CVE-2020-14361 and CVE-2020-14362.
To fix this, update to at least Xorg-Server-1.20.9 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).
Effective 2020-09-03
In libX11 before version 1.6.12 an integer overflow and double-free were found, which could lead to privilege escalation. This has been assigned CVE-2020-14363.
To fix this, update to at least libX11-1.6.12 using the instructions for Xorg Libraries (sysv) or Xorg Libraries (systemd).