LFS Security Advisories for LFS 12.1.

LFS-12.1 was released on 2024-03-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.

The links at the end of each item point to fuller details which have links to the released books.

Expat

12.1 010 Expat (LFS) Date: 2024-03-20 Severity: Medium

In Expat-2.6.2, a security vulnerability was fixed that could allow for denial of service via an XML Entity Expansion attack when there is isolated use of external parsers (created using the XML_ExternalEntityParserCreate function). The issue has been classified as a "billion laughs" attack, also known as an XML bomb attack. Update to Expat-2.6.2. 12.1-010

Glibc

Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.

12.1 037 Glibc Date: 2024-05-02 Severity: High

In Glibc 2.39 and earlier, there is a vulnerability in an iconv module that may allow remote code execution via network services running on the system. An exploit via PHP-based web applications has been demonstrated. In addition, there are four vulnerabilities in the Name Service Cache Daemon (NSCD) of Glibc.

Please read the link to fix these vulnerabilities: 12.0-037

Linux Kernel

12.1 029 Linux Kernel (LFS) Date: 2024-04-17 Severity: Medium

In Linux-6.8.5, an insufficient mitigation against the hardware vulnerability known as Branch History Injection, or BHI (see 11.1-011 for details) on some Intel processors was fixed. Read 12.1-029 for how to fully mitigate BHI for affected Intel processors.

OpenSSL

12.1 068 OpenSSL (LFS) Date: 2023-07-10 Severity: Low

In OpenSSL-3.3.1, three security vulnerabilities were fixed that could allow for a denial of service (application crash, unbounded resource access, and excessive time spent in a function) to occur. Update to OpenSSL-3.3.1 (or 3.2.2, 3.1.6, or 3.0.14). 12.1-068

Python3

12.1 069 Python3 (LFS and BLFS) Date: 2024-07-10 Severity: Medium

In Python-3.12.4, a security vulnerability was fixed that could allow for incorrect information to be returned about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This occurred due to inaccurate information from the IANA Special-Purpose Address Registries. Update to Python-3.12.4. 12.1-069
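As an added example (not part of the LFS advisory page), a small Python checker that compares installed package versions against the fixed versions named in the advisories above; the package names, the "status" vocabulary and the sample inventory are constructed for illustration. Glibc is flagged for manual handling because the advisory names patches rather than a fixed release, and OpenSSL is compared per stable branch because each branch has its own fixed version.

```python
# Added example: audit installed versions against the LFS 12.1 advisories above.
# Not LFS project code; the table is transcribed from the advisory text.
import re

# Minimum fixed version per release branch, as stated in the advisories.
# A None key means the fix applies to any branch; OpenSSL has one per branch.
FIXED = {
    "expat":   {None: "2.6.2"},
    "linux":   {None: "6.8.5"},   # 12.1-029 also needs extra steps for full BHI mitigation
    "openssl": {"3.0": "3.0.14", "3.1": "3.1.6", "3.2": "3.2.2", "3.3": "3.3.1"},
    "python3": {None: "3.12.4"},
}
# The Glibc advisory gives patches rather than a fixed release, so a version
# comparison cannot decide it; it must be checked by hand against the advisory.
MANUAL = {"glibc"}


def parse_version(v: str) -> tuple:
    """'3.0.14' -> (3, 0, 14); non-numeric suffixes such as '-rc1' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def status(package: str, installed: str) -> str:
    """Return 'patched', 'vulnerable', 'manual', 'unknown-branch' or 'untracked'."""
    pkg = package.lower()
    if pkg in MANUAL:
        return "manual"
    if pkg not in FIXED:
        return "untracked"          # no advisory on this page for the package
    inst = parse_version(installed)
    branches = FIXED[pkg]
    if None in branches:
        fixed = branches[None]
    else:
        key = ".".join(str(n) for n in inst[:2])   # e.g. "3.0" for 3.0.13
        if key not in branches:
            return "unknown-branch"  # branch not covered by the advisory
        fixed = branches[key]
    return "patched" if inst >= parse_version(fixed) else "vulnerable"


def audit(inventory: dict) -> dict:
    """Map each installed package to its status; inventory is {name: version}."""
    return {name: status(name, ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real system.
    sample = {"expat": "2.6.1", "glibc": "2.39", "linux": "6.8.5",
              "openssl": "3.2.1", "python3": "3.12.4"}
    for name, result in audit(sample).items():
        print(f"{name:8} {sample[name]:8} {result}")
```

A "patched" result only reflects the version numbers on this page; for Linux and Glibc the linked advisories describe additional steps that a version check cannot verify.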