This is version SVN-20110904 of the Hardened Linux From Scratch book, dated September 4, 2011. If this book is more than six months old, a newer and better version is probably already available. To find out, please check one of the mirrors via http://www.linuxfromscratch.org/mirrors.html.
Below is a list of changes made since the previous release of the book.
Changelog Entries:
2011-09-04
[robert] - Bump to binutils-2.21.1a.
2011-08-21
[robert] - Be verbose (-v) with setcap.
[robert] - Stop using capabilities with Shadow and Util-linux-ng. They're vulnerable to race conditions.
2011-08-20
[robert] - Added a couple hardening tests to gcc chap6.
2011-08-19
[robert] - Symlink /dev/urandom to /dev/erandom if /dev/erandom does not already exist.
2011-08-18
[robert] - Added Frandom to kernel page.
[robert] - Use /dev/erandom with Perl and Glibc.
[robert] - Bump to attr-2.4.46 and acl-2.2.51.
2011-08-16
[robert] - Replaced lfs-bootscripts with hlfs-bootscripts. No actual changes yet.
[robert] - Added random boot script to hlfs-bootscripts, from BLFS.
[robert] - Added iptables to chapter 6.
2011-08-14
[robert] - Add PaX patches to Binutils and Glibc.
[robert] - Add strlcpy_strlcat patch to Glibc.
[robert] - Configure Glibc, in chapter 6, with --enable-bind-now --enable-stackguard-randomization.
[robert] - Mention that the Binutils test suite is known to fail due to PT PaX program headers.
[robert] - Added XZ utils, needed to unpack Strace.
[robert] - Added Strace to chapter 6, for debugging Linux Caps.
2011-08-13
[robert] - Use acl,user_xattr in /etc/fstab.
2011-08-11
[robert] - Use Linux Caps for mount and umount.
[robert] - Use Linux Caps for ping and ping6.
[robert] - Use Linux Caps for Shadow's utils.
[robert] - New Grsecurity patch and kernel.
2011-08-02
[robert] - Bump to binutils-2.21.1.
[robert] - Bump to latest grsecurity-stable.
2011-07-24
[robert] - Added Attr to chapter 6. Thanks entirely to BLFS for their Attr page.
[robert] - Added Acl to chapter 6, again thanks to BLFS.
[robert] - Added Libcap2 to chapter 6.
2011-06-20
[robert] - Install all of Gettext in chapter 5. This will be needed for packages like ATTR and ACL.
2011-06-19
[robert] - Up to bash 4.2.
[robert] - Up to ncurses 5.9, kernel 2.6.32.41, gcc-4.5.3 and gmp-5.0.2.
2011-02-23
[robert] - Up to kernel 2.6.32.29, and new grsecurity patch.
2011-02-23
[robert] - Fixed the Binutils test suite for i686, thanks to Mr. T on the mailing list.
[robert] - Upgrade to Perl-5.12.3.
[robert] - Modify Inetutils so suid programs are not group writable.
2011-02-04
[robert] - Added the Grsecurity patch.
[robert] - Build Vim with -D_FORTIFY_SOURCE=1 only on the file that needs it, not the entire package.
2011-02-03
[robert] - Use SHA512 with Shadow passwords. Install the Korean and Chinese man-pages, since man-db can now format them.
[robert] - Added GCC options to build Grub.
[robert] - Added some -no options when building the Binutils tests in chapter 6.
[robert] - Add a sed that modifies incorrect defines in glibc. Thanks to Bryan Kadzban for identifying the proper fix. Fixes #2820.
2011-01-28
[robert] - Upgrade to tar-1.25, and also install its HTML. This fixes several bugs with Tar.
[robert] - Up to perl-5.12.2.
[robert] - Up to m4-1.4.15. This fixes the issue with glibc, and a format string bug in M4.
[robert] - Up to glibc-2.12.2.
2011-01-27
[robert] - Up to linux-2.6.32.28.
[robert] - Up to gcc-4.5.2.
[robert] - Up to binutils-2.21.
2010-11-30
[robert] - Modified the chapter 6 Glibc page to build with hardened GCC options.
2010-11-27
[robert] - Added Glibc ld_audit and origin vulnerability fix patches to chapter 6.
2010-11-21
[robert] - Add the Tar overflow patch to chapter 5, or else Tar will fail to build with -D_FORTIFY_SOURCE=2.
2010-11-20
[robert] - Replace -fstack-protector with -fstack-protector-all when building Perl.
2010-11-20
[robert] - Build Patch with -no-fatal-warnings. The Patch developers rejected the old mkstemp patch, and it alters the behavior of Patch enough to break the test suite. The developers also consider their use of mktemp safe.
2010-11-20
[robert] - Bump to bash fixes 3 patch.
[robert] - Substitute LFS for HLFS in chapters 2 to 6.
2010-11-15
[robert] - Patch GCC for -D_FORTIFY_SOURCE=2, -fPIE -pie, and -fstack-protector-all. Upgraded to tcl8.5.9. tcl8.5.8 produces a buffer overflow (on i686) from tclsh8.5 strcpy() when built with -D_FORTIFY_SOURCE=2.
2010-11-14
[robert] - Downgrade to linux-2.6.32.25, to match the stable grsecurity patch version. Udev depends on 2.6.31, so this should be fine.
[robert] - Substitute lfs for hlfs in chapter 4. Add -fPIC by default to gcc-pass1. Added SSP, _FORTIFY_SOURCE, and -fPIE to Glibc in chapter 5. Added gcc_cv_libc_provides_ssp=yes to GCC pass1 make command, so GCC does not configure itself to use libssp.so.
2010-11-06
[robert] - Merged LFS-6.7 to trunk.