This is version SVN-20110904 of the Hardened Linux From Scratch book, dated September 4, 2011. If this book is more than six months old, a newer and better version is probably already available. To find out, please check one of the mirrors via http://www.linuxfromscratch.org/mirrors.html.
Below is a list of changes made since the previous release of the book.
[robert] - Bump to binutils-2.21.1a.
[robert] - Be verbose (-v) with setcap.
[robert] - Stop using capabilities with Shadow and Util-linux-ng. They're vulnerable to race conditions.
[robert] - Added a couple hardening tests to gcc chap6.
[robert] - Symlink /dev/urandom to /dev/erandom if /dev/erandom does not already exist.
[robert] - Added Frandom to kernel page.
[robert] - Use /dev/erandom with Perl and Glibc.
[robert] - Bump to attr-2.4.46 and acl-2.2.51.
[robert] - Replaced lfs-bootscripts with hlfs-bootscripts. No actual changes yet.
[robert] - Added random boot script to hlfs-bootscripts, from BLFS.
[robert] - Added iptables to chapter 6.
[robert] - Add PaX patches to Binutils and Glibc.
[robert] - Add strlcpy_strlcat patch to Glibc.
[robert] - Configure Glibc, in chapter 6, with --enable-bind-now --enable-stackguard-randomization.
[robert] - Mention that the Binutils test suite is known to fail due to PT PaX program headers.
[robert] - Added XZ utils, needed to unpack Strace.
[robert] - Added Strace to chapter 6, for debugging Linux Caps.
[robert] - Use acl,user_xattr in /etc/fstab.
[robert] - Use Linux Caps for mount and umount.
[robert] - Use Linux Caps for ping and ping6.
[robert] - Use Linux Caps for Shadow's utils.
[robert] - New Grsecurity patch and kernel.
[robert] - Bump to binutils-2.21.1.
[robert] - Bump to latest grsecurity-stable.
[robert] - Added Attr to chapter 6. Thanks entirely to BLFS for their Attr page.
[robert] - Added Acl to chapter 6, again thanks to BLFS.
[robert] - Added Libcap2 to chapter 6.
[robert] - Install all of Gettext in chapter 5. This will be needed for packages like ATTR and ACL.
[robert] - Up to bash 4.2.
[robert] - Up to ncurses 5.9, kernel 22.214.171.124, gcc-4.5.3 and gmp-5.0.2.
[robert] - Up to kernel 126.96.36.199, and new grsecurity patch.
[robert] - Fixed the Binutils test suite for i686, thanks to Mr. T on the mailing list.
[robert] - Upgrade to Perl-5.12.3.
[robert] - Modify Inetutils so suid programs are not group writable.
[robert] - Added the Grsecurity patch.
[robert] - Build Vim with -D_FORTIFY_SOURCE=1 only on the file that needs it, not the entire package.
[robert] - Use SHA512 with Shadow passwords. Install the Korean and Chinese man-pages, since man-db can now format them.
[robert] - Added GCC options to build Grub.
[robert] - Added some -no options when building the Binutils tests in chapter 6.
[robert] - Add a sed that modifies incorrect defines in glibc. Thanks to Bryan Kadzban for identifying the proper fix. Fixes #2820.
[robert] - Upgrade to tar-1.25, and also install its HTML. This fixes several bugs with Tar.
[robert] - Up to perl-5.12.2.
[robert] - Up to m4-1.4.15. This fixes the issue with glibc, and a format string bug in M4.
[robert] - Up to glibc-2.12.2.
[robert] - Up to linux-188.8.131.52.
[robert] - Up to gcc-4.5.2.
[robert] - Up to binutils-2.21.
[robert] - Modified the chapter 6 Glibc page to build with hardened GCC options.
[robert] - Added Glibc ld_audit and origin vulnerability fix patches to chapter 6.
[robert] - Add the Tar overflow patch to chapter 5, or else Tar will fail to build with -D_FORTIFY_SOURCE=2.
[robert] - Replace -fstack-protector with -fstack-protector-all when building Perl.
[robert] - Build Patch with -no-fatal-warnings. The Patch developers rejected the old mkstemp patch, and it alters the behavior of Patch enough to break the test suite. The developers also consider their use of mktemp safe.
[robert] - Bump to bash fixes 3 patch.
[robert] - Substitute LFS for HLFS in chapters 2 to 6.
[robert] - Patch GCC for -D_FORTIFY_SOURCE=2, -fPIE -pie, and -fstack-protector-all. Upgraded to tcl8.5.9. tcl8.5.8 produces a buffer overflow (on i686) from tclsh8.5 strcpy() when built with -D_FORTIFY_SOURCE=2.
[robert] - Downgrade to linux-184.108.40.206, to match the stable grsecurity patch version. Udev depends on 2.6.31, so this should be fine.
[robert] - Substitute lfs for hlfs in chapter 4. Add -fPIC by default to gcc-pass1. Added SSP, _FORTIFY_SOURCE, and -fPIE to Glibc in chapter 5. Added gcc_cv_libc_provides_ssp=yes to GCC pass1 make command, so GCC does not configure itself to use libssp.so.
[robert] - Merged LFS-6.7 to trunk.
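Several entries above add link-time and loader hardening to the toolchain (Glibc configured with --enable-bind-now, GCC patched to default to -fPIE -pie, the PaX program headers that make the Binutils test suite fail) and add "hardening tests" to the GCC page. The checker below is an added example, not code from the HLFS book or its bootscripts: it parses the ELF64 little-endian headers of a binary and reports whether it is ET_DYN (PIE), carries PT_GNU_STACK without PF_X (non-executable stack), has a PT_GNU_RELRO segment plus eager binding (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW, which together give full RELRO), and which PaX flags a PT_PAX_FLAGS header requests. The PT_PAX_FLAGS type value and flag bits are those used by the PaX patch set; the sample image fed to it is constructed in-process and is not a real binary. An i686 HLFS build produces ELF32 objects and would need the Elf32 struct layouts instead, and stack-protector or _FORTIFY_SOURCE use is not visible in the headers at all (look for __stack_chk_fail and the *_chk symbols in the dynamic symbol table for that).

```python
"""ELF64 (little-endian) hardening checker: PIE, NX stack, RELRO/BIND_NOW
and PT_PAX_FLAGS.  Added example, not part of the HLFS book."""
import struct
import sys

# Values from <elf.h>; PT_PAX_FLAGS and its bits come from the PaX patch.
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PT_PAX_FLAGS = 0x65041580
PF_X = 1
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

# Per-binary PaX request bits carried in p_flags of PT_PAX_FLAGS.
PAX_FLAG_BITS = {
    "PAGEEXEC": 1 << 4, "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6, "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8, "NOMPROTECT": 1 << 9,
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data):
    """Return a dict describing the hardening state of an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    # No PT_GNU_STACK at all means the kernel falls back to an executable
    # stack, so nx_stack starts out False until the header proves otherwise.
    result = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False,
              "bind_now": False, "pax_flags": []}
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_PAX_FLAGS:
            result["pax_flags"] = [n for n, b in PAX_FLAG_BITS.items() if p_flags & b]
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                result["bind_now"] = True
    # Full RELRO needs both the read-only-after-relocation segment and eager
    # binding; --enable-bind-now only supplies the second half.
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_sample_elf(pie=True, bind_now=True, relro=True, exec_stack=False, pax=0):
    """Constructed test input: a synthetic ELF64 image holding only the
    headers the checker inspects (not a loadable binary)."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0))]  # PF_R|PF_W(|PF_X)
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))
    if pax:
        phdrs.append((PT_PAX_FLAGS, pax))
    phdrs.append((PT_DYNAMIC, 6))
    phoff = EHDR.size
    dyn_off = phoff + PHDR.size * len(phdrs)
    body = b""
    for p_type, p_flags in phdrs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        body += PHDR.pack(p_type, p_flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LE, v1
    ehdr = EHDR.pack(ident, ET_DYN if pie else 2, 62, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + body + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python3 elfcheck.py /usr/bin/ping
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it over the binaries a chapter installs (ping, mount, the Shadow utilities) after the toolchain changes above to confirm they really came out as PIE with full RELRO and a non-executable stack; a binary that reports bind_now but not relro is linked against the hardened Glibc yet missing -z relro from the linker.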