LFS and BLFS Security Advisories from September 2020 onwards

LFS has not reported Security Vulnerabilities in the Errata, at least recently, but tickets for some new versions have had details.

BLFS used to keep details of Security Vulnerabilities in the Errata, mostly updating them to point to the latest version in the development book and updating the brief text if a subsequent vulnerability was reported.

This page is a consolidated list for both LFS and BLFS.

This list contains summary details and links to upstreams or CVEs where available. Please note that vulnerabilities in package versions older than those in our 10.0 releases are not noted, so if you are running a version of BLFS before 10.0 you should check the Errata for past releases as well as monitoring the items here.

This page is ordered like the Changelog of the books, with newest items first.

The severity ratings are best estimates unless either upstream or NVD has assigned a rating. If no other analysis is available, High will usually be assumed and similarly if a crash can be triggered LFS and BLFS will normally rate that as High. If in doubt, read the links.

Items between the releases of the 11.1 and 11.2 books

11.1 044 Thunderbird Date: 2022-05-22 Severity: Critical

In Thunderbird 91.9.1 two critical JavaScript vulnerabilities were fixed, documented in mfsa-2022-19. The CVEs are CVE-2022-1529 (Not yet public) and CVE-2022-1802 (Not yet public).

To fix these vulnerabilities, update to Thunderbird-91.9.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 043 Firefox Date: 2022-05-22 Severity: Critical

In Firefox 91.9.1 two critical JavaScript vulnerabilities were fixed, documented in mfsa-2022-19. The CVEs are CVE-2022-1529 (Not yet public) and CVE-2022-1802 (Not yet public).

To fix these, update to firefox-91.9.1esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 042 BIND9 Date: 2022-05-19 Severity: Medium

BIND-9.18.3 fixes an issue where, on vulnerable configurations, the named daemon may in some circumstances terminate with an assertion failure. Vulnerable configurations are those whose listen-on statements in named.conf include a reference to http. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. This vulnerability has been assigned CVE-2022-1183.

To fix this vulnerability, update to BIND-9.18.3 or later using the instructions for BIND (sysv) or BIND (systemd).
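The configuration check a practitioner would want for the advisory above, as an added example in POSIX shell (not ISC's or the BLFS book's code): it reports the listen-on and listen-on-v6 statements in a named.conf that enable DNS over HTTPS, and stays silent for DoT-only listeners. The function name and the configuration fragment are this example's own; the comment stripping and one-line joining are a deliberately simple approximation of named.conf syntax, not a full parser.

```sh
# Added example, not ISC's or the BLFS book's code: find listen-on /
# listen-on-v6 statements in a named.conf that enable DNS over HTTPS,
# which is the precondition for CVE-2022-1183.  A listener using tls
# without http (DoT only) is not reported.
#
# Pipeline stages:
#   1. drop // and # line comments
#   2. join the whole file onto one line, so statements that are split
#      over several lines are still seen as one statement
#   3. drop /* ... */ block comments
#   4. cut out each "listen-on ... {" head, one per output line
#   5. keep only heads that contain the http keyword
# Reads the file named in $1, or standard input when no argument is given.
# Exit status 0 when at least one DoH listener was found, 1 otherwise.
doh_listeners() {
    sed -e 's://.*$::' -e 's:#.*$::' "$@" |
    tr '\n' ' ' |
    sed -E 's:/\*([^*]|\*+[^*/])*\*+/::g' |
    grep -oE 'listen-on(-v6)?[^{]*[{]' |
    grep -E '(^|[[:space:]])http([[:space:]]|$)'
}

# Constructed configuration fragment for the demonstration: the plain
# and DoT listeners are ignored, the DoH listener on 443 is printed.
doh_listeners <<'EOF'
options {
    listen-on port 53 { any; };
    /* encrypted listeners */
    listen-on port 853 tls local-tls { any; };
    listen-on port 443 tls local-tls
        http default { any; };   // DoH
};
EOF
```

Run it as doh_listeners /etc/named.conf; a non-empty result means the http listener should be removed or the server updated to 9.18.3 or later. Note that a tls object named "http" would be a false positive, and that named-checkconf -p can be used first to normalise an unusual layout.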

11.1 041 Thunderbird Date: 2022-05-13 Severity: High

In Thunderbird-91.9.0, several security vulnerabilities were fixed. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. It is recommended that you update as soon as possible. These vulnerabilities have been assigned mfsa-2022-18. The CVEs are CVE-2022-1520, CVE-2022-29914, CVE-2022-29909, CVE-2022-29916, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913, and CVE-2022-29917.

To fix these vulnerabilities, update to Thunderbird-91.9.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 040 Seamonkey Date: 2022-05-13 Severity: High

In Seamonkey-2.53.12, the same security vulnerabilities that were fixed in Firefox (and Thunderbird) 91.9.0 have had their fixes ported over. These vulnerabilities have been assigned mfsa-2022-17. The CVEs are CVE-2022-29909 (Not yet public), CVE-2022-29911 (Not yet public), CVE-2022-29912 (Not yet public), CVE-2022-29914 (Not yet public), CVE-2022-29916 (Not yet public), and CVE-2022-29917 (Not yet public).

To fix these vulnerabilities, update to Seamonkey-2.53.12 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 039 cURL Date: 2022-05-13 Severity: Medium

In cURL-7.83.1, six vulnerabilities have been fixed. These vulnerabilities may cause cURL to wrongly remove files, mishandle HTTP cookie domains or percent-encoded elements in URLs, ignore security-related option changes when reusing connections, or bypass HSTS rules. And, if cURL is built with NSS (BLFS has not mentioned such a configuration), one of the vulnerabilities can cause it to get stuck in an infinite loop.

These vulnerabilities have been assigned CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-27782, and CVE-2022-30115 (not disclosed yet). For details refer to the cURL vulnerability list.

To fix them, update to at least cURL-7.83.1 for cURL (sysv) or cURL (systemd).

11.1 038 Intel Microcode Date: 2022-05-10 Severity: Medium

Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability, Intel-SA-00617, CVE-2022-21151 (not yet public).

To fix this, update to at least microcode-20220510 using the instructions for About Firmware (sysv) or About Firmware (systemd).

11.1 037 VIM (LFS and BLFS) Date: 2022-05-06 Severity: High

In vim-8.2.4814, three vulnerabilities causing vim to crash because of heap buffer overflows or use-after-free have been found and fixed. These vulnerabilities have been assigned CVE-2022-1154, CVE-2022-1160, and CVE-2022-1381.

To fix these vulnerabilities, update to vim-8.2.4814 or later using the instructions for vim (sysv) or vim (systemd).

11.1 036 Firefox Date: 2022-05-03 Severity: High

In Firefox 91.9.0 six CVE issues, five rated High, were fixed. These are listed in mfsa-2022-17. The CVEs are CVE-2022-29909 (Not yet public), CVE-2022-29911 (Not yet public), CVE-2022-29912 (Not yet public), CVE-2022-29914 (Not yet public), CVE-2022-29916 (Not yet public), and CVE-2022-29917 (Not yet public).

To fix these, update to firefox-91.9.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 035 Pidgin Date: 2022-04-30 Severity: Low

The XMPP protocol is a set of open technologies for instant messaging. It relies heavily on DNS for both servers and clients. One part of the protocol defines the "_xmppconnect" TXT record, which is now known to be vulnerable to man-in-the-middle attacks if DNSSEC is not in use, so the Pidgin developers have decided to remove the associated code in version 2.14.9. This vulnerability has been assigned CVE-2022-26491 (not public yet). More details may be found at the Pidgin site.

To fix this, update to pidgin-2.14.9 or later using the instructions from the development book for Pidgin (sysv) or Pidgin (systemd).

11.1 034 Java binaries/OpenJDK Date: 2022-04-26 Severity: High

In openjdk-18.0.1, openjdk-17.0.3 (LTS), and openjdk-11.0.15 (LTS), several security vulnerabilities were fixed that could allow remote unauthenticated creation, deletion, modification of, or access to files/data, or various denials of service. These vulnerabilities have been assigned CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21449, CVE-2022-21476, and CVE-2022-21496.

To fix these vulnerabilities, update to java binaries/openjdk-18.0.1 or 17.0.3(LTS) or 11.0.15(LTS) or later using the instructions for Java binaries (sysv) or OpenJDK (sysv) or Java binaries (systemd) or OpenJDK (systemd).

11.1 033 libinput Date: 2022-04-21 Severity: High

In libinput-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution due to a bug in the log handlers. When a device is detected by libinput and initialized, libinput logs several messages through log handlers set up by the calling application. These log handlers eventually result in a printf() call. Logging happens with the privileges of the caller: in some cases that may be root, in others it is whatever the privileges of the current user are. The device name ends up being part of the format string, so a device whose name contains printf-style format placeholders can enable an attacker to run malicious code. An exploit is therefore possible through any device where the attacker can control the device name; two examples are /dev/uinput and Bluetooth devices. Upstream has noted that all versions of libinput since 1.10 (released in February 2018) are affected, and that this affects any system that uses either X.org or Wayland, as well as the xf86-input-libinput X.org input driver. This vulnerability has been assigned CVE-2022-1215 (not public yet); more details can be found in the libinput security advisory.

To fix this vulnerability, update to libinput-1.20.1 or later using the instructions for libinput (sysv) or libinput (systemd).
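The defect described above is a C format-string bug, and the shell's printf has exactly the same trap. The following is an added illustration in shell (not libinput's code, and not how libinput itself logs) with a constructed device name: a logging helper that uses untrusted text as the printf format, beside one that passes a constant format and the text as an argument, which is the conventional fix for this defect class.

```sh
# Added example, not libinput code: the format-string defect class shown
# with the shell's own printf.  The device name is a constructed value.

# UNSAFE: the caller's text is the format string, so any % directive in
# it is interpreted (and in C would read or write the stack).
log_unsafe() {
    printf "$1\n"
}

# SAFE: the format is a constant and the untrusted text is only ever an
# argument, so it is printed verbatim.
log_safe() {
    printf '%s\n' "$1"
}

# A device name that happens to carry printf directives.
devname='Vendor %s Mouse %d'

log_unsafe "$devname"   # the directives are consumed: "Vendor  Mouse 0"
log_safe "$devname"     # printed as given:           "Vendor %s Mouse %d"
```

The same rule applies when wrapping printf-style APIs in C: a wrapper that forwards a caller-supplied string as the format argument has the bug no matter how the string was obtained, which is why compilers offer -Wformat-security to flag such calls.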

11.1 032 Mutt Updated: 2022-04-15 Severity: Medium

In mutt before mutt-2.2.3, a buffer overflow in the uudecoder allows reading past the end of the input line. This has been assigned CVE-2022-1328 (awaiting analysis).

To fix this update to mutt-2.2.3 or later using the instructions for Mutt (sysv) or Mutt (systemd).

11.1 031 xz (LFS) Date: 2022-04-15 Severity: Critical

The same vulnerability in zgrep which was fixed in gzip-1.12 also applies to using xzgrep from xz. Upstream has provided a patch. This vulnerability has been assigned CVE-2022-1271, see tukaani.org/xz.

To fix this, rebuild xz with the xz-5.2.5-upstream_fix-1.patch using the instructions at xz (sysv) or xz (systemd).

11.1 030 Ruby Date: 2022-04-15 Severity: Moderate

In ruby-3.1.2, two security vulnerabilities were fixed that could allow for application crashes and invalid memory reads. These vulnerabilities can be triggered when using regular expressions (regex), and when converting a string to a float object. In the case of the regex vulnerability, a crafted source string causes memory to be freed twice (a double free). In the case of the string-to-float conversion vulnerability, some conversion methods such as Kernel#Float and String#to_f cause a buffer over-read in some circumstances, leading to process termination and potentially invalid memory reads. These vulnerabilities have been assigned CVE-2022-28738 and CVE-2022-28739 (not yet public).

To fix these vulnerabilities, update to ruby-3.1.2 or later using the instructions from Ruby (sysv) or Ruby (systemd).

11.1 029 Git Date: 2022-04-15 Severity: Moderate

In git-2.35.3, a security vulnerability was fixed that can allow local users to run commands from other repositories on the same system. The Git developers note that all supported platforms with multiple users are affected in one way or another, and have released versions of Git for all maintenance branches to fix this vulnerability. On multi-user systems, Git users might find themselves unexpectedly in a Git worktree: because of insufficient validation when Git searches parent directories for a repository, this can allow users to run commands defined by another user in another repository. A temporary workaround is to create a '.git' directory at the top of every volume or directory tree where Git commands will be run, and then remove read, write and execute rights for all users other than root. Update to git-2.35.3 or later if you operate a system where multiple users may use Git. This vulnerability has been assigned CVE-2022-24765.

To fix this vulnerability, update to git-2.35.3 or later using the instructions from Git (sysv) or Git (systemd).
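To make the mechanism concrete, here is an added example in POSIX shell (an independent re-implementation for illustration, not git's own code) of the upward directory search git performs, followed by the ownership rule that git 2.35.3 introduced: a repository found that way is only trusted if its top-level directory is owned by the calling user. The function names, the optional ceiling argument (modelled on git's GIT_CEILING_DIRECTORIES) and the output format are this example's own.

```sh
# Added example, not git's code: walk upwards looking for a repository the
# way git does, then refuse one owned by somebody else.

# find_git_dir START [CEILING]: print the first directory at or above
# START that contains a .git directory or .git file.  The search stops
# after examining CEILING (default: the filesystem root).  Returns 1
# when nothing is found.
find_git_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    stop=$(cd "${2:-/}" 2>/dev/null && pwd -P) || return 1
    while :; do
        if [ -d "$dir/.git" ] || [ -f "$dir/.git" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            return 1
        fi
        dir=$(dirname "$dir")
    done
}

# check_repo_owner START [CEILING]: like the check added in git 2.35.3,
# accept a repository only if its top-level directory is owned by us.
# Prints "ok DIR", "foreign DIR owner=UID" or "none"; non-zero status
# for the last two, which is what a wrapper script should act on.
check_repo_owner() {
    top=$(find_git_dir "$1" "$2") || { echo none; return 1; }
    # GNU/busybox stat first, BSD stat as fallback.
    owner=$(stat -c %u "$top" 2>/dev/null || stat -f %u "$top") || return 1
    if [ "$owner" = "$(id -u)" ]; then
        echo "ok $top"
    else
        echo "foreign $top owner=$owner"
        return 1
    fi
}

check_repo_owner . || :
```

On a shared host, running check_repo_owner from a user's working directory before a scripted git invocation shows whether the repository that git would pick up is the one the user expects; a "foreign" result at a volume root is exactly the situation the advisory's '.git' workaround is meant to block.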

11.1 028 gzip (LFS) Date: 2022-04-15 Severity: Critical

In gzip-1.12, a security vulnerability was fixed that can allow for arbitrary file overwrite and command execution when using 'zgrep' on a crafted archive. Upstream says that it is relatively hard to exploit, but the BLFS team has independently confirmed that exploiting this vulnerability is trivial. This vulnerability is only exploitable when GNU sed is in use, and it occurs due to insufficient validation when processing file names with two or more newlines, where the selected content and the target file names are embedded in crafted multi-line file names. This would allow a remote attacker to execute commands on a system, or overwrite files, when a user runs 'zgrep' on the file. Please update your gzip package as soon as possible. This vulnerability has been assigned CVE-2022-1271.

To fix this vulnerability, update to gzip-1.12 or later using the instructions from gzip (sysv) or gzip (systemd).

11.1 027 Linux Kernel (LFS) Date: 2022-04-15 Severity: Moderate

In Linux-5.17.3 (and 5.16.20, 5.15.34 and other stable releases on 2022-04-13), fixes were made for vulnerabilities in the Linux kernel's ax25 networking subsystem. These vulnerabilities can cause remotely exploitable kernel panics and are all rated as Moderate by upstream. They have been assigned CVE-2022-1199 (not yet public), CVE-2022-1204 (not yet public), and CVE-2022-1205 (not yet public), with preliminary details at RedHat CVE-2022-1199, RedHat CVE-2022-1204, and RedHat CVE-2022-1205.

To fix these, update to at least linux-5.17.3 (or linux-5.15.34 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

11.1 026 libarchive Date: 2022-04-12 Severity: High

In libarchive-3.6.1, several security vulnerabilities were fixed that could allow for application crashes and arbitrary code execution. These occur in the 7zip reader, the ZIP reader, the ISO reader, and the RARv4 reader, as well as in the libarchive API. Note that these vulnerabilities have not been assigned CVEs, but are listed as security fixes by upstream. The primary attack vector for these vulnerabilities is API misuse in another application, with a malformed archive file also being a possibility. For more information, please see Release Libarchive 3.6.1.

To fix these vulnerabilities, update to libarchive-3.6.1 or later using the instructions for libarchive (sysv) or libarchive (systemd).

11.1 025 Subversion Date: 2022-04-12 Severity: High

In Subversion-1.14.2, two security vulnerabilities were fixed that could allow for trivial denial of service and for arbitrary file paths to be read. In the case of the denial-of-service vulnerability, only servers that use mod_dav_svn in httpd are impacted: mod_dav_svn attempts to use memory which has already been freed, and subsequent attempts to access the same resource immediately crash httpd. In the case of the arbitrary file path read vulnerability, both standard svnserve servers and those which use the mod_dav_svn module in httpd are affected. This vulnerability occurs due to an improper logging implementation, causing sensitive information to be reported even when it is supposed to be omitted. These vulnerabilities have been assigned CVE-2021-28544 and CVE-2022-24070.

To fix these vulnerabilities, update to Subversion-1.14.2 or later using the instructions for Subversion (sysv) or Subversion (systemd).

11.1 024 WebKitGTK+ Date: 2022-04-12 Severity: High

In WebKitGTK+-2.36.0, three security vulnerabilities were fixed that could allow for remote code execution. In all three vulnerabilities, the primary attack vector is maliciously crafted web content, as well as local content such as maliciously crafted JPEG or PNG images. Due to the lack of details, updating to WebKitGTK+-2.36.0 is highly recommended. These vulnerabilities have been assigned CVE-2022-22624, CVE-2022-22628, and CVE-2022-22629.

To fix these vulnerabilities, update to WebKitGTK+-2.36.0 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.1 023 Seamonkey Date: 2022-04-12 Severity: High

In Seamonkey-2.53.11.1, the same security vulnerabilities that were fixed in Firefox (and Thunderbird) 91.7.0 have had their fixes ported over. This includes fixes for a browser spoofing vulnerability, a sandbox bypass, an unauthorized add-on modification vulnerability, a remotely exploitable crash, and a bug that allows temporary files downloaded to /tmp to be accessible by other users. These vulnerabilities have been assigned CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, and CVE-2022-26386.

To fix these vulnerabilities, update to Seamonkey-2.53.11.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 022 libsndfile Date: 2022-04-12 Severity: High

In libsndfile-1.1.0, several security vulnerabilities were fixed that could allow for heap buffer overflows (causing arbitrary code execution) and denial of service (index out of bounds and uninitialized variables). Since these vulnerabilities were found by oss-fuzz, no CVEs were assigned. However, upstream does list these as security fixes. For more details, please visit Release 1.1.0. If CVEs are assigned for these vulnerabilities in the future, this advisory will be updated.

To fix these vulnerabilities, update to libsndfile-1.1.0 or later using the instructions for libsndfile (sysv) or libsndfile (systemd).

11.1 021 Thunderbird Date: 2022-04-12 Severity: High

In Thunderbird-91.8.0, several security vulnerabilities were fixed that could allow for remote code execution, memory corruption, remotely exploitable crashes, revoked OpenPGP keys staying active, and browser spoofing attacks. As with previous Thunderbird vulnerabilities, emails that contain HTML can be used as an attack vector. As a result, it is recommended that you update as soon as possible. These vulnerabilities have been assigned CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, and CVE-2022-28289.

To fix these vulnerabilities, update to Thunderbird-91.8.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 020 QtWebEngine Date: 2022-04-11 Severity: High

Another batch of CVEs from Chromium have been fixed in QtWebEngine-5.15.9, and some of these have been actively exploited. As well as those listed below, the Critical vulnerability in the shipped expat-2.4.3 has been fixed. But modern LFS provides a system version of expat which is used instead, and that was updated before our 11.1 release. If you are on an older LFS system and have not yet updated expat, see the 11.0-068 and 11.1-086 advisories below. The new vulnerabilities are: CVE-2022-1096 (not yet public), CVE-2022-0971 (not yet public), CVE-2022-0610, CVE-2022-0609, CVE-2022-0608, CVE-2022-0607, CVE-2022-0606, CVE-2022-0461, CVE-2022-0460, CVE-2022-0459, CVE-2022-0456, CVE-2022-0311, CVE-2022-0310, CVE-2022-0306, CVE-2022-0305, CVE-2022-0298, CVE-2022-0293, CVE-2022-0291, CVE-2022-0289, CVE-2022-0117, CVE-2022-0116, CVE-2022-0113, CVE-2022-0111, CVE-2022-0109, CVE-2022-0108, CVE-2022-0104, CVE-2022-0103, CVE-2022-0102, CVE-2022-0100.

To fix these, update to 5.15.9 or a later version using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

11.1 019 Firefox Date: 2022-04-05 Severity: High

In Firefox 91.8.0 eight CVE issues, three rated High, were fixed. These are listed in mfsa-2022-14. The CVEs are CVE-2022-1097 (Not yet public), CVE-2022-1196 (Not yet public), CVE-2022-24713, CVE-2022-28281 (Not yet public), CVE-2022-28282 (Not yet public), CVE-2022-28285 (Not yet public), CVE-2022-28286 (Not yet public), and CVE-2022-28289 (Not yet public).

To fix these, update to firefox-91.8.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 018 Zlib Date: 2022-04-04 Severity: High

Zlib-1.2.12 fixes a vulnerability which allows memory corruption when deflating (i.e. compressing) if the input has many distant matches, see CVE-2018-25032.

To fix this update to zlib-1.2.12 or later using the instructions for Zlib (sysv) or Zlib (systemd).

Note that the update will cause 9 test failures in the Perl test suite; these failures should be ignored. And, if you are going to strip the debug symbols on your LFS system, you need to adjust the filename of the zlib library in the stripping instructions.

11.1 017 Linux Kernel (LFS) Date: 2022-04-04 Severity: High

In Linux-5.17.1 (and 5.16.18, 5.15.32 and other stable releases on 2022-03-28), fixes were made for two vulnerabilities in the kernel's nf_tables code, one rated as High. The vulnerabilities have been assigned CVE-2022-1015 (not yet public) and CVE-2022-1016 (not yet public), with preliminary details at RedHat CVE-2022-1015 and RedHat CVE-2022-1016.

To fix these, update to at least linux-5.17.1 (or linux-5.15.32 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

11.1 016 Thunderbird Date: 2022-03-22 Severity: High

In Thunderbird-91.7.0, several security vulnerabilities were fixed that could allow for browser window spoofing, sandbox escapes (and thus remote code execution), unauthorized add-on modification, exploitable crashes, and for temporary files to be downloaded to /tmp instead of the user's home directory. Note that the unauthorized add-on modification vulnerability occurs due to a race condition, while the sandbox bypass vulnerability occurs when processing iframes in HTML mail, and that the remotely exploitable crashes occur when a crafted SVG file is loaded as an attachment or when it is embedded in an HTML mail. These vulnerabilities have been assigned CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, and CVE-2022-26386.

To fix these vulnerabilities, update to Thunderbird-91.7.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 015 BIND9 Date: 2022-03-21 Severity: High

In BIND-9.18.1, four security vulnerabilities were fixed that could allow for denial-of-service conditions (resource exhaustion due to infinite loops, and unexpected crashes) and for DNS cache poisoning. In the case of cache poisoning, bogus NS records can be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on incorrect records. The resolver's cache is then poisoned with incorrect records, leading to queries being sent to the wrong servers and false information being returned to clients, who could be redirected to malicious sites instead of the website they were attempting to access. Note that all four of these vulnerabilities are exploitable remotely, and one of them is only applicable to 32-bit systems. These vulnerabilities have been assigned CVE-2022-0667, CVE-2022-0635, CVE-2022-0396, and CVE-2021-25220.

To fix these vulnerabilities, update to BIND-9.18.1 or later using the instructions for BIND (sysv) or BIND (systemd).

11.1 014 Node.js Date: 2022-03-18 Severity: High

In node.js-16.14.2 the same vulnerability that was fixed in 11.1-012 is reported to have been fixed. Although BLFS links to the shared OpenSSL library, Node builds using its own copy of the OpenSSL headers (1.1.1n in this version) with some changes and additions (in particular, 'quic' protocol support). It is uncertain whether updating the shared system OpenSSL library without updating Node.js would be an adequate remedy.

The vulnerability is CVE-2022-0778. To fix this vulnerability, update to Node.js-16.14.2 or later using the instructions for node.js (sysv) or node.js (systemd).

11.1 013 Apache HTTPD Date: 2022-03-18 Severity: Critical

In httpd-2.4.53, four security vulnerabilities were fixed. One of them can cause a crash; the others can allow HTTP request smuggling, an integer overflow leading to an out-of-bounds write on 32-bit systems, and overwriting heap memory with attacker-provided data. These have been assigned CVE-2022-22719, CVE-2022-22720, CVE-2022-22721 and CVE-2022-23943.

To fix these vulnerabilities, update to httpd-2.4.53 or later using the instructions for Apache (sysv) or Apache (systemd).

11.1 012 (LFS) OpenSSL Date: 2022-03-18 Severity: High

A bug which can cause OpenSSL to loop forever when parsing a crafted certificate was fixed in versions 3.0.2 and 1.1.1n. This has been assigned CVE-2022-0778; details at CVE-2022-0778 and openssl 20220315.

To fix this, if using OpenSSL-3 update to OpenSSL-3.0.2 or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd) or if using OpenSSL-1.1.1 update to OpenSSL-1.1.1n or later following the instructions from the LFS-11.0 book but using version 1.1.1n for OpenSSL (sysv) or OpenSSL (systemd).

11.1 011 Linux Kernel (LFS) Date: 2022-03-15 Severity: Medium

In Linux-5.16.14, workarounds for the hardware vulnerabilities named Branch History Injection have been added. These vulnerabilities may be exploited to leak sensitive information. Read the paper for the details. The vulnerabilities have been assigned CVE-2022-0001 and CVE-2022-0002 (for x86), and CVE-2022-23960 (for ARM, not disclosed yet).

To work around them, update to at least linux-5.16.14 (or 5.15.28, 5.10.105, 5.4.184, 4.19.234, 4.14.271, 4.9.306 for older systems using LTS stable kernels) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd), and disable unprivileged BPF syscall via the kernel configuration option BPF_UNPRIV_DEFAULT_OFF=y or the sysctl kernel.unprivileged_bpf_disabled=2.

This security update may have a performance impact especially on AMD CPUs, but the benchmark from LFS editors shows the impact is marginal.

11.1 010 VIM (LFS and BLFS) Date: 2022-03-15 Severity: High

In vim-8.2.4567, a vulnerability causing vim to overflow a heap buffer and crash when handling "z=" in visual mode has been found and fixed. This vulnerability has been assigned CVE-2022-0943.

To fix this vulnerability, update to vim-8.2.4567 or later using the instructions for vim (sysv) or vim (systemd).

11.1 009 Linux Kernel (LFS) Date: 2022-03-09 Severity: High

In Linux since 5.8, a local privilege escalation vulnerability known as 'Dirty Pipe' has been discovered, see dirtypipe. This has been assigned CVE-2022-0847 (Not yet public).

To fix this, update to at least linux-5.16.11 (or 5.15.25, 5.10.102 for older systems using LTS stable kernels) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).
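The kernel advisories on this page (Dirty Pipe here, the nf_tables and ax25 entries, and the Branch History Injection workaround) each give a different first-fixed release per stable branch, so "is my kernel new enough" is a per-branch question. The following is an added helper in POSIX shell (not from the LFS book) that answers it from such a list. The list format ("major.minor:first-fixed-release", space separated), the function names and the three-way result are this example's own; the thresholds in the demonstration are the ones quoted in the Dirty Pipe entry above.

```sh
# Added example, not from the LFS book: check a running kernel against the
# per-branch minimum versions given in a kernel advisory.

# version_ge A B: succeed when dotted version A is >= B.  Components are
# compared numerically; a missing component counts as 0.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# kernel_fix_status RUNNING "BRANCH:MIN ...": prints fixed, vulnerable or
# unknown and returns 0, 1 or 2.  A local suffix such as "-lfs-11.1" is
# ignored.  A branch newer than every listed one is treated as fixed
# (the fix was in mainline before that branch was cut); an older branch
# that is not listed is reported as unknown rather than guessed, since
# it may be end-of-life or may predate the bug entirely.
kernel_fix_status() {
    running=${1%%-*}
    case $running in *.*.*) branch=${running%.*} ;; *) branch=$running ;; esac
    [ -n "$2" ] || { echo unknown; return 2; }
    for entry in $2; do
        if [ "${entry%%:*}" = "$branch" ]; then
            if version_ge "$running" "${entry#*:}"; then
                echo fixed; return 0
            else
                echo vulnerable; return 1
            fi
        fi
    done
    newest=$(printf '%s\n' $2 | sed 's/:.*//' | sort -t. -k1,1n -k2,2n | tail -n 1)
    if version_ge "$branch" "$newest"; then
        echo fixed; return 0
    fi
    echo unknown; return 2
}

# Thresholds quoted in the Dirty Pipe advisory above (CVE-2022-0847).
dirty_pipe='5.16:5.16.11 5.15:5.15.25 5.10:5.10.102'
kernel_fix_status "$(uname -r)" "$dirty_pipe" || :
```

For the Branch History Injection entry the kernel version is only half the story: also confirm that unprivileged BPF is off, for example with sysctl kernel.unprivileged_bpf_disabled, which should print 1 or 2 as that advisory recommends.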

11.1 008 Seamonkey Date: 2022-03-08 Severity: Critical

Similar to Thunderbird and Firefox, Seamonkey is vulnerable to CVE-2022-26485 (the XSLT processing vulnerability). This vulnerability exists when an XSLT parameter is removed during processing, and results in an exploitable use-after-free and subsequent remote code execution with a sandbox escape. It is being actively exploited in the wild. Since no new version of Seamonkey is available to fix this vulnerability, the BLFS Editors have crafted a patch which backports the fix from Firefox. Note that Seamonkey is not vulnerable to the WebGPU processing vulnerability. Rebuild Seamonkey with the patch as soon as possible.

To fix this vulnerability, rebuild Seamonkey with the patch (or update to a later version) using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 007 Thunderbird Date: 2022-03-08 Severity: Critical

In Thunderbird-91.6.2, two security issues rated as Critical were resolved. One of these vulnerabilities is in XSLT processing, the other in the WebGPU IPC framework. The XSLT processing issue occurs when a parameter is removed during processing, which results in an exploitable use-after-free and subsequent remote code execution with a sandbox escape. The WebGPU vulnerability is similar: an unexpected message can lead to a use-after-free, again resulting in remote code execution and a sandbox escape. There are multiple active attacks in the wild abusing these flaws, and it is thus recommended that you update to Thunderbird-91.6.2 immediately. These vulnerabilities have been assigned CVE-2022-26485 and CVE-2022-26486.

To fix these vulnerabilities, update to Thunderbird-91.6.2 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 006 Firefox Date: 2022-03-08 Severity: Critical

In Firefox 91.6.1 two CVE issues rated Critical were fixed (attacks in the wild). These are listed in mfsa-2022-09. Shortly afterwards, firefox-91.7.0 was released with five more CVE issues fixed, listed in mfsa-2022-11. The CVEs are CVE-2022-26485 (Not yet public), CVE-2022-26486 (Not yet public), CVE-2022-26381 (Not yet public), CVE-2022-26383 (Not yet public), CVE-2022-26384 (Not yet public), CVE-2022-26386 (Not yet public), and CVE-2022-26387 (Not yet public).

To fix these, update to firefox-91.7.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 005 Seamonkey Date: 2022-03-03 Severity: Critical

In seamonkey-2.53.11, all security vulnerabilities from Firefox/Thunderbird 91.5.0-91.6.1 have been fixed. These security vulnerabilities include fullscreen window spoofing, out-of-bounds memory access, denial of service, heap buffer overflows leading to arbitrary and remote code execution, sandbox escapes, information disclosure, stealth extension updates, unexpected image processing/execution, and security policy bypasses. Most notably, this update prevents attacks where an attacker could take over a system via sending a maliciously crafted email by importing the security fix from Thunderbird-91.6.1. Note that almost all of these vulnerabilities are exploitable remotely and without user interaction. These security vulnerabilities have been assigned CVE-2022-22746, CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22744, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751, CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, CVE-2022-22764, and CVE-2022-0566.

To fix these vulnerabilities, update to seamonkey-2.53.11 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 004 Polkit Date: 2022-03-03 Severity: Low

A security vulnerability was discovered in polkit-0.120 that can lead to a local denial of service. This occurs due to file descriptor exhaustion, and can be exploited by an unprivileged user. However, this is marked as Low because no severity is available from Red Hat at this time, and just results in polkitd crashing. Polkitd will then get restarted via dbus the next time that it is required, so user impact is minimal. This vulnerability has been assigned CVE-2021-4115.

To fix this vulnerability, rebuild polkit-0.120 with the new patch using the instructions for Polkit (sysv) or Polkit (systemd), or update to polkit-0.121 (or a later version) when it becomes available.

11.1 003 FLAC Date: 2022-03-03 Severity: Medium

In FLAC-1.3.4, two security vulnerabilities were fixed that could allow for remote information disclosure with no privileges required. One of these vulnerabilities requires user interaction to exploit, while the other does not. Both of these security vulnerabilities are due to memory safety issues in the encoder, being out-of-bounds read/write vulnerabilities leading to heap buffer overflows. These vulnerabilities can only be exploited by playing a malicious file, so applications such as tracker-miners (which index files on a hard disk) are not impacted. These vulnerabilities have been assigned CVE-2020-0499 and CVE-2021-0561.

To fix these vulnerabilities, update to FLAC-1.3.4 or later using the instructions for FLAC (sysv) or FLAC (systemd).

11.1 002 Cyrus-SASL Date: 2022-03-03 Severity: High

In cyrus-sasl-2.1.28, two security vulnerabilities were fixed that could allow for password/information leakage and for denial of service. The denial of service vulnerability exists in the 'common.c' file that is included in all SASL plugins and in the 'libsasl2.so' library itself. The password/information leakage vulnerability exists in the SQL plugin for SASL, and is due to it not escaping the password for an SQL INSERT or UPDATE statement. Both of these vulnerabilities can be exploited remotely. These vulnerabilities have been assigned CVE-2019-19906 and CVE-2022-24407.

To fix these vulnerabilities, update to cyrus-sasl-2.1.28 or later using the instructions for Cyrus-SASL (sysv) or Cyrus-SASL (systemd).

11.1 001 VIM (LFS and BLFS) Date: 2022-03-02 Severity: High

In vim-8.2.4489, four vulnerabilities that cause vim to crash when handling certain operation sequences or multibyte characters have been found and fixed. These vulnerabilities have been assigned CVE-2022-0685, CVE-2022-0696, CVE-2022-0714, and CVE-2022-0729.

To fix these vulnerabilities, update to vim-8.2.4489 or later using the instructions for vim (sysv) or vim (systemd).
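Every entry on this page ends the same way: a package, the version that carries the fix, and the instruction to update to that version or later. The following is an added example (not code from the LFS/BLFS project) of a small checker that compares installed versions against a table of fixed versions taken from the entries on this page; the installed versions in SAMPLE_INSTALLED are constructed sample data, and release-flavour suffixes such as "esr" are ignored when comparing.

```python
import re

# Fixed versions as stated in the advisories on this page (the first version
# that carries the fix). Package names are written as the page writes them.
ADVISORIES = {
    "expat": "2.4.5",
    "libxml2": "2.9.13",
    "libxslt": "1.1.35",
    "util-linux": "2.37.4",
    "vim": "8.2.4489",
    "ImageMagick": "7.1.0-25",
    "Thunderbird": "91.6.1",
    "firefox": "91.6.0esr",
    "cyrus-sasl": "2.1.28",
    "FLAC": "1.3.4",
}

# Constructed sample of what might be installed on a system built from the
# 11.0 books; this is not real inventory data.
SAMPLE_INSTALLED = {
    "expat": "2.4.4",
    "libxml2": "2.9.13",
    "vim": "8.2.4383",
    "ImageMagick": "7.1.0-25",
    "util-linux": "2.37.3",
    "firefox": "91.6.0esr",
}


def parse_version(text):
    """Reduce a version string to a tuple of its numeric fields.

    '7.1.0-25' -> (7, 1, 0, 25); '91.6.0esr' -> (91, 6, 0). Letters such as
    the 'esr' flavour marker carry no ordering information here and are dropped.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_at_least(installed, required):
    """True if installed >= required, comparing field by field.

    Shorter tuples are padded with zeros so '2.4' equals '2.4.0'.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def split_name_version(name_version):
    """Split 'util-linux-2.37.3' or 'ImageMagick-7.1.0-25' into (name, version).

    The split happens at the first hyphen that is followed by a digit, so
    hyphenated package names survive intact.
    """
    match = re.match(r"^(.*?)-(\d.*)$", name_version)
    if not match:
        raise ValueError("no version found in %r" % name_version)
    return match.group(1), match.group(2)


def outdated(installed, advisories=ADVISORIES):
    """Return {package: (installed, fixed)} for every installed package whose
    version is older than the version that carries the fix.

    Packages that are not installed are skipped: there is nothing to update.
    """
    result = {}
    for pkg, fixed in advisories.items():
        have = installed.get(pkg)
        if have is None:
            continue
        if not version_at_least(have, fixed):
            result[pkg] = (have, fixed)
    return result


def outdated_from_names(name_versions, advisories=ADVISORIES):
    """Same check, but fed a list of 'name-version' strings as the page writes them."""
    installed = dict(split_name_version(nv) for nv in name_versions)
    return outdated(installed, advisories)


if __name__ == "__main__":
    for pkg, (have, fixed) in sorted(outdated(SAMPLE_INSTALLED).items()):
        print("%s: installed %s, update to %s or later" % (pkg, have, fixed))
```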

Items between the releases of the 11.0 and 11.1 books

11.0 088 Thunderbird Date: 2022-02-24 Severity: High

In Thunderbird-91.6.1, a security vulnerability was fixed that could allow for remote code execution when processing new emails. This occurs due to an out-of-bounds write that causes one additional byte to be written into memory when processing a crafted email message. Note that the email does not have to be opened; the vulnerability is triggered when Thunderbird processes the email to add it to its index. This vulnerability has been assigned CVE-2022-0566.

To fix this vulnerability, update to Thunderbird-91.6.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 087 WebKitGTK+ Date: 2022-02-24 Severity: Critical

In WebKitGTK+-2.34.6, a security vulnerability was fixed that allows for trivial remote code execution, and that requires no user interaction. This vulnerability has been rated as an emergency by Apple, and has resulted in out-of-band security updates for all of its devices. Processing maliciously crafted images can result in trivial remote code execution, and Apple is aware of several reports that this issue is being actively exploited. This issue is classified as a use-after-free and was fixed in WebKitGTK+ with improved memory management. Due to the severity of this vulnerability and the fact that the vulnerability is being actively exploited, the BLFS team recommends updating to WebKitGTK+-2.34.6 immediately. This vulnerability has been assigned CVE-2022-22620, but additional information can be found at Apple Security Advisory and WSA-2022-0003.

To fix this vulnerability, update to WebKitGTK+-2.34.6 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.0 086 Expat Date: 2022-02-24 Severity: Critical

In expat-2.4.5, several security vulnerabilities were fixed that could allow for remote code execution and denial of service. One of these vulnerabilities allows for remote code execution due to missing validation of UTF-8 characters, such as checks for whether a UTF-8 character is valid in a certain context. This could allow for the characters to be passed elsewhere in the stack, and lead to remote code execution. Another vulnerability exists that allows attackers to insert namespace-separator characters into namespace URIs, allowing for trivial remote code execution or unauthorized access to information. Another vulnerability exists in the build_model function that allows for a denial of service due to stack exhaustion (application crash). In the functions storeRawNames and copyString, integer overflow vulnerabilities exist that allow for remote code execution when processing XML files. Similar to the libxml2 and libxslt vulnerabilities, these can be exploited trivially through malicious advertisements and other crafted web content, but also through other means depending on the context of an application that uses these libraries. The BLFS team recommends updating to expat-2.4.6 as soon as possible. These vulnerabilities have been assigned CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, and CVE-2022-25315.

To fix these vulnerabilities, update to expat-2.4.5 or later using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.0 085 libxml2 Date: 2022-02-24 Severity: High

In libxml2-2.9.13, a security vulnerability was fixed that could allow for a remote attacker to cause an application crash or cause remote code execution to occur. This occurs due to a use-after-free in the functions that handle ID and IDREF attributes, which are extremely common in XML documents. This update also included fixes for several memory leaks, use-after-free vulnerabilities, and null-pointer dereference crashes in other functions within the libxml2 library. Similar to the libxslt vulnerabilities, these vulnerabilities have been spotted in the wild during attacks utilizing malicious advertisements. The BLFS team recommends updating to libxml2-2.9.13 as soon as possible. This vulnerability has been assigned CVE-2022-23308.

To fix this vulnerability, update to libxml2-2.9.13 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).

11.0 084 PHP Date: 2022-02-24 Severity: Moderate

In PHP-8.1.3, a security vulnerability was fixed that could allow for a denial of service. This vulnerability occurs due to a logic error in the php_filter_float() function that leads to a use-after-free vulnerability due to it permitting integers to be passed to input that is only supposed to accept floating point numbers. According to Red Hat, this flaw allows an attacker to inject a malicious file, leading to a segmentation fault. If you are not using the php_filter_float() function, upgrading is not important. However, if you are using the php_filter_float() function, you should update as soon as possible. This vulnerability has been assigned CVE-2021-21708.

To fix this vulnerability, update to PHP-8.1.3 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 083 libxslt Date: 2022-02-24 Severity: High

In libxslt-1.1.35, a security vulnerability was fixed that could allow for remote attackers to exploit heap corruption via a use-after-free in the xsltApplyTemplates function. This vulnerability was originally discovered in Google Chrome (and thus QtWebEngine is affected), where remote attackers were using malicious advertisements with crafted XML documents embedded to cause remote code execution. The vulnerability was found to be in the libxslt library. Additionally, two memory leaks and a double-free (which could lead to denial of service) were fixed. The BLFS team recommends updating to libxslt-1.1.35 as soon as possible, especially if you have QtWebEngine installed. This vulnerability has been assigned CVE-2021-30560.

To fix this vulnerability, update to libxslt-1.1.35 or later using the instructions for libxslt (sysv) or libxslt (systemd).

11.0 082 util-linux (LFS and BLFS) Date: 2022-02-24 Severity: Moderate

In util-linux-2.37.4, a security vulnerability was fixed that could allow for local attackers to read information that is normally accessible only by the 'root' user. This vulnerability exists in the 'chsh' and 'chfn' utilities when compiled with support for libreadline, which is the default in LFS. The readline library uses the INPUTRC environment variable to get a path to the user's input settings from /etc/inputrc, but when the library cannot parse the specified file, it prints an error containing data from the file. An example attacker is a user setting INPUTRC to /etc/passwd, and then running chsh (or any other setuid-root application). This flaw thus allows an unprivileged user to read root-owned files, which can lead to privilege escalation and unauthorized access to privileged information. This vulnerability has been assigned CVE-2022-0563.

To fix this, upgrade to util-linux-2.37.4 or later using the instructions at util-linux (sysv) or util-linux (systemd). Please be aware that on older systems where the linux headers include 'linux/raw.h' you will need to add '--disable-raw' to the configure options, and on systems before /usr was merged (LFS-10.1 and earlier) you should omit '--libdir=/usr/lib' to ensure that the libraries overwrite the existing libraries in /lib.

11.0 081 VIM (LFS and BLFS) Date: 2022-02-22 Severity: High

Another heap-based buffer overflow, causing a crash when repeatedly using :retab, was fixed in vim-8.2.4359. This has been assigned CVE-2022-0572 (undergoing analysis).

To fix this vulnerability update to vim-8.2.4383 or later using the instructions for vim (sysv) or vim (systemd).

11.0 080 ImageMagick Date: 2022-02-18 Severity: High

BLFS updated to ImageMagick-7.1.0-25 from 7.1.10-4. The changes include two fixes for apparent security vulnerabilities: in 7.1.0-5 fixing a Heap-based buffer overflow in the TIFF coder, and in 7.1.0-13 fixing a stack overflow when parsing a malicious ps image file. No further details of these are available.

To fix these, update to ImageMagick-7.1.0-25 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).

11.0 079 MariaDB Date: 2022-02-14 Severity: High

In MariaDB-10.6.7, several security vulnerabilities were fixed that could allow for application crashes and information disclosure when executing certain SELECT commands. One of these issues occurs due to incorrect usage of used_tables inside of the API. Another occurs due to improper usage of the sub_select_postjoin_aggr() function in the API. Another one occurs due to improper usage of the find_field_in_tables and find_order_in_list API calls due to an unused table common table expression. The rest of the vulnerabilities occur when a SELECT DISTINCT statement is too long, such that they interact with storage-engine resource limitations, and when SELECT is called with other unspecified options. These vulnerabilities have been assigned CVE-2021-46665, CVE-2021-46664, CVE-2021-46661, CVE-2021-46668, CVE-2021-46663, CVE-2022-24052, CVE-2022-24051, CVE-2022-24050, CVE-2022-24048, and CVE-2021-46659.

To fix these vulnerabilities, update to MariaDB-10.6.9 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).

11.0 078 Exempi Date: 2022-02-14 Severity: Critical

In Exempi-2.6.1, several security vulnerabilities were fixed that could allow for information disclosure, vulnerability mitigation bypass, application crashes, arbitrary code execution, and remote code execution. Most of these vulnerabilities are due to stack-based buffer overflows and memory corruption issues, but a few of them are caused by use-after-free problems which result in application crashes. In theory, these vulnerabilities are exploitable by downloading files on systems where Tracker is installed and configured to index the user's home directory, but the primary attack vector listed is users who open crafted files. Due to the highly exploitable nature of these vulnerabilities though, updating to Exempi-2.6.1 as soon as possible is recommended. These vulnerabilities have been assigned CVE-2021-40716, CVE-2021-40732, CVE-2021-36045, CVE-2021-36046, CVE-2021-36052, CVE-2021-36047, CVE-2021-36048, CVE-2021-36050, CVE-2021-36051, CVE-2021-39847, CVE-2021-36053, CVE-2021-36054, CVE-2021-36055, CVE-2021-36056, CVE-2021-36057, CVE-2021-36064, and CVE-2021-36058.

To fix these vulnerabilities, update to Exempi-2.6.1 or later using the instructions for Exempi (sysv) or Exempi (systemd).

11.0 077 Thunderbird Date: 2022-02-13 Severity: High

In Thunderbird-91.6.0, several security vulnerabilities were fixed that could allow for extension updates to be completed without the user's permission, for images to be dragged-and-dropped as executables, for sandboxed HTML to execute JavaScript, for cross-origin responses to be distinguished between script and non-script content types, for content security policy bypasses, for arbitrary code execution via script execution during an invalid object state, and for remotely-exploitable crashes to occur. These vulnerabilities cannot, in general, be exploited through normal email usage, except through HTML mail. These vulnerabilities have been assigned CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, and CVE-2022-22764.

To fix these vulnerabilities, update to Thunderbird-91.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 076 Samba Date: 2022-02-13 Severity: Critical

In Samba-4.15.3, three security vulnerabilities were fixed that could allow for an information leak, for trivial remote code execution, and for the ability to impersonate services on an Active Directory network. The information leak vulnerability occurs via symlinks, and can notify the user of the existence of a file or folder outside of an exported directory share. The remote code execution is trivial to exploit and allows remote attackers to easily execute arbitrary code as root on affected Samba servers which use the VFS module vfs_fruit. This vulnerability exists within the parsing of EA metadata when opening files in smbd. Note that vfs_fruit is most commonly used when an Apple Macintosh device is on the network. This particular vulnerability has been rated a 9.9/10 by NVD. The Active Directory impersonation vulnerability occurs due to checks being bypassed. These checks are supposed to prevent aliased SPNs from being mixed up with standard users. An attacker can exploit this vulnerability by writing to an account that is identical to the name of an existing service. This also allows an attacker to intercept traffic intended for those services, allowing for a significant loss of confidentiality and integrity. These vulnerabilities have been assigned CVE-2021-44141, CVE-2021-44142, and CVE-2022-0336.

To fix these vulnerabilities, update to Samba-4.15.3 or later using the instructions for Samba (sysv) or Samba (systemd) immediately.

11.0 075 WebKitGTK+ Date: 2022-02-13 Severity: Critical

In WebKitGTK+-2.34.5, several security vulnerabilities were fixed that could allow for remote code execution, unauthorized information disclosure, application crashes, content security policy bypasses, and malicious JavaScript execution. One of these vulnerabilities has a proof-of-concept exploit available which exfiltrates information out of cookies. Most of these vulnerabilities occur due to memory corruption issues that arise from processing maliciously crafted web pages, videos, and other web content. Updating as soon as possible is advised. These vulnerabilities have been assigned CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, CVE-2021-30984, CVE-2022-22594, CVE-2021-45481, CVE-2021-45482, CVE-2021-45483, CVE-2022-22589, CVE-2022-22590, and CVE-2022-22592.

To fix these vulnerabilities, update to WebKitGTK+-2.34.5 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.0 074 gst-plugins-base Date: 2022-02-13 Severity: Medium

In gst-plugins-base-1.18.6 (and 1.20.0), a security vulnerability was fixed that could allow for application crashes when presented with malformed files. This occurred when calling upon tagdemux during processing of a malicious MP3 file, and happens due to a race condition between typefinding and the end-of-stream event. This vulnerability can be exploited via WebKitGTK+-based browsers by visiting a web page with a corrupted MP3 file present on the page. This vulnerability has not been assigned a CVE, but more details can be found at Gstreamer Issue 967.

To fix this vulnerability, update to gstreamer-1.18.6 or 1.20.0 or later using the instructions for gst-plugins-base (sysv) or gst-plugins-base (systemd).

If you decide to update to gst-plugins-base-1.20.0, you must update the entire stack to 1.20 at the same time.

11.0 073 zsh Date: 2022-02-13 Severity: High

In zsh-5.8.1, a security vulnerability was fixed that could allow for malicious command execution through the PROMPT_SUBST expansion. An attacker can achieve code execution if they control a command output inside the prompt. This has been demonstrated upstream via the %F argument, and a proof of concept exploit exists that can be used to trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name. This was fixed in the shell via preventing PROMPT_SUBST evaluation on prompt-expansion arguments. This vulnerability has been assigned CVE-2021-45444.

To fix this vulnerability, update to zsh-5.8.1 or later using the instructions for zsh (sysv) or zsh (systemd).

11.0 072 Wireshark Date: 2022-02-13 Severity: High

In Wireshark-3.6.2, several security vulnerabilities were fixed that could allow for a remote attacker to cause a denial-of-service due to application crashes and excessive resource consumption. These issues can be exploited on a network where AMP, ATN-ULCS, ASN.1, BP, GDSDB, OpenFlow v5, P_MUL, SoulSeek, TDS, WBXML, WSP, ZigBee ZCL, RTMPT, PVFS, CSN.1, or CMS packets are being transmitted. Note that this is also exploitable via a malicious packet trace file, although the primary attack vector is packets traveling across a network when Wireshark is run. There are no CVEs for these issues, however they have been assigned advisories upstream. More information about these vulnerabilities can be found at wnpa-sec-2022-01, wnpa-sec-2022-02, wnpa-sec-2022-03, wnpa-sec-2022-04, and wnpa-sec-2022-05.

To fix these vulnerabilities, update to Wireshark-3.6.2 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.0 071 libarchive Date: 2022-02-13 Severity: Medium

In libarchive-3.6.0, two security vulnerabilities were fixed that could allow for symlink attacks and for a denial of service. One of these vulnerabilities occurs in the copy_string() function, and is classified as a use-after-free that results in a denial of service. The other one occurs when processing the fixup list while extracting an archive. Note that these vulnerabilities can occur in any program which uses libarchive, but the primary attack vector is a user downloading a malicious archive. These vulnerabilities have been assigned CVE-2021-31566 and CVE-2021-36976.

To fix these vulnerabilities, update to libarchive-3.6.0 or later using the instructions for libarchive (sysv) or libarchive (systemd).

11.0 070 libgcrypt Date: 2022-02-13 Severity: Medium

In libgcrypt-1.10.0, a security vulnerability was fixed that allows for plaintext encryption key recovery when using the ElGamal implementation in libgcrypt. This was previously fixed in 1.9.4, but the fix was improved upon in libgcrypt-1.10.0. The issue occurs during the interaction between two cryptographic libraries and a dangerous combination of the prime defined by the receiver's public key as well as the generator in the public key and the sender's ephemeral exponents. This allows for a cross-configuration attack leading to plaintext encryption key recovery. This vulnerability has been assigned CVE-2021-40528.

To fix this vulnerability, update to libgcrypt-1.10.0 or later using the instructions for libgcrypt (sysv) or libgcrypt (systemd).

11.0 069 glibc Date: 2022-02-13 Severity: Critical

In glibc-2.35, four security vulnerabilities were fixed that could allow for denial of service, remote code execution, information disclosure, arbitrary code execution, and privilege escalation. One of these vulnerabilities occurs due to an off-by-one buffer overflow and underflow in the getcwd() function, which may lead to memory corruption when the size of the buffer is exactly '1'. A local attacker who has the capability of controlling the input buffer and size passed to getcwd() in a SUID-bit enabled program can use this flaw to elevate privileges and execute arbitrary code on the system. Another vulnerability is caused by the realpath() function - in applications which use the realpath_stk() function, it is possible to have unintentional information leakage and disclosure of sensitive data due to an unexpected value being returned with the contents of memory. Another vulnerability exists in the svcunix_create() function in the SunRPC module in glibc. This occurs when the svcunix_create() function copies its path argument on the stack without validating its length, which results in a buffer overflow and remote code execution (or crashes). The fourth and final vulnerability exists in the clnt_create() function in the SunRPC module. The clnt_create() function will copy its hostname argument on the stack without validating its length, which results in a buffer overflow and remote code execution or application crashes. These vulnerabilities have been assigned CVE-2022-23219, CVE-2022-23218, CVE-2021-3998, and CVE-2021-3999.

Properly fixing these vulnerabilities can be tricky. To fix them, take a full system backup, and then rebuild glibc with the patch found at glibc-2.34-security_fixes-1.patch, using the instructions for glibc from glibc (sysv) or glibc (systemd).

11.0 068 Expat Date: 2022-02-13 Severity: Critical

In Expat-2.4.4, two security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service. These vulnerabilities are classified as signed integer overflows. One of the vulnerabilities occurs when a program calls upon XML_GetBuffer in configurations with a non-zero value of XML_CONTENT_BYTES. The other vulnerability occurs when processing large content via the doProlog function. These vulnerabilities have been assigned CVE-2022-23990 and CVE-2022-23852.

To fix these, update to Expat-2.4.4 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.0 067 Intel Microcode Date: 2022-02-12 Severity: Medium

Intel microcode for Skylake and later processors has been updated to fix two vulnerabilities, a privilege escalation on certain recent Pentium, Celeron and Atom processors Intel-SA-00528 CVE-2021-0146, and for all Skylake and later processors a local Denial of Service Intel-SA-00532 CVE-2021-0127.

To fix these, update to at least microcode-20220207 using the instructions for About Firmware (sysv) or About Firmware (systemd).

11.0 066 Firefox Date: 2022-02-09 Severity: High

In firefox 91.6.0 several CVE issues, two rated High, were fixed. These are listed in mfsa-2022-05. The CVEs are CVE-2022-22754 (Not yet public), CVE-2022-22756 (Not yet public), CVE-2022-22759 (Not yet public), CVE-2022-22760 (Not yet public), CVE-2022-22761 (Not yet public), CVE-2022-22763 (Not yet public), CVE-2022-22766 (Not yet public).

To fix these, update to firefox-91.6.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.0 065 Linux Kernel (LFS) Revised: 2022-02-04 Severity: High

In Linux before 5.16.2 or 5.15.16 (current long term stable) a local privilege escalation via heap overflow exists. Details at oss-security. This has been assigned CVE-2022-0185 (Not yet public). Please note that linux-5.16.2 and 5.15.16 had a vulnerability in ext4 which could lead to data loss.

Additionally, in Linux before 5.16.4 or 5.15.18 there is a random memory access flaw in the i915 driver which a malicious user can use to crash the system or elevate their privileges. See oss-security. This has been assigned CVE-2022-0330 (Not yet public).

To fix these, update to Linux 5.16.4 or later, or Linux-5.15.18 or later (if you prefer to stick with long-term stable 5.15), or versions from 2022-01-29 or later (if for some reason you are using an older stable kernel series), using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

In addition, there was a bug allowing privilege escalation in the kernel's vmwgfx driver (apparently not exploitable if qemu is used). See oss-security which has been assigned CVE-2022-22942 (Not yet public). The proposed fix for this did not appear on the kernel mailing list, but was included in linux-5.16.4 and other stable kernels released at the same time. Therefore, the workaround to disable the vmwgfx driver on affected systems is not required if you upgrade to linux-5.16.4 or later, or linux-5.15.18 or later.

11.0 064 Expat Date: 2022-02-01 Severity: Critical

Several vulnerabilities, three rated as Critical, have been fixed in expat-2.4.3. See CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826 and CVE-2022-22827.

To fix this, update to Expat-2.4.3 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.0 063 VIM (LFS and BLFS) Date: 2022-02-01 Severity: High

Many security vulnerabilities in vim have been fixed in versions up to vim-8.2.4236. Fifteen of these have been rated as High by the NVD. Unfortunately, the details are minimal. These vulnerabilities have been assigned CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, and CVE-2022-0213.

To fix these vulnerabilities, update to vim-8.2.4236 or later using the instructions for vim (sysv) or vim (systemd).

11.0 062 util-linux Date: 2021-06-28 Severity: High

Two bugs in libmount since version 2.33 have been discovered. These apply to fuse mounts, but one of the examples shows fuse being used to umount /tmp. See oss-security. The CVEs are CVE-2021-3995 (Not yet public) and CVE-2021-3996 (Not yet public).

To fix this, upgrade to util-linux-2.37.3 or later using the instructions at util-linux (sysv) or util-linux (systemd). Please be aware that on older systems where the linux headers include 'linux/raw.h' you will need to add '--disable-raw' to the configure options, and on systems before /usr was merged (LFS-10.1 and earlier) you should omit '--libdir=/usr/lib' to ensure that the libraries overwrite the existing libraries in /lib.

11.0 061 Qt5 Date: 2022-01-28 Severity: Medium

An Out Of Bounds Write was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. Please see CVE-2021-45930.

To fix this apply the qt-everywhere-src-5.15.2-kf5.15-2.patch (or a later version of the patch if one exists) using the instructions at Qt5 (sysv), or Qt5 (systemd).

11.0 060 Rustc Date: 2022-01-25 Severity: High

In all versions of rust before 1.58.1 an attacker can exploit a race condition to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. The rust security advisory https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html explains this. Pending further analysis, this is rated as High and if you have any privileged rust programs they should be rebuilt if they use this function on paths that may be manipulated with lesser privileges. The programs in BLFS which use rust do not install any privileged programs so most BLFS users who have installed rust will only need to upgrade it.

Please see CVE-2022-21658.

To fix rust, update to rustc-1.58.1 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).

11.0 059 polkit Date: 2022-01-26 Severity: High

In polkit-0.120, a trivially exploitable vulnerability allowing local privilege escalation has been identified. This vulnerability affects polkit back to 0.92. The details can be found at this Qualys Security Advisory. The vulnerability has been assigned CVE-2021-4034 (not disclosed yet).

To fix this, apply the patch for polkit >=0.114, <=0.120, or the rebased patch for polkit >=0.92, <=0.113 and rebuild polkit. Or, if you don't use the functionality of the pkexec command, you can unset the SUID bit on it with chmod -s /usr/bin/pkexec as the root user, as a workaround.

11.0 058 GnuTLS Date: 2022-01-18 Severity: Low

A security advisory has been published by GnuTLS developers: GNUTLS-SA-2022-01-17. This vulnerability has been classified as a memory corruption vulnerability in the gnutls_x509_trust_list_verify_crt() function which occurs when a single trust list object is shared among multiple threads. A CVE identifier has not been issued for this vulnerability.

To fix this vulnerability, update to GnuTLS 3.7.3 or a later version using the instructions for GnuTLS (sysv), or GnuTLS (systemd).

11.0 057 QtWebEngine Date: 2022-01-17 Severity: High

Thirty-one more CVEs (from Chromium) in QtWebEngine, of which at least seventeen are rated as High, have been fixed in the 5.15.8 version: CVE-2021-4102, CVE-2021-4101, CVE-2021-4099, CVE-2021-4098, CVE-2021-4079, CVE-2021-4078, CVE-2021-4062, CVE-2021-4059, CVE-2021-4058, CVE-2021-4057, CVE-2021-38022, CVE-2021-38021, CVE-2021-38019, CVE-2021-38018, CVE-2021-38017, CVE-2021-38015, CVE-2021-38012, CVE-2021-38010, CVE-2021-38009, CVE-2021-38007, CVE-2021-38005, CVE-2021-38003, CVE-2021-38001, CVE-2021-37996, CVE-2021-37993, CVE-2021-37992, CVE-2021-37989, CVE-2021-37987, CVE-2021-37984, CVE-2021-3541, CVE-2021-3517.

To fix these, update to 5.15.8 or a later version using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

11.0 056 Thunderbird Date: 2022-01-13 Severity: High

In Thunderbird-91.5.0, several security vulnerabilities were fixed that could allow for being unable to leave fullscreen mode, for out-of-bounds memory access (when inserting text in edit mode), for use-after-free crashes when certain network request objects were freed too early, for crashes when processing CSS filter effects, for crashes when playing audio files, for iframe sandbox escapes, origin spoofs, leakage of cross-origin URLs through the securitypolicyviolation event, and for remote code execution due to memory safety issues. An additional security vulnerability was fixed that could allow for crashes when handling empty PKCS#7 sequences. These vulnerabilities have been assigned CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, and CVE-2022-22751.

To fix these vulnerabilities, update to Thunderbird-91.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 055 Epiphany Date: 2022-01-13 Severity: Moderate

In Epiphany-41.3, four security vulnerabilities were fixed that could allow for cross-site scripting (XSS) to take place. These security vulnerabilities occurred in the about:overview page, the PDF.js PDF reader (using a server's suggested_filename as the pdf_name), when using the View Source mode or Reader Mode to view a page title, and via all internal error pages. These vulnerabilities have been assigned CVE-2021-45085, CVE-2021-45086, CVE-2021-45087, and CVE-2021-45088.

To fix these vulnerabilities, update to Epiphany-41.3 or later using the instructions for Epiphany (sysv) or Epiphany (systemd).

11.0 054 systemd Date: 2022-01-13 Severity: High

In systemd-249 (and systemd-250), a security vulnerability exists that allows for uncontrolled recursion in the systemd-tmpfiles program. systemd-tmpfiles creates, modifies, and deletes temporary files and directories on system startup. While this vulnerability is just classified as a denial-of-service, it is also possible to cause PID1 to Segmentation Fault when this is exploited. It is also possible to create arbitrary files if an attacker can catch a folder while it is still world-writable. If you use systemd, it is recommended that you patch your installation immediately. In response to this, the BLFS Editors have developed a patch for both version 250 (which is for the development books), and for 249 (which is the version that shipped with LFS/BLFS 11.0). This vulnerability has been assigned CVE-2021-3997.

If you are using systemd-250, apply the patch using the instructions for systemd (systemd).

If you are using systemd-249, apply the new upstream fixes patch located at systemd-249-upstream_fixes-2 and rebuild systemd.

11.0 053 cryptsetup Date: 2022-01-13 Severity: High

In cryptsetup-2.3.6, a security vulnerability was identified that allows for decryption of data during crash recovery on a LUKS2-encrypted device. This attack does require physical access to the device, but no knowledge of user passphrases. An attacker can modify on-disk metadata to simulate encryption in progress with a crashed (unfinished) reencryption step, which allows for persistent decryption of the device. If you are using cryptsetup for anything other than a build dependency, you should update to 2.4.3 immediately. Note that you need to finish any encryption tasks that are currently in progress to prevent any data corruption/data loss. This vulnerability has been assigned CVE-2021-4122.

To fix this vulnerability, update to cryptsetup-2.4.3 or later using the instructions for cryptsetup (sysv) or cryptsetup (systemd).

11.0 052 gfbgraph Date: 2022-01-11 Severity: High

In gfbgraph-0.2.4, a security vulnerability was discovered that causes gfbgraph to fail to perform TLS certificate validation when downloading or uploading photos or graphs from remote sources. This is because it does not enable TLS certificate validation on the SoupSessionSync objects it creates. This allows for remote injection/modification of graphs and for remote code execution. Note that this is almost identical to CVE-2016-20011 in libgrss, and CVE-2021-39365 in Grilo. This vulnerability has been assigned CVE-2021-39358.

To fix this vulnerability, update to gfbgraph-0.2.5 or later using the instructions for gfbgraph (sysv) or gfbgraph (systemd).

11.0 051 libgrss Date: 2022-01-11 Severity: High

In libgrss-0.7.0, a security vulnerability was discovered that causes libgrss to fail to perform TLS certificate validation when downloading feeds. This allows remote attackers to manipulate the contents of feeds without detection and execute code on the machine remotely. This is another issue related to libsoup's SoupSessionSync default behavior. The BLFS developers have produced an update to the bugfixes patch for libgrss that fixes this vulnerability. This vulnerability has been assigned CVE-2016-20011.

To fix this vulnerability, rebuild libgrss with the patch (or update to a later version) using the instructions for libgrss (sysv) or libgrss (systemd).

11.0 050 Firefox Date: 2022-01-11 Severity: High

In firefox 91.5.0 several CVE issues, some rated High, were fixed. These are listed in mfsa-2022-02. The CVEs are CVE-2021-4140 (Not yet public), CVE-2022-22737 (Not yet public), CVE-2022-22738 (Not yet public), CVE-2022-22739 (Not yet public), CVE-2022-22740 (Not yet public), CVE-2022-22741 (Not yet public), CVE-2022-22742 (Not yet public), CVE-2022-22743 (Not yet public), CVE-2022-22745 (Not yet public), CVE-2022-22747 (Not yet public) and CVE-2022-22751 (Not yet public).

To fix these, update to firefox-91.5.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.0 049 Node.js Date: 2022-01-11 Severity: Medium

In node.js-16.13.2, four medium-severity vulnerabilities were fixed. Initial details are at node.js/news. These vulnerabilities have been assigned CVE-2021-44531, CVE-2021-44532, CVE-2021-44533 and CVE-2021-21824.

To fix these vulnerabilities, update to Node.js-16.13.2 or later using the instructions for node.js (sysv) or node.js (systemd).

11.0 048 Grilo Date: 2021-01-10 Severity: Moderate

In Grilo-0.3.14, a security vulnerability was fixed that could allow for man-in-the-middle attacks and silent TLS encryption downgrades. This problem exists due to TLS certificate validation not being enabled on the SoupSessionAsync objects that grilo creates. This could also allow for commands and false data to be injected into a stream of data, depending on the context where Grilo is used. According to the National Vulnerability Database, this vulnerability can result in high confidentiality impact (information leakage), due to the silent TLS encryption downgrade. This vulnerability has been assigned CVE-2021-39365.

To fix this vulnerability, update to Grilo-0.3.14 or later using the instructions for Grilo (sysv) or Grilo (systemd).

11.0 047 make-ca Date: 2022-01-10 Severity: Moderate

In make-ca-1.9, a misinterpretation of input causes the generated trust store to contain some certificates explicitly untrusted by Mozilla. These certificates were the anchors of some already compromised CAs. Attackers who have kept certificates obtained by defrauding those CAs may exploit this to perform a man-in-the-middle (MITM) attack. For more information see GHSA-m5qh-728v-4xrx. This vulnerability has been assigned CVE-2022-21672.

To fix this vulnerability, update to make-ca-1.10 or later using the instructions for make-ca (sysv) or make-ca (systemd), and run make-ca -r as the root user to regenerate the trust store after the update.

11.0 046 Wireshark Date: 2022-01-03 Severity: High

In Wireshark-3.6.1, six security vulnerabilities were fixed that could allow for remote attackers to cause Wireshark to crash or get stuck in an infinite loop, which can cause resource exhaustion. This can occur via packet injection while Wireshark is capturing packets and dissecting them, or via a crafted capture file. This can occur when Wireshark is being used on a network with Sysdig Event, BitTorrent, RTMPT, or Kafka packets being sent and received, or when examining/parsing *.pcapng or RFC 7468 files. If you use Wireshark to examine *.pcapng or RFC 7468 files, or are using Wireshark on a network where there may be Sysdig Events, BitTorrent, RTMPT, or Kafka packets being sent or received, update to Wireshark-3.6.1. These vulnerabilities have been assigned CVE-2021-4185, CVE-2021-4184, CVE-2021-4183, CVE-2021-4182, and CVE-2021-4181.

To fix these vulnerabilities, update to Wireshark-3.6.1 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.0 045 wpa_supplicant Date: 2021-12-26 Severity: High

The BLFS Editors have become aware of six security vulnerabilities in wpa_supplicant that are known upstream, and have created a patch to fix them. These vulnerabilities allow for packets to be accepted across networks without any validation (known as CallStranger), remote code execution, crashes, forging attacks, and local privilege escalation. Note that no user interaction is required to exploit any of these vulnerabilities. These vulnerabilities have been assigned CVE-2019-16275, CVE-2020-12695, CVE-2021-0326, CVE-2021-27803, CVE-2021-30004, and CVE-2021-0535.

To fix these vulnerabilities, update to wpa_supplicant-2.10 or later using the instructions for wpa_supplicant (sysv) or wpa_supplicant (systemd).

11.0 044 WebKitGTK+ Date: 2021-12-23 Severity: Medium

In WebKitGTK+-2.34.3, two security vulnerabilities were fixed that could allow for a bypass of the Content Security Policy (if enabled) and for universal cross-site scripting. These were both addressed with improved state management and CSP changes, and are classified as logic issues. These vulnerabilities have been assigned CVE-2021-30887 and CVE-2021-30890.

To fix these vulnerabilities, update to WebKitGTK+-2.34.3 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.0 043 Seamonkey Date: 2021-12-23 Severity: Critical

In Seamonkey-2.53.10.1, several security vulnerabilities were fixed. These vulnerabilities could allow for memory corruption, remote code execution, restriction bypass, spoofing attacks, silent encryption downgrade, URL leakage, and enumerating installed applications remotely. Updating to seamonkey-2.53.10.1 is recommended as soon as possible, as some of these security vulnerabilities are under active exploitation. These vulnerabilities have been assigned CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-43535, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546, and CVE-2021-4129 (Not Public).

To fix these vulnerabilities, update to Seamonkey-2.53.10.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.0 042 Apache HTTPD Date: 2021-12-23 Severity: Critical

In httpd-2.4.52, two security vulnerabilities were fixed. One of the security vulnerabilities can cause a crash, or Server Side Request Forgery, if ProxyRequests is turned on in httpd.conf (enabling forward proxy). An additional security vulnerability exists that can cause a buffer overflow when mod_lua is enabled. This is caused by a carefully crafted request body when r:parsebody() is called from within a Lua script. While no exploit currently exists, it is very likely that one will be created soon according to upstream. If you use mod_lua or ProxyRequests, you should update to httpd-2.4.52 or later as soon as possible. These vulnerabilities have been assigned CVE-2021-44224 and CVE-2021-44790.

To fix these vulnerabilities, update to httpd-2.4.52 or later using the instructions for Apache (sysv) or Apache (systemd).

11.0 041 PHP Date: 2021-12-23 Severity: High

In PHP-8.1.1, a security vulnerability was fixed that could allow for an out-of-bounds access when using php_pcre_replace_impl() via a crafted preg_replace call. This out-of-bounds access can lead to remote information disclosure or a denial-of-service. Note that this vulnerability originated in PHP-7.1.5 from around 2017. Upgrading PHP if you use preg_replace is suggested. This vulnerability has been assigned CVE-2017-9118.

To fix this vulnerability, update to PHP-8.1.1 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 040 Thunderbird Date: 2021-12-23 Severity: Critical

In Thunderbird-91.3.1, several security vulnerabilities were fixed. These vulnerabilities could allow for restriction bypasses via cross-site scripting, memory corruption / crashes, spoofing attacks, TLS encryption bypass, exposing target URLs during navigation, remotely querying installed applications, sandbox escapes, information disclosure (if you use Matrix via Thunderbird's Chat function), remote code execution, and plaintext recovery of encrypted data (using OpenPGP). Several of these security vulnerabilities are rated as critical by NVD, so you should update as soon as possible. These vulnerabilities have been assigned CVE-2021-40529, CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-43535, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546, CVE-2021-43528, CVE-2021-4126 (Not Public), and CVE-2021-44538.

To fix these vulnerabilities, update to Thunderbird-91.4.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 039 Lynx Date: 2021-12-18 Severity: Medium

A security vulnerability in Lynx was brought to the BLFS Editors' attention. This security vulnerability allows for passwords to be leaked in cleartext on connections which are using HTTPS. In response to this, the BLFS Editors created a patch to fix this vulnerability. The vulnerability only affects users who use HTTPS URLs with Lynx, and who authenticate on that website as well. This vulnerability has been assigned CVE-2021-38165.

To fix this vulnerability, apply the patch in Lynx using the instructions for Lynx (sysv) or Lynx (systemd).

11.0 038 xorg-server Date: 2021-12-18 Severity: High

In xorg-server-21.1.2, four security vulnerabilities were fixed that allow for local privilege escalation (on local systems), and remote code execution (on systems which are using SSH forwarding). All four of these vulnerabilities are classified as out-of-bounds access, and are due to improper input validation. One of these vulnerabilities exists in the Record extension, another in the ScreenSaver extension, another in XFixes, and the last in the Render extension (which handles fonts). Note that these security vulnerabilities were fixed in XWayland as well, so you should install both updates. These vulnerabilities have been assigned CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, and CVE-2021-4011.

To fix these vulnerabilities, update to xorg-server-21.1.2 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).

11.0 037 XWayland Date: 2021-12-18 Severity: High

In XWayland-21.1.4, four security vulnerabilities were fixed that allow for local privilege escalation (on local systems), and remote code execution (on systems which are using SSH forwarding). All four of these vulnerabilities are classified as out-of-bounds access, and are due to improper input validation. One of these vulnerabilities exists in the Record extension, another in the ScreenSaver extension, another in XFixes, and the last in the Render extension (which handles fonts). Note that these security vulnerabilities were fixed in xorg-server as well, so you should install both updates. These vulnerabilities have been assigned CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, and CVE-2021-4011.

To fix these vulnerabilities, update to XWayland-21.1.4 or later using the instructions for XWayland (sysv) or XWayland (systemd).

11.0 036 lxml Date: 2021-12-18 Severity: High

In lxml-4.7.1, two security vulnerabilities were fixed that could allow for crafted script content to pass through the HTML Cleaner. This can occur with SVG files embedded with data URIs, as well as with CSS imports. Note that this only affects packages that use 'lxml' for sanitizing HTML imports, but upstream has rated both security vulnerabilities as high, and has assigned one CVE for both. This set of security vulnerabilities has been assigned CVE-2021-43818.

To fix these vulnerabilities, update to lxml-4.7.1 or later using the instructions for lxml (sysv) or lxml (systemd).

11.0 035 OpenJDK Date: 2021-12-17 Severity: Critical

In OpenJDK-17.0.1, several security vulnerabilities were fixed that could allow for remote code execution, unauthorized modification of data, and denial of service. Some of these occurred via malicious image files, as well as TLS bypass and connection hijacking. This update to JDK also prevents exploitation of the log4j security vulnerability, known as Log4Shell. Log4Shell permits trivial remote-code-execution and is being exploited worldwide at an alarming rate. Most Java applications are affected because they use Apache's log4j logging framework. If you have Java installed, you MUST install this update immediately to protect yourself from exploitation. These vulnerabilities have been assigned CVE-2021-35567, CVE-2021-35586, CVE-2021-35564, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35578, and CVE-2021-35603; the update also helps protect against CVE-2021-44228.

To fix these vulnerabilities, update to OpenJDK-17.0.1 or later using the instructions for OpenJDK (sysv) or OpenJDK (systemd).

Alternatively, you may use the binary the BLFS Editors have produced: Java (sysv) or Java (systemd).

11.0 034 AudioFile Date: 2021-12-13 Severity: Critical

On December 13th, 2021, the BLFS project became aware of several security vulnerabilities in AudioFile and created a patch. These 13 security vulnerabilities include denial of service, arbitrary command execution, and arbitrary code execution vulnerabilities. They occur in a variety of places, such as when playing a .WAV file, editing a .WAV file, or adjusting various settings such as buffer sizes in a WAV file. Some also occur when using the 'sfconvert' command provided with AudioFile. Note that the only package in BLFS that uses AudioFile is KWave. If you have KWave installed, updating to AudioFile with this patch should be done immediately. These vulnerabilities have been assigned CVE-2017-6839, CVE-2017-6838, CVE-2017-6837, CVE-2017-6836, CVE-2017-6835, CVE-2017-6834, CVE-2017-6833, CVE-2017-6832, CVE-2017-6831, CVE-2017-6830, CVE-2017-6829, CVE-2017-6828, and CVE-2017-6827.

To fix these vulnerabilities, apply the patch for AudioFile using the instructions for AudioFile (sysv) or AudioFile (systemd).

11.0 033 PostgreSQL Date: 2021-12-13 Severity: High

In PostgreSQL-14.1 (as well as 13.5, 12.9, 11.14, 10.19, and 9.6.24), two security vulnerabilities were fixed that could allow for both PostgreSQL Client and PostgreSQL Server to process unencrypted bytes from an unauthenticated remote attacker via a man-in-the-middle attack. This is caused by injecting false responses into PostgreSQL during initial authentication. In the case of PostgreSQL Server, this also allows for injection of arbitrary SQL queries when a connection is first established. These vulnerabilities have been assigned CVE-2021-23214 and CVE-2021-23222.

To fix these vulnerabilities, update to PostgreSQL-14.1 or later using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).

11.0 032 Ruby Date: 2021-12-13 Severity: Critical

In Ruby-3.0.3, three security vulnerabilities were fixed that could allow for arbitrary code execution, denial of service, and content spoofing. The arbitrary code execution vulnerability exists in the CGI gem, and occurs when large files are passed to CGI.escape_html due to a buffer overflow. The denial of service vulnerability happens when parsing dates using Date.parse(). The content spoofing vulnerability occurs when using CGI::Cookie.parse. This is a resurgence of the CVE-2020-8184 vulnerability, which allows for attackers to modify cookies in transit and for them to be accepted by Ruby without going through any validation. These vulnerabilities have been assigned CVE-2021-41817, CVE-2021-41816, and CVE-2021-41819.

To fix these vulnerabilities, update to ruby-3.0.3 or later using the instructions for Ruby (sysv) or Ruby (systemd).

11.0 031 PHP Date: 2021-12-13 Severity: Medium

In PHP-8.0.13, a security vulnerability was fixed that could allow for PHP to read a different file from what the user intended. If a filename contains a URL-encoded NUL character, this may cause the simplexml_load_file() function to interpret the character as the end of the filename, thus allowing remote attackers to read a different file from what the programmers intended. This vulnerability has been assigned CVE-2021-21707.

To fix this vulnerability, update to php-8.0.13 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 030 Firefox Updated: 2021-12-07 Severity: High

In firefox 91.4.0 several CVE issues, some rated High, were fixed. These are listed in mfsa-2021-53. The CVEs are CVE-2021-4129 (Not yet public), CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546.

To fix these, update to firefox-91.4.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.0 029 NSS Date: 2021-12-02 Severity: Critical

Versions of NSS before 3.73 or 3.68.1-ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Further details are at mfsa-2021-51 and CVE-2021-43527 (not yet public).

To fix this, update to at least NSS-3.73 using the instructions for NSS (sysv) or NSS (systemd).

11.0 028 QtWebEngine Date: 2021-11-27 Severity: Critical

Twenty more CVEs (from Chromium) in QtWebEngine, most rated as High but two rated as Critical, have been fixed in the 5.15.7 version: CVE-2021-37980, CVE-2021-37979, CVE-2021-37978, CVE-2021-37975, CVE-2021-37973, CVE-2021-37972, CVE-2021-37971, CVE-2021-37968, CVE-2021-37967, CVE-2021-37962, CVE-2021-37633, CVE-2021-37630, CVE-2021-37629, CVE-2021-37628, CVE-2021-37627, CVE-2021-37626, CVE-2021-37625, CVE-2021-37618, CVE-2021-37616, CVE-2021-37613.

To fix these, patch the BLFS qtwebengine-5.15.6 tarball with qtwebengine-5.15.6-5.15.7-1.patch followed by qtwebengine-5.15.7-build_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

11.0 027 Wireshark Date: 2021-11-22 Severity: Medium

In Wireshark-3.4.10, several denial-of-service vulnerabilities were fixed, which could be exploited through dissecting certain types of packets. These denial-of-service vulnerabilities include application crashes and excessive resource consumption. This can occur when dissecting Bluetooth DHT, HCI_ISO, SDP, and DHT packets, as well as PNRP, C12.22, IEEE-802.11 (WiFi), modbus, and Internet Printing Protocol over USB (IPPUSB) packets. These vulnerabilities have been assigned CVE-2021-39929, CVE-2021-39926, CVE-2021-39925, CVE-2021-39924, CVE-2021-39922, CVE-2021-39928, CVE-2021-39921, and CVE-2021-39920.

To fix these vulnerabilities, update to Wireshark-3.4.10 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.0 026 Samba Date: 2021-11-11 Severity: Critical

In Samba-4.15.2 (and Samba-4.14.10), eight security vulnerabilities have been fixed. Several are known to be actively exploited. The details can be found in: CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, and CVE-2021-23192. Note that there are important behavior changes after the fixes are applied. Please read the advisories to see whether you are impacted.

To fix these vulnerabilities update to Samba-4.15.2 or later (or 4.14.10) using the instructions for Samba (sysv) or Samba (systemd).

11.0 025 Firefox Updated: 2021-11-02 Severity: Critical

In firefox 78.15.0 and 91.2.0, the usual 'Memory Safety bugs' with a High severity have been fixed as well as some other items. One of the High severity items has now been analyzed as Critical. These are listed in mfsa-2021-49. The items not specifically identified as for mac OS or windows are: CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, and CVE-2021-43535. The latter two were initially identified as MOZ-2021-0007 and MOZ-2021-0008 pending allocation of a CVE.

To fix these, update to firefox-91.3.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.0 024 BIND9 Date: 2021-10-27 Severity: Medium

In versions of BIND prior to 9.16.22, a security vulnerability existed that could allow for remote attackers to cause a degradation in BIND resolver performance by sending malformed packets to a server. This has to do with a feature called "lame cache", which is enabled by setting the 'lame-ttl' option in named.conf to a number greater than 0. The option is set to 600 in the default configuration, meaning that it is enabled by default. A successful attack results in the internal data structures for the lame cache growing without bound, which results in a server burning most of its CPU time on just maintaining the "lame cache", resulting in major slowdown and timeouts on client hosts. This vulnerability is exploitable remotely. To work around this, set 'lame-ttl 0' in named.conf. NOTE: Only the server is affected; you do not need to update if you are running only the client utilities. This vulnerability has been assigned CVE-2021-25219.

To fix this vulnerability, update to BIND-9.16.22 or later using the instructions for BIND (sysv) or BIND (systemd).

11.0 023 Samba Date: 2021-10-27 Severity: High

In Samba-4.15.1 (and Samba-4.14.9), a security vulnerability was fixed that could allow for an authentication bypass due to a flaw in the version of Heimdal (a Kerberos implementation) that is shipped with Samba. This allows for an authentication bypass identical to the one that can happen on Microsoft Windows installations, which was patched in December of 2020. Note that the attack complexity is rated as High, although it can be performed with no user interaction, and can only be performed over a network. This vulnerability has been assigned CVE-2020-17049.

To fix this vulnerability, update to Samba-4.15.1 or later (or 4.14.9) using the instructions for Samba (sysv) or Samba (systemd).

11.0 022 ffmpeg Date: 2021-10-27 Severity: Critical

In ffmpeg-4.4.1 (as well as 4.3.3 and 4.2.5, if you prefer to use those particular versions), 11 security vulnerabilities were fixed that could lead to remote code execution, extraction of sensitive information, and remote denial of service. These occur due to a variety of reasons, including divide-by-zero errors, buffer overflows, heap buffer overflows, memory leaks, out-of-bounds access, unchecked return values, and assertions being reached due to malicious files. All users who have ffmpeg should upgrade to the latest version of their particular branch. In the case of BLFS 11.0, that would be 4.4.1, but previous versions should upgrade to the relevant branches for that particular book to prevent problems when upgrading. These vulnerabilities have been assigned CVE-2020-20446, CVE-2020-24053, CVE-2020-22015, CVE-2020-22019, CVE-2020-22033, CVE-2020-22021, CVE-2020-22037, CVE-2021-33815, CVE-2021-38114, CVE-2021-38171, and CVE-2021-38291.

To fix these vulnerabilities, update to ffmpeg-4.4.1 or later (or 4.3.3/4.2.5) using the instructions for ffmpeg (sysv) or ffmpeg (systemd).

11.0 021 Exiv2 Date: 2021-10-27 Severity: Medium

In exiv2-0.27.5, a total of six denial-of-service security vulnerabilities were fixed. Four of these are in libexiv2, while the other two are in the exiv2 command line utility. These vulnerabilities happen due to a variety of reasons, but they mostly occur due to null-pointer dereferences, out-of-memory crashes, infinite loop bugs, integer divide by zero, and out-of-bounds reads. These vulnerabilities pose no threat other than crashing programs. Because of this, only three of these vulnerabilities were assigned CVEs, while the other three were just mentioned as being security related bugfixes. These vulnerabilities have been assigned CVE-2021-37620, CVE-2021-37621, and CVE-2021-37618.

To fix these vulnerabilities, update to exiv2-0.27.5 or later using the instructions for Exiv2 (sysv) or Exiv2 (systemd).

11.0 020 PHP Date: 2021-10-27 Severity: Critical

In PHP-8.0.12 and PHP-7.4.25, a security vulnerability was fixed that allows for privilege escalation (to root) when using the PHP FastCGI Process Manager (FPM) in its default configuration. In this case, a remote attacker can execute code on your server as the root process or escalate to root through Apache HTTPD due to a memory access problem in PHP FPM. This vulnerability has existed for the last 10 years, and there is a proof-of-concept and a demo exploit available. If you have php-fpm installed on your system and have the daemon started/enabled, you should update as soon as possible. This vulnerability has been assigned CVE-2021-21703.

To fix this vulnerability, update to php-8.0.12 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 019 Thunderbird Date: 2021-10-21 Severity: Critical

In Thunderbird-91.2.0, several security vulnerabilities were fixed. These vulnerabilities include a downgrade attack on SMTP STARTTLS connections (which could allow for encryption to be downgraded to plaintext and emails to be snooped over the wire), as well as potentially exploitable crashes, memory leaks, and memory corruption. Upgrading to this version of Thunderbird is recommended as soon as possible due to the SMTP STARTTLS downgrade attack. These vulnerabilities have been assigned CVE-2021-38502, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810, CVE-2021-38500, and CVE-2021-38501.

To fix these vulnerabilities, update to Thunderbird-91.2.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 018 Seamonkey Date: 2021-10-21 Severity: High

In Seamonkey-2.53.9.1, a memory safety bug that was present in Firefox was fixed. This memory safety bug is the same bug that was fixed in Firefox-78.14.0. The Mozilla developers believe that this vulnerability may be exploited to allow remote code execution, and updating is suggested. This vulnerability has been assigned CVE-2021-38493.

To fix this vulnerability, update to Seamonkey-2.53.9.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.0 017 Samba Date: 2021-10-20 Severity: Medium

In Samba-4.17.0, a security vulnerability was fixed that could allow for a remote attacker to crash the Samba server process if the Active Directory Domain Controller was configured. This can occur due to a request to the Key Distribution Controller omitting the server name in the request. Since this is a recoverable Denial-Of-Service, a specific version of Samba was not created for this. This vulnerability only affects LFS users if they are configuring their Samba server to run as a domain controller in an Active Directory environment, and if they are using Heimdal (the internal) KDC instead of the MIT Kerberos KDC. This vulnerability has been assigned CVE-2021-3671.

To fix this vulnerability, update to Samba-4.15.0 or later using the instructions for Samba (sysv) or Samba (systemd).

11.0 016 MIT Kerberos V5 Date: 2021-10-18 Severity: Medium

In MIT Kerberos V5 1.18.2, a security vulnerability exists that can allow a remote attacker to crash the Key Distribution Center via a specially crafted packet. The official description is a NULL pointer dereference. It occurs when a packet is sent with a FAST inner body which lacks a server field. The only threat caused by this vulnerability is one to system availability, however the Samba 4.15.0 release notes suggested that users update to a version that is not affected by the bug. This vulnerability has been assigned CVE-2021-37750.

To fix this vulnerability, rebuild KRB5 using the sed in the BLFS Development Books by using the instructions for MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd), or update to a newer version when available.

11.0 015 VIM (LFS and BLFS) Date: 2021-10-18 Severity: High

In vim-8.2.3508, three security vulnerabilities were fixed. These vulnerabilities could lead to crashes and arbitrary code execution when VIM processes crafted XML source code files. These vulnerabilities can also be exploited when processing UTF-8 encoded files due to hidden characters, or when running nv_replace(). All three of these issues have been rated as High by the NVD. More information can be found in the oss-security posting. These vulnerabilities have been assigned CVE-2021-3770, CVE-2021-3778, and CVE-2021-3796.

To fix these vulnerabilities, update to vim-8.2.3508 or later using the instructions for vim (sysv) or vim (systemd).

11.0 014 Node.js Date: 2021-10-13 Severity: Medium

In node.js-14.18.1, two HTTP Request Smuggling vulnerabilities were fixed. Initial details are at node.js/news. These vulnerabilities have been assigned CVE-2021-22959 and CVE-2021-22960.

To fix these vulnerabilities, update to Node.js-14.18.1 or later using the instructions for node.js (sysv) or node.js (systemd).

11.0 013 Apache HTTPD Date: 2021-10-12 Severity: Critical

New vulnerabilities were found in apache 2.4.49, and it was then discovered that the fix in 2.4.50 was incomplete, resulting in a further CVE, see apache. This CVE is known to be exploited in the wild and is trivial to exploit, and allows for remote code execution with a simple HTTP request via cURL. This gives two vulnerabilities identified as critical although not in the default configuration (see the link above), and one which could be used to DoS the server with a specially crafted request: CVE-2021-42013, CVE-2021-41773, CVE-2021-41524.

To fix this, upgrade to Apache-2.4.51 or later using the instructions for Apache (sysv) or Apache (systemd).

11.0 012 Firefox Updated: 2021-11-02 Severity: Critical

In firefox 78.15.0 and 91.2.0, the usual 'Memory Safety bugs' with a High severity have been fixed as well as some other CVEs to which mozilla gives a lower severity, but one of these has now been rated as Critical by NVD. These are listed in mfsa-2021-44 and mfsa-2021-45. One of these is for the rust crossbeam-deque package, rated as moderate severity by mozilla but now rated as Critical by NVD: CVE-2021-32810. The rest are not yet public, except in the mozilla advisories: CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501.

To fix these update to firefox-91.2.0esr or later : Firefox (sysv) or Firefox (systemd). (Firefox-78 is now End of Life.)

11.0 011 Fetchmail Date: 2021-09-23 Severity: Medium

In fetchmail before version 6.4.22, on IMAP connections without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, if the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. It is recommended to use '--ssl' or the ssl user option in an rcfile. Those were added to BLFS-11.0 in a note just before the release, the BLFS editors believe that using those removes the problem and in that case no update is necessary. The vulnerability has been assigned CVE-2021-39272.

In other cases, update to Fetchmail-6.4.22 or later using the instructions for Fetchmail (sysv), or Fetchmail (systemd).

11.0 010 WebKitGTK+ Updated: 2021-10-26 Severity: Critical

In WebKitGTK+-2.34.0, a critical 0day security vulnerability was fixed that allows for attackers to silently execute arbitrary code via maliciously crafted web content. In some cases, this may include advertisements embedded on normal web pages. There have been several reports over the past couple of days of this vulnerability being exploited in the wild to silently install malware on various Apple devices, and WebKitGTK+ is impacted because it uses Apple's WebKit. This vulnerability was fixed with improved memory management, and updating to the latest WebKit should be done without any delay due to it being actively exploited through advertisements on many web pages and through other means, such as malicious JPEG and PNG images. Exploitation is possible through the Epiphany web browser and through malicious emails in Evolution or Balsa. The vulnerability has been named "FORCEDENTRY". This vulnerability has been assigned CVE-2021-30858, and additional information is available at United States Cybersecurity and Infrastructure Security Agency Advisory and Apple Security Advisory.

On October 26th, 2021, the LFS project became aware of additional vulnerabilities that were fixed in this version. These are primarily memory corruption vulnerabilities that lead to code execution. They have been assigned CVE-2021-30846, CVE-2021-30848, CVE-2021-30849, and CVE-2021-30851.

To fix this security vulnerability, update to WebKitGTK+-2.34.1 or later using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

11.0 009 libexif Date: 2021-09-22 Severity: Moderate

In libexif before 0.6.23, four security vulnerabilities existed that could allow for denial of service and arbitrary code execution. Two of these were fixed by a patch for libexif in BLFS 10.1. The two new vulnerabilities have not been assigned CVEs, as they were found by automated testing. The two previous vulnerabilities have been assigned CVE-2020-0198 and CVE-2020-0452.

To fix these new vulnerabilities, update to libexif-0.6.23 or later using the instructions for libexif (sysv) or libexif (systemd).

11.0 008 cURL Date: 2021-09-22 Severity: High

In cURL before 7.79.0, three security vulnerabilities exist that could allow for a denial of service, a security protocol downgrade (leading to disclosure of information that should have been encrypted), and malicious data injection. The denial of service occurs when sending data to an MQTT server over the MQTT protocol, and that protocol is built into cURL by default. The protocol downgrade affects POP3, FTP, and IMAP connections and occurs when a malicious server (or man-in-the-middle attacker) sends a properly crafted, legitimate-looking response: cURL then silently continues its operations without encryption, contrary to the instructions passed to it as well as general expectations. The data injection happens when using STARTTLS with IMAP, POP3, SMTP, or FTP: multiple responses can be received before STARTTLS upgrades the connection to TLS, and cURL would process these out of its buffer and trust them instead of processing (and verifying) only what arrives after the TLS handshake. This allows man-in-the-middle attackers to inject fake responses and trick cURL into sending malicious (or fake) data back to the user. These vulnerabilities have been assigned CVE-2021-22945, CVE-2021-22946, and CVE-2021-22947.

To fix these vulnerabilities, update to cURL-7.79.0 or later using the instructions for cURL (sysv) or cURL (systemd).
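The Fetchmail item (11.0 011) and the cURL downgrade and injection items above are the same class of bug: a client that was told TLS is mandatory must refuse any server behaviour that would leave it in cleartext (a PREAUTH greeting, a refused STARTTLS), and must throw away whatever the server pushed into its receive buffer before the handshake rather than read it back later as if it had come over TLS. The following is an added example, not code from fetchmail or curl: a minimal IMAP client state machine talking to a scripted in-memory peer, with the flush-before-TLS step switchable so the pre-fix behaviour can be reproduced. The server scripts are constructed; the TLS handshake itself is not performed, the point is what happens to the bytes around it.

```python
from dataclasses import dataclass, field


class CleartextDowngrade(Exception):
    """The peer tried to steer a TLS-required session into cleartext."""


@dataclass
class FakeServer:
    """Scripted peer standing in for the socket: 'chunks' is what the server
    writes, in the order the client reads it. Packing extra lines into the
    STARTTLS reply chunk reproduces the pipelined-injection attack."""
    chunks: list
    sent: list = field(default_factory=list)

    def send(self, data: bytes) -> None:
        self.sent.append(data)

    def recv(self) -> bytes:
        return self.chunks.pop(0) if self.chunks else b""


class ImapClient:
    def __init__(self, server, require_tls=True, flush_before_tls=True):
        self.server = server
        self.require_tls = require_tls
        # flush_before_tls=False reproduces the pre-fix behaviour: bytes that
        # arrived in cleartext stay buffered and are read back "over TLS".
        self.flush_before_tls = flush_before_tls
        self.buf = b""
        self.encrypted = False

    def readline(self) -> bytes:
        while b"\r\n" not in self.buf:
            chunk = self.server.recv()
            if not chunk:
                raise ConnectionError("peer closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def command(self, tag: bytes, cmd: bytes) -> tuple:
        """Send one tagged command; return (tagged reply, untagged lines before it)."""
        self.server.send(tag + b" " + cmd + b"\r\n")
        untagged = []
        while True:
            line = self.readline()
            if line.startswith(tag + b" "):
                return line, untagged
            untagged.append(line)

    def connect(self) -> None:
        greeting = self.readline()
        if greeting.startswith(b"* PREAUTH"):
            # "Already authenticated, skip LOGIN": there is no STARTTLS step
            # left to reach, so a TLS-required session must stop here instead
            # of carrying on in cleartext.
            if self.require_tls:
                raise CleartextDowngrade("PREAUTH greeting on a TLS-required session")
            return
        reply, _ = self.command(b"a001", b"STARTTLS")
        if not reply.startswith(b"a001 OK"):
            if self.require_tls:
                raise CleartextDowngrade("STARTTLS refused: " + reply.decode("ascii", "replace"))
            return
        # The TLS handshake would run here. Anything still in self.buf was
        # received before it, in cleartext, and is not covered by it.
        if self.flush_before_tls:
            self.buf = b""
        self.encrypted = True

    def capabilities(self) -> list:
        """Server lines the client will act on as post-handshake (trusted) data."""
        _, untagged = self.command(b"a002", b"CAPABILITY")
        return untagged


# Constructed server scripts. The last chunk is what a real server would send
# only after the handshake; here it is simply the next chunk the client reads.
HONEST = [
    b"* OK IMAP4rev1 ready\r\n",
    b"a001 OK Begin TLS negotiation now\r\n",
    b"* CAPABILITY IMAP4rev1\r\na002 OK done\r\n",
]
PREAUTH_ATTACK = [b"* PREAUTH welcome\r\n"]
STARTTLS_REFUSED = [b"* OK IMAP4rev1 ready\r\n", b"a001 NO STARTTLS unavailable\r\n"]
PIPELINE_ATTACK = [
    b"* OK IMAP4rev1 ready\r\n",
    # tagged OK followed, in the same cleartext write, by a forged reply to
    # the client's *next* command
    b"a001 OK Begin TLS negotiation now\r\n* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\na002 OK injected\r\n",
    b"* CAPABILITY IMAP4rev1\r\na002 OK done\r\n",
]


def run_session(chunks, **opts) -> list:
    client = ImapClient(FakeServer(list(chunks)), **opts)
    client.connect()
    return client.capabilities()


def downgrade_refused(chunks) -> bool:
    try:
        run_session(chunks)
    except CleartextDowngrade:
        return True
    return False
```

With `flush_before_tls=False` the PIPELINE_ATTACK script makes the client act on the forged capability line and never read the genuine one; with the flush in place it gets the genuine line. Real clients read from a socket in arbitrary-sized chunks, so "discard the buffer at the moment of the upgrade" is the only robust rule; checking that the OK reply was the last line in a chunk is not.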

11.0 007 Python (LFS and BLFS) Date: 2021-09-22 Severity: Moderate

In Python3 before 3.9.7, three security vulnerabilities exist that could result in crashes, performance impacts, and command injection when using Python's smtplib module. The performance impact can be triggered with malicious .pyc files compiled from wheels. The crash could result when creating Temporary Directories via tempfile.mktemp(), and the command injection was fixed by rejecting \r and \n in the commands and arguments that smtplib sends (a CRLF injection). More information for these security vulnerabilities can be found at bpo-42278, bpo-41180, and bpo-43124.

To fix these vulnerabilities, update to Python-3.9.7 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).
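The smtplib fix is worth seeing on the wire, because the injection needs nothing more than a CR LF inside a value that ends up in an SMTP command. The following is an added example, not the smtplib source: two versions of the command builder, one in the shape of the old behaviour and one with the check that putcmd() gained, plus a helper that splits the bytes the way the server reads them. The hostile recipient string is constructed.

```python
import re

_NEWLINE = re.compile(r"[\r\n]")


def putcmd_unsafe(cmd: str, args: str = "") -> bytes:
    """Shape of the pre-3.9.7 behaviour: join the pieces and terminate the line."""
    line = f"{cmd} {args}" if args else cmd
    return (line + "\r\n").encode("ascii")


def putcmd(cmd: str, args: str = "") -> bytes:
    """Hardened form: refuse a command or argument containing CR or LF, since
    either ends the current line on the wire and starts a second,
    attacker-chosen SMTP command."""
    if _NEWLINE.search(cmd) or _NEWLINE.search(args):
        raise ValueError("command and arguments contain prohibited newline characters")
    return putcmd_unsafe(cmd, args)


def commands_on_wire(wire: bytes) -> list:
    """How the SMTP server sees the bytes: one command per CRLF-terminated line."""
    return [l.decode("ascii") for l in wire.split(b"\r\n") if l]


# Constructed: a recipient taken from untrusted input, with an embedded CRLF
# that smuggles an extra RCPT TO for an attacker-chosen mailbox.
HOSTILE_RCPT = "victim@example.com>\r\nRCPT TO:<attacker@evil.example"


def demo() -> dict:
    """Show what reaches the server from each builder for the hostile recipient."""
    leaked = commands_on_wire(putcmd_unsafe("RCPT", f"TO:<{HOSTILE_RCPT}>"))
    try:
        putcmd("RCPT", f"TO:<{HOSTILE_RCPT}>")
        blocked = False
    except ValueError:
        blocked = True
    return {"unsafe_commands": leaked, "hardened_rejects": blocked}
```

The same rule applies to any line-oriented protocol client (POP3, IMAP, FTP, HTTP headers): validate at the point where a value is placed into a command, not only at the point where it was read in.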

11.0 006 Apache HTTPD Updated: 2021-12-13 Severity: Critical

Several vulnerabilities in the Apache web server have been found, one of which is rated high: CVE-2021-40438. A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Additional vulnerabilities include content spoofing, cache poisoning, denial-of-service, and buffer overflows. These vulnerabilities have been assigned CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, and CVE-2021-39275.

To fix this upgrade to Apache-2.4.51 or later: Apache (sysv) or Apache (systemd).

11.0 005 Ghostscript Date: 2021-09-10 Severity: Critical

A vulnerability in the ghostscript library libgs.so which allows arbitrary code execution, for example by invoking the convert program from ImageMagick on a user-supplied image file, was announced in August with a public PoC provided. This was initially reported as applying to version 9.50. It has now been reported upstream and determined to apply to all current versions from 9.50 onwards. Upstream have applied a fix and are now preparing for a new release (expected later this month). The public details can now be seen at bug 704342. This vulnerability has been assigned CVE-2021-3781.

To fix this use ghostscript-9.54 with the ghostscript-9.54.0-upstream_fix-2.patch from the released book, or upgrade to ghostscript-9.55.0 using the instructions for Ghostscript (sysv) or Ghostscript (systemd).

11.0 004 Thunderbird Date: 2021-09-10 Severity: High

In thunderbird 91.1.0, a Memory Safety bug with a High severity has been fixed. See mfsa-2021-41. This vulnerability has been assigned CVE-2021-38495.

To fix this, update to thunderbird-91.1.0 or later: Thunderbird (sysv) or Thunderbird (systemd).

11.0 003 SANE Date: 2021-09-08 Severity: Medium

In sane-backends-1.0.32, several security vulnerabilities were fixed with Epson scanners, and also in the magicolor backend and the TCP (Network) scanning backend. These can result in a malicious scanner residing on the same network as the victim causing a denial of service (application crash). With the Epson scanner backend, it's also possible for a malicious Epson scanner to read important information from applications that use SANE (such as the ASLR offsets of the program), or to execute arbitrary code whenever a program, such as GIMP, queries the scanner for basic information. If you have an Epson scanner on your network or connected directly to your computer, upgrading SANE is suggested. These vulnerabilities have been assigned CVE-2020-12867, CVE-2020-12862, CVE-2020-12863, CVE-2020-12865, CVE-2020-12866, CVE-2020-12861, and CVE-2020-12864.

To fix these vulnerabilities, update to sane-backends-1.0.32 or later using the instructions for SANE (sysv), or SANE (systemd).

11.0 002 Firefox Updated: 2021-11-02 Severity: High

In firefox 78.14.0 and 91.1.0, the usual 'Memory Safety bugs' with a High severity have been fixed. However, the advisory for 91.1.0 mfsa-2021-40 appears to have a typo (it says CVE-2021-38495), the corresponding advisories for 78.14.0 mfsa-2021-39 and for 92.0 (which has an additional CVE fix) mfsa-2021-38 are clear that the item is CVE-2021-38493. The details for CVE-2021-38493 can be found here: CVE-2021-38493.

To fix these update to firefox-91.1.0esr or later (firefox-78 is now End of Life). Firefox (sysv) or Firefox (systemd).

11.0 001 Node.js Date: 2021-09-07 Severity: High

In node.js-14.17.6, five security vulnerabilities were fixed that could lead to arbitrary file creation/overwrite (due to insufficient symlink protection) and arbitrary code execution. When using the Arborist module, extracting the package into a node_modules folder that contains a symbolic link will result in files being written to any location on the filesystem. The node-tar module was also affected by a symbolic link attack that could allow symlinks in a tarball to escape into the filesystem and overwrite (or create) files in attacker-controlled locations. Both node-tar and Arborist are included with Node.js. These vulnerabilities have been assigned CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135.

To fix these vulnerabilities, update to Node.js-14.17.6 or later using the instructions for node.js (sysv) or node.js (systemd).

Items between the releases of the 10.1 and 11.0 books

10.1 106 (LFS) GLIBC Date: 2022-03-01 Severity: Critical

On reviewing the vulnerabilities fixed in glibc-2.35 it became apparent that these, and one earlier vulnerability the editors had not been aware of, applied to glibc-2.33 as used in LFS-10.1. Details are at CVE-2021-33574, CVE-2021-38604 (originally fixed in LFS by a sed, which is now insufficient with the other fixes), CVE-2021-3998 (not yet public), CVE-2021-3999 (not yet public), CVE-2022-23218 and CVE-2022-23219.

If you are still using an LFS glibc-2.33 system, fix these by following the instructions in glibc-2.33-security_fixes-1.patch.

10.1 105 ntfs-3g Date: 2021-08-31 Severity: Critical

ntfs-3g-2021.8.22 includes several security fixes for buffer overflows when reading NTFS metadata. These vulnerabilities allow attackers using a maliciously crafted NTFS image (or external storage, such as a USB external hard drive) to potentially execute arbitrary code with the privileges of the ntfs-3g process, which is root when the binary is installed setuid to allow mounting by unprivileged users. This can be exploited by plugging an affected drive into a USB port, and can be exploited automatically when filesystems are automounted in desktop environments, or manually by mounting the filesystem normally. These vulnerabilities exist due to insufficient validation of NTFS metadata. The developers of ntfs-3g suggest updating as soon as possible. These vulnerabilities have been assigned CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-35266, CVE-2021-33287, CVE-2021-33267, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, and CVE-2021-39263 (21 total). Additional details can be found at NTFS3G-SA-2021-001.

To fix these vulnerabilities, update to ntfs-3g-2021.8.22 or later using the instructions for ntfs-3g (sysv) or ntfs-3g (systemd).

10.1 104 Seamonkey Date: 2021-08-29 Severity: High

The fixes from firefox-78.13.0 are understood to be included in seamonkey-2.53.9. For details see CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988, CVE-2021-29989.

To fix these, update to Seamonkey-2.53.9 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 103 QtWebEngine Date: 2021-08-29 Severity: High

Many more CVEs (from Chromium) in QtWebEngine, most rated as High, have been fixed in the 5.15.6 version: CVE-2021-30604, CVE-2021-30603, CVE-2021-30602, CVE-2021-30599, CVE-2021-30598, CVE-2021-30588, CVE-2021-30587, CVE-2021-30585 (the backport to fix this mentions that it applies to linux, not just windows), CVE-2021-30573, CVE-2021-30569, CVE-2021-30568, CVE-2021-30563, CVE-2021-30560, CVE-2021-30559, CVE-2021-30556, CVE-2021-30554, CVE-2021-30553, CVE-2021-30551, CVE-2021-30548, CVE-2021-30547, CVE-2021-30544, CVE-2021-30541, CVE-2021-30536, CVE-2021-30535, CVE-2021-30534, CVE-2021-30533, CVE-2021-30530, CVE-2021-30523, CVE-2021-30522. To fix these, update to the BLFS 5.15.6 tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-5.15.6-upstream_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 102 APR Date: 2021-08-26 Severity: High

In apr-1.7.0, a security vulnerability exists due to a regression in the APR source repository: an out of bounds array read in the apr_time_exp*() functions was fixed in apr-1.6.3 back in 2017, but the fix was not carried over to the 1.7.x branch, so the 2017 vulnerability is present again in apr-1.7.0. It is easy to trigger by passing a month value larger than 12 (the index into a twelve-entry month-name table) to the apr_time_exp*() functions. The original issue was CVE-2017-12613; this reappearance has a new identifier, CVE-2021-35940. BLFS fixes APR with a sed.

To fix this, apply the sed in the APR page and rebuild APR using the instructions for Apr (sysv), or Apr (systemd).

10.1 101 libgcrypt Date: 2021-08-26 Severity: High

libgcrypt-1.9.4 has fixed a security vulnerability in the Elgamal encryption implementation that allows for denial of service and decryption of data via a side-channel attack. The vulnerability was originally introduced in 2000. A paper has been written on this vulnerability, and the developers recommend updating to libgcrypt-1.9.4 as soon as possible, as any version after the year 1999 is affected by this vulnerability. This vulnerability has been assigned CVE-2021-33560.

To fix this, update to libgcrypt-1.9.4 or later using the instructions for libgcrypt (sysv), or libgcrypt (systemd).

10.1 100 Libarchive Date: 2021-08-26 Severity: Medium

Three vulnerabilities about symlink handling in libarchive-3.5.1 and earlier releases have been discovered. These are exploitable with malicious archives containing symlinks, and can be exploited to overwrite file contents, flags, and ACL entries. No CVE numbers are assigned for those issues yet. Details at the upstream bug report, another upstream bug report, and the commit message.

To fix this, update to libarchive-3.5.2 or later using the instructions for libarchive (sysv) or libarchive (systemd).
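Both the Node.js item (11.0 001) above and this libarchive item come down to the same extraction rule: never write an entry through a symlink, and never let a link target or an entry name resolve outside the extraction directory. The following is an added example, not code from node-tar, Arborist or libarchive: a tar extractor in Python that applies those checks, run against three archives constructed in memory (a benign package with an in-tree relative link, a package whose link escapes the tree, and one whose link stays in the tree but redirects a later entry somewhere other than its name says). It assumes a Unix host where the current user may create symlinks in a temporary directory.

```python
import io
import os
import tarfile
import tempfile


def _build_tar(entries) -> bytes:
    """Build a small archive in memory. entries: (name, linkname, data);
    a linkname makes a symlink entry, otherwise a regular file holding data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname, data in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives.
BENIGN_TAR = _build_tar([
    ("pkg/package.json", None, b'{"name": "pkg"}\n'),
    ("pkg/bin/cli", "../lib/cli.js", None),          # relative link that stays inside
    ("pkg/lib/cli.js", None, b"console.log('ok')\n"),
])
# Symlink pointing above the extraction directory, then a file written through it.
ESCAPE_TAR = _build_tar([
    ("pkg/lib", "../../outside", None),
    ("pkg/lib/payload.txt", None, b"landed outside node_modules\n"),
])
# Link stays inside the tree, but a later entry's path runs through it, so the
# file would land in a sibling package rather than where its name says.
THROUGH_LINK_TAR = _build_tar([
    ("pkg/lib", "../other-pkg", None),
    ("pkg/lib/index.js", None, b"overwrites other-pkg/index.js\n"),
])


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract into dest, refusing any entry that (a) lexically escapes dest,
    (b) would be written through a symlink created earlier in the tree, or
    (c) is a link whose target resolves outside dest. Returns the names
    written. An extractor without these checks follows the links, which is
    the bug the node-tar and libarchive advisories describe."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            lexical = os.path.normpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, lexical]) != dest:
                raise ValueError(f"{m.name}: escapes the extraction directory")
            # realpath() follows links already on disk; a difference means the
            # entry's path passes through one of them.
            if os.path.realpath(lexical) != lexical:
                raise ValueError(f"{m.name}: path passes through a symlink")
            if m.issym() or m.islnk():
                base = dest if m.islnk() else os.path.dirname(lexical)
                target = os.path.realpath(os.path.join(base, m.linkname))
                if os.path.commonpath([dest, target]) != dest:
                    raise ValueError(f"{m.name}: link target {m.linkname!r} leaves the tree")
            tar.extract(m, dest)
            written.append(m.name)
    return written


def demo() -> dict:
    """Run each sample into a fresh node_modules directory; report the outcome
    and whether anything appeared beside node_modules."""
    results = {}
    for label, blob in (("benign", BENIGN_TAR), ("escape", ESCAPE_TAR),
                        ("through_link", THROUGH_LINK_TAR)):
        with tempfile.TemporaryDirectory() as top:
            node_modules = os.path.join(top, "node_modules")
            os.mkdir(node_modules)
            try:
                results[label] = safe_extract(blob, node_modules)
            except ValueError as exc:
                results[label] = f"rejected: {exc}"
            results[label + "_stray"] = os.listdir(top) != ["node_modules"]
    return results
```

Check (b) is the one most extractors miss: the link in THROUGH_LINK_TAR points inside the tree, so a target-only check passes it, yet the next entry is silently redirected. Resolving each entry against the tree as it exists on disk at that moment catches it regardless of entry order.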

10.1 099 (LFS) OpenSSL Date: 2021-08-25 Severity: High

Two vulnerabilities in OpenSSL-1.1.1k and earlier releases have been discovered. These are exploitable with malicious inputs and can be used to crash programs linked to OpenSSL. CVE-2021-3711 and CVE-2021-3712 have been assigned, details at CVE-2021-3711 and CVE-2021-3712.

To fix this, update to OpenSSL-1.1.1l or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd).

10.1 098 (LFS) GLIBC Date: 2021-08-24 Severity: High

A vulnerability in the released version of glibc-2.34 has been discovered. This is remotely exploitable and can be used to crash programs linked to glibc. CVE-2021-38604 has been assigned, details at tuxcare and CVE-2021-38604.

In the development book this unfixed vulnerability existed between 2021-08-02 and 2021-08-20, it was also in LFS-11.0-rc1. It has been fixed with a sed in the chapter 8 glibc build.

There is a test file at https://www.linuxfromscratch.org/~xry111/glibc-28213.c : compile that with 'gcc glibc-28213.c -o glibc-28213 -lrt' and run it. If that segfaults, your system is vulnerable.

Some people will be happy to discard the vulnerable system and start over, but the system can be fixed. It is necessary to rebuild glibc, but because the API and ABI have not changed, only the following three files need to be updated: libc.a, libc.so.6, and libc.so.6.dbg (if you did strip the debug symbols).

If you update these files, you should reboot as soon as possible afterwards. The system will not shut down cleanly. After rebooting, recompile and rerun the test program to confirm it now ends normally.

If you are going to fix the existing system, make a usable backup before you start (and check it can be applied in case things go wrong).

One approach is to make a fresh LFS build to the end of chapter 8 using the modified instructions, then copy those 3 files to the running system.

A more adventurous approach is to rebuild (only) glibc in the running system, using the modified instructions. But instead of installing it make a DESTDIR install followed by stripping and installing only those libraries (watch for any error messages)

[code]
# Stage the rebuilt glibc instead of installing it over the running system
make DESTDIR=/tmp/GLIBC install
cd /tmp/GLIBC/usr/lib
# Split off the debug symbols, strip the library, then install only the
# files that changed: libc.so.6 and its .dbg file, then libc.a
for LIB in libc.so.6 ; do
    objcopy --only-keep-debug $LIB $LIB.dbg
    cp $LIB /tmp/$LIB
    strip --strip-unneeded /tmp/$LIB
    objcopy --add-gnu-debuglink=$LIB.dbg /tmp/$LIB
    install -vm755 /tmp/$LIB /usr/lib
    rm /tmp/$LIB
    install -vm755 $LIB.dbg /usr/lib
done
install -vm644 libc.a /usr/lib
[/code]

10.1 097 BIND9 Date: 2021-08-19 Severity: High

In BIND-9.16.20, a security vulnerability was fixed that could allow for a trivial-to-exploit remotely-exploitable crash of the BIND DNS server to occur. This is due to an assertion check which is too strict, and gets triggered when responses in BIND 9.16.19 require UDP fragmentation if RRL is in use. Note that this only affects BIND server, not the utilities. This vulnerability has been assigned CVE-2021-25218.

To fix this, update to BIND-9.16.20 or later using the instructions for BIND (sysv) or BIND (systemd).

10.1 096 MC Date: 2021-08-19 Severity: High

Midnight Commander (MC) version 4.8.27 fixed a security vulnerability where the SFTP filesystem layer does not verify the SSH Server Fingerprint when a SFTP connection is established. The fingerprint is calculated, but the verification step is missing. This allows for Man-In-The-Middle attacks and attacks where the hostname has changed, but the IP address has stayed the same, to occur. This could permit unauthorized access and modification of files. This vulnerability has been assigned CVE-2021-36370, but no details are available yet other than the ticket in the Midnight Commander Trac, which can be found at Ticket #4259.

To fix this, update to MC-4.8.27 or later using the instructions for MC (sysv) or MC (systemd).

10.1 095 Firefox Date: 2021-08-17 Severity: High

In firefox 91.0.1 one vulnerability rated as High was fixed, described as a header splitting attack against servers using HTTP/3. This has been allocated CVE-2021-29991 but details are not yet public. For a summary see mfsa-2021-37. Because HTTP/3 is not enabled by default in firefox before version 88, legacy firefox-78 is not affected.

To fix this, update to firefox-91.0.1esr or later : Firefox (sysv) or Firefox (systemd).

10.1 094 OpenJDK Date: 2021-08-17 Severity: High

OpenJDK-16.0.2 brought fixes for six security vulnerabilities. Three of these allow an unauthenticated attacker with network access via multiple protocols to take over the Java SE runtime environment. Two more give an unauthenticated remote attacker the ability to create, modify, or delete information inside the Java SE runtime environment, as well as on the filesystem if they have access to the Java Console. The final vulnerability is a denial of service. The OpenJDK developers suggest updating to OpenJDK-16.0.2, or to 15.0.5 when it becomes available. These vulnerabilities have been assigned CVE-2021-2388, CVE-2021-2369, CVE-2021-2432, CVE-2021-2341, CVE-2021-2161, and CVE-2021-2163.

To fix these vulnerabilities, update to OpenJDK-16.0.2 or later using the instructions for OpenJDK (sysv), or OpenJDK (systemd).

You may also use the Java binary using the instructions in Java (sysv), or Java (systemd).

10.1 093 Thunderbird Modified: 2021-08-13 Severity: Critical

Thunderbird-78.13.0 and 91.0 fixed several security vulnerabilities. One of these allows an attacker to remotely inject files, folders, and IMAP commands when a STARTTLS connection is in use. Several others are memory corruption bugs, leading to a remotely exploitable crash and/or arbitrary code execution. These vulnerabilities have been assigned CVE-2021-29969, CVE-2021-29970, CVE-2021-30547, CVE-2021-29976, CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988 and CVE-2021-29989.

To fix these vulnerabilities, update to Thunderbird-91.0 or later using the instructions for Thunderbird (sysv), or Thunderbird (systemd).

10.1 092 PostgreSQL Date: 2021-08-13 Severity: High

PostgreSQL-13.4 fixed a security vulnerability that could allow for a purpose-crafted query to read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. A workaround is to set max_worker_processes=0 inside of your PostgreSQL configuration, however undiscovered variants of the attack may run independently of that setting. It is suggested that you update your PostgreSQL instances to 13.4 as soon as possible. More information can be found at PostgreSQL 13.4 Release Announcement. This vulnerability has been assigned CVE-2021-3677.

To fix this, update to PostgreSQL-13.4 or higher using the instructions for PostgreSQL (sysv), or PostgreSQL (systemd).

10.1 091 node.js Updated: 2021-08-31 Severity: Critical

Node.js-14.17.5 fixed three vulnerabilities, one rated as critical. These have been assigned CVE-2021-22930 (full details not yet public), CVE-2021-22931 and CVE-2021-22939. See 'Node v14.17.5' Node JS News which has links to nvd.nist.gov and cve.mitre.org.

To fix these, update to Node.js-14.17.5 or later using the instructions for Node.js (sysv), or Node.js (systemd).

10.1 090 c-ares Date: 2021-08-12 Severity: Moderate

In c-ares-1.17.2, a security vulnerability was fixed that could allow for Domain Hijacking due to a lack of proper input validation of host names returned by Domain Name Servers within the c-ares library. A proof of concept was included with the security announcement. This vulnerability exists in all known versions of c-ares above 1.0.0. The developers suggest upgrading to c-ares-1.17.2 immediately. More details can be found at c-ares Security Advisory. This vulnerability has been assigned CVE-2021-3672.

To fix this, update to c-ares-1.17.2 or later using the instructions for c-ares (sysv), or c-ares (systemd).
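DNS itself allows any byte in a label, so a resolver that hands names from responses to callers expecting hostnames has to impose the hostname syntax itself, on the owner name and on the target of CNAME-style records. The following is an added example, not c-ares code: a validator for the RFC 952/1123 hostname form applied to a constructed answer section. It deliberately does not accept underscore-prefixed service names (as used by SRV records); those need their own rule, which is left out here.

```python
import re

# One DNS label as a hostname label (RFC 952/1123): letters, digits and
# hyphen, 1-63 characters, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name: str) -> bool:
    """Accept only names that are syntactically hostnames. Anything else
    (slashes, spaces, control bytes, over-long labels) is rejected before it
    can reach code that will display or compare it as a hostname."""
    name = name.rstrip(".")            # a trailing dot only marks the name absolute
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def filter_response(rrs):
    """Keep records whose owner name and, for CNAME/PTR/NS records, whose
    target name are hostnames; return (accepted, dropped)."""
    accepted, dropped = [], []
    for owner, rrtype, rdata in rrs:
        names = [owner] + ([rdata] if rrtype in ("CNAME", "PTR", "NS") else [])
        (accepted if all(is_hostname(n) for n in names) else dropped).append((owner, rrtype, rdata))
    return accepted, dropped


# Constructed answer section, as (owner, type, rdata) triples.
SAMPLE_RESPONSE = [
    ("www.example.com.", "CNAME", "cdn.example.net."),
    ("cdn.example.net.", "A", "192.0.2.10"),
    ("www.example.com.", "CNAME", "login.bank.example/.attacker.example."),   # '/' is not a hostname character
    ("www.example.com.", "CNAME", "-leading-hyphen.example."),
    ("www.example.com.", "CNAME", "a" * 64 + ".example."),                      # label too long
    ("xn--bcher-kva.example.", "A", "192.0.2.20"),                             # IDN A-label is fine
]


def dropped_targets(rrs) -> list:
    """Targets of the records the filter refused, for inspection."""
    return [r[2] for r in filter_response(rrs)[1]]
```

The filter is applied to the response, not to the question: the question name is under the application's control, while the answer names are chosen by whoever answered.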

10.1 089 Firefox Revised: 2021-11-02 Severity: High

In firefox 78.13.0 and 91.0, six vulnerabilities rated as High were fixed. For details see: CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988, CVE-2021-29989.

To fix these update to firefox-91.0esr or later : Firefox (sysv) or Firefox (systemd) or if you wish to stay on the 78esr series in the short term, update to legacy firefox-78.13.0esr or later: Firefox-legacy (sysv) or Firefox-legacy (systemd). (Firefox-78 is now End of Life).

10.1 088 JS78 Date: 2021-08-11 Severity: High (low for BLFS packages using this)

In the javascript JIT code of firefox-78.13.0 there is a fix for incorrect instruction reordering during JIT optimization, CVE-2021-29984, but details are not yet public; see the advisory for firefox-78.13.0, mfsa-2021-34. In BLFS, JS78 is used by GJS and Polkit, but neither uses JIT at the moment.

To fix this, update to JS-78.13.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.1 087 MariaDB Date: 2021-08-08 Severity: Medium

In MariaDB-10.6.4, two medium-severity security vulnerabilities were patched. Both of these vulnerabilities are difficult to exploit, and can result in a Denial Of Service. Note that successful exploitation requires MariaDB to be listening for requests over TCP/IP ports, and not via local applications. Successful exploitation can result in the ability to cause a hang or frequently repeatable crash of the MariaDB process. These vulnerabilities have been assigned CVE-2021-2389 and CVE-2021-2372.

To fix these vulnerabilities, update to MariaDB-10.6.4 or later using the instructions for MariaDB (sysv), or MariaDB (systemd).

10.1 086 MIT Kerberos V5 Date: 2021-08-08 Severity: Medium

MIT Kerberos V5 before 1.19.2 (or 1.18.4) is vulnerable to a denial of service attack due to a NULL pointer dereference, which crashes the KDC daemon. This vulnerability is remotely exploitable with no user interaction, and is caused by a return value not being properly handled in a rare situation. An unauthenticated attacker can exploit this by sending a request containing the PA-ENCRYPTED-CHALLENGE element without using FAST. If you use Kerberos as anything other than a build dependency, you should update as soon as possible. This vulnerability has been assigned CVE-2021-36222.

To fix this, update to MIT Kerberos V5 1.19.2 or later using the instructions for MIT Kerberos V5 (sysv), or MIT Kerberos V5 (systemd).

10.1 085 Fetchmail Date: 2021-07-30 Severity: Low

Fetchmail before version 6.4.20 was missing initialization of a variable, leading in some circumstances to reading from bad memory locations. This can cause it to log random information (information disclosure), or to segfault, stalling inbound mail. An attacker might be able to exploit the memory corruption to change process behaviour. This has been assigned CVE-2021-36386. Further details are at fetchmail-SA-2021-01.

To fix this, update to Fetchmail-6.4.20 or later using the instructions for Fetchmail (sysv), or Fetchmail (systemd).

10.1 084 node.js Updated: 2021-08-31 Severity: Critical

Node.js-14.17.4 fixed a use-after-free vulnerability, where an attacker might be able to exploit the memory corruption to change process behaviour. This has been assigned CVE-2021-22930 (the fix was later found to be incomplete; see the Node.js-14.17.5 item above).

To fix this, update to Node.js-14.17.4 or later using the instructions for Node.js (sysv), or Node.js (systemd).

10.1 083 WebKitGTK+ Date: 2021-07-26 Severity: Critical

WebKitGTK+-2.32.3 contained fixes for 11 security vulnerabilities. These include six arbitrary code execution vulnerabilities, two cross-site-scripting vulnerabilities, two information leak vulnerabilities, and a port scanning vulnerability. The two information leaks occur when an ImageLoader or GraphicsContext object loads image or graphics objects; specially crafted web pages can thus leak stack contents. Several of the arbitrary code execution vulnerabilities are known by Apple to be actively exploited, thus prompting a Critical rating by the BLFS team. The port scanning vulnerability allows malicious websites to access restricted ports on local machines on your network. Updating to WebKitGTK+-2.32.3 immediately is suggested if you have Epiphany, Evolution, or some other GNOME components installed. These vulnerabilities have been assigned CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749, CVE-2021-30795, CVE-2021-30797, and CVE-2021-30799.

To fix these vulnerabilities, update to WebKitGTK+-2.32.3 or later using the instructions for WebKitGTK+ (sysv), or WebKitGTK+ (systemd).

10.1 082 Seamonkey Date: 2021-07-23 Severity: High

Fixes from firefox-78.12 were included in seamonkey-2.53.8.1. Two apply to Linux builds and are rated as High, a third in ANGLE was also fixed, but that is not used for linux builds. CVEs have been assigned (CVE-2021-29970, CVE-2021-29976) but details are not yet public. mfsa-2021-29.

To fix these, update to Seamonkey-2.53.8.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High

In systemd-220 and later, a security vulnerability exists that could allow a local attacker to crash systemd, which then causes a kernel panic. systemd constantly monitors /proc/self/mountinfo, and when a mount point path longer than 8MB is discovered and parsed, systemd crashes with a segmentation fault: the parser duplicated the path with strdupa(), i.e. on the stack, and the fix uses a different, heap-based string duplication function. Reaching the bug requires mounting a filesystem at such a path, which an unprivileged user can do with FUSE, so this primarily affects systems with FUSE filesystems such as SSHFS or NTFS; however, FUSE is also used by XFCE and GNOME through GVFS, and the vulnerability can be exploited when automounting USB drives. Filesystem corruption is also possible due to the memory corruption that occurs when systemd crashes. A proof-of-concept exploit is available in the wild. The kernel must be upgraded as well, to Linux-5.10.52 or Linux-5.13.4, for the related kernel issue (see the Linux Kernel item below). Due to the merged-/usr changes, upgrading to systemd-249 (with the patch) is not advised for users of the released books; instead, patches are available for LFS 10.0 (systemd-246) and LFS 10.1 (systemd-247) that you can apply to your build tree before rebuilding systemd. This vulnerability affects all systems that run systemd-220 or higher. This vulnerability has been assigned CVE-2021-33910.

If you are running LFS git, you can update to systemd-249 with the patch using the instructions in the BLFS book for systemd (systemd). You must also upgrade your kernel to Linux-5.13.4 or later.

If you are running LFS 10.1, you can apply the patch from systemd-247-security_fixes-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52 or later.

If you are running LFS 10.0, you can apply the patch from systemd-246-security_fixes-1.patch to your build tree and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52 or later.

10.1 080 Binutils (LFS) Date: 2021-07-23 Severity: Moderate

In Binutils-2.37, four security vulnerabilities were fixed. One of these allows arbitrary filesystem access due to a race condition in ar, objcopy, strip and ranlib: when these utilities are run by a privileged user, an unprivileged user can trick them, through a symbolic link, into changing the ownership of arbitrary files on the filesystem. An additional vulnerability exists in GNU libiberty, which can result in a crash due to an infinite loop. Two more allow arbitrary code execution and memory corruption due to a stack based buffer overflow, or an out-of-bounds write; these apply to objdump and libiberty. None of these can be exploited remotely. These vulnerabilities have been assigned CVE-2021-20197, CVE-2021-3648, CVE-2021-3549, and CVE-2021-3530.

To fix these vulnerabilities, update to Binutils-2.37 or later using the instructions from the LFS book for Binutils (sysv), or Binutils (systemd).

10.1 079 cURL Date: 2021-07-23 Severity: Critical

In cURL-7.78.0, four security vulnerabilities were fixed. The first allows malicious content to be stored on disk instead of being discarded when using the metalink feature, because the downloaded data was not correctly checked against the hash in the metalink XML file. A second vulnerability in the metalink feature passes the user's login credentials, in plaintext, on to every server that cURL connects to for a metalink download. A third vulnerability is in the way cURL keeps previous connections for reuse: when deciding whether a cached connection matches a new transfer, the paths of the TLS files involved (CA bundle, client certificate and similar) were compared case insensitively, and some TLS options were not compared at all, so a connection set up with different, possibly weaker, trust settings could be reused for a transfer that asked for stricter ones; this amounts to a bypass of the certificate checks the new transfer requested, and could mean talking to a compromised server. The fourth is a TELNET stack content disclosure: the fix for CVE-2021-22898 in cURL-7.77.0 was incomplete, and stack contents, which can include keystrokes such as passwords, could still be leaked to the remote side during a TELNET session. These vulnerabilities have been assigned CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, and CVE-2021-22925.

To fix these vulnerabilities, update to cURL-7.78.0 or later using the instructions for cURL (sysv), or cURL (systemd).

10.1 078 Linux Kernel (LFS) Date: 2021-07-20 Severity: High

In Linux 5.13.3 and earlier, a vulnerability given the name 'Sequoia' can be used to gain root access via an Out of Bounds write. Details at oss-security with links to a proof of concept program to crash the system, and the promise that details of the exploit will follow. This has been assigned CVE-2021-33909.

To fix this, update to Linux 5.13.4 or later, or Linux 5.10.52 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.1 077 Wireshark Date: 2021-07-20 Severity: Low

In Wireshark before 3.4.7, a security vulnerability was present that could allow for a remote attacker to crash the Wireshark process by injecting a malformed DNP packet, or via a crafted capture file. This issue will manifest itself as a segmentation fault. This vulnerability has been assigned CVE-2021-22235.

To fix this, update to Wireshark-3.4.7 or higher using the instructions for Wireshark (sysv), or Wireshark (systemd).

10.1 076 Apache ANT Date: 2021-07-17 Severity: Moderate

In apache-ant-1.10.11, two security vulnerabilities were fixed that could lead to out-of-resource conditions when extracting ZIP or TAR files during a build process. The problem can also be triggered with JAR files. The out-of-resource condition consists of Out-Of-Memory errors. These are similar to issues in Apache Commons. These two vulnerabilities have been assigned CVE-2021-35517 and CVE-2021-36090.

To fix these, update to apache-ant-1.10.11 or later using the instructions for apache-ant (sysv), or apache-ant (systemd).

10.1 075 Firefox Date: 2021-07-13 Severity: High

In firefox 78.12.0 two vulnerabilities rated as High were fixed. A third vulnerability in ANGLE was also fixed, but that is not used for linux builds. See mfsa-2021-29. CVEs have been assigned (CVE-2021-29970, CVE-2021-29976) but details are not yet public.

To fix these, update to firefox-78.12.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 074 Ruby Date: 2021-07-09 Severity: High

In Ruby-3.0.2, three security vulnerabilities were fixed. One of these vulnerabilities allows for the Net::FTP module to connect to another IP address/port and return information about services that are otherwise private and not disclosed (basically allowing the attacker to run a port scan). This is due to invalid verification of FTP PASV responses. Another security vulnerability exists in the Net::IMAP module, where Net::IMAP does not raise an exception when a STARTTLS connection fails with an unknown response. This would allow man-in-the-middle attacks to occur, as well as bypasses of the TLS protections. The third vulnerability is rated High, and is a command injection vulnerability in the RDoc command. When using the RDoc command, if a file name starts with a pipe ("|"), and ends with a tag, the command following the pipe character will be executed. A malicious Ruby project could thus exploit it to run arbitrary commands against a user who attempts to use the RDoc command. It is recommended to update Ruby as soon as possible. These vulnerabilities have been assigned CVE-2021-31810, CVE-2021-32066, and CVE-2021-31799.

To fix these vulnerabilities, update to Ruby-3.0.2 or later using the instructions for Ruby (sysv), or Ruby (systemd).

10.1 073 libuv Date: 2021-07-09 Severity: Moderate

In libuv before 1.41.1, a security vulnerability exists that allows for information disclosure when using the punycode decoder in libuv's IDNA implementation. Several downstream applications use this library and may be affected. This is similar to the vulnerability that was fixed in Node.JS-14.17.2. The vulnerability can be triggered via both uv_getaddrinfo() and uv__idna_toascii(). This vulnerability has been assigned CVE-2021-22918.

To fix this, update to libuv-1.41.1 or later using the instructions for libuv (sysv), or libuv (systemd).

10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Moderate

In systemd before 249, a security vulnerability exists that could allow a remote attacker to reconfigure network settings on systems that use systemd-networkd without any user interaction. This happens due to an issue with the handling of DHCPRENEW packets. With specially crafted DHCPRENEW and DHCPACK packets, a remote attacker can reconfigure your network settings. Due to the merged-/usr changes, upgrading to systemd-249 for non-SVN users is not advised. As a result, patches have been made that you can apply to your build tree before rebuilding systemd. These patches have been made available for LFS 10.0 (246) and LFS 10.1 (247). This vulnerability affects all systems that use systemd-networkd and that run systemd-245 or higher (thus, LFS 9.1 is not affected). This vulnerability has been assigned CVE-2020-13529.

If you are running LFS git, you can update to systemd-249 or later using the instructions in the BLFS book for systemd (systemd).

If you are running LFS 10.1, you can apply the patch from systemd-247-security_fix-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd.

If you are running LFS 10.0, you can apply the patch from systemd-246-security_fix-1.patch to your build tree and rebuild systemd.

10.1 071 Python (LFS and BLFS) Date: 2021-07-09 Severity: Moderate

In Python3 before 3.9.6, a security vulnerability exists that could allow a remote attacker to cause resource exhaustion via the http.client module. This is due to a flaw where Python will infinitely read potential HTTP headers after a "HTTP 100 Continue" message from the server. This vulnerability has not been assigned a CVE, but more details can be found at BPO-44022.

To fix this, update to Python-3.9.6 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.1 070 node.js Date: 2021-07-09 Severity: Moderate

In Node.js-14.17.2, a security vulnerability was fixed that could lead to information disclosures or crashes on applications that use Node's dns module. The vulnerability exists in the lookup() function, and occurs due to a similar vulnerability in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This vulnerability has been assigned CVE-2021-22918.

To fix this, update to Node.js-14.17.2 or later using the instructions for Node.js (sysv), or Node.js (systemd).

10.1 069 PHP Date: 2021-07-01 Severity: Moderate

In PHP-8.0.8, two security vulnerabilities were fixed. One of them could lead to a buffer overflow and thus remote code execution when using a Firebird database, and the other could allow remote attackers to redirect servers to arbitrary URLs via an SSRF bypass in FILTER_VALIDATE_URL. These options are rather uncommon, which is why these vulnerabilities are rated as Moderate. These vulnerabilities have been assigned CVE-2021-21705 and CVE-2021-21704.

To fix these, update to PHP-8.0.8 or later using the instructions for PHP (sysv), or PHP (systemd).

10.1 068 NetworkManager Date: 2021-06-30 Severity: Moderate

In NetworkManager-1.32.2, a security vulnerability was fixed that could allow for a remote attacker to reconfigure your network information in rare circumstances. This only applies if using a plugin shipped within NetworkManager with some code borrowed from systemd-networkd to get an IP address via DHCP, which is enabled with "dhcp=systemd" in the configuration files. This option is not the default, nor mentioned by NetworkManager documentation or the BLFS book. This vulnerability has been assigned CVE-2020-13529.

If you'd like to use "dhcp=systemd" anyway, to fix this, update to NetworkManager-1.32.2 or later using the instructions for NetworkManager (sysv), or NetworkManager (systemd).

10.1 067 Seamonkey Date: 2021-06-30 Severity: Critical

Fixes from firefox-78.8.0 to 78.8.11 were included in seamonkey-2.53.8. See BLFS #15227. Updating to seamonkey-2.53.8 is highly recommended due to impacts relating to remote code execution, memory safety problems, and command injection via FTP. The following CVEs have been fixed, most of them being High or Critical: CVE-2021-29955, CVE-2021-23981, CVE-2021-23982, CVE-2021-23984, CVE-2021-23987, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-23402, CVE-2021-29945, CVE-2021-29946, CVE-2021-29951, CVE-2021-29964, and CVE-2021-29967.

To fix these, update to Seamonkey-2.53.8 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 066 Dovecot Date: 2021-06-29 Severity: High

Two security vulnerabilities were patched in Dovecot-2.3.15. One of these vulnerabilities allows path traversal which can be used as an authentication bypass via OAuth2, forcing Dovecot to accept a key from an attacker-controlled location. This occurs when Dovecot uses JWT validation with the posix filesystem driver. The other vulnerability is a STARTTLS command injection: if more commands are pipelined as plaintext after a STARTTLS connection is initiated, the commands are run as part of the TLS session. This can be used to redirect mail, passwords, and other user variables to an attacker-controlled address. These vulnerabilities have been assigned CVE-2021-29157 and CVE-2021-33515.

To fix these, update to dovecot-2.3.15 or later using the instructions for dovecot (sysv), or dovecot (systemd).

10.1 065 QtWebEngine Date: 2021-06-21 Severity: High

Several more CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-2 patch (fixes to 2021-06-02): CVE-2021-30518, CVE-2021-30516, CVE-2021-30515, CVE-2021-30513, CVE-2021-30512, CVE-2021-30510, CVE-2021-30508.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-20210401-upstream_fixes-2.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 064 Qt5 Date: 2021-06-21 Severity: Medium

An out-of-bounds read was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. This vulnerability has been assigned CVE-2021-3481, which is not yet public. For more information see RedHat CVE-2021-3481 or QTBUG-91507.

To fix this, apply the qt-everywhere-src-5.15.2-CVE-2021-3481-1.patch (or update to a later version) using the instructions at Qt5 (sysv), or Qt5 (systemd).

10.1 063 Exiv2 Date: 2021-06-19 Severity: High

In Exiv2-0.27.4, nine security vulnerabilities were fixed. These security vulnerabilities are complex to exploit, but can be exploited remotely through a web browser. Three of these vulnerabilities are arbitrary code execution vulnerabilities, another is an information disclosure vulnerability, and the others are denial of service (crash) vulnerabilities. These vulnerabilities have been assigned CVE-2021-32617, CVE-2021-29623, CVE-2021-29473, CVE-2021-29470, CVE-2021-29464, CVE-2021-29463, CVE-2021-29458, CVE-2021-29457, and CVE-2021-3482.

To fix these, update to exiv2-0.27.4 or higher using the instructions for exiv2 (sysv), or exiv2 (systemd).

10.1 062 Linux Kernel (LFS) Date: 2021-06-16 Severity: High

In Linux 5.12.10 and earlier, several security vulnerabilities existed in the Bluetooth, Xen (virtualization), and wireless networking stacks. The Bluetooth vulnerability can allow for denial of service by allowing a local user to cause a kernel panic by attaching a malicious HCI TTY Bluetooth device. The Xen vulnerability can allow the network adapter on the host system to fail due to a driver crash in the kernel. This vulnerability can be exploited through a virtual machine running on the system. The wireless stack vulnerabilities impact all cards and could allow for decryption of encrypted packets sent over Wi-Fi Protected Access (WPA/WPA2/WPA3) and Wired Equivalent Privacy (WEP) due to a protocol issue that does not require all fragments in a frame to be signed by a single key. Another vulnerability in the ath11k wireless driver can allow an attacker to inject and decrypt packets in a connection that uses WPA or WPA2 with the TKIP data-confidentiality protocol. Another vulnerability in the ath10k driver allows a remote attacker to inject arbitrary packets since the plaintext QoS header in a packet is not required to be authenticated under the WPA, WPA2, WPA3, or WEP standard. Another vulnerability in the wireless stack allows arbitrary network packets to be injected and user data to be exfiltrated regardless of whether any encryption is in place, because fragments are not cleared from memory after reconnecting to a network. These vulnerabilities have been assigned CVE-2021-3564, CVE-2021-28691, CVE-2020-24587, CVE-2020-26141, CVE-2020-24588, CVE-2020-26145, and CVE-2020-24586.

To fix these, update to Linux 5.12.10 or later (5.12 is no longer maintained), or Linux 5.10.44 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.1 061 PDFBox (FOP) Date: 2021-06-15 Severity: Medium

In Apache PDFBox-2.0.24, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-31812 and CVE-2021-31811.

To fix these, update the supplemental JAR files in fop to 2.0.24 using the instructions in fop (sysv) or fop (systemd).

10.1 060 Apache HTTPD Updated: 2021-06-15 Severity: Moderate

Seven vulnerabilities were fixed in httpd-2.4.48, of which three were rated as moderate by upstream (currently undergoing analysis at NVD): CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641 (updated 2021-06-15: first link was to an unrelated CVE, corrected).

To fix these, update to at least HTTPD-2.4.48 using the instructions for Apache (sysv) or Apache (systemd).

10.1 059 Intel Microcode Date: 2021-06-08 Severity: High

Intel microcode for Skylake and later processors has been updated to fix three vulnerabilities: a privilege escalation via Virtualization for Direct I/O, rated as High (Intel-SA-00442 / CVE-2021-24489), and two potential information disclosures by local access, rated as Medium (Intel-SA-00464 / CVE-2020-24511 and Intel-SA-00465 / CVE-2020-24513). The CVE details are not yet public.

To fix these, update to at least microcode-20210608 using the instructions for About Firmware (sysv) or About Firmware (systemd).

10.1 058 Polkit Date: 2021-06-06 Severity: High

In Polkit-0.119, a security vulnerability was fixed that can allow unprivileged users to gain root access on the system, by calling a process that uses "polkit_system_bus_name_creds_sync" too many times while polkit fails to check the returned error value correctly. This vulnerability can be used by an unprivileged local attacker to bypass authorization and escalate privileges up to the root user. This affects polkit back to 0.113. This vulnerability has been assigned CVE-2021-3560.

To fix this, update to Polkit-0.119 or later using the instructions for Polkit (sysv) or Polkit (systemd).

10.1 057 Wireshark Date: 2021-06-06 Severity: Low

In Wireshark-3.4.6, a security vulnerability was fixed that could allow a malformed DVB-S2-BB packet to cause a denial of service due to excessive CPU resource consumption. This is due to an infinite loop. There is no CVE for this vulnerability, but the information can be found under "Security Advisories" on the Wireshark website. More details can be found at wnpa-sec-2021-05.

To fix this, update to Wireshark-3.4.6 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.1 056 Thunderbird Date: 2021-06-06 Severity: High

In Thunderbird-78.11.0, a security vulnerability was fixed that was rated as High. This security vulnerability pertains to several memory safety issues that were addressed by the Mozilla developers. More details can be found at mfsa2021-26. This security vulnerability has been assigned CVE-2021-29967.

To fix this, update to Thunderbird-78.11.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.1 055 Firefox Date: 2021-06-01 Severity: High

In firefox 78.11.0 two vulnerabilities were fixed, one rated as High. See mfsa2021-24. CVEs have been assigned (CVE-2021-29964, CVE-2021-29967) but details are not yet public.

To fix these, update to firefox-78.11.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 054 Linux Kernel (LFS) Updated: 2021-03-31 Severity: High

In Linux 5.12.7 and all earlier kernels back to 2.6.12 a "confused deputy" weakness exists, which makes it possible to trick another process (which may have different credentials) to write to its own /proc/$pid/attr/ files, leading to unexpected and possibly exploitable behaviors. Further details in the links at Linux-Confused-Deputy-2.6.12.

To fix this, update to Linux 5.12.8 or later (or Linux 5.10.41 or later if you prefer to stick with 5.10.y, or for old systems Linux 5.4.123 or later) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). Note that since August linux-5.12 kernels are no longer maintained.

10.1 053 ISC DHCP Date: 2021-05-29 Severity: High

ISC DHCP (dhclient and dhcpd) before 4.4.2-P1 is affected by a vulnerability that allows for DHCP leases to be improperly deleted, or for the DHCP client and server services to be terminated improperly. This is due to a buffer overrun, and may be exploited remotely to allow for a denial of service (network outage) or for improper DHCP leases to be issued. No user interaction is required. If you use dhclient or dhcpd, it is highly recommended that you update as soon as possible. This vulnerability has been assigned CVE-2021-25217.

To fix this, update to DHCP-4.4.2-P1 or later using the instructions for DHCP (sysv) or DHCP (systemd).

10.1 052 Expat Date: 2021-05-29 Severity: Medium

Expat before 2.4.0 is vulnerable to Denial of Service ('billion laughs') attacks. The vulnerability was initially reported for versions up to 2.1, but protection has been strengthened in the 2.4.0 release: see blog.hartwork.org, and CVE-2013-03405.

To fix this, update to Expat-2.4.1 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

10.1 051 cURL Date: 2021-05-26 Severity: Critical

In cURL-7.77.0, three security vulnerabilities were fixed. The first one only applies to Windows systems and is therefore irrelevant to LFS. The second vulnerability allows the stack to be disclosed to a remote attacker while a TELNET session is in progress. The third vulnerability, which is rated as high, allows for remote code execution on HTTPS sessions. The TELNET vulnerability is due to an issue with an uninitialized variable, and the remote code execution vulnerability is due to a use-after-free. This vulnerability has been called the "TLS session caching disaster", and instructions for achieving remote code execution have been released to the public. Therefore, it is suggested that you update immediately. Note that this only applies to systems which use OpenSSL as their SSL backend, which is the default configuration in BLFS. These vulnerabilities have been assigned CVE-2021-22897, CVE-2021-22898, and CVE-2021-22901.

To fix these vulnerabilities, update to cURL-7.77.0 or later as soon as possible using the instructions at cURL (sysv), or cURL (systemd).

10.1 050 libX11 Date: 2021-05-19 Severity: Critical

In libX11-1.7.1, a security vulnerability was fixed that allows command injection through the libX11 API protocol. This vulnerability exists in the XLookupColor function, intended for server-side color lookup. The flaw consists of a client being allowed to send color names longer than the maximum allowed size, and also longer than the maximum packet size for normalized packets. This then allows the X server authorization process to be disabled completely, as the end of the packet is then considered a protocol command. This vulnerability has existed since February of 1986. This vulnerability has been rated at a 9.3 CRITICAL on the CVSS scale and has been assigned CVE-2021-31535; more information can be found at libX11 security advisory.

To fix this vulnerability, update to libX11-1.7.1 or later using the instructions at Xorg Libraries (sysv), or Xorg Libraries (systemd).

10.1 049 postgresql Date: 2021-05-18 Severity: Medium

In PostgreSQL-13.3, three security vulnerabilities were fixed that could allow for memory disclosure as well as a buffer overrun caused by an integer overflow in array subscripting calculations. The buffer overrun could allow authenticated database users to write arbitrary bytes to a wide area of server memory. The memory disclosure vulnerabilities both allow an attacker to read arbitrary bytes of server memory, when executing UPDATE...RETURNING commands on partitioned tables, and when executing INSERT...ON CONFLICT... DO UPDATE commands on a purpose-crafted table. In the default PostgreSQL configuration, any authenticated database user can create the prerequisite objects and complete this attack at will. Users lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot exploit this attack. These vulnerabilities have been assigned CVE-2021-32028, CVE-2021-32029, and CVE-2021-32027.

To fix these vulnerabilities, update to PostgreSQL-13.3 or later using the instructions at PostgreSQL (sysv), or PostgreSQL (systemd).

10.1 048 rxvt-unicode Updated: 2021-05-18 Severity: High

A security vulnerability was fixed in rxvt-unicode-9.26 that may allow for remote code execution. An exploit has been discovered in the wild and was published to the oss-security mailing list. The vulnerability occurs due to the way that rxvt handles ANSI escape sequences, replying to queries with a newline-terminated message, and will allow applications to execute without user intervention. This was originally graded as critical (no CVE was available) but the details at CVE-2021-33477 now show it as high severity.

To fix this vulnerability, update to rxvt-unicode-9.26 or later using the instructions at rxvt-unicode (sysv), or rxvt-unicode (systemd).

10.1 047 libxml2 Date: 2021-05-18 Severity: Medium

In libxml2-2.9.12, a security vulnerability was fixed (in addition to all of the ones covered in libxml2-2.9.10-security_fixes-1.patch) that allows for a denial of service (system resource exhaustion) when processing a crafted XML file. This occurs through an exponential entity expansion attack, and it bypasses all existing protection mechanisms. This vulnerability has been assigned CVE-2021-3541.

To fix this, update to libxml2-2.9.12 or later using the instructions at libxml2 (sysv), or libxml2 (systemd).

10.1 046 Exiv2 Date: 2021-05-17 Severity: High

Five CVEs in exiv2-0.27.3, one rated as High, have been fixed upstream but as yet there is no new release: CVE-2021-3482, CVE-2021-29457, CVE-2021-29458, CVE-2021-29470, CVE-2021-29473.

To fix these, apply the exiv2-0.27.3-security_fixes-1.patch (or update to a later version) using the instructions at Exiv2 (sysv), or Exiv2 (systemd).

10.1 045 Samba Date: 2021-05-12 Severity: Critical

In Samba-4.14.4, a security vulnerability was fixed that allows for users to have unauthorized access to information, as well as the ability for users to modify/delete files from shares that they should not have access to. The underlying cause of this vulnerability is an out-of-bounds read that sometimes occurs when mapping Windows group identities (SIDs) into Unix group IDs (gids). The code that handles this could read data beyond the end of an array in the case that a negative cache entry had been added to the cache. This would then cause the conversion code to return those values into the process token that stores the group membership of a user. This vulnerability was originally spotted at Linkoping University, where a user was found deleting files from a network share that they were not supposed to have access to. If you are using the Samba file server to share files, it is suggested that you update immediately. Other impacts include potential server crashes, as well as impacts to data confidentiality and integrity. This vulnerability has been assigned CVE-2021-20254.

To fix this vulnerability, update to Samba-4.14.4 or later using the instructions for Samba (sysv) or Samba (systemd).

10.1 044 MariaDB Date: 2021-05-12 Severity: Medium

Two security vulnerabilities were corrected in mariadb-10.5.10. These vulnerabilities allowed for remotely exploitable crashes of the MariaDB database server. Both of these vulnerabilities are simple to exploit and can result in repeatable crashes over the network. These vulnerabilities have been assigned CVE-2021-2166 and CVE-2021-2154.

To fix these vulnerabilities, update to MariaDB-10.5.10 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).

10.1 043 Wireshark Date: 2021-05-12 Severity: Medium

A security vulnerability was fixed in Wireshark that could allow for excessive memory and CPU consumption when using the MS-WSP packet dissector. This vulnerability could be exploited via a malformed packet, either by placing the malformed packet onto the wire while Wireshark is capturing packets, or by convincing someone to read a malformed packet trace file. This vulnerability could allow a remote attacker to run the system out of memory, and thus can cause a denial of service. This vulnerability has been assigned CVE-2021-22207.

To fix this vulnerability, update to Wireshark-3.4.5 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.1 042 libjpeg-turbo Date: 2021-05-12 Severity: Low

A security vulnerability was discovered in the "cjpeg" utility included with libjpeg-turbo. This vulnerability is classified as a denial of service vulnerability, and is caused by a divide-by-zero error when processing some GIF images. The highest impact would be a crash of the "cjpeg" application, thus this vulnerability has been rated as Low. This vulnerability has been assigned CVE-2021-20205.

To fix this vulnerability, update to libjpeg-turbo-2.1.0 or later using the instructions for libjpeg (sysv) or libjpeg (systemd).

10.1 041 Rustc Date: 2021-05-11 Severity: Critical

Eight vulnerabilities have been found in the rust standard library before 1.52.0, or in crates which use it. One of the critical CVEs was raised as 'before 1.53.0', but the fix has been backported to 1.52.0.

For the general case (where static libraries are used and a variety of crates might be built) the advice is to update both rust and all the packages which use it.

For BLFS with its limited number of crates which use rust, it can be shown (e.g. by removing the /opt/rustc symlink) that the built programs do not use the standard library at runtime, and therefore the vulnerabilities are assumed to apply at compile time. Nevertheless, the incorrect code has been available and it may be that the resulting programs can do incorrect things. The safest advice is to update rust and then rebuild (or update) all the packages which use it.

The relevant CVEs are: CVE-2021-227376, CVE-2021-28036, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162. To fix rust, update to rustc-1.52.0 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).

10.1 040 QtWebEngine Updated: 2021-05-07 Severity: Critical

Many CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-1 patch (fixes to 2021-05-03): CVE-2021-21233, CVE-2021-21231, CVE-2021-21230, CVE-2021-21227, CVE-2021-21225, CVE-2021-21224, CVE-2021-21223, CVE-2021-21222, CVE-2021-21221, CVE-2021-21220, CVE-2021-21219, CVE-2021-21218, CVE-2021-21217, CVE-2021-21214, CVE-2021-21213, CVE-2021-21209, CVE-2021-21207, CVE-2021-21206, CVE-2021-21204, CVE-2021-21203, CVE-2021-21202, CVE-2021-21201.

Of these, two were rated as critical and at least one other rated as high has public exploit code available.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-20210401-upstream_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 039 Ruby Date: 2021-05-04 Severity: Medium

In ruby-3.0.1, a security vulnerability was fixed that could lead to improper generation of XML files, including malicious code. This has been classified as a "XML round-trip vulnerability". The ruby developers suggest upgrading the REXML gem if updating Ruby on your system is not feasible. This can be done by executing "gem upgrade rexml". The fixed gem has been bundled with ruby-3.0.1. This vulnerability has been assigned CVE-2021-28965.

To fix this vulnerability, update to ruby-3.0.1 or higher using the instructions for ruby (sysv) or ruby (systemd).

10.1 038 Exim Date: 2021-05-04 Severity: Critical

In Exim-4.94.2, twenty-one security vulnerabilities were patched. These vulnerabilities can allow for local privilege escalation, remote code execution, arbitrary code execution in the context of the Exim user, command injection, modification of mails, modification/deletion of files, and more. Ten of these vulnerabilities can be exploited remotely, while the other eleven can be exploited locally. If you have any systems running Exim, this is considered an urgent matter. There are multiple exploits available in the wild for these vulnerabilities. These vulnerabilities have been assigned CVE-2020-28007, CVE-2020-28008, CVE-2020-28014, CVE-2021-27216, CVE-2020-28011, CVE-2020-28010, CVE-2020-28013, CVE-2020-28016, CVE-2020-28015, CVE-2020-28012, CVE-2020-28009, CVE-2020-28017, CVE-2020-28020, CVE-2020-28023, CVE-2020-28021, CVE-2020-28022, CVE-2020-28026, CVE-2020-28019, CVE-2020-28024, CVE-2020-28018, and CVE-2020-28025. Additional information can be found at Qualys Security Blog - 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server.

To fix these vulnerabilities, update to Exim-4.94.2 or higher as soon as possible using the instructions for Exim (sysv) or Exim (systemd).

10.1 037 BIND Date: 2021-05-01 Severity: High

In BIND-9.16.15, three security vulnerabilities were fixed that could result in crashes and remote code execution on 32-bit platforms. One security vulnerability is rated as Medium, while the other two (one of which leads to remote code execution on 32-bit platforms, and crashes on 64-bit platforms) are rated as High. These vulnerabilities have been assigned CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216. Additional information can be found at BIND Release Announcement.

To fix these vulnerabilities, update to BIND-9.16.15 or higher using the instructions for BIND (sysv) or BIND (systemd).

10.1 036 OpenSSH Date: 2021-05-01 Severity: Medium

In OpenSSH-8.6p1, a security vulnerability was fixed that was introduced in version 8.5p1 with the addition of the LogVerbose keyword. When this option was enabled with a set of patterns that activated logging in code that runs in the lower-privileged/sandboxed sshd process, the log messages were constructed in a way that printf(3) format strings could effectively be specified in the lower-privileged code. As a result, an attacker who had successfully exploited the lower-privileged process could use the logging feature to escape the sandbox and attack the higher-privileged process. No CVE has been assigned at this time. More details can be found at Announce: OpenSSH 8.6 released.

To fix this, update to OpenSSH-8.6p1 or later using the instructions for OpenSSH (sysv) or OpenSSH (systemd).

10.1 035 Python (LFS and BLFS) Date: 2021-04-29 Severity: High

In Python3 before 3.9.4 'pydoc' can be used to read arbitrary files, including those containing sensitive data. This has been assigned CVE-2021-3426 but the details are not yet public. See CVE-2021-3426 at debian.

To fix this, update to Python-3.9.4 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.1 034 Xorg-Server Date: 2021-04-29 Severity: High

In Xorg-Server before version 1.20.11 an integer underflow in the Xinput extension can lead to out of bounds memory accesses. This can lead to local privilege escalations (to root) if the X server is running privileged. This has been assigned CVE-2021-3472.

To fix this, update to at least Xorg-Server-1.20.11 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.1 033 Thunderbird Date: 2021-04-26 Severity: High

Nine security vulnerabilities were fixed in Thunderbird-78.10.0, of which two were rated as High. See mfsa2021-14.

To fix these, update to Thunderbird-78.10.0 or later using the instructions for Thunderbird (sysv), or Thunderbird (systemd).

10.1 032 Firefox Date: 2021-04-19 Severity: High

In firefox 78.10.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-15. CVEs have been assigned (CVE-2021-23994, CVE-2021-23995, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946) but details are not yet public.

To fix these, update to firefox-78.10.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 031 librsvg Date: 2021-04-14 Severity: Medium

A security vulnerability was fixed in librsvg-2.50.4 that applied to one of the rust crates involved with building the librsvg library. This vulnerability existed within the generic-array crate, and allowed for variables to stick around for longer than their expected lifetime. This could lead to memory corruption scenarios. This vulnerability has been assigned RUSTSEC-2020-0146.

To fix this, update to librsvg-2.50.4 or later using the instructions in librsvg (sysv), or librsvg (systemd).

10.1 030 cifs-utils Date: 2021-04-14 Severity: Medium

A security vulnerability was discovered in cifs-utils before 6.13. When using kerberos authentication, authentication credentials may leak when running the cifs.upcall command. This same vulnerability can also permit privilege escalation of a local user. This vulnerability has been assigned CVE-2021-20208.

To fix this, update to cifs-utils-6.13 or later using the instructions in cifs-utils (sysv), or cifs-utils (systemd).

10.1 029 NetworkManager Updated: 2021-09-01 Severity: Medium

A security vulnerability was found in NetworkManager up to 1.30.2 where a local or remote attacker could set a "match.path" statement in a Network file, which would cause NetworkManager to crash. The root cause of this vulnerability is improper input validation. This vulnerability has been assigned CVE-2021-20297.

To fix this, update to NetworkManager-1.30.4 or later using the instructions at NetworkManager (sysv), or NetworkManager (systemd).

10.1 028 Avahi Date: 2021-04-14 Severity: Medium

A security vulnerability was found in Avahi that could allow an infinite loop to be triggered when an attacker writes a long line to /run/avahi-daemon/socket. The event used to signal the termination of a client connection was not correctly handled. This vulnerability has been assigned CVE-2021-3468.

To fix this, apply a sed to Avahi using the instructions in Avahi (sysv), or Avahi (systemd).

10.1 027 Thunderbird Updated: 2021-04-11 Severity: Medium

Three security vulnerabilities were fixed in Thunderbird-78.9.1. All three of them affect systems that have OpenPGP keys configured for encrypted email. These vulnerabilities have been rated Moderate, and have been assigned CVE-2021-23991, CVE-2021-23992, CVE-2021-23993. Additional information can be found at MSFA2021-13.

To fix these, update to Thunderbird-78.9.1 or later using the instructions at Thunderbird (sysv), or Thunderbird (systemd).

10.1 026 QtWebEngine Updated: 2021-04-09 Severity: High

Several CVEs (from Chromium) in QtWebEngine have been fixed in the snapshot dated 20210401: CVE-2021-21198, CVE-2021-21195, CVE-2021-21193, CVE-2021-21191, CVE-2021-21187, CVE-2021-21184, CVE-2021-21183, CVE-2021-21166, CVE-2020-27844.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 025 Node.js Date: 2021-04-09 Severity: High

Node.JS-14.16.1 fixed three security vulnerabilities. Two are in OpenSSL but can be exploited through Node.js if you have not updated that package to Openssl-1.1.1k or later, see 10.1-011.

The third vulnerability is 'Prototype Pollution' in the y18n JS package used in npm. Information can be found at April 2021 Security Releases, CVE-2020-7774 and for an explanation of 'Prototype Pollution' see SNYK-JAVA-ORGWEBJARSNPM-1038306.

To fix these, update to Node.JS-14.16.1 or later using the instructions at Node.JS (sysv) or Node.JS (systemd).

10.1 024 XDG-Utils Date: 2021-04-02 Severity: Medium

In the xdg-email component of xdg-utils 1.1.0rc1 and newer, an attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure.

This has been assigned CVE-2020-27748 but the upstream issue at gitlab remains open.

In the meantime, to mitigate this flaw, either do not use mailto links at all, or always double-check in the user interface that there are no unwanted attachments before sending emails, especially when the email originates from clicking on a mailto link.

10.1 023 Libssh2 Date: 2021-04-02 Severity: High

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This has been assigned CVE-2019-17498.

This has been fixed upstream, but no new version has been released. To fix this, apply the patch libssh2-1.9.0-security_fix-1.patch using the instructions for libssh2 (sysv) or libssh2 (systemd) or update to a later version of Libssh2 if one is released.

10.1 022 Flac Date: 2021-04-02 Severity: Medium

In Flac up to and including 1.3.3 a heap buffer overflow leading to a possible out of bounds read has been discovered. This could lead to remote information disclosure with no additional execution privileges needed and has been assigned CVE-2020-0499.

This has been fixed upstream, but no new version has been released. To fix this, apply the patch flac-1.3.3-security_fixes-1.patch using the instructions for Flac (sysv) or Flac (systemd) or update to a later version of Flac if one is released.

10.1 021 Seamonkey Date: 2021-03-31 Severity: Critical

Fixes from firefox-78.6.1 to 78.8.0 were included in seamonkey-2.53.7. See BLFS #14840. The following CVEs have been fixed, most of them being High or Critical: CVE-2020-16044, CVE-2021-23953, CVE-2021-23954, CVE-2020-26976, CVE-2021-23960, CVE-2021-23964, CVE-2020-16048, CVE-2021-23969, CVE-2021-23968, CVE-2021-23973, and CVE-2021-23978.

To fix these, update to Seamonkey-2.53.7 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 020 cURL Date: 2021-03-31 Severity: Medium

In cURL-7.76.0, two vulnerabilities are fixed that may lead to disclosure of sensitive information or authentication bypass. These vulnerabilities have been assigned CVE-2021-22876 and CVE-2021-22890. Additional information can be found at cURL website.

To fix these vulnerabilities, update to cURL-7.76.0 or higher using the instructions for cURL (sysv) or cURL (systemd).

10.1 019 Python 2 Date: 2021-03-31 Severity: Critical

In Python 3 releases, multiple vulnerabilities are fixed that may lead to denial of service, remote code execution, or web cache poisoning. Python 2 is already EOL and has not received the fixes. These vulnerabilities have been assigned CVE-2019-20907, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619, CVE-2021-3177, and CVE-2021-23336.

To fix these vulnerabilities, it's recommended to port everything using Python 2 to use Python 3 instead.

If you decide to stick with Python 2 anyway, rebuild Python 2 with a security patch using the instructions for Python 2 (sysv) or Python 2 (systemd).

10.1 018 WebKitGTK Date: 2021-03-31 Severity: Critical

In WebKitGTK 2.32.0, three security vulnerabilities were fixed that could lead to arbitrary code execution. These vulnerabilities have been assigned CVE-2021-1788, CVE-2021-1844, and CVE-2021-1871. Additional information can be found at WSA-2021-0003.

To fix these vulnerabilities, update to WebKitGTK-2.32.0 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.1 017 glib2 Updated: 2021-04-14 Severity: High

In glib-2.66.8, a medium-severity security vulnerability was fixed that allowed a malicious archive to create files elsewhere in the filesystem via a symlink attack. The malicious archive may also be able to overwrite existing files when extracted with file-roller. An additional vulnerability was fixed in glib-2.66.7, which has been rated High. This vulnerability allows for unintended length truncation on buffers above 4GB in size on a 64-bit platform. These vulnerabilities have been assigned CVE-2021-27218 and CVE-2021-28153, and additional information can be found at file-roller symlink attack (#2325).

To fix these vulnerabilities, update to glib-2.66.8 or later using the instructions for glib (sysv) or glib (systemd).

10.1 016 Samba Date: 2021-03-28 Severity: High

In Samba-4.14.2, two security vulnerabilities were fixed that could lead to denial of service or disclosure of sensitive information. These vulnerabilities have been assigned CVE-2020-27840 and CVE-2021-20277.

To fix these vulnerabilities, update to Samba-4.14.2 or higher using the instructions for Samba (sysv) or Samba (systemd).

If you prefer to stick with 4.13 series, update to Samba-4.13.7 or higher using the instructions for Samba (10.1 sysv) or Samba (10.1 systemd).

10.1 015 WebKitGTK Date: 2021-03-28 Severity: Critical

In WebKitGTK-2.30.6, seven security vulnerabilities were fixed that could lead to arbitrary code execution, improper data deletion, sandbox escapes, and access to ports on restricted servers. One of the vulnerabilities has an exploit in the wild and is being actively exploited. These vulnerabilities have been assigned CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, and CVE-2021-1870. Additional information can be found at WSA-2021-0002.

To fix these vulnerabilities, update to WebKitGTK-2.30.6 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.1 014 lxml Date: 2021-03-27 Severity: Medium

In lxml-4.6.3, a security vulnerability was fixed in the HTML Cleaner that could lead to JavaScript code being passed into the output. This vulnerability is classified as "Cross Site Scripting". It does not properly sanitize the input from the HTML5 formaction attribute, leading to JavaScript code being inserted into the output. This vulnerability has been assigned CVE-2021-28957.

To fix this, update to lxml-4.6.3 or later using the instructions for lxml (sysv) or lxml (systemd).

10.1 013 Nettle Date: 2021-03-27 Severity: High

In Nettle-3.7.2, a security vulnerability was fixed that could allow for improper results or crashes with assertion failures when processing some ECDSA signatures. This has to do with the secp224r1 and secp521r1 curves, and the maintainer suggests upgrading immediately because of the severity of the bug. More information can be found here: ANNOUNCE: Serious bug in Nettle's ecdsa_verify.

To fix this, update to Nettle-3.7.2 or later using the instructions for Nettle (sysv) or Nettle (systemd).

10.1 012 Thunderbird Date: 2021-02-26 Severity: High

In Thunderbird before 78.9.0 there were two vulnerabilities rated as High for linux systems (the angle graphics item only applies to MS Windows), see mfsa2021-12: CVE-2021-23981 and CVE-2021-23987.

To fix these, update to thunderbird-78.9.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.1 011 OpenSSL (LFS) Date: 2021-03-26 Severity: Critical

In OpenSSL-1.1.1k, two high severity security vulnerabilities were fixed. One of these allows for a complete bypass of the CA certificate check, and the other is a trivial-to-exploit vulnerability that lets remote attackers crash any application that uses OpenSSL on the system. Upgrading to OpenSSL-1.1.1k is suggested, as soon as possible. These vulnerabilities have been assigned CVE-2021-3450 and CVE-2021-3449.

To fix these, update to OpenSSL-1.1.1k or later using the instructions in OpenSSL (sysv) or OpenSSL (systemd).

10.1 010 PDFBox (FOP) Date: 2021-03-25 Severity: Medium

In Apache PDFBox-2.0.23, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-27906 and CVE-2021-27807.

To fix these, update the supplemental JAR files in fop to 2.0.23 or update to a later version using the instructions in fop (sysv) or fop (systemd).

10.1 009 JS78 Date: 2021-03-23 Severity: Medium

In the javascript code of firefox-78.9.0 there are hardening fixes against Spectre attacks, see BLFS #14804.

To fix this, update to JS-78.9.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.1 008 Firefox Date: 2021-03-23 Severity: High

In firefox 78.9.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-11. See CVE-2021-23981, CVE-2021-23982, CVE-2021-23984 and CVE-2021-23987.

To fix these, update to firefox-78.9.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 007 Gstreamer Updated: 2021-03-21 Severity: High

In gstreamer-1.18.4 (including plugins), five high severity security vulnerabilities were fixed. Two of them were in gst-plugins-good, one in gst-plugins-ugly, one in gst-libav, and one in gst-plugins-base. Upon successful exploitation, these vulnerabilities can lead to application crashes and arbitrary code execution. More details can be found at GStreamer Security Center.

To fix these vulnerabilities, update the entire gstreamer stack to 1.18.4 using the instructions in the gstreamer pages, starting at gstreamer (sysv) or gstreamer (systemd).

If you are maintaining a system which is still using gstreamer-1.16.3 you should go to the Gstreamer Security Center link above, take the five patches for items SA-2021-001 to 005 and apply them to plugins-base (001), plugins-good (002, 003), plugins-ugly (004) and libav (005) and recompile everything except gstreamer (because a library from -base is affected).

10.1 006 Wireshark Date: 2021-03-16 Severity: High

In Wireshark-3.4.4, a 17-year-old security vulnerability was fixed that could allow Wireshark to open unsafe URLs from within packet dumps. These unsafe URLs did not follow standard HTTP/HTTPS schemes, but examples were shown using the NFS protocol as well as WebDAV and SMB3. This could result in remote code execution while reading a packet capture file. This has been assigned CVE-2021-22191.

Additional details may be found at Wireshark Gitlab Issue 17232.

To fix this, update to Wireshark-3.4.4 or later using the instructions in Wireshark (sysv) or Wireshark (systemd).

10.1 005 Linux Kernel (LFS) Date: 2021-03-15 Severity: Low

In Linux 5.11.3 and earlier, vulnerabilities in the iSCSI subsystem may lead to potential privilege escalation. These have been assigned CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365.

These vulnerabilities should only affect the systems with iSCSI devices or utilities (not in LFS or BLFS) installed.

To fix these, update to Linux 5.11.4 or later, or Linux 5.10.21 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). Note that linux kernel 5.11 and 5.12 versions are no longer maintained.

10.1 004 GnuTLS Date: 2021-03-12 Severity: Low

A client sending a "key_share" or "pre_share_key" extension may result in dereferencing a pointer that is no longer valid after realloc(). These have been assigned CVE-2021-20231 and CVE-2021-20232. The details can be found at GnuTLS issue tracker.

To fix these, update to GnuTLS-3.7.1 or later using the instructions in GnuTLS (sysv) or GnuTLS (systemd).

10.1 003 MuPDF Date: 2021-03-10 Severity: Medium

A double free may lead to memory corruption and other potential consequences. This has been assigned CVE-2021-3407.

To fix this, apply the patch mupdf-1.18.0-security_fix-1.patch using the instructions for MuPDF (sysv) or MuPDF (systemd).

10.1 002 QtWebEngine Updated: 2021-03-19 Severity: High

Many CVEs in QtWebEngine-5.15.2 have been fixed in version 5.15.3, but the release tarball and the rest of 5.15.3 is not yet available to non-commercial customers. Before they decided to not produce a file of changes, the details were recorded at A Qt code review. For the most recent of those, see Upstream Chrome, dated 2021-02-16. To fix these, update to the BLFS 5.15.3 git tarball with instructions for installing that as 5.15.2 to match Qt5 (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 001 OpenSSH Date: 2021-03-03 Severity: Medium

OpenSSH-8.2p1 through OpenSSH-8.4p1 included a security vulnerability (double free) in the 'ssh-agent' program. This could lead to memory corruption, is potentially exploitable, and may lead to privilege escalation. This bug is only reachable by those with access to the agent socket, which is why the BLFS team has decided to rate this vulnerability as Medium severity. There is no CVE assigned for this vulnerability. Additional information can be found at OpenSSH 8.5 release announcement.

To fix this, update to OpenSSH-8.5p1 or later using the instructions in OpenSSH (sysv) or OpenSSH (systemd).

Late advisories for the 10.0 books

10.0 102 Flac Date: 2021-04-25 Severity: Medium

An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file. This has been assigned CVE-2017-6888. This was fixed in flac-1.3.3, but in the meantime a further vulnerability was discovered in flac-1.3.3, so please follow the instructions for 10.1-022.

Items between the releases of the 10.0 and 10.1 books

10.0 101 node.js Date: 2021-02-26 Severity: High

Node.JS-14.16.0 fixed three security vulnerabilities. One of them is a denial of service vulnerability (resource exhaustion via HTTP2 protocols), another is a DNS rebinding attack, and a third is an integer overflow. These vulnerabilities have been assigned CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840. The CVEs are not available at NVD yet, but more information can be found at February 2021 Security Releases.

To fix these, update to Node.JS-14.16.0 or later using the instructions in Node.JS (sysv) or Node.JS (systemd).

10.0 100 Thunderbird Date: 2021-02-24 Severity: High

In thunderbird before 78.8.0 there were three vulnerabilities rated as High, see mfsa2021-09. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.

To fix these, update to thunderbird-78.8.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 099 Firefox Date: 2021-02-24 Severity: High

In firefox 78.8.0 three vulnerabilities rated as High were fixed, see mfsa2021-08. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.

To fix these, update to firefox-78.8.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 098 ffmpeg Date: 2021-02-23 Severity: Medium

ffmpeg-4.3.2 fixed two medium-severity arbitrary code execution vulnerabilities. These could be exploited via crafted files using the EXR and VIVIDAS codecs. These vulnerabilities have been assigned CVE-2020-35965 and CVE-2020-34964.

To fix this, update to ffmpeg-4.3.2 or later using the instructions in ffmpeg (sysv) or ffmpeg (systemd).

10.0 097 Python (LFS and BLFS) Date: 2021-02-22 Severity: Critical

Python-3.9.2 contained two security fixes, one rated as 9.8 CRITICAL, and the other marked as Medium. The critical vulnerability can result in remote code execution in some Python-based programs, and the Medium-level vulnerability can result in web cache poisoning. These vulnerabilities have been assigned CVE-2021-23336 and CVE-2021-3177.

To fix this, update to Python-3.9.2 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.0 096 Screen Date: 2021-02-19 Severity: Critical

In Screen-4.8.0, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally found exploited via Minecraft servers, and is currently being exploited in the wild. The vulnerability can also allow shell injection. This has been assigned CVE-2021-26937.

To fix this, apply the patch in screen-4.8.0-upstream_fixes-1.patch to your build and recompile Screen using the instructions in Screen (sysv) or Screen (systemd).

10.0 095 OpenSSL (LFS) Date: 2021-02-19 Severity: High

In OpenSSL-1.1.1j, two security vulnerabilities were fixed that could lead to a potential denial-of-service attack due to integer overflows and null pointer dereferences. These have been assigned CVE-2021-23841 and CVE-2021-23840. Additional details can be found in OpenSSL.

To fix this, update to at least OpenSSL-1.1.1j using the instructions in OpenSSL (sysv) or OpenSSL (systemd).

10.0 094 Intel Microcode Date: 2021-02-19 Severity: Medium

On Intel Skylake Xeon and Cascade Lake Xeon processors, two vulnerabilities may allow an authenticated user with local access to enable information disclosure. These have been assigned CVE-2020-8696 and CVE-2020-8698. See also Intel-SA-00381.

To fix this, update to at least microcode-20210216 using the instructions for About Firmware (sysv) or About Firmware (systemd).

10.0 093 BIND Date: 2021-02-18 Updated: 2021-02-22 Severity: High

In bind-9.16.12, a security vulnerability was fixed that could allow remote unauthenticated users to crash the named process if the server is configured to use SPNEGO/GSSAPI. This is classified as a buffer overflow vulnerability. This has been assigned CVE-2020-8625.

To fix this, apply the sed found in the BIND page and rebuild BIND, using the instructions for BIND (sysv) or BIND (systemd).

10.0 092 Taglib Date: 2021-02-15 Severity: Medium

In taglib-1.11.1, a security vulnerability was found that may lead to information disclosure when using a crafted OGG file. This is classified as a use-after-free vulnerability. This has been assigned CVE-2018-11439.

To fix this, update to at least taglib-1.12 using the instructions in taglib (sysv) or taglib (systemd).

10.0 091 WebKitGTK Date: 2021-02-15 Severity: High

In WebKitGTK-2.30.5, a security vulnerability was fixed that allows for arbitrary code execution when processing maliciously crafted web content. This web content appears to be Audio, and the issue is a use-after-free in the AudioSourceProviderGstreamer class. It was fixed with improved memory management. This has been assigned CVE-2020-13558, and additional information may be found at WSA-2021-0001.

To fix this, update to at least WebKitGTK-2.30.5 using the instructions in WebKitGTK (sysv) or WebKitGTK (systemd).

10.0 090 PostgreSQL Date: 2021-02-12 Severity: Medium

In PostgreSQL-13.2, two vulnerabilities were fixed that could lead to unauthorized users leaking information from a database. One of them relates to users with the UPDATE privilege but without the SELECT privilege, and the other relates to users who have SELECT privileges for only a single column being able to read all columns of the table. These have been assigned CVE-2021-3393 and CVE-2021-20229.

To fix this, update to at least postgresql-13.2 using the instructions in PostgreSQL (sysv) or PostgreSQL (systemd).

10.0 089 gnome-autoar Date: 2021-02-12 Severity: Medium

In gnome-autoar-0.2.4, a security vulnerability was found that allows for directory traversal during extraction of an archive due to a lack of proper checks for whether a file's parent is a symlink to a directory outside of the intended extraction location. This has been assigned CVE-2020-36241.

To fix this, update to at least gnome-autoar-0.3.0 using the instructions in gnome-autoar (sysv) or gnome-autoar (systemd).

10.0 088 xterm Date: 2021-02-12 Severity: Medium

In xterm-366, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally discovered in 'Screen', but was found to affect xterm as well. The vulnerability was originally found exploited via Minecraft servers, so as a result of its exploitation in the wild, BLFS has decided to apply a severity of Medium to this vulnerability. This has been assigned CVE-2021-26937.

To fix this, update to at least xterm-366 using the instructions in xterm (sysv) or xterm (systemd).

10.0 087 Jinja2 Date: 2021-02-12 Severity: Medium

In Jinja2-2.11.2, a security vulnerability was found that allows for a repeatable denial-of-service attack via malformed regex. This has been assigned CVE-2020-28493.

To fix this, update to at least Jinja2-2.11.3 using the instructions for Jinja2 (sysv) or Jinja2 (systemd).

10.0 086 Subversion Date: 2021-02-10 Severity: Medium

In subversion-1.14.0, a security vulnerability was found that will result in a remote unauthenticated denial-of-service. This vulnerability was found in the mod_authz_svn and mod_dav_svn modules, and is a null-pointer dereference caused by attempting to access a non-existent repository. This has been assigned CVE-2020-17525.

To fix this, update to at least Subversion-1.14.1 using the instructions for Subversion (sysv) or Subversion (systemd).

10.0 085 Libgcrypt Date: 2021-02-10 Severity: High

In Libgcrypt-1.9.0 there is a heap-based buffer overflow. See CVE-2021-3345.

To fix this, update to at least Libgcrypt-1.9.1 using the instructions for Libgcrypt (sysv) or Libgcrypt (systemd).

10.0 084 Jasper Updated: 2021-02-09 Severity: High

In Jasper 2.0.24, jp2_decode in jp2/jp2_dec.c in libjasper has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. This has been assigned CVE-2021-3272.

To fix this, update to at least jasper-2.0.25 using the instructions for Jasper (sysv) or Jasper (systemd).

10.0 083 PHP Updated: 2021-02-07 Severity: Medium

In PHP before versions 7.4.15 and 8.0.2, according to Arch, PHP will crash with a SIGSEGV via null-pointer dereference whenever XML is provided to the SoapClient query() function without an existing field. CVE-2020-7071 has been allocated but for the moment that is "reserved". See Arch CVE-2021-21702 where the severity is rated as Medium.

To fix this, update to PHP-8.0.2 or later using the instructions for PHP (sysv) or PHP (systemd).

10.0 082 (LFS) GLIBC Date: 2021-02-07 Severity: High

In Glibc before 2.33 there are four vulnerabilities in iconv which can lead to a crash when processing less-common character encodings.

CVE-2019-25013: According to Red Hat this can be worked around by not processing untrusted input in the (uncommon) EUC-KR character set (Red Hat).

CVE-2020-27618 is currently marked as 'Reserved'. According to Red Hat an infinite loop can be encountered when processing data in certain IBM character sets containing redundant shift sequences. They rate the severity as Low because an attacker would need either local privileges, or to depend on an application feeding untrusted encoding input to iconv (Red Hat).

CVE-2020-29562: When processing UCS4 text containing an irreversible character, iconv fails an assertion and aborts, resulting in a denial of service. A workaround appears to be to avoid processing UCS4 input (constant 32-bit width characters) in iconv. For most users of LFS and BLFS it is expected that UCS4 input is uncommon.

CVE-2021-3326: When processing invalid input sequences in the ISO-2022-JP-3 encoding, iconv fails an assertion and aborts, resulting in a denial of service. According to Red Hat this can be worked around by not processing untrusted input in this encoding (Red Hat).

To fix these, build a new version of LFS. If you have usable backups and have tested a way to restore them via a rescue stick or similar, it might be possible to build glibc-2.33 in place and then immediately make an unclean shutdown, e.g. using MagicSysRQ if that is enabled in your kernel. Such a procedure is not recommended, nor has it been tested.

10.0 081 Firefox Updated: 2021-02-07 Severity: None

In firefox before 78.7.1 a vulnerability in the Angle graphics library was rated as Critical and a CVE was requested. It has now been clarified that this only affected Windows operating systems.

10.0 080 JasPer Date: 2021-02-04 Severity: High

BLFS had been using JasPer-2.0.14, not aware that the upstream location had moved. In versions before Jasper-2.0.24 more than 25 vulnerabilities were present, mostly either causing a remotely triggered crash (Denial of Service) or otherwise rated as high. For an overview of these see BLFS #14599. The most recent included CVE-2018-9055, CVE-2018-9252, CVE-2018-19540, CVE-2018-19541, CVE-2018-19543, CVE-2020-27828.

To fix this, update to at least JasPer-2.0.24 using the instructions for JasPer (sysv) or JasPer (systemd).

10.0 079 Glib Date: 2021-02-04 Severity: High

Glib before 2.66.6 was vulnerable to integer truncation leading to potentially exploitable heap-overflow vulnerabilities. The issue was raised in a public report, so this is now classed as a zero-day vulnerability requiring urgent update. See GHSL-2021-045.

To fix this, update to at least Glib-2.66.6 using the instructions for Glib (sysv) or Glib (systemd).

10.0 078 Thunderbird Date: 2021-01-31 Severity: High

In thunderbird before 78.7.0 there were various vulnerabilities rated as High. See mfsa2021-05. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.

To fix this, update to Thunderbird-78.7.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 077 Perl (using cpan) Date: 2021-01-30 Severity: High

The perl.com domain was stolen and is currently hosted at an address associated with malware. Anyone who uses the 'cpan' command to build perl modules should ensure that www.cpan.org is used to provide the urllist; see the details at blfs-support archive.

10.0 076 Wireshark Date: 2021-01-30 Severity: High

Wireshark up to 3.4.2 had vulnerabilities for a memory leak and a crash, wnpa-sec-2020-20, wnpa-sec-2020-20. According to Red Hat these have been allocated CVE-2021-22173 and CVE-2021-22174 but these are currently 'Reserved'.

To fix these, update to wireshark-3.4.3 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 075 VLC Media Player Date: 2021-01-30 Severity: High

In VLC Media Player up to and including version 3.0.11 a remote user could create a specially crafted file or stream that would lead to crashes and potential information leakage, or perhaps arbitrary code execution. See VideoLAN-SB-VLC-3012.

To fix this, update to VLC-3.0.12 or later using the instructions for VLC (sysv) or VLC (systemd).

10.0 074 GPTfdisk Date: 2021-01-26 Severity: Moderate

In GPTfdisk before version 1.0.6 a possible out-of-bounds write in ReadLogicalParts of basicmbr.cc could be triggered by running gdisk or cgdisk on an improperly formatted MBR partition, leading to arbitrary code execution. CVE-2021-0308.

To fix this, update to GPTfdisk-1.0.6 or later using the instructions for GPTfdisk (sysv) or GPTfdisk (systemd).

10.0 073 Sudo Date: 2021-01-26 Severity: Critical

In Sudo before 1.9.5p2 the 'Baron Samedi' exploit allows privilege escalation, see CVE-2021-3156.

To fix this, update to Sudo-1.9.5p2 or later using the instructions for Sudo (sysv) or Sudo (systemd).

10.0 072 JS78 Date: 2021-01-26 Severity: High

In the javascript code of firefox-78.7.0 there is a fix for a 'Use-after-poison' vulnerability leading to a potentially exploitable crash. CVE-2021-23960 has been assigned but details are not yet public. Summary details are at mfsa2021-04.

To fix this, update to JS-78.7.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 071 Firefox Date: 2021-01-26 Severity: High

In firefox 78.7.0 several vulnerabilities were fixed, of which the following are rated as High. See mfsa2021-04. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.

To fix these, update to firefox-78.7.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 070 Vorbis Tools Updated: 2021-01-26 Severity: High

Three vulnerabilities in Vorbis Tools 1.4.0 could cause crashes. CVE-2014-9638, CVE-2014-9639, CVE-2017-11331.

To fix these, update to Vorbis Tools 1.4.2 or later using the instructions for Vorbis Tools (sysv) or Vorbis Tools (systemd).

10.0 069 Seamonkey Updated: 2021-01-26 Severity: Critical

Fixes from firefox-78.4.1 to 78.6.0, and from thunderbird-78.6.0 were included in seamonkey-2.53.6. See BLFS #14548. The following are rated as Critical or High: CVE-2020-16042, CVE-2020-26950, CVE-2020-26951, CVE-2020-26968, CVE-2020-26970, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix these, update to Seamonkey-2.53.6 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 068 Mutt Updated: 2021-01-25 Severity: Medium

In mutt through version 2.0.4 it was possible to cause a Denial of Service (the specific mailbox became unreadable) by sending a message with sequences of semicolons in RFC822 fields, causing large memory consumption. See CVE-2021-3181.

This was initially fixed with a minimal upstream patch, mutt-2.0.4-memleak-1.patch, but the 2.0.5 release followed a few days later with slightly more fixes. To fix this, update to mutt-2.0.5 or later using the instructions for Mutt (sysv) or Mutt (systemd).

10.0 067 ImageMagick Date: 2021-01-14 Severity: High

BLFS updated ImageMagick from 7.0.10-27 to 7.0.10-57 to fix two security vulnerabilities: a division by zero causing Denial of Service, and improper sanitizing of the -authenticate option (used to set a password for password-protected PDF files), which allowed users to inject additional shell commands. The CVEs are CVE-2020-27560 (the division by zero) and CVE-2020-29599.

To fix this, update to ImageMagick-7.0.10-57 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).

10.0 066 Thunderbird Date: 2021-01-12 Severity: Critical

In thunderbird before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-02. This has been allocated CVE-2020-16044 but for the moment no details are available.

To fix this, update to Thunderbird-78.6.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 065 Sudo Updated: 2021-02-04 Severity: High

In Sudo before 1.9.5 there are two privilege escalation vulnerabilities, one marked as High. See oss-security and CVE-2021-20239, CVE-2021-23240.

To fix this, update to Sudo-1.9.5p1 or later using the instructions for Sudo (sysv) or Sudo (systemd).

10.0 064 PHP Updated: 2021-02-04 Severity: Medium

In PHP before 7.4.14 and 8.0.1, FILTER_VALIDATE_URL accepts URLs with invalid userinfo. CVE-2020-7071 has been allocated but for the moment that is "reserved". See ASA-202101-9 (Arch Linux).

To fix this, update to PHP-8.0.1 or later using the instructions for PHP (sysv) or PHP (systemd).

10.0 063 Firefox Date: 2021-01-06 Severity: Critical

In firefox before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-01. This has been allocated CVE-2020-16044 but for the moment no details are available.

To fix this, update to firefox-78.6.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 062 Node.js Date: 2021-01-05 Severity: High

In Node.js before 12.20.1 and 14.15.4 a high security vulnerability (use after free, leading to Denial of Service or other exploits) was found, as well as two medium security vulnerabilities (one is in OpenSSL but could be exploited through Node.js). CVE-2020-8265, CVE-2020-8287, CVE-2020-1971.

To fix these, update to Node.js-14.15.4 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.20.1 or later.

10.0 061 Poppler Updated: 2021-02-04 Severity: Disputed

A high severity heap-based buffer overflow via a crafted PDF was reported against Poppler-20.12.1 and assigned CVE-2020-35702, but later reports indicate that this only applies to Poppler git clones in late December 2020 (which might be used by third-party projects). For BLFS no action is now necessary.

10.0 060 Dovecot Date: 2021-01-04 Severity: Medium

In Dovecot before version 2.3.13, if IMAP hibernation has been enabled (it is off by default) an attacker can access other users' emails and filesystem information. It has been assigned CVE-2020-24386.

A workaround is to disable IMAP hibernation by ensuring imap_hibernate_timeout is either set to 0 or unset.

To fix this, update to dovecot-2.3.13 or later using the instructions for Dovecot (sysv) or Dovecot (systemd).

10.0 059 Libpcap Date: 2021-01-04 Severity: High

The changes file for Libpcap-1.10.0 at tcpdump.org mentions various security fixes.

To fix these, update to Libpcap-1.10.0 or later using the instructions for Libpcap (sysv) or Libpcap (systemd).

10.0 058 OpenJPEG Date: 2020-12-15 Severity: High

In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high, and another two rated as medium. See CVE-2019-6988, CVE-2019-12793, CVE-2020-6851, CVE-2020-8112.

To fix these, update to OpenJPEG-2.4.0 or later using the instructions for OpenJPEG2 (sysv) or OpenJPEG2 (systemd).

10.0 057 Wireshark Updated: 2021-02-04 Severity: Invalid

A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1 was raised and allocated CVE-2020-26422, but it was later determined that the bug was not present in any released version of Wireshark (see wnpa-sec-2020-20), so no action is necessary.

10.0 056 Thunderbird Date: 2020-11-19 Severity: Critical

Several vulnerabilities were fixed in Thunderbird-78.6.0, one was rated as Critical. Details are at mfsa2020-56, CVE-2020-16042, CVE-2020-26970, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix this, update to Thunderbird-78.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 055 Wireshark Date: 2020-09-23 Severity: High

Four Medium Security Advisories for items which could cause Wireshark to crash were fixed in Wireshark-3.4.1, detailed at Wireshark Security, but in addition the editors had overlooked a High severity item fixed in Wireshark-3.4.0. CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421, CVE-2020-26575, CVE-2020-28030.

To fix these, update to wireshark-3.4.1 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 054 P11-Kit Date: 2020-12-15 Severity: High

In P11-Kit up to 0.23.21 there are two vulnerabilities rated as high, and another rated as medium. See CVE-2020-29361, CVE-2020-29362, CVE-2020-29363.

To fix this, update to p11-kit-0.23.22 or later using the instructions for P11-Kit (sysv) or P11-Kit (systemd).

10.0 053 Firefox Date: 2020-12-15 Severity: Critical

Several vulnerabilities were found in firefox before 78.6.0, of which one was rated as critical and four as high by upstream, as well as one rated low (but rated as Medium by NVD) where internal network hosts and services on the user's machine could have been probed by a malicious webpage. Details are at mfsa2020-55 and CVE-2020-16042, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix these, update to firefox-78.6.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 052 OpenSSL (LFS) Date: 2020-12-15 Severity: High

The EDIPARTYNAME NULL pointer dereference allows an attacker who can trick a client or server into checking a malicious X509 certificate to trigger a crash. This is rated High. It has been assigned CVE-2020-1971 with fuller details at OpenSSL.

To fix this, update to at least OpenSSL-1.1.1i using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).

10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High

Python-3.9.1 includes three security fixes. See bpo-40791, bpo-42051, bpo-42103.

To fix this, update to at least Python-3.9.1 using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.0 050 cURL Date: 2020-12-11 Severity: High

cURL before version 7.74.0 has two vulnerabilities rated as High, an uncontrolled recursion and an improper check for certificate revocation, as well as one rated as Low. See BLFS #14363 and CVE-2020-8284, CVE-2020-8285, CVE-2020-8286.

To fix these, update to cURL-7.74.0 or later following the instructions for cURL (sysv) or cURL (systemd).

10.0 049 Gdk-Pixbuf Date: 2020-12-08 Severity: Medium

Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service (infinite loop) which can, for example, be triggered using a crafted GIF image with LZW compression. CVE-2020-29385.

To fix this, update to Gdk-Pixbuf-2.42.2 or later following the instructions for Gdk-Pixbuf (sysv) or Gdk-Pixbuf (systemd).

10.0 048 Xorg-Server Date: 2020-12-05 Severity: High

In Xorg-Server before version 1.20.10 two input validation failures in X server extensions were found. These can lead to local privilege escalation (to root) if the X server is running privileged. These have been assigned CVE-2020-14360 and CVE-2020-25712.

To fix this, update to at least Xorg-Server-1.20.10 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.0 047 Unbound Updated: 2020-12-05 Severity: Medium

Unbound up to and including version 1.12.0 contains a local vulnerability that would allow for a local symlink attack. Severity downgraded following availability of analysis. CVE-2020-28935.

To fix this, update to Unbound-1.13.0 or later following the instructions for Unbound (sysv) or Unbound (systemd).

10.0 046 Mutt Date: 2020-11-26 Severity: Medium

Mutt before version 2.0.2 had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. CVE-2020-28896.

To fix this, update to mutt-2.0.2 or later following the instructions for Mutt (sysv) or Mutt (systemd).

10.0 045 LibEXIF Date: 2020-11-21 Severity: Critical

Three vulnerabilities were found in LibEXIF-0.6.22, two are rated as High and one as Critical. See BLFS #14272 and the following CVEs: CVE-2020-0181, CVE-2020-0198, CVE-2020-0452.

To fix these, update to a version of LibEXIF after version 0.6.22 if one is released, or apply the patch libexif-0.6.22-security_fixes-1.patch following the instructions for LibEXIF (sysv) or LibEXIF (systemd).

10.0 044 LibXML2 Date: 2020-11-21 Severity: High

Three vulnerabilities leading to Denial of Service were found in LibXML2-2.9.10, two of these are rated as High. See BLFS #14271 and the following CVEs: CVE-2019-20388, CVE-2020-7595, CVE-2020-24977.

To fix these, apply the patch libxml2-2.9.10-security_fixes-1.patch following the instructions for LibXML2 (sysv) or LibXML2 (systemd), or update to a later version if one is released.

10.0 043 WebKitGTK Date: 2020-11-25 Severity: High

Five vulnerabilities rated as High were found in WebKitGTK. See BLFS #14281 and the following CVEs (most were filed against Safari, which uses WebKit): CVE-2020-9948, CVE-2020-9951, CVE-2020-9952, CVE-2020-9983, CVE-2020-13584.

To fix this, update to at least webkitgtk-2.30.3 using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.0 042 Qt5 and QtWebEngine Date: 2020-11-20 Severity: Critical

The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from Chrome, of which four were 0day fixes. The rest of Qt5 includes many bug fixes, some of which address heap buffer overflows. For QtWebEngine see QtWebEngine 5.15.2 changes; for the other parts of Qt5 see Qt-5.15.2 Changes.

To fix these, update to at least Qt-5.15.2 and QtWebEngine-5.15.2 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).

10.0 041 Thunderbird Date: 2020-11-19 Severity: High

Several vulnerabilities were fixed in Thunderbird-78.5.0, two were rated High. Details are at mfsa2020-52, CVE-2020-26951, CVE-2020-26968.

To fix this, update to Thunderbird-78.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 040 Kerberos 5 Date: 2020-11-19 Severity: High

A vulnerability in Kerberos 5 before krb5-1.18.3 allowed a Denial of Service to be triggered when decoding Kerberos protocol messages. See Release Notes.

To fix this, update to krb5-1.18.3 or later using the instructions for Kerberos (sysv) or Kerberos (systemd).

10.0 039 C-Ares Date: 2020-11-19 Severity: High

An application using C-Ares versions from 1.16.0 to 1.17.0 allows an attacker to trigger a Denial of Service by getting the application to resolve a DNS record with a large number of responses. See CVE-2020-8277, which was initially raised against Node.js.

To fix this, update to C-Ares-1.17.1 or later using the instructions for C-Ares (sysv) or C-Ares (systemd).

10.0 038 Node.js Date: 2020-11-19 Severity: High

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could be made to suffer a Denial of Service by getting it to resolve a DNS record with a large number of responses. This also applies to C-Ares, which is shipped with Node.js. CVE-2020-8277.

To fix this, update to Node.js-14.15.1 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.19.1 or later.

10.0 037 JS78 Date: 2020-11-16 Severity: High

Several vulnerabilities were found in firefox before 78.5.0, of which one was in the javascript (js/src) code. Summary details are at mfsa2020-51.

To fix this, update to JS-78.5.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 036 Firefox Date: 2020-11-16 Severity: High

Several vulnerabilities were found in firefox before 78.5.0, of which two were rated as high by upstream. Details are at mfsa2020-51 and CVE-2020-26951 and CVE-2020-26968.

To fix this, update to firefox-78.5.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 035 Raptor Date: 2020-11-13 Severity: High

A heap overflow vulnerability in Raptor can lead to an out-of-bounds write. Details are at oss-security and CVE-2017-18926.

To fix this, patch raptor-2.0.15 using raptor-2.0.15-security_fixes-1.patch and the instructions for Raptor (sysv) or Raptor (systemd).

10.0 034 PostgreSQL Date: 2020-11-12 Severity: High

Three vulnerabilities rated as High were found in PostgreSQL before 13.1. Details are at PostgreSQL and CVE-2020-25694, CVE-2020-25695, CVE-2020-25696.

To fix this, update to PostgreSQL-13.1 or later, using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).

10.0 033 Thunderbird Date: 2020-11-10 Severity: Critical

The javascript vulnerability fixed in firefox-78.4.1 also applies to thunderbird. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to Thunderbird-78.4.2 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 032 Seamonkey Updated: 2020-11-21 Severity: Critical

The javascript vulnerability in JS-78.4.1 and firefox-78.4.1 also applies to seamonkey-2.53.4. In BLFS this was initially partly fixed by patching Seamonkey-2.53.4 using seamonkey-2.53.4-security_fixes-1.patch, but was later revised to use Seamonkey-2.53.5 when that became available. Seamonkey-2.53.5.1 then had further fixes for this.

To fix these, update to Seamonkey-2.53.5.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 031 JS78 Date: 2020-11-09 Severity: Critical

An exploitable use-after-free was found in JS78 before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to JS-78.4.1 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 030 Firefox Date: 2020-11-09 Severity: Critical

An exploitable use-after-free was found in firefox before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to firefox-78.4.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 029 MariaDB Date: 2020-11-04 Severity: Medium

Four CVE vulnerabilities were identified in MariaDB before version 10.5.7, as well as a high security vulnerability only applicable to Windows. See Release Notes and CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789.

To fix this, update to at least mariadb-10.5.7 using the instructions for MariaDB (sysv) or MariaDB (systemd).

10.0 028 Samba Date: 2020-10-30 Severity: Medium

Three CVE vulnerabilities were identified in Samba before version 4.13.1, see Samba History and CVE-2020-14318, CVE-2020-14323, CVE-2020-14383.

To fix this, update to at least samba-4.13.1 using the instructions for Samba (sysv) or Samba (systemd).

10.0 027 Libass Date: 2020-10-30 Severity: High

There was a signed integer overflow in libass-0.14.0. See CVE-2020-26682.

To fix this, update to at least libass-0.15.0 using the instructions for Libass (sysv) or Libass (systemd).

10.0 026 The Gstreamer stack Date: 2020-10-27 Severity: High

Upstream made an emergency release of gstreamer-1.18.1 and its stack containing important security fixes. At the same time the gstreamer-1.16.3 stack was released with similar fixes. Limited details are available at the 1.18.1 Release Notes and 1.16.3 Release Notes.

On systems running Gstreamer 1.16 versions, such as BLFS-10.0, update to the gstreamer-1.16.3 packages (gstreamer, -libav, -plugins, -vaapi) using the instructions from the BLFS-10.0 book for Gstreamer 1.16 (sysv) and the rest of the stack, or Gstreamer 1.16 (systemd) and the rest of the stack.

On systems running Gstreamer 1.18 versions, update to the gstreamer-1.18.1 or later packages (gstreamer, -libav, -plugins, -vaapi) using the instructions for Gstreamer 1.18 (sysv) and the rest of the stack, or Gstreamer 1.18 (systemd) and the rest of the stack.

10.0 025 Thunderbird Date: 2020-10-23 Severity: High

Three vulnerabilities rated as High were fixed in thunderbird-78.4.0. Details are at mfsa2020-47.

To fix this, update to Thunderbird-78.4.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 024 FreeType Date: 2020-10-20 Severity: High

There was an emergency release fixing a vulnerability in embedded PNG bitmap handling (present since FreeType-2.6) which was being actively exploited. The original CVE was raised against Chrome OS and only rated as Medium. See CVE-2020-15999 and Sourceforge - Changes in 2.10.4.

To fix this, update to freetype-2.10.4 or later using the instructions for FreeType (sysv) or FreeType (systemd).

10.0 023 LXML Updated: 2020-11-28 Severity: Medium

A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website. CVE-2020-27783 and cybersecurity-help.cz.

This was thought to be fixed in LXML-4.6.1, but that fix was inadequate. To fix this, update to LXML-4.6.2 or later using the instructions for LXML (sysv) or LXML (systemd).

10.0 022 NSS Date: 2020-10-17 Severity: High

A flaw was found in the CCS handling, allowing a remote attacker to cause a denial of service for servers linked against NSS. CVE-2020-25613.

To fix this, update to at least NSS-3.58 using the instructions for NSS (sysv) or NSS (systemd).

10.0 021 Stunnel Date: 2020-10-16 Severity: High

In Stunnel-5.57 the "redirect" option was fixed to properly handle "verifyChain = yes". See Stunnel NEWS.

To fix this, update to at least stunnel-5.57 using the instructions for Stunnel (sysv) or Stunnel (systemd).

10.0 020 Ruby Date: 2020-10-06 Severity: High

Ruby before 2.7.2 had a vulnerability in its WEBrick HTTP server. CVE-2020-25613.

To fix this, update to at least Ruby-2.7.2 using the instructions for Ruby (sysv) or Ruby (systemd).

10.0 019 PHP Date: 2020-10-05 Severity: Medium

PHP before 7.4.11 had two CVE vulnerabilities, CVE-2020-1472 and CVE-2020-1472.

To fix this, update to at least PHP-7.4.11 using the instructions for PHP (sysv) or PHP (systemd).

10.0 018 Glib Date: 2020-10-05 Severity: Medium

Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs. See Release Notes.

To fix this, update to at least Glib-2.66.1 using the instructions for Glib (sysv) or Glib (systemd).

10.0 017 Wireshark Date: 2020-09-23 Severity: High

Three Security Advisories (wnpa-sec-2020-11,12,13) which could cause Wireshark to crash were fixed in Wireshark-3.2.7, detailed at Wireshark Security and CVE-2020-25862, CVE-2020-25863, CVE-2020-25866.

To fix these, update to wireshark-3.2.7 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 016 Thunderbird Updated: 2020-09-25 Severity: High

Revised 2020-09-26

Five vulnerabilities with CVE numbers were fixed in thunderbird-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-44.

But users of that version of thunderbird reported numerous crashes. To fix the vulnerabilities and the crashes update to thunderbird-78.3.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 015 Seamonkey Date: 2020-09-23 Severity: Critical

Security fixes from firefox-60.6 up to firefox ESR-78.1 were included in Seamonkey-2.53.4. Please see The Release Notes.

To fix these, update to Seamonkey-2.53.4 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 014 Firefox Date: 2020-09-21 Severity: High

Four vulnerabilities with CVE numbers were fixed in firefox-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-43.

To fix these, update to firefox-78.3.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 013 Samba Date: 2020-09-26 Severity: Critical

A critical security vulnerability in Samba was discovered, dubbed "ZeroLogon". This vulnerability classifies as an authentication bypass, and is rated a 10.0 on the CVSSv3 scale. CVE-2020-1472 has been assigned.

To fix this, update to Samba-4.12.7 or later using the instructions for Samba (sysv) or Samba (systemd).

10.0 012 Node.js Date: 2020-09-17 Severity: High

Multiple security vulnerabilities were discovered in Node.js, including two marked as High. These have been assigned CVE-2020-8201 and CVE-2020-8252.

To fix this, update to Node.js-12.18.4 or later using the instructions for Node.js (sysv) or Node.js (systemd).

10.0 011 Qt5 and QtWebEngine Date: 2020-09-10 Severity: Critical

Many security vulnerabilities were discovered in Qt5-5.15.0 and QtWebEngine. For an overview, including the approximately 50 security fixes from Chrome which had CVEs assigned at the time of the update, see BLFS ticket #14026.

To fix this, update to at least Qt-5.15.1 and QtWebEngine-5.15.1 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).

10.0 010 Linux Kernel (LFS) Date: 2020-09-15 Severity: High

In Linux Kernels before 5.8.8 there is a potential privilege escalation. See oss-security.

To fix this, update to linux-5.8.9 or later using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.0 009 Bison (LFS) Date: 2020-09-15 Severity: Low

Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself; the generated code should not be affected. See The Release Announcement.

To fix this, update to bison-3.7.2 or later using the instructions from the LFS book for Bison (sysv) or Bison (systemd).

10.0 008 Cryptsetup Date: 2020-09-06 Severity: High

An out of bounds memory write was discovered in Cryptsetup. Note that this only affects 32-bit builds of cryptsetup. CVE-2020-14382 has been assigned.

To fix this, update to at least cryptsetup-2.3.4 using the instructions for Cryptsetup (sysv) or Cryptsetup (systemd).

10.0 007 GnuPG Date: 2020-09-06 Severity: Critical

A critical security bug was discovered in GnuPG 2.2.21 as shipped in BLFS 10.0, and in 2.2.22. This vulnerability will trigger whenever a key with preference lists for the AEAD algorithms is loaded, and can be exploited. CVE-2020-25125 has been assigned.

To fix this, update to GnuPG-2.2.23 or later using the instructions for GnuPG (sysv) or GnuPG (systemd).

10.0 006 Brotli Date: 2020-09-06 Severity: Medium

An integer overflow in brotli before version 1.0.9 can lead to a crash. This was assigned CVE-2020-8927.

To fix this, update to brotli-1.0.9 or later using the instructions for Brotli (sysv) or Brotli (systemd).

10.0 005 BIND Date: 2020-09-05 Severity: High

A variety of vulnerabilities were found in BIND. Most could cause a crash but one allows privilege escalation by someone with authority to change a subset of the zone's content. These were assigned CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624. See also BIND 9 Security Vulnerability Matrix #114-8.

To fix this, update to BIND-9.6.16 or later using the instructions for BIND (sysv) or BIND (systemd).

10.0 004 CIFS-utils Date: 2020-09-05 Severity: High

The mount.cifs program was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. This was assigned CVE-2020-14342; more details are at samba-technical.

To fix this, update to cifs-utils-6.11 or later using the instructions for CIFS-utils (sysv) or CIFS-utils (systemd).

10.0 003 GnuTLS Date: 2020-09-03 Severity: High

A null-pointer dereference causing a remotely-triggered crash in the client application was found and assigned CVE-2020-24659, see also GNUTLS-SA-2020-09-04.

To fix this, update to at least GnuTLS-3.6.15 using the instructions for GnuTLS (sysv) or GnuTLS (systemd).

10.0 002 Xorg-Server Date: 2020-09-03 Severity: High

In Xorg-Server before version 1.20.9 several input validation failures in X server extensions were found. These can lead to local privilege escalation (to root) if the X server is running privileged. These have been assigned CVE-2020-14360, CVE-2020-14346, CVE-2020-14361 and CVE-2020-14362.

To fix this, update to at least Xorg-Server-1.20.9 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.0 001 LibX11 Date: 2020-09-03 Severity: High

Effective 2020-09-03

In libX11 before version 1.6.12 an integer overflow and a double-free were found, which could lead to privilege escalation. This has been assigned CVE-2020-14363.

To fix this, update to at least libX11-1.6.12 using the instructions for Xorg Libraries (sysv) or Xorg Libraries (systemd).