LFS Security Advisories for LFS 12.0 and the current development books.

LFS-12.0 was released on 2023-09-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newest comes first.

The links at the end of each item point to fuller details which have links to the development books.

Glibc

In LFS the only safe way to update to a newer Glibc is to build a new system, but reinstalling the same Glibc version with the patches provided in the security advisories should be safe.

12.0 018 Glibc Date: 2023-10-03 Severity: High

In Glibc 2.34 through 2.38, there is a buffer overflow in the dynamic linker's handling of the GLIBC_TUNABLES environment variable (CVE-2023-4911) which can lead to a trivially exploitable local privilege escalation through any setuid program.

Please read the link and fix the vulnerability immediately if you are running LFS 11.0, 11.1, 11.2, 11.3, or 12.0. 12.0-018

12.0 012 Glibc Date: 2023-09-24 Severity: Low

In Glibc versions from an unknown starting point (at least 2.17) through 2.35, there is a vulnerability in getaddrinfo() which can lead to a denial of service if /etc/nsswitch.conf contains an unsupported configuration.

Please read the link to assess the severity of this for your use case, and what action to take. 12.0-012

12.0 005 Glibc Date: 2023-09-13 Severity: Low

In Glibc versions from an unknown starting point (at least 2.17) through 2.38, there is a vulnerability in getaddrinfo() (CVE-2023-4806) which can lead to a denial of service, but only with custom NSS modules configured in /etc/nsswitch.conf and in extremely rare situations.

Please read the link to assess the severity of this for your use case, and what action to take. 12.0-005

12.0 004 Glibc Date: 2023-09-12 Severity: Medium

In Glibc-2.36, 2.37, and 2.38 there is a vulnerability in the DNS resolver (CVE-2023-4527) which can lead to a denial of service or information disclosure when processing long DNS responses, but only if the no-aaaa option is enabled in /etc/resolv.conf.

Please read the link to assess the severity of this for your use case, and what action to take. 12.0-004
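The four Glibc advisories above each apply to a version range, and two of them only matter with a particular /etc/nsswitch.conf or /etc/resolv.conf configuration. The following script is an added example for this page, not LFS project code: it compares the installed Glibc version (as reported by ldd) against the ranges stated in 12.0-004, 12.0-005, 12.0-012 and 12.0-018, and greps the two configuration conditions those advisories mention. The sample configuration texts embedded in it are constructed for the example; the functions can be pointed at the real files with "$(cat /etc/resolv.conf)" and "$(cat /etc/nsswitch.conf)".

```shell
#!/bin/sh
# Added example for this page (not LFS project code): check an installed Glibc
# against the affected version ranges stated in advisories 12.0-004, 12.0-005,
# 12.0-012 and 12.0-018, and look for the configuration conditions those
# advisories mention. The sample configuration texts below are constructed.

# Return 0 if dotted version $1 is less than or equal to $2.
# Relies on sort -V from GNU coreutils, which LFS installs.
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Return 0 if version $1 lies within [$2, $3] inclusive.
ver_in_range() {
    ver_le "$2" "$1" && ver_le "$1" "$3"
}

# Print the advisory ids from this page whose version range covers Glibc $1,
# newest first, matching the page's ordering. The lower bound 2.17 for 12.0-012
# and 12.0-005 is the "at least 2.17" the page gives; the true start is unknown.
glibc_advisories_for() {
    ver_in_range "$1" 2.34 2.38 && echo 12.0-018
    ver_in_range "$1" 2.17 2.35 && echo 12.0-012
    ver_in_range "$1" 2.17 2.38 && echo 12.0-005
    ver_in_range "$1" 2.36 2.38 && echo 12.0-004
    return 0
}

# Version reported by the installed dynamic linker, e.g. "2.38".
installed_glibc_version() {
    ldd --version 2>/dev/null | head -n 1 | sed 's/.* //'
}

# Return 0 if resolv.conf text $1 enables the no-aaaa option (12.0-004).
# Comments are stripped first; the option may sit anywhere on an "options" line.
resolv_has_no_aaaa() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '^[[:space:]]*options([[:space:]]+[^[:space:]]+)*[[:space:]]+no-aaaa([[:space:]]|$)'
}

# Print each NSS database in nsswitch.conf text $1 that names a service other
# than the "files" and "dns" services the LFS book configures. Such a line means
# a custom or non-default NSS module is in use (12.0-005) or the configuration
# is one to check against 12.0-012. Action tokens like [NOTFOUND=return] are
# not services and are skipped.
nsswitch_nondefault() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -F: '
        NF >= 2 {
            db = $1; gsub(/[ \t]/, "", db)
            n = split($2, svc, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (svc[i] != "" && svc[i] != "files" && svc[i] != "dns" && svc[i] !~ /^\[/) {
                    print db; break
                }
        }'
}

# Constructed sample inputs (not copied from any real system).
SAMPLE_RESOLV='nameserver 192.0.2.1
options no-aaaa timeout:2'
SAMPLE_NSSWITCH='# constructed sample
passwd: files
hosts: files ldap [NOTFOUND=return] dns
networks: files'

v=$(installed_glibc_version)
if [ -n "$v" ]; then
    echo "installed Glibc $v, advisories on this page covering it:"
    glibc_advisories_for "$v"
fi
resolv_has_no_aaaa "$SAMPLE_RESOLV" && echo "sample resolv.conf enables no-aaaa (see 12.0-004)"
echo "sample nsswitch.conf databases using non-default services (see 12.0-005, 12.0-012):"
nsswitch_nondefault "$SAMPLE_NSSWITCH"
```

A version match only means the advisory's range covers the installed release; an LFS system rebuilt with the patch from the advisory still reports the same version, so record which advisory patches have been applied rather than relying on the version string alone.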

OpenSSL

12.0 035 OpenSSL Date: 2023-11-01 Severity: Medium

In openssl-3.1.4, a security vulnerability (CVE-2023-5363) was fixed in which incorrect processing of key and IV lengths during the initialization of some symmetric ciphers could lead to truncation or overruns. Update to openssl-3.1.4. 12.0-035

Python3

12.0 001 Python3 Date: 2023-09-03 Severity: Medium

In Python-3.11.5, a security vulnerability (CVE-2023-40217) was fixed that could allow the TLS handshake to be bypassed on ssl.SSLSocket instances, so that data could pass over a socket the application believed to be protected by TLS. Update to python-3.11.5. 12.0-001