LFS Security Advisories for LFS 11.2 and the current development books.

LFS-11.2 was released on 2022-09-01

dbus

11.2 018 dbus (LFS and BLFS) Date: 2022-10-28 Severity: Medium

In dbus-1.14.4, three security vulnerabilities were fixed that could allow unprivileged local attackers to cause denial of service (crashes of the system dbus-daemon, as well as of any program that uses the libdbus library). Update to dbus-1.14.4 or later. 11.2-018

Expat

11.2 030 Expat Date: 2022-11-01 Severity: High

In expat-2.5.0, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service when a system is running low on memory while processing a DTD. Update to expat-2.5.0 or later. 11.2-030

11.2 009 Expat Date: 2022-09-23 Severity: Critical

In expat-2.4.9, a critical security vulnerability was fixed in the doContent function that could allow for arbitrary code execution or denial of service. Update to expat-2.4.9 immediately. 11.2-009

Inetutils

11.2 031 Inetutils (LFS) Date: 2022-11-01 Severity: High

In inetutils-2.4, two security vulnerabilities were fixed that could allow for denial of service or remote code execution. Additional bug fixes for crashes in the 'ftp' and 'tftp' programs are included as well. Update to inetutils-2.4 or later if you use telnet, telnetd, ftp, or tftp. 11.2-031

Linux Kernel

11.2 070 Linux Kernel (LFS) Date: 2023-01-19 Severity: Critical

In Linux-6.1.6 (and Linux-5.15.89), several security vulnerabilities were fixed in a variety of subsystems, including drivers, core networking, multimedia, /proc filesystem, networking daemons, and the sysctl subsystem. Update to Linux-6.1.6 or Linux-5.15.89 (LTS) immediately. 11.2-070

11.2 049 Linux Kernel (LFS) Date: 2022-12-04 Severity: Medium

In Linux-6.0.11, a security vulnerability was fixed that affects the integrated graphics of 12th-generation Intel processors. It allows an attacker to gain unauthorized access to physical memory through the GPU. Update to Linux-6.0.11 or Linux-5.15.81 (LTS). 11.2-049

11.2 047 Linux Kernel (LFS) Date: 2022-11-23 Severity: Medium

In Linux-6.0.8, three security vulnerabilities were fixed, including one that allows local unprivileged attackers to cause a kernel panic (and potentially arbitrary code execution if KASLR is disabled or bypassed) with a malicious USB device. Update to Linux-6.0.8 or Linux-5.15.78 (LTS). 11.2-047

11.2 029 Linux Kernel (LFS) Date: 2022-11-01 Severity: Medium

In Linux-6.0.6, a security vulnerability was fixed that allows local unprivileged attackers to cause a kernel panic when using an ext4 filesystem. Update to Linux-6.0.6 or Linux-5.15.76 (LTS). 11.2-029

11.2 016 Linux Kernel (LFS) Date: 2022-10-28 Severity: Critical

In Linux-6.0.2, several security vulnerabilities were fixed that could allow for denial of service, arbitrary code execution (especially when using WiFi networks), and the ability to read memory from anywhere on the system. Update to Linux-6.0.2 or Linux-5.15.75 (LTS) immediately. 11.2-016

OpenSSL

11.2 032 OpenSSL (LFS) Date: 2022-11-01 Severity: High

In OpenSSL-3.0.7, three security vulnerabilities were fixed that could allow for remote code execution, denial of service, and the silent use of NULL encryption. Update to OpenSSL-3.0.7 or later immediately on ANY system that has OpenSSL-3 installed. 11.2-032

Python3

11.2 060 Python3 (LFS and BLFS) Date: 2022-12-26 Severity: High or Critical

In Python-3.11.1, five vulnerabilities were fixed, one of them rated High. Updating from one Python3 series to the next requires rebuilding all installed modules, so if you are staying on Python-3.10 you should instead update to Python-3.10.9, which includes a Critical fix as well as an additional fix rated High that was already included in 3.11.0. Update to 3.11.1 or later, or to 3.10.9 or later, as appropriate. 11.2-060

11.2 021 Python3 (LFS and BLFS) Date: 2022-10-28 Severity: High

In Python-3.10.8, three security vulnerabilities were fixed that could allow for integer overflows, shell code injection, and unsafe text injection when some modules are used. Update to Python-3.10.8 or later. 11.2-021

11.2 005 Python3 (LFS and BLFS) Date: 2022-09-14 Severity: High

In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (application crash) due to algorithmic complexity. Update to Python-3.10.7 or later. 11.2-005

systemd

11.2 061 systemd (LFS and BLFS) Date: 2022-12-28 Severity: High

In systemd-241 and later, a security vulnerability was discovered that could allow for a local information leak and privilege escalation because systemd-coredump did not respect the fs.suid_dumpable kernel setting. Rebuild systemd with the patch. 11.2-061

zlib

11.2 036 zlib (LFS) Date: 2022-11-09 Severity: Critical

In zlib-1.2.13, a security vulnerability was fixed that could allow for trivial arbitrary code execution due to a buffer overflow in inflateGetHeader(). Update to zlib-1.2.13 immediately and take note of the special instructions for stripping. 11.2-036
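As an added example (not part of the LFS advisory page or of the LFS project itself), the following POSIX shell script compares the installed versions of the packages listed above against the fixed versions from these advisories. The minimum versions come from the entries above; the branch rules for the kernel (5.15.89 for the 5.15 LTS series, otherwise 6.1.6) and for Python (3.10.9 for the 3.10 series, otherwise 3.11.1) follow 11.2-070 and 11.2-060. How each version is discovered (the pkg-config module names, uname -r, and the programs' own --version output) is an assumption about a typical LFS system, not something the advisories state. systemd (11.2-061) is fixed by a patch rather than a version bump, so it is only listed as a reminder.

```shell
#!/bin/sh
# Added example: check an LFS 11.2 system against the advisories above.
# Not from the LFS project; probing commands are assumptions.

# version_ge A B: succeed when dotted numeric version A is >= B.
# Non-numeric suffixes ("6.1.6-lfs", "3.0.7+quic") are cut off first;
# missing components count as zero, so 2.4 == 2.4.0.
version_ge() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${ac:-0}" -gt "${bc:-0}" ] && return 0
        [ "${ac:-0}" -lt "${bc:-0}" ] && return 1
    done
    return 0
}

# required_version PKG INSTALLED: print the minimum fixed version from the
# advisories. For the kernel and Python the fix depends on the release
# series in use, so the installed version selects the branch.
required_version() {
    case $1 in
        dbus)      echo 1.14.4 ;;   # 11.2-018
        expat)     echo 2.5.0 ;;    # 11.2-030 (supersedes 11.2-009)
        inetutils) echo 2.4 ;;      # 11.2-031
        openssl)   echo 3.0.7 ;;    # 11.2-032
        zlib)      echo 1.2.13 ;;   # 11.2-036
        linux)     case $2 in 5.15.*) echo 5.15.89 ;; *) echo 6.1.6 ;; esac ;;   # 11.2-070
        python3)   case $2 in 3.10.*) echo 3.10.9 ;; *) echo 3.11.1 ;; esac ;;   # 11.2-060
        *)         return 1 ;;
    esac
}

# check_package PKG INSTALLED: print a verdict; return 0 when INSTALLED
# already carries the fix, 1 when the package is still affected.
check_package() {
    req=$(required_version "$1" "$2") || { echo "$1: no advisory in this list"; return 0; }
    if version_ge "$2" "$req"; then
        echo "ok       $1 $2 (fixed in $req)"
        return 0
    fi
    echo "UPDATE   $1 $2 -> $req or later"
    return 1
}

# installed_version PKG: probe the running system (assumed probes: pkg-config
# for the libraries, uname for the kernel, --version output for the programs).
# Prints nothing when the package or probe is absent.
installed_version() {
    case $1 in
        dbus)      pkg-config --modversion dbus-1 2>/dev/null ;;
        expat)     pkg-config --modversion expat 2>/dev/null ;;
        openssl)   pkg-config --modversion openssl 2>/dev/null ;;
        zlib)      pkg-config --modversion zlib 2>/dev/null ;;
        linux)     uname -r ;;
        python3)   v=$(python3 --version 2>/dev/null) && echo "${v#Python }" ;;
        inetutils) telnet --version 2>/dev/null | { read -r line; echo "${line##* }"; } ;;
    esac
}

# check_system: run every listed package through check_package.
# Returns 1 if any package still needs updating.
check_system() {
    failed=0
    for pkg in dbus expat inetutils linux openssl python3 zlib; do
        v=$(installed_version "$pkg")
        if [ -z "$v" ]; then
            echo "skip     $pkg (not found)"
            continue
        fi
        check_package "$pkg" "$v" || failed=1
    done
    echo "manual   systemd: confirm the 11.2-061 patch is applied (not detectable by version)"
    return $failed
}

# As the last command, check_system also sets the script's exit status.
check_system
```

A "skip" line means the probe found nothing, not that the package is safe; on a system where a library is installed without its .pc file, pass the version to check_package by hand. The kernel rule deliberately sends a 6.0.x kernel to 6.1.6, because 11.2-070 lists no fixed 6.0 release.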