BLFS-10.0 was released on 2020-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
A security vulnerability was found in BIND that could result in a crash or potentially remote code execution if the server uses GSSAPI/SPNEGO. Apply the sed in the page linked in the advisory and rebuild BIND. 10.0-093
A variety of vulnerabilities were found in BIND. Most could cause a crash but one allows privilege escalation by someone with authority to change a subset of the zone's content. Update to BIND-9.6.16 or later. 10.0-005
An integer overflow in brotli before version 1.0.9 can lead to a crash. Update to brotli-1.0.9 or later. 10.0-006
An application using C-Ares versions from 1.16.0 to 1.17.0 allows an attacker to trigger a Denial of Service by getting the application to resolve a DNS record with an unexpectedly large number of responses. Update to C-Ares-1.17.1 or later. 10.0-039
The mount.cifs program was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. Update to cifs-utils-6.11 or later. 10.0-004
An out of bounds memory write was discovered in Cryptsetup. Note that this only affects 32-bit builds of cryptsetup. To fix this, update to at least cryptsetup-2.3.4. 10.0-008
cURL before version 7.74.0 has two vulnerabilities rated as High, an uncontrolled recursion and an improper check for certificate revocation, as well as one rated as Low. To fix these, update to curl-7.74.0 or later. 10.0-050
In Dovecot before version 2.3.13, if IMAP hibernation has been enabled (it is off by default) an attacker can access other users' emails and filesystem information. Fix this by updating to dovecot-2.3.13 or later. A workaround is to disable IMAP hibernation: to do that, ensure imap_hibernate_timeout is either set to 0 or unset. 10.0-060
ffmpeg-4.3.2 fixed two medium-severity arbitrary code execution vulnerabilities that could occur when processing crafted media files. Update to ffmpeg-4.3.2 or later. 10.0-098
In firefox 78.8.0 three vulnerabilities rated as High were fixed. Update to firefox-78.8.0 or later. 10.0-099
In firefox before 78.7.1 a vulnerability in the Angle graphics library was rated as Critical and a CVE was requested. It has now been clarified that this only affected Windows operating systems.
In firefox 78.7.0 several vulnerabilities rated as High were fixed. Update to firefox-78.7.0 or later. 10.0-071
In firefox before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. Update to firefox-78.6.1 or later. 10.0-063
Several vulnerabilities were found in firefox before 78.6.0, of which one was rated as critical. Update to firefox-78.6.0 or later. 10.0-053
Several vulnerabilities were found in firefox before 78.5.0, of which two were rated as high. Update to firefox-78.5.0 or later. 10.0-036
An exploitable use-after-free was found in firefox before 78.4.1. Update to firefox-78.4.1 or later. 10.0-030
Four vulnerabilities including a memory safety bug rated as High were fixed in firefox-78.3.0. Update to firefox-78.3.0 or later. 10.0-014
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file. 10.0-102
In FreeType from 2.6 to 2.10.3 there was a vulnerability in handling embedded PNG bitmaps which was being actively exploited. 10.0-024
Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service (infinite loop) which can, for example, be triggered using a crafted GIF image with LZW compression. To fix this, update to gdk-pixbuf-2.42.2 or later. 10.0-049
Glib before 2.66.6 was vulnerable to integer truncation leading to potentially exploitable heap-overflow vulnerabilities. The issue was raised in a public report, so this is now classed as a zero-day vulnerability requiring urgent update to Glib-2.66.1 or later. 10.0-079
Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs. Update to Glib-2.66.1 or later. 10.0-018
A critical security bug was discovered in GnuPG 2.2.21 as shipped in BLFS 10.0, and in 2.2.22. This vulnerability will trigger whenever a key with preference lists for the AEAD algorithms is loaded, and can be exploited. Update to GnuPG-2.2.23 or later. 10.0-007
gnome-autoar before 0.3.0 was vulnerable to a directory traversal vulnerability due to insufficient checks on symbolic links. Update to gnome-autoar-0.3.0 or later. 10.0-089
A null-pointer dereference in GnuTLS, causing a remotely triggered crash in the client application, was found. Update to GnuTLS-3.6.15 or later. 10.0-003
In GPTfdisk before version 1.0.6, in rare cases an improperly formatted MBR partition table could lead to arbitrary code execution when running gdisk or cgdisk. To fix this, update to GPTfdisk-1.0.6 or later. 10.0-074
Emergency releases of Gstreamer-1.18.1 packages, and also of 1.16.3, were made to fix several vulnerabilities. 10.0-026
Two vulnerabilities were found in ImageMagick, a division by zero causing Denial of Service, and the -authenticate option to set a password for password-protected PDF files was not properly sanitized, allowing users to inject additional shell commands. 10.0-067
On Intel Skylake Xeon and Cascade Lake Xeon processors, an authenticated user can potentially enable information disclosure via local access through two vulnerabilities. To fix these, update affected machines to microcode-20210216 or later. 10.0-094
One vulnerability has been found in jasper-2.0.24. To fix it, update to JasPer-2.0.25 or later. 10.0-084
BLFS had been using JasPer-2.0.14, not aware that the upstream location had moved. In versions before JasPer-2.0.24 more than 25 vulnerabilities were present, mostly either causing a crash or otherwise rated as High. To fix these, update to JasPer-2.0.24 or later. 10.0-080
In Jinja2 before 2.11.3, a denial-of-service attack was possible via a malformed regex string. This vulnerability exists from 0.0.1 all the way to 2.11.3. Update to Jinja2-2.11.3 or later. 10.0-087
In the javascript code of firefox-78.7.0 there is a fix for a 'Use-after-poison' vulnerability leading to a potentially exploitable crash. To fix this, update to JS-78.7.0. 10.0-072
Several vulnerabilities were found in firefox before 78.5.0, of which one was in the javascript (js/src) code. To fix this, update to JS-78.5.0 or later. 10.0-037
An exploitable use-after-free was found in JS78 before 78.4.1. Update to JS-78.4.1 or later. 10.0-031
A vulnerability in Kerberos 5 before krb5-1.18.3 allowed a Denial of Service to be triggered when decoding Kerberos protocol messages. 10.0-040
In Libass-0.14.0 there was a vulnerability from a signed integer overflow. To fix this, update to Libass-0.15.0 or later. 10.0-027
Three vulnerabilities were found in LibEXIF-0.6.22. To fix these, apply the libexif-0.6.22-security_fixes-1.patch until a later release is available. 10.0-045
In Libgcrypt-1.9.0 there is a heap-based buffer overflow. To fix this, update to libgcrypt-1.9.1 or later. 10.0-085
The changes file for Libpcap-1.10.0 mentions several security fixes. To apply these, update to Libpcap-1.10.0 or later. 10.0-059
In libX11 an integer overflow and double-free was found. Update to libX11-1.6.12 or later. 10.0-001
Three vulnerabilities leading to Denial of Service were found in LibXML2-2.9.10. 10.0-044
A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website. Update to LXML-4.6.2 or later. 10.0-023
Four CVE vulnerabilities were identified in MariaDB before version 10.5.7. Update to mariadb-10.5.7 or later. 10.0-029
In mutt through version 2.0.4 it was possible to cause a Denial of Service (the specific mailbox became unreadable) by sending a message with sequences of semicolons in RFC822 fields, causing large memory consumption. To fix this, update to mutt-2.0.5 or later. 10.0-068
Mutt before version 2.0.2 had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. To fix this, update to mutt-2.0.2 or later. 10.0-046
In Node.js before 14.16.0, three high severity security vulnerabilities were discovered. One of them can lead to resource exhaustion, another is an integer overflow, and the other is a DNS rebinding attack. Update to v14.16.0 or later. 10.0-101
In Node.js before 12.20.1 or 14.15.4, a high severity vulnerability (use after free, leading to Denial of Service or other exploits) as well as two medium severity vulnerabilities were found. Update to v14.15.4 or later, or alternatively, if remaining with the v12 series, update to v12.20.1 or later. 10.0-062
An attacker could cause a Denial of Service via a DNS request for a host of their choice which resulted in an unexpectedly large number of responses. Update to v14.15.1 or later, or if remaining with the v12 series update to v12.19.1 or later. 10.0-038
Multiple security vulnerabilities were discovered in Node.js, including two marked as High. Update to Node.js-12.18.4 or later. 10.0-012
A vulnerability in CCS (ChangeCipherSpec) handling, which could allow a remote attacker to cause a denial of service for servers linked against NSS, was discovered. Update to NSS-3.58 or later. 10.0-022
In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high (heap-based buffer overflows) and two rated as Medium (crashes on crafted files) as well as several other security fixes. 10.0-058
In P11-Kit up to 0.23.21 there are multiple integer overflows in the array allocations, and a heap-based buffer overflow. Update to p11-kit-0.23.22 or later. 10.0-054
The perl.com domain was stolen and is currently hosted at an address associated with malware. Anyone who uses the 'cpan' command to build perl modules should ensure that www.cpan.org is used to provide the urllist. 10.0-077
In PHP before versions 7.4.15 and 8.0.2, according to Arch, PHP will crash with a SIGSEGV via a null-pointer dereference whenever XML is provided to the SoapClient query() function without an existing field. To fix this, update to PHP-8.0.2 or later (or 7.4.15 or later if using the old series). 10.0-083
In PHP before 7.4.14 and 8.0.1, FILTER_VALIDATE_URL accepts URLs with invalid userinfo. To fix this, update to PHP-8.0.1 or later (or 7.4.14 or later if using the old series). 10.0-064
PHP before 7.4.11 had two CVE vulnerabilities. To fix these, update to PHP-7.4.11 or later. 10.0-019
A high severity heap-based buffer overflow via a crafted PDF was reported against Poppler-20.12.1, but later reports indicate that this only applies to Poppler git clones in late December 2020 (which might be used by third-party projects). For BLFS no action is now necessary. 10.0-061
A number of vulnerabilities were fixed in PostgreSQL-13.1. Update to postgresql-13.1 or later. 10.0-034
Two vulnerabilities were fixed in PostgreSQL-13.2 that could lead to unauthorized users acquiring data from a database. Update to postgresql-13.2 or later. 10.0-090
Python-3.9.2 fixes two security vulnerabilities, one marked as critical and the other as medium. The critical vulnerability can result in remote code execution. Update to Python-3.9.2 or later. 10.0-097
Python-3.9.1 includes three security fixes. Update to Python-3.9.1 or later. 10.0-051
The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from Chrome, of which four were 0day fixes. The rest of Qt5 includes many bug fixes, some of which include heap buffer overflows. Update to at least Qt-5.15.2 and QtWebEngine-5.15.2. 10.0-042
Many security vulnerabilities were discovered in Qt5-5.15.0 and QtWebEngine. Update to at least Qt-5.15.1 and QtWebEngine-5.15.1. 10.0-011
A heap overflow vulnerability in Raptor can lead to an out-of-bounds write. Patch raptor-2.0.15 with the security_fixes-1.patch since upstream is inactive. 10.0-035
The bundled WEBrick HTTP server in ruby before 2.7.2 had a vulnerability which could lead to an HTTP Request Smuggling attack. Update to ruby-2.7.2 or later. 10.0-020
Three CVE vulnerabilities were identified in Samba before version 4.13.1. Update to 4.13.1 or later. 10.0-028
A critical security vulnerability in Samba was discovered, dubbed "ZeroLogon". This vulnerability classifies as an authentication bypass, and is rated a 10.0 on the CVSSv3 scale. Update to Samba-4.12.7 or later. 10.0-013
In screen-4.8.0, a security vulnerability was found that could potentially lead to shell injection or a denial-of-service via processing a crafted UTF-8 character sequence. This was originally discovered being used to compromise Minecraft servers. Apply the patch in the advisory to Screen and recompile it. 10.0-096
Fixes from firefox-78.4.1 to 78.6.0, and from thunderbird-78.6.0 were included in seamonkey-2.53.6. Update to seamonkey-2.53.6 or later. 10.0-069
The javascript vulnerability in JS-78.4.1 and firefox-78.4.1 also applies to seamonkey-2.53.4. Update to seamonkey-2.53.5 or later. 10.0-032
Security fixes from firefox-60.6 up to firefox ESR-78.1 were included in Seamonkey-2.53.4. Update to Seamonkey-2.53.4 or later. 10.0-015
In Stunnel-5.57 the "redirect" option was fixed to properly handle "verifyChain = yes". Update to stunnel-5.57 or later. 10.0-021
In Subversion before 1.14.1, there exists a remotely exploitable denial-of-service vulnerability that does not require authentication. This vulnerability can also cause the HTTPD webserver to crash. Update to Subversion-1.14.1 or later. 10.0-086
In Sudo before 1.9.5p2 the 'Baron Samedi' exploit allows privilege escalation. Update to 1.9.5p2 or later. 10.0-073
In Sudo before 1.9.5 there are two privilege escalation vulnerabilities, one marked as High. 10.0-065
In systemd-220 and later, a security vulnerability exists that allows a local attacker to crash your system by mounting a FUSE filesystem with a file path longer than 8MB. The crash occurs when reading /proc/self/mountinfo, and manifests itself as a kernel panic because PID1 (init) crashes. Because of the changes coming in LFS 11.0, updating to systemd-249 (with the patch) is not feasible. However, a patch has been created for LFS 10.0/systemd-246. See the advisory linked for more information. The patch replaces the current systemd-246-security_fix-1.patch. 10.1-081
systemd-249 fixed a security vulnerability that could allow a remote attacker to reconfigure the network settings on your computer. Because of its severity and the ease of exploitation, a patch has been prepared for LFS 10.0/systemd-246. See the advisory linked for more information. 10.1-072
In taglib-1.11.1, a security vulnerability was found that could allow information disclosure via a crafted OGG file. Update to taglib-1.12 or later. 10.0-092
In general, flaws in Mozilla advisories for Thunderbird cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
In thunderbird before 78.8.0 there were three vulnerabilities rated as High. To fix these, update to Thunderbird-78.8.0 or later. 10.0-100
In thunderbird before 78.7.0 there were various vulnerabilities rated as High. To fix these, update to Thunderbird-78.7.0 or later. 10.0-078
In thunderbird before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. To fix this, update to Thunderbird-78.6.1 or later. 10.0-066
Several vulnerabilities were fixed in Thunderbird-78.6.0, of which one was rated as Critical. To fix these, update to Thunderbird-78.6.0 or later. 10.0-056
Several vulnerabilities were fixed in Thunderbird-78.5.0, of which two were rated as High. To fix these, update to thunderbird-78.5.0 or later. 10.0-041
The javascript vulnerability fixed in firefox-78.4.1 also applies to thunderbird. To fix this, update to thunderbird-78.4.2 or later. 10.0-033
Three vulnerabilities rated as High were fixed in thunderbird-78.4.0. To fix these, update to thunderbird-78.4.0 or later. 10.0-025
Five vulnerabilities were fixed in thunderbird-78.3.0, including a memory safety bug rated as High, but users of that version of thunderbird reported numerous crashes. To fix the vulnerabilities and the crashes, update to thunderbird-78.3.1 or later. 10.0-016
Unbound up to and including version 1.12.0 contains a vulnerability that allows a local symlink attack. 10.0-047
In VLC Media Player up to and including version 3.0.11 a remote user could create a specially crafted file or stream that would lead to crashes and potential information leakage, or perhaps arbitrary code execution. 10.0-075
Three vulnerabilities in Vorbis Tools 1.4.0 could cause crashes. To fix these, update to vorbis-tools-1.4.2 or later. 10.0-070
A vulnerability that leads to arbitrary code execution when processing some forms of multimedia was found in WebKitGTK. To fix this, upgrade to webkitgtk-2.30.5 or later. 10.0-091
Five vulnerabilities rated as High were found in WebKitGTK. To fix these, upgrade to webkitgtk-2.30.3 or later. 10.0-043
Wireshark up to 3.4.2 had vulnerabilities for a memory leak and a crash. To fix these, update to Wireshark-3.4.3 or later. 10.0-076
A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1 was raised and allocated a CVE, but it was later determined that the bug was not present in any released version of Wireshark. No action is necessary. 10.0-057
Four Medium Security Advisories which could cause Wireshark to crash were fixed in Wireshark-3.4.1, but in addition the editors had overlooked a High severity item fixed in Wireshark-3.4.0. To fix all of these, update to Wireshark-3.4.1 or later. 10.0-055
Three Security Advisories (wnpa-sec-2020-11,12,13) were fixed in Wireshark-3.2.7, detailed at Wireshark Security. To fix these, update to wireshark-3.2.7 or later. 10.0-017
In Xorg-Server before version 1.20.10 two input validation failures in X server extensions were found. These can lead to local privilege escalations (to root) if the X server is running privileged. Update to Xorg-Server-1.20.10 or later. 10.0-048
In Xorg-Server before version 1.20.9 several input validation failures in X server extensions were found. These can lead to local privilege escalations (to root) if the X server is running privileged. Update to Xorg-Server-1.20.9 or later. 10.0-002
In xterm before 366, a denial of service vulnerability was found that could lead to a crash with certain UTF-8 characters. Update to xterm-366 or later. 10.0-088