BLFS-10.1 was released on 2021-03-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
Two security vulnerabilities were fixed in apache-ant-1.10.11 that could lead to out-of-memory conditions when extracting JARs, ZIPs, and TARs during a build process. To fix these, update to apache-ant-1.10.11 or later. 10.1-076
Seven vulnerabilities were fixed in httpd-2.4.48, of which three were rated as moderate by upstream. To fix these update to Apache HTTPD-2.4.48 or later. 10.1-060
In apr-1.7.0, an easily-exploitable security vulnerability exists that allows for an out-of-bounds array read by using a month greater than 12 inside of an input to some APR functions. This vulnerability was originally fixed in 2017, but the fix was not carried over into the apr-1.7.x branch due to a problem in Apache's Subversion repositories. It has been fixed with a sed in the development book, which you should apply. 10.1-102
A security vulnerability was discovered in Avahi that could allow a local attacker to trigger an infinite loop by writing long lines to /run/avahi-daemon/socket. To fix this, apply a sed in the Avahi page. For more details, see the advisory linked here: 10.1-028
In BIND-9.16.20, a trivial-to-exploit remote denial of service vulnerability was fixed. The National Vulnerability Database and ISC have rated this vulnerability as High. To fix this, update to BIND-9.16.20 or later. 10.1-097
In BIND-9.16.15, three security vulnerabilities were fixed, one of which can result in remote code execution on 32-bit platforms. The other two vulnerabilities result in crashes when certain queries are executed against the DNS server. To fix these, update to BIND-9.16.15 or later. 10.1-037
In c-ares-1.17.2, a security vulnerability was fixed that could allow for domain hijacking due to improper input validation. The developers suggest upgrading immediately to c-ares-1.17.2. Update to c-ares-1.17.2 or later. 10.1-090
In cifs-utils-6.13, a security vulnerability was fixed that could lead to privilege escalation or authentication credential leaks when running the "cifs.upcall" command when Kerberos support is enabled. Update to cifs-utils-6.13 or later. 10.1-030
In cURL-7.78.0, four security vulnerabilities were fixed. Two of them could allow for passwords to be disclosed when using the metalink feature and also for the metalink feature to download malicious content due to a lack of verification on hashes. Another security vulnerability allows for certificate store bypass, and the last vulnerability allows for TELNET stack leaks again, including sensitive information such as passwords being leaked over a plain-text network protocol. This is due to an incomplete fix being released in cURL-7.77.0. To fix these, update to cURL-7.78.0 or later. 10.1-079
In cURL-7.77.0, three security vulnerabilities were fixed. One of them only applies to Windows. The second vulnerability allows for the contents of the stack to be leaked to a remote attacker while TELNET sessions are in use, and the third allows for remote code execution through an HTTPS session. To fix these, update to cURL-7.77.0 or later. 10.1-051
In cURL-7.76.0 two vulnerabilities were fixed. They may lead to disclosure of sensitive information or authentication bypass. To fix these, update to cURL-7.76.0 or later. 10.1-020
ISC DHCP-4.4.2-P1 fixed a buffer overrun vulnerability that could lead to a disruption of network services or for DHCP leases to be improperly terminated. Update to DHCP-4.4.2-P1 or later to fix this. 10.1-053
Dovecot-2.3.15 fixed two security vulnerabilities which could allow for command injection and path traversal. The highest risk is emails and passwords being forwarded to an attacker-controlled address, but the path traversal is known to allow for an authentication bypass over OAuth2. Update to dovecot-2.3.15 or later to fix these. 10.1-066
Exim-4.92.4 fixed 21 vulnerabilities, several of which allow for remote code execution, modification of mails, privilege escalation, arbitrary code execution, modification/deletion of system files, and more. If you have Exim installed, update to Exim-4.92.4 immediately. 10.1-038
Nine CVEs were fixed in Exiv2-0.27.4, all of which can be exploited remotely through a web browser. Most of these vulnerabilities are classified as denial of service, but some are information disclosure vulnerabilities as well as arbitrary code execution vulnerabilities. To fix these, update to exiv2-0.27.4 or later. 10.1-063.
Five CVEs in exiv2-0.27.3, one rated as High, have been fixed upstream but as yet there is no new release. To fix these apply the patch from the development books or upgrade to a later version when one is released. 10.1-046.
Fetchmail before version 6.4.20 was missing initialization of a variable, leading in some circumstances to reading from bad memory locations. This can cause it to log random information (information disclosure), or to segfault, stalling inbound mail. To fix this, update to fetchmail-6.4.20 or later. 10.1-085
If you are still using firefox-78 you should update to the current version of the firefox-91 series. See the updates for the BLFS-11.0 books.
In firefox 91.0.1 one vulnerability rated as High was fixed. This vulnerability does not apply to normal builds of legacy firefox-78. To fix this, update to firefox-91.0.1 or later. 10.1-095
In firefox 78.13.0 and 91.0, five vulnerabilities rated as High and one rated as moderate were fixed. To fix these either update to firefox-91.0 or later, or to legacy firefox-78.13.0 or later. 10.1-089
In firefox 78.12.0 two vulnerabilities rated as High were fixed. To fix these, update to firefox-78.12.0 or later. 10.1-075
In firefox 78.11.0 two vulnerabilities were fixed, one rated as High. To fix these, update to firefox-78.11.0 or later. 10.1-055
In firefox 78.10.0 several vulnerabilities were fixed, of which two are rated as High. To fix these, update to firefox-78.10.0 or later. 10.1-032
In firefox 78.9.0 several vulnerabilities were fixed, of which two are rated as High. To fix these, update to firefox-78.9.0 or later. 10.1-008
In Flac up to and including 1.3.3, a heap buffer overflow could lead to remote information disclosure. This has been fixed upstream but no new version has been released. To fix this apply the patch from the development books or upgrade to a later version if one is released. 10.1-022.
A medium severity security vulnerability was discovered in glib2 that may allow for arbitrary file overwrites to happen via a symlink attack. An additional high severity security vulnerability was discovered that allowed for unintended length truncation. To fix these, update to glib2-2.66.8 or later. 10.1-017
A client sending a "key_share" or "pre_shared_key" extension may cause GnuTLS to dereference a pointer that is no longer valid after realloc(). To fix this, upgrade to GnuTLS 3.7.1 or later versions. 10.1-004
Five security vulnerabilities were fixed in gstreamer-1.18.4. These vulnerabilities may lead to arbitrary code execution and application crashes. To fix this, upgrade the gstreamer stack to 1.18.4 or later. 10.1-007
Intel microcode for Skylake and later processors has been updated to fix three vulnerabilities, a privilege escalation via Virtualization for direct I/O, rated as High, and two potential disclosures of sensitive information via local access. To fix these, update affected machines to microcode-20210608 or later. 10.1-059
In the javascript JIT code of firefox-78.13.0 there is a fix for incorrect instruction reordering during JIT optimization, CVE-2021-29984. In BLFS, JS78 is used by GJS and Polkit, but neither uses JIT at the moment. To apply these fixes, upgrade to JS-78.13.0 or later. 10.1-088
In the javascript code of firefox-78.9.0 there are hardening fixes against Spectre attacks. To apply these, upgrade to JS-78.9.0 or later. 10.1-009
Some vulnerabilities (mishandling of symlinks) have been fixed in libarchive-3.5.2. The vulnerabilities may be exploited to overwrite file contents, flags, or ACL entries. To fix these, update to libarchive-3.5.2 or later. 10.1-100.
A denial of service and decryption vulnerability was fixed in libgcrypt-1.9.4. This vulnerability has existed since the year 2000. If you have libgcrypt installed, update to libgcrypt-1.9.4 as soon as possible. 10.1-101.
A denial of service vulnerability (divide by zero) was fixed in libjpeg-turbo-2.1.0. Note that only the 'cjpeg' tool is affected, and the worst impact is the 'cjpeg' program crashing, thus it has been rated as Low. Update to libjpeg-turbo-2.1.0 or later. 10.1-042.
In librsvg-2.50.4, a security vulnerability in a bundled rust crate was fixed that could lead to variables lasting for longer than originally expected, leading to memory corruption scenarios. Update to librsvg-2.50.4 or later. 10.1-031.
In Libssh2-1.9.0 and earlier, a crafted SSH server may be able to disclose sensitive information or cause a denial of service when the client connects. This has been fixed upstream but no new version has been released. To fix this apply the patch from the development books or upgrade to a later version if one is released. 10.1-023.
A security vulnerability was fixed in libuv-1.41.1 that could lead to information disclosure in applications that use libuv's ASCII converter or the uv_getaddrinfo() function. To fix this, update to libuv-1.41.1 or later. 10.1-073.
A security vulnerability was fixed in libX11-1.7.1 that could allow for API protocol command injection. This vulnerability has existed since 1986. This vulnerability is rated as critical because it can be exploited without user interaction and can lead to the X server's authorization protocol being disabled. Update to libX11-1.7.1 or later as soon as possible. 10.1-050.
A security vulnerability was fixed in libxml2-2.9.12 that may allow for resource exhaustion when processing a crafted XML file. This may occur through an exponential entity expansion attack, and it bypasses all existing protection mechanisms. Update to libxml2-2.9.12 or later. 10.1-047.
Improper input sanitization may lead to cross-site-scripting via JavaScript code being inserted into the output of an HTML file. This was fixed by adding proper input sanitization for the HTML5 formaction attribute. To fix this, update to lxml-4.6.3. 10.1-014.
Two difficult-to-exploit remote denial of service vulnerabilities were fixed in MariaDB-10.6.4. Successful exploitation may result in hangs or repeatable crashes of the MariaDB database server. Update to MariaDB-10.6.4. 10.1-087
Two easily exploitable remote denial of service vulnerabilities were fixed in MariaDB-10.5.10. Successful exploitation may result in repeatable crashes of the MariaDB database server. Update to MariaDB-10.5.10. 10.1-004
A security vulnerability exists in MC before 4.8.27 that could allow for a spoofing attack because SSH Fingerprints are not verified upon a successful SFTP connection. To fix this, update to MC-4.8.27. 10.1-096
A denial of service attack (daemon crash) may be performed by an attacker in a rarely used configuration. If you are using Kerberos as anything other than a build dependency, you should update immediately. To fix this, update to MIT Kerberos V5-1.19.2. 10.1-086
A double free may lead to memory corruption and other potential consequences. To fix this, apply the patch in the link. 10.1-003
A serious bug was found in the way that Nettle handles ECDSA signature verification that can lead to crashes, improper output, or other unspecified impacts. Update to Nettle-3.7.2 as soon as possible. 10.1-013.
In NetworkManager-1.32.2, a security vulnerability was fixed that could allow for a remote attacker to reconfigure your network settings in rare circumstances if a rare plugin (dhcp=systemd) was enabled. If you're using systemd-networkd to handle getting IP addresses via DHCP, update to NetworkManager-1.32.2 or later. 10.1-068
In NetworkManager-1.30.2, a security vulnerability was discovered that could result in an attacker crashing NetworkManager by setting a 'match.path' value in a Network file. To fix this, apply the sed in BLFS linked in the advisory. 10.1-029
Node.js-14.17.5 fixed three vulnerabilities, one rated as critical. To fix these, update to v14.17.5 or later. 10.1-091
Node.js-14.17.4 fixed a vulnerability to a use after free attack, where an attacker might be able to exploit the memory corruption to change process behaviour. Update to v14.17.4 or later. 10.1-084
Node.JS-14.17.2 fixed a security vulnerability that could lead to information disclosures in programs using Node's DNS module lookup() function. Update to v14.17.3 or later. 10.1-070
Node.JS-14.16.1 fixed three security vulnerabilities. Two are in OpenSSL and you should have already fixed those (10.1-011), the third is in the y18n package used in npm. Update to v14.16.1 or later. 10.1-025
21 security vulnerabilities were fixed in ntfs-3g-2021.8.22 that could lead to arbitrary code execution when processing NTFS metadata. The ntfs-3g developers suggest updating to 2021.8.22 immediately. These vulnerabilities can be exploited automatically when automounting is set up in Desktop Environments. Update to ntfs-3g-2021.8.22 or higher. 10.1-105
Six vulnerabilities were fixed in OpenJDK-16.0.2 that could allow for complete takeover of the JDK environment, unauthorized modification of data, and denial of service. Updating to OpenJDK-16.0.2 via the binary or the source version is recommended. Update to OpenJDK-16.0.2 or higher. 10.1-094
A vulnerability was fixed in OpenSSH-8.6p1 that was introduced in OpenSSH-8.5p1. OpenSSH-8.5p1 added the LogVerbose flag, which can be used to escape the sandbox of the lower-privileged process and lead to privilege escalation. Update to OpenSSH-8.6p1 if you use the LogVerbose option. 10.1-036
A difficult-to-exploit double-free security vulnerability was discovered in OpenSSH. Update to OpenSSH-8.5p1 if you use the "ssh-agent" program. 10.1-001
Two security vulnerabilities were fixed that could lead to infinite loops or OutOfMemory exceptions when processing crafted input. Update the supplemental JARs (PDFBox and FontBox) in FOP to 2.0.24 if you have FOP installed. 10.1-061
Two security vulnerabilities were fixed that could lead to infinite loops or OutOfMemory exceptions when processing crafted input. Update the supplemental JARs (PDFBox and FontBox) in FOP to 2.0.23 if you have FOP installed. 10.1-010
In PHP-8.0.8, two security vulnerabilities were fixed that could lead to remote code execution and attacker-controlled redirects. However, both options are used in uncommon situations. Update to PHP-8.0.8 if you use a Firebird database or if you are processing URLs in a PHP file. 10.1-069
In Polkit-0.119, a security vulnerability was fixed that could allow for local users to bypass authentication checks and execute commands in the context of the root user. This is due to improper error value detection. Update to Polkit-0.119 to fix this. 10.1-058
A security vulnerability was fixed in PostgreSQL-13.4 that could allow for authenticated database users to read arbitrary bytes in server memory via a purpose-crafted query. A workaround is present in the advisory, but updating to PostgreSQL-13.4 or later is suggested. 10.1-092
Three security vulnerabilities were fixed in PostgreSQL-13.3 that could allow for a remote attacker to read and write arbitrary locations in memory by executing certain database commands. Update to PostgreSQL-13.3 or later. 10.1-049
Multiple vulnerabilities are fixed in Python 3, but Python 2 has not received (and will not receive) any fixes since it is EOL'ed. It's recommended to stop using Python 2 and port the applications to use Python 3 instead. If you decide to keep using Python 2 anyway, you should at least rebuild it with a security patch. 10.1-019
In Python3 before 3.9.6, a security vulnerability exists that could allow for resource exhaustion due to an infinite loop in the http.client Python module. Update to Python-3.9.6 or later. 10.1-071
In Python3 before 3.9.4 'pydoc' can be used to read arbitrary files, including those containing sensitive data. Update to Python-3.9.4 or later. 10.1-035
An Out Of Bounds Read was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. 10.1-064
Many more CVEs (from Chromium) in QtWebEngine, most rated as High, have been fixed in the 5.15.6 version. Update to this or to a later version. 10.1-103
Several more CVEs (from Chromium) in QtWebEngine have been fixed. Update to the upstream_fixes-2 patch on top of the 20210401 tarball, or to a later version. 10.1-065
Many CVEs (from Chromium) in QtWebEngine have been fixed. Update to the upstream_fixes-1 patch on top of the 20210401 tarball, or to a later version. 10.1-040
Several CVEs (from Chromium) in QtWebEngine have been fixed in the snapshot dated 20210401. Update to this, or a later BLFS snapshot, using the instructions to install it as 5.15.2 to match the installed Qt5 version. 10.1-026
Many CVEs in QtWebEngine-5.15.2 have been fixed in version 5.15.3, but the release tarball and the rest of 5.15.3 is not yet available to non-commercial customers. Update to qtwebengine-5.15.3 (using a tarball taken from git, with instructions to install it as 5.15.2 to match the installed Qt5 version). 10.1-002
Three security vulnerabilities were fixed in Ruby-3.0.2, including attackers executing arbitrary commands via malicious RDoc files, manipulation of Net::FTP to return information about other systems, and a TLS bypass in Net::SMTP. It's suggested that you update to Ruby-3.0.2 as soon as possible. 10.1-074
An XML round-trip vulnerability was discovered in the REXML gem bundled with Ruby, and was fixed and released with ruby-3.0.1. This could lead to malicious code injection in XML files, or other unspecified impacts. Update to ruby-3.0.1 or later. 10.1-039
Eight vulnerabilities have been found in the rust standard library before 1.52.0, or in crates which use it. Update to rustc-1.52.0 or later. 10.1-041
A flaw in rxvt-unicode may result in remote code execution, and an exploit is available in the wild. This was fixed in rxvt-unicode-9.26. Update to rxvt-unicode-9.26 as soon as possible. 10.1-048
Samba-4.14.4 fixed a security vulnerability which, in some rare cases, could allow for a user to delete or modify files on network shares that they are not supposed to have access to. This vulnerability could allow for data confidentiality and integrity impacts, but also for crashes of the smbd server process. Update to Samba-4.14.4 (or 4.13.8) as soon as possible. 10.1-045
Samba-4.14.2 fixed two security vulnerabilities, which may lead to denial of service or disclosure of sensitive information. Update to Samba-4.14.2 or 4.13.7 as soon as possible. 10.1-016
The fixes from firefox-78.13.0 are understood to be included in seamonkey-2.53.9. To fix these, update to seamonkey-2.53.9 or later. 10.1-104
Fixes from firefox-78.12.0 were included in seamonkey-2.53.8.1. To fix these, update to seamonkey-2.53.8.1 or later. 10.1-082
Fixes from firefox-78.8.0 to 78.11.0 were included in seamonkey-2.53.8. This includes several Critical and High severity vulnerabilities. Update to seamonkey-2.53.8 or later as soon as possible. 10.1-067
Fixes from firefox-78.6.1 to 78.8.0 were included in seamonkey-2.53.6. This includes several Critical and High severity vulnerabilities. Update to seamonkey-2.53.7 or later as soon as possible. 10.1-021
In systemd-220 and later, a security vulnerability exists that will allow for a local attacker to crash your system by mounting a FUSE filesystem with a file path longer than 8MB present. The crash occurs when reading /proc/self/mountinfo, and manifests itself as a kernel panic due to PID1 (init) crashing. Because of the changes coming in LFS 11.0, updating to systemd-249 (with the patch) is not feasible. However, a patch has been created for LFS 10.1/systemd-247. See the advisory linked for more information. The patch replaces the current systemd-247-security_fix-1.patch. 10.1-081
In systemd-249, a security vulnerability was fixed that could allow for a remote attacker to reconfigure the network on your system. Because of the changes coming in LFS 11.0, updating to systemd-249 is not feasible. However, a patch has been created for LFS 10.1/systemd-249. See the advisory linked for more information. 10.1-072
In general, flaws in Mozilla advisories for Thunderbird cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
Several security vulnerabilities were fixed in Thunderbird-91.0, including some that deal with Thunderbird itself and not its HTML engine. One of the vulnerabilities can allow for remote attackers to inject attachments, mails, and folders into an IMAP session configured with STARTTLS. Update to Thunderbird-91.0 or later. 10.1-093
One security vulnerability was fixed in Thunderbird-78.11.0 which was rated as High. This has to do with a memory safety problem. To fix this, update to Thunderbird-78.11.0 or later. 10.1-056
Nine security vulnerabilities were fixed in Thunderbird-78.10.0, of which two were rated as High. To fix these update to 78.10.0 or later. 10.1-033
In Thunderbird before 78.9.1 there were three vulnerabilities rated as Moderate. To fix these update to 78.9.1 or later. 10.1-027
In Thunderbird before 78.9.0 there were two vulnerabilities rated as High. To fix these update to 78.9.0 or later. 10.1-012
WebKitGTK+-2.32.3 fixed six arbitrary code execution vulnerabilities, two cross-site-scripting vulnerabilities, two information leak vulnerabilities, and a port scanning vulnerability. Several of these are being exploited in the wild. Update to WebKitGTK+-2.32.3 as soon as possible. 10.1-083
WebKitGTK-2.32.0 fixed three arbitrary code execution vulnerabilities. Update to WebKitGTK-2.32.0 as soon as possible. 10.1-018
WebKitGTK-2.30.6 fixed seven security vulnerabilities, one of which is currently being exploited in the wild. The vulnerabilities include improper data deletion, sandbox escapes, arbitrary code execution, and access to restricted ports on arbitrary servers. Update to WebKitGTK-2.30.6 as soon as possible. 10.1-015
Wireshark-3.4.7 fixed a vulnerability that could allow for a remote attacker to crash the Wireshark process by injecting a malformed DNP packet into the stream. If you use the DNP protocol (unlikely unless you are working on an automation system), update to Wireshark-3.4.7. 10.1-077
In Wireshark before 3.4.6, a security vulnerability existed that could allow a remote attacker to crash the Wireshark process due to a CPU resource exhaustion issue. This existed in the DVB-S2-BB packet, which is very uncommon. Update to Wireshark-3.4.6 if you are on a network with a satellite receiver installed. 10.1-057
In Wireshark before 3.4.5, a security vulnerability existed that could allow a remote attacker to consume excessive amounts of RAM and CPU resources through a malformed packet in the MS-WSP packet dissector. Update to Wireshark-3.4.5 if you are on a network with Windows PCs. 10.1-043
In Wireshark before 3.4.4, a security vulnerability existed that could result in unsafe URLs being opened via a malicious capture packet file. This vulnerability existed for 17 years. Update to Wireshark-3.4.4. 10.1-006
In the xdg-email component of xdg-utils 1.1.0rc1 and newer, an attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. Until this is fixed upstream, either do not use mailto links, or always double-check there are no unwanted attachments before sending emails. 10.1-024
In Xorg-Server before version 1.20.11 an integer underflow in the Xinput extension can lead to out of bounds memory accesses. This can lead to local privilege escalations (to root) if the X server is running privileged. Update to Xorg-Server-1.20.11 or later. 10.1-034