LFS Security Advisories for LFS 12.2 and the current development books.
LFS-12.2 was released on 2024-09-01.
- There are currently no known security vulnerabilities for LFS-12.2.
This page is in alphabetical order by package; if a package has multiple advisories, the newer ones come first.
The links at the end of each item point to fuller details, which in turn link to the development books.
Expat
12.2 041 Expat (LFS) Date: 2024-11-10 Severity: Medium
In Expat-2.6.4, a security vulnerability was fixed that could allow for a denial of service condition (application crash) when using the XML_ResumeParser function due to a NULL pointer dereference. It was fixed by not allowing XML_StopParser to stop or suspend an unstarted parser. Note that an application may crash with an XML_ERROR_NOT_STARTED error if exploitation is attempted. Update to Expat-2.6.4. 12.2-041
12.2 006 Expat (LFS) Date: 2024-09-17 Severity: Critical
In Expat-2.6.3, three critical security vulnerabilities were fixed that could allow for denial of service and arbitrary code execution. Two of the issues only affect 32-bit installations of LFS, while one issue affects all architectures. Update to Expat-2.6.3 or later as soon as possible. 12.2-006
OpenSSL
12.2 007 OpenSSL (LFS) Date: 2024-09-17 Severity: Medium
In OpenSSL-3.3.2, a security vulnerability was fixed that could allow for a denial of service (application crash) while performing certificate name checks on X.509 certificates. Applications performing these checks may attempt to read an invalid memory address, which will result in termination of the program. This occurs when comparing the expected name with an 'otherName' subject alternative name in a certificate. Update to OpenSSL-3.3.2. 12.2-007
Python3
12.2 008 Python3 (LFS and BLFS) Date: 2024-09-17 Severity: High
In Python-3.12.6, three security vulnerabilities were fixed that could allow for denial of service conditions (crashes and excessive resource usage). These issues occur in the HTTP functionality as well as handling of TAR and ZIP archives in Python. Update to Python-3.12.6. 12.2-008