Errata for the 9.1 Version of the LFS Book
Known Security Vulnerabilities
- CVE-2020-1967: Crash in OpenSSL during or after a TLS 1.3 handshake.
To patch it, upgrade to OpenSSL-1.1.1g or later using the instructions
from the 9.1 book with the version of
OpenSSL
from the development book.
- CVE-2019-18348: potential for malicious HTTP header injection if the
attacker controls the url parameter followed by an HTTP header.
To patch it, upgrade to Python-3.8.3 or later using the instructions
from the 9.1 book with the version of
Python
from the development book.
- CVE-2020-8492: Inefficient regular expression in urllib can be exploited
to cause a denial of service. The regex was fixed in Python-3.8.3 and
prevents "catastrophic backtracking".
To patch it, upgrade to Python-3.8.3 or later using the instructions
from the 9.1 book with the version of
Python
from the development book.
- CVE-2020-10543: Buffer overflow caused by a crafted regular
expression in Perl. To patch it, upgrade to Perl-5.30.3 or later using
the instructions from the 9.1 book with the version of
Perl
from the development book.
- CVE-2020-10878: Integer overflow via malformed bytecode produced
by a crafted regular expression. To patch it, upgrade to
Perl-5.30.3 or later using the instructions from the 9.1 book with
the version of
Perl
from the development book.
- CVE-2020-12723: Buffer overflow caused by a crafed regular
expression. To patch it, upgrade to Perl-5.30.3 or later using the
instructions from the 9.1 book with the version of
Perl-5.30
from the development book.
- CVE-2019-20907: infinite loop when reading TAR files. To patch
it, upgrade to Python-3.8.5 or higher using the instructions from
the 9.1 book with the version of
Python
from the development book.
- CVE-2016-10228: infinite loop in the iconv program when invoked
with the -c option with invalid multi-byte input sequences.
To fix this, upgrade to glibc-2.32 using the instructions from
the 9.1 book with the version of
Glibc
from the development book.
- CVE-2020-10029: stack corruption when using trigonometric
functions with a pseudo-zero argument on x86. To fix this,
upgrade to glibc-2.32 using the instructions from the 9.1
book with the version of
Glibc
from the development book.
- CVE-2020-1752: use-after-free vulnerability in the glob
function when expanding ~user. To fix this, upgrade to
glibc-2.32 using the instructions from the 9.1 book
with the version of
Glibc
from the development book.
Miscellaneous Errata
- The correct number of tests for gmp-6.2.0 is 197, not 190.