LFS and BLFS Security Advisories from September 2020 onwards

LFS has not reported Security Vulnerabilities in the Errata, at least recently, but tickets for some new versions have had details.

BLFS used to keep details of Security Vulnerabilities in the Errata, mostly updating them to point to the latest version in the development book and updating the brief text if a subsequent vulnerability was reported.

This page is a consolidated list for both LFS and BLFS.

This list contains summary details and links to upstreams or CVEs where available. Please note that vulnerabilities in package versions before those in our 10.0 releases are not noted, so if you are running a version of BLFS before 10.0 you should check the Errata for past releases as well as monitoring the items here.

This page is ordered like the Changelog of the books, with newest items first.

The severity ratings are best estimates unless either upstream or NVD has assigned a rating. If no other analysis is available, High will usually be assumed and similarly if a crash can be triggered LFS and BLFS will normally rate that as High. If in doubt, read the links.

Items between the releases of the 10.1 and 10.2 books

10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High

In systemd-220 and later, a security vulnerability exists that could allow a local attacker to crash systemd, which then causes a kernel panic. This vulnerability is due to a flaw in the FUSE filesystem implementation, and requires the kernel to be upgraded as well, to either Linux-5.10.52 or Linux-5.13.4. systemd constantly monitors /proc/self/mountinfo, and when a file path longer than 8MB is discovered and parsed, systemd will crash with a segmentation fault. The security patch that is available will use a different string duplication function to prevent this crash from occurring. This primarily affects systems with FUSE filesystems, such as SSHFS or NTFS. However, FUSE is also used by XFCE and GNOME because of GVFS. This vulnerability is possible to exploit when automounting USB drives. Filesystem corruption is also possible due to the memory corruption that occurs when systemd crashes. A proof-of-concept exploit is also available in the wild. Due to the merged-/usr changes, upgrading to systemd-249 (with the patch) for non-SVN users is not advised. As a result, patches have been made that you can apply to your build tree and rebuild systemd with. These patches have been made available for LFS 10.0 (246) and LFS 10.1 (247). This vulnerability affects all systems that run systemd-220 or higher. This vulnerability has been assigned CVE-2021-33910.

If you are running LFS SVN, you can update to systemd-249 with the patch using the instructions in the BLFS book for systemd (systemd). You must also upgrade your kernel to Linux-5.13.4.

If you are running LFS 10.1, you can apply the patch from systemd-247-security_fixes-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52.

If you are running LFS 10.0, you can apply the patch from systemd-246-security_fixes-1.patch to your build tree and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52.

10.1 080 Binutils (LFS) Date: 2021-07-23 Severity: Moderate

In Binutils-2.37, four security vulnerabilities were fixed. One of these vulnerabilities allows for arbitrary filesystem access due to a race condition in ar, objcopy, strip and ranlib. When these utilities are being run by a privileged user, an unprivileged user can trick them into changing the ownership of arbitrary files on the filesystem through a symbolic link. An additional security vulnerability exists in GNU libiberty, which can result in a crash due to an infinite loop. Two more vulnerabilities allow for arbitrary code execution and memory corruption due to a stack-based buffer overflow, or an out-of-bounds write. These vulnerabilities apply to objdump and libiberty. These vulnerabilities cannot be exploited remotely. These vulnerabilities have been assigned CVE-2021-20197, CVE-2021-3648, CVE-2021-3549, and CVE-2021-3530.

To fix these vulnerabilities, update to Binutils-2.37 using the instructions from the LFS book for Binutils (sysv), or Binutils (systemd).

10.1 079 cURL Date: 2021-07-23 Severity: Critical

In cURL-7.78.0, four security vulnerabilities were fixed. The first vulnerability will allow malicious content to be stored on disk instead of discarded when using the metalink feature, because the downloaded content is not correctly checked against the hash in the metalink XML file. Another security vulnerability in the metalink feature will send login credentials in plaintext and pass them on to any server that cURL connects to for a metalink download. Another security vulnerability exists in the way that cURL keeps previous connections stored for use again. Due to a flaw in the logic that handles path name checks, the comparison did not take security certificates into account, and also compared the involved paths case insensitively. This will result in a certificate store bypass as well as the potential of connecting to a compromised server. Another TELNET stack content disclosure vulnerability, caused by the fix for CVE-2021-22898, was also fixed in cURL-7.78.0. This could result in keystrokes, including passwords, being leaked to remote attackers during a TELNET session. These vulnerabilities have been assigned CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, and CVE-2021-22925.

To fix these vulnerabilities, update to cURL-7.78.0 using the instructions for cURL (sysv), or cURL (systemd).

10.1 078 Linux Kernel (LFS) Date: 2021-07-20 Severity: High

In Linux 5.13.3 and earlier, a vulnerability given the name 'Sequoia' can be used to gain root access via an out-of-bounds write. Details are at oss-security, with links to a proof-of-concept program to crash the system and the promise that details of the exploit will follow. This has been assigned CVE-2021-33909.

To fix this, update to Linux 5.13.4 or later, or Linux-5.10.52 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.1 077 Wireshark Date: 2021-07-20 Severity: Low

In Wireshark before 3.4.7, a security vulnerability was present that could allow for a remote attacker to crash the Wireshark process by injecting a malformed DNP packet, or via a crafted capture file. This issue will manifest itself as a segmentation fault. This vulnerability has been assigned CVE-2021-22235.

To fix this, update to Wireshark-3.4.7 or higher using the instructions for Wireshark (sysv), or Wireshark (systemd).

10.1 076 Apache ANT Date: 2021-07-17 Severity: Moderate

In apache-ant-1.10.11, two security vulnerabilities were fixed that could lead to out-of-resource conditions when extracting ZIP or TAR files during a build process. The problem can also be triggered with JAR files. The out-of-resource condition consists of Out-Of-Memory errors. These are similar to issues in Apache Commons. These two vulnerabilities have been assigned CVE-2021-35517 and CVE-2021-36090.

To fix these, update to apache-ant-1.10.11 or later using the instructions for apache-ant (sysv), or apache-ant (systemd).

10.1 075 Firefox Date: 2021-07-13 Severity: High

In firefox 78.12.0 two vulnerabilities rated as High were fixed. A third vulnerability in ANGLE was also fixed, but that is not used for linux builds. See mfsa-2021-29. CVEs have been assigned (CVE-2021-29970, CVE-2021-29976) but details are not yet public.

To fix these, update to firefox-78.12.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 074 Ruby Date: 2021-07-09 Severity: High

In Ruby-3.0.2, three security vulnerabilities were fixed. One of these vulnerabilities allows for the Net::FTP module to connect to another IP address/port and return information about services that are otherwise private and not disclosed (basically allowing the attacker to run a port scan). This is due to invalid verification of FTP PASV responses. Another security vulnerability exists in the Net::IMAP module, where Net::IMAP does not raise an exception when a STARTTLS connection fails with an unknown response. This would allow man-in-the-middle attacks to occur, as well as bypasses of the TLS protections. The third vulnerability is rated High, and is a command injection vulnerability in the RDoc command. When using the RDoc command, if a file name starts with a pipe ("|"), and ends with a tag, the command following the pipe character will be executed. A malicious Ruby project could thus exploit it to run arbitrary commands against a user who attempts to use the RDoc command. It is recommended to update Ruby as soon as possible. These vulnerabilities have been assigned CVE-2021-31810, CVE-2021-32066, and CVE-2021-31799.

To fix these vulnerabilities, update to Ruby-3.0.2 or later using the instructions for Ruby (sysv), or Ruby (systemd).

10.1 073 libuv Date: 2021-07-09 Severity: Moderate

In libuv before 1.41.1, a security vulnerability exists that allows for information disclosure when using the punycode decoder in libuv's IDNA implementation. Several downstream applications use this library and may be affected. This is similar to the vulnerability that was fixed in Node.JS-14.17.2. The vulnerability can be triggered via both uv_getaddrinfo() and uv__idna_toascii(). This vulnerability has been assigned CVE-2021-22918.

To fix this, update to libuv-1.41.1 or later using the instructions for libuv (sysv), or libuv (systemd).

10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Moderate

In systemd before 249, a security vulnerability exists that could allow for a remote attacker to reconfigure network settings on systems that use systemd-networkd without any user interaction. This happens due to an issue with the handling of DHCPRENEW packets. With a DHCPRENEW and a DHCPACK packet that is specially crafted, a remote attacker can reconfigure your network settings. Due to the merged-/usr changes, upgrading to systemd-249 for non-SVN users is not advised. As a result, patches have been made that you can apply to your build tree and rebuild systemd with. These patches have been made available for LFS 10.0 (246) and LFS 10.1 (247). This vulnerability affects all systems that use systemd-networkd, and that run systemd-245 or higher (thus, LFS 9.1 is not affected). This vulnerability has been assigned CVE-2020-13529.

If you are running LFS SVN, you can update to systemd-249 using the instructions in the BLFS book for systemd (systemd).

If you are running LFS 10.1, you can apply the patch from systemd-247-security_fix-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd.

If you are running LFS 10.0, you can apply the patch from systemd-246-security_fix-1.patch to your build tree and rebuild systemd.

10.1 071 Python (LFS and BLFS) Date: 2021-07-09 Severity: Moderate

In Python3 before 3.9.6, a security vulnerability exists that could allow a remote attacker to cause a resource exhaustion via the http.client module. This is due to a flaw where Python will infinitely read potential HTTP headers after a "HTTP 100 Continue" message from the server. This vulnerability has not been assigned a CVE, but more details can be found at BPO-44022.

To fix this, update to Python-3.9.6 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.1 070 node.js Date: 2021-07-09 Severity: Moderate

In Node.js-14.17.2, a security vulnerability was fixed that could lead to information disclosures or crashes on applications that use Node's dns module. The vulnerability exists in the lookup() function, and occurs due to a similar vulnerability in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This vulnerability has been assigned CVE-2021-22918.

To fix this, update to Node.js-14.17.2 or later using the instructions for Node.js (sysv), or Node.js (systemd).

10.1 069 PHP Date: 2021-07-01 Severity: Moderate

In PHP-8.0.8, two security vulnerabilities were fixed. One of them could lead to a buffer overflow and thus remote code execution when using a Firebird database, and the other could allow for remote attackers to redirect servers to arbitrary URLs via an SSRF bypass in FILTER_VALIDATE_URL. These options are rather uncommon, which is why these vulnerabilities are rated as Moderate. These vulnerabilities have been assigned CVE-2021-21705 and CVE-2021-21704.

To fix these, update to PHP-8.0.8 using the instructions for PHP (sysv), or PHP (systemd).

10.1 068 NetworkManager Date: 2021-06-30 Severity: Moderate

In NetworkManager-1.32.2, a security vulnerability was fixed that could allow for a remote attacker to reconfigure your network information in rare circumstances. This only applies if using a plugin shipped within NetworkManager with some code borrowed from systemd-networkd to get an IP address via DHCP, which is enabled with "dhcp=systemd" in the configuration files. This option is not the default, nor mentioned by NetworkManager documentation or the BLFS book. This vulnerability has been assigned CVE-2020-13529.

If you'd like to use "dhcp=systemd" anyway, to fix this, update to NetworkManager-1.32.2 or later using the instructions for NetworkManager (sysv), or NetworkManager (systemd).

10.1 067 Seamonkey Date: 2021-06-30 Severity: Critical

Fixes from firefox-78.8.0 to 78.8.11 were included in seamonkey-2.53.8. See BLFS #15227. Updating to seamonkey-2.53.8 is highly recommended due to impacts relating to remote code execution, memory safety problems, and command injection via FTP. The following CVEs have been fixed, most of them being High or Critical: CVE-2021-29955, CVE-2021-23981, CVE-2021-23982, CVE-2021-23984, CVE-2021-23987, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-23402, CVE-2021-29945, CVE-2021-29946, CVE-2021-29951, CVE-2021-29964, and CVE-2021-29967.

To fix these, update to Seamonkey-2.53.8 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 066 Dovecot Date: 2021-06-29 Severity: High

Two security vulnerabilities were patched in Dovecot-2.3.15. One of these vulnerabilities allows path traversal which can be used as an authentication bypass via OAuth2, forcing Dovecot to accept a key from an attacker-controlled location. This occurs when Dovecot uses JWT validation with the posix filesystem driver. The other vulnerability allows for command injection via STARTTLS. If more commands are pipelined as plaintext after a STARTTLS connection is initiated, the commands are run as part of the TLS session. These can be used to redirect mail, passwords, and other user variables to an attacker-controlled address. These vulnerabilities have been assigned CVE-2021-29157 and CVE-2021-33515.

To fix these, update to dovecot-2.3.15 or later using the instructions for dovecot (sysv), or dovecot (systemd).

10.1 065 QtWebEngine Date: 2021-06-21 Severity: High

Several more CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-2 patch (fixes to 2021-06-02): CVE-2021-30518, CVE-2021-30516, CVE-2021-30515, CVE-2021-30513, CVE-2021-30512, CVE-2021-30510, CVE-2021-30508.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-20210401-upstream_fixes-2.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 064 Qt5 Date: 2021-06-21 Severity: Medium

An out-of-bounds read was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. This vulnerability has been assigned CVE-2021-3481 which is not yet public. For more information see RedHat CVE-2021-3481 or QTBUG-91507.

To fix this, apply the qt-everywhere-src-5.15.2-CVE-2021-3481-1.patch (or update to a later version) using the instructions at Qt5 (sysv), or Qt5 (systemd).

10.1 063 Exiv2 Date: 2021-06-19 Severity: High

In Exiv2-0.27.4, nine security vulnerabilities were fixed. These security vulnerabilities are complex to exploit, but can be exploited remotely through a web browser. Three of these vulnerabilities are arbitrary code execution vulnerabilities, another is an information disclosure vulnerability, and the others are denial of service (crash) vulnerabilities. These vulnerabilities have been assigned CVE-2021-32617, CVE-2021-29623, CVE-2021-29473, CVE-2021-29470, CVE-2021-29464, CVE-2021-29463, CVE-2021-29458, CVE-2021-29457, and CVE-2021-3482.

To fix these, update to exiv2-0.27.4 or higher using the instructions for exiv2 (sysv), or exiv2 (systemd).

10.1 062 Linux Kernel (LFS) Date: 2021-06-16 Severity: High

In Linux 5.12.10 and earlier, several security vulnerabilities existed in the Bluetooth, Xen (virtualization), and wireless networking stacks. The Bluetooth vulnerability can allow for denial of service by allowing a local user to cause a kernel panic by attaching a malicious HCI TTY Bluetooth device. The Xen vulnerability can allow for the network adapter on the host system to fail due to a driver crash in the kernel. This vulnerability can be exploited through a virtual machine running on the system. The wireless stack vulnerabilities impact all cards and could allow for decryption of encrypted packets sent over Wi-Fi Protected Access (WPA/WPA2/WPA3) and Wired Equivalent Privacy (WEP) packets due to a protocol issue that does not require all fragments in a frame to be signed by a single key. Another vulnerability in the ath11k wireless driver can allow for an attacker to inject and decrypt packets in a connection that uses WPA or WPA2 with the TKIP data-confidentiality protocol. Another vulnerability in the ath10k driver allows for a remote attacker to inject arbitrary packets since the plaintext QoS header in a packet is not required to be authenticated under the WPA, WPA2, WPA3, or WEP standard. Another vulnerability in the wireless stack allows for arbitrary network packets to be injected and for the exfiltration of user data regardless of whether any encryption is in place, and fragments are not cleared from memory after reconnecting to a network. These vulnerabilities have been assigned CVE-2021-3564, CVE-2021-28691, CVE-2020-24587, CVE-2020-26141, CVE-2020-24588, CVE-2020-26145, and CVE-2020-24586.

To fix these, update to Linux 5.12.10 or later, or Linux 5.10.44 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.1 061 PDFBox (FOP) Date: 2021-06-15 Severity: Medium

In Apache PDFBox-2.0.24, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-31812 and CVE-2021-31811.

To fix these, update the supplemental JAR files in fop to 2.0.24 using the instructions in fop (sysv) or fop (systemd).

10.1 060 Apache HTTPD Updated: 2021-06-15 Severity: Moderate

Seven vulnerabilities were fixed in httpd-2.4.48, of which three were rated as moderate by upstream (currently undergoing analysis at NVD): CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641 (updated 2021-06-15: first link was to an unrelated CVE, corrected).

To fix these, update to at least HTTPD-2.4.48 using the instructions for Apache (sysv) or Apache (systemd).

10.1 059 Intel Microcode Date: 2021-06-08 Severity: High

Intel microcode for Skylake and later processors has been updated to fix three vulnerabilities: a privilege escalation via Virtualization for Direct I/O, rated as High (Intel-SA-00442 / CVE-2021-24489), and two potential information disclosures by local access, rated as Medium (Intel-SA-00464 / CVE-2020-24511 and Intel-SA-00465 / CVE-2020-24513). The CVE details are not yet public.

To fix these, update to at least microcode-20210608 using the instructions for About Firmware (sysv) or About Firmware (systemd).

10.1 058 Polkit Date: 2021-06-06 Severity: High

In Polkit-0.119, a security vulnerability was fixed that can allow for unprivileged users to gain root access on the system by calling a process that uses "polkit_system_bus_name_creds_sync" too many times, and also by not checking for the error value correctly. This vulnerability can be used by an unprivileged local attacker to bypass authorization and escalate privileges up to the root user. This affects polkit back to 0.113. This vulnerability has been assigned CVE-2021-3560.

To fix this, update to Polkit-0.119 or later using the instructions for Polkit (sysv) or Polkit (systemd).

10.1 057 Wireshark Date: 2021-06-06 Severity: Low

In Wireshark-3.4.6, a security vulnerability was fixed that could allow for a malformed DVB-S2-BB packet to cause a denial of service due to excessive CPU resource consumption. This is due to an infinite loop. There is no CVE for this vulnerability, but the information can be found under "Security Advisories" on the Wireshark website. More details can be found at wpna-sec-2021-05.

To fix this, update to Wireshark-3.4.6 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.1 056 Thunderbird Date: 2021-06-06 Severity: High

In Thunderbird-78.11.0, a security vulnerability was fixed that was rated as High. This security vulnerability pertains to several memory safety issues that were addressed by the Mozilla developers. More details can be found at mfsa2021-26. This security vulnerability has been assigned CVE-2021-29967.

To fix these, update to Thunderbird-78.11.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.1 055 Firefox Date: 2021-06-01 Severity: High

In firefox 78.11.0 two vulnerabilities were fixed, one rated as High. See mfsa2021-24. CVEs have been assigned (CVE-2021-29964, CVE-2021-29967) but details are not yet public.

To fix these, update to firefox-78.11.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 054 Linux Kernel (LFS) Date: 2021-03-31 Severity: High

In Linux 5.12.7 and all earlier kernels back to 2.6.12 a "confused deputy" weakness exists, which makes it possible to trick another process (which may have different credentials) to write to its own /proc/$pid/attr/ files, leading to unexpected and possibly exploitable behaviors. Further details in the links at Linux-Confused-Deputy-2.6.12.

To fix this, update to Linux 5.12.8 or later (or Linux 5.10.41 or later if you prefer to stick with 5.10.y, or for old systems Linux 5.4.123 or later) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). Note that other linux-5 kernels are no longer maintained, and the maintained linux-4 kernels have not yet been updated.

10.1 053 ISC DHCP Date: 2021-05-29 Severity: High

ISC DHCP (dhclient and dhcpd) before 4.4.2-P1 is affected by a vulnerability that allows for DHCP leases to be improperly deleted, or for the DHCP client and server services to be terminated improperly. This is due to a buffer overrun, and may be exploited remotely to allow for a denial of service (network outage) or for improper DHCP leases to be issued. No user interaction is required. If you use dhclient or dhcpd, it is highly recommended that you update as soon as possible. This vulnerability has been assigned CVE-2021-25217.

To fix this, update to DHCP-4.4.2-P1 or later using the instructions for DHCP (sysv) or DHCP (systemd).

10.1 052 Expat Date: 2021-05-29 Severity: Medium

Expat before 2.4.0 is vulnerable to Denial of Service ('billion laughs') attacks. The vulnerability was initially reported for versions up to 2.1, but protection has been strengthened in the 2.4.0 release: see blog.hartwork.org, and CVE-2013-0340.

To fix this, update to Expat-2.4.1 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

10.1 051 cURL Date: 2021-05-26 Severity: Critical

In cURL-7.77.0, three security vulnerabilities were fixed. The first one only applies to Windows systems and is therefore irrelevant to LFS. The second vulnerability allows the stack to be disclosed to a remote attacker while a TELNET session is in progress. The third vulnerability, which is rated as high, allows for remote code execution on HTTPS sessions. The TELNET vulnerability is due to an issue with an uninitialized variable, and the remote code execution vulnerability is due to a use-after-free. This vulnerability has been called the "TLS session caching disaster", and instructions for achieving remote code execution have been released to the public. Therefore, it is suggested that you update immediately. Note that this only applies to systems which use OpenSSL as their SSL backend, which is the default configuration in BLFS. These vulnerabilities have been assigned CVE-2021-22897, CVE-2021-22898, and CVE-2021-22901.

To fix these vulnerabilities, update to cURL-7.77.0 or later as soon as possible using the instructions at cURL (sysv), or cURL (systemd).

10.1 050 libX11 Date: 2021-05-19 Severity: Critical

In libX11-1.7.1, a security vulnerability was fixed that allows command injection through the libX11 API into the X protocol stream. This vulnerability exists in the XLookupColor function, intended for server-side color lookup. The flaw consists of a client being allowed to send color names longer than the maximum size allowed, and also longer than the maximum packet size for normalized packets. This then allows for the X server authorization process to be disabled completely, as the end of the packet is then considered a protocol command. This vulnerability has existed since February of 1986. This vulnerability has been rated at a 9.3 CRITICAL on the CVSS scale, and has been assigned CVE-2021-31535, and more information can be found at libX11 security advisory.

To fix this vulnerability, update to libX11-1.7.1 using the instructions at Xorg Libraries (sysv), or Xorg Libraries (systemd).

10.1 049 postgresql Date: 2021-05-18 Severity: Medium

In PostgreSQL-13.3, three security vulnerabilities were fixed that could allow for memory disclosure as well as a buffer overrun caused by an integer overflow in array subscripting calculations. The buffer overrun could allow for authenticated database users to write arbitrary bytes to a wide area of server memory. The memory disclosure vulnerabilities both allow for an attacker to read arbitrary bytes of server memory when executing UPDATE...RETURNING commands on partitioned tables, and when executing INSERT...ON CONFLICT... DO UPDATE commands on a purpose-crafted table. In the default PostgreSQL configuration, any authenticated database user can create the prerequisite objects and complete this attack at will. Users lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot exploit this attack. These vulnerabilities have been assigned CVE-2021-32028, CVE-2021-32029, and CVE-2021-32027.

To fix these vulnerabilities, update to PostgreSQL-13.3 using the instructions at PostgreSQL (sysv), or PostgreSQL (systemd).

10.1 048 rxvt-unicode Date: 2021-05-18 Severity: Critical

A security vulnerability was fixed in rxvt-unicode-9.26 that may allow for remote code execution. An exploit has been discovered in the wild and was published to the oss-security mailing list. The vulnerability occurs due to the way that rxvt handles ANSI escape sequences, replying to queries with a newline-terminated message, and will allow applications to execute without user intervention. No CVE has been assigned, but more details can be found at oss-sec: rxvt terminal 0day. Note that there is some strong language within that link, but until a CVE is assigned, this is the only information that is available.

To fix this vulnerability, update to rxvt-unicode-9.26 using the instructions at rxvt-unicode (sysv), or rxvt-unicode (systemd).

10.1 047 libxml2 Date: 2021-05-18 Severity: Medium

In libxml2-2.9.12, a security vulnerability was fixed (in addition to all of the ones covered in libxml2-2.9.10-security_fixes-1.patch) that allows for a denial of service (system resource exhaustion) when processing a crafted XML file. This occurs through an exponential entity expansion attack, and it bypasses all existing protection mechanisms. This vulnerability has been assigned CVE-2021-3541.

To fix this, update to libxml2-2.9.12 or later using the instructions at libxml2 (sysv), or libxml2 (systemd).

10.1 046 Exiv2 Date: 2021-05-17 Severity: High

Five CVEs in exiv2-0.27.3, one rated as High, have been fixed upstream but as yet there is no new release: CVE-2021-3482, CVE-2021-29457, CVE-2021-29458, CVE-2021-29470, CVE-2021-29473.

To fix these, apply the exiv2-0.27.3-security_fixes-1.patch (or update to a later version) using the instructions at Exiv2 (sysv), or Exiv2 (systemd).

10.1 045 Samba Date: 2021-05-12 Severity: Critical

In Samba-4.14.4, a security vulnerability was fixed that allows for users to have unauthorized access to information, as well as the ability for users to modify/delete files from shares that they should not have access to. The underlying cause of this vulnerability is an out-of-bounds read that sometimes occurs when mapping Windows group identities (SIDs) into Unix group IDs (gids). The code that handles this could read data beyond the end of an array in the case that a negative cache entry had been added to the cache. This would then cause the conversion code to return those values into the process token that stores the group membership of a user. This vulnerability was originally spotted at Linköping University, where a user was found deleting files from a network share that they were not supposed to have access to. If you are using the Samba file server to share files, it is suggested that you update immediately. Other impacts include potential server crashes, as well as impacts to data confidentiality and integrity. This vulnerability has been assigned CVE-2021-20254.

To fix this vulnerability, update to Samba-4.14.4 or later using the instructions for Samba (sysv) or Samba (systemd).

10.1 044 MariaDB Date: 2021-05-12 Severity: Medium

Two security vulnerabilities were corrected in mariadb-10.5.10. These vulnerabilities allowed for remotely exploitable crashes of the MariaDB database server. Both of these vulnerabilities are simple to exploit and can result in repeatable crashes over the network. These vulnerabilities have been assigned CVE-2021-2166 and CVE-2021-2154.

To fix these vulnerabilities, update to MariaDB-10.5.10 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).

10.1 043 Wireshark Date: 2021-05-12 Severity: Medium

A security vulnerability was fixed in Wireshark that could allow for excessive memory and CPU consumption when using the MS-WSP packet dissector. This vulnerability could be exploited via a malformed packet, either by placing the malformed packet onto the wire while Wireshark is capturing packets, or by convincing someone to read a malformed packet trace file. This vulnerability could allow a remote attacker to run the system out of memory, and thus can cause a denial of service. This vulnerability has been assigned CVE-2021-22207.

To fix this vulnerability, update to Wireshark-3.4.5 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.1 042 libjpeg-turbo Date: 2021-05-12 Severity: Low

A security vulnerability was discovered in the "cjpeg" utility included with libjpeg-turbo. This vulnerability is classified as a denial of service vulnerability, and is caused by a divide-by-zero error when processing some GIF images. The highest impact would be a crash of the "cjpeg" application, thus this vulnerability has been rated as Low. This vulnerability has been assigned CVE-2021-20205.

To fix this vulnerability, update to libjpeg-turbo-2.1.0 or later using the instructions for libjpeg (sysv) or libjpeg (systemd).

10.1 041 Rustc Date: 2021-05-11 Severity: Critical

Eight vulnerabilities have been found in the rust standard library before 1.52.0, or in crates which use it. One of the critical CVEs was raised as 'before 1.53.0', but the fix has been backported to 1.52.0.

For the general case (where static libraries are used and a variety of crates might be built) the advice is to update both rust and all the packages which use it.

For BLFS with its limited number of crates which use rust, it can be shown (e.g. by removing the /opt/rustc symlink) that the built programs do not use the standard library at runtime, and therefore the vulnerabilities are assumed to apply at compile time. Nevertheless, the incorrect code has been available and it may be that the resulting programs can do incorrect things. The safest advice is to update rust and then rebuild (or update) all the packages which use it.

The relevant CVEs are: CVE-2021-227376, CVE-2021-28036, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162. To fix rust, update to rustc-1.52.0 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).

10.1 040 QtWebEngine Updated: 2021-05-07 Severity: Critical

Many CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-1 patch (fixes to 2021-05-03): CVE-2021-21233, CVE-2021-21231, CVE-2021-21230, CVE-2021-21227, CVE-2021-21225, CVE-2021-21224, CVE-2021-21223, CVE-2021-21222, CVE-2021-21221, CVE-2021-21220, CVE-2021-21219, CVE-2021-21218, CVE-2021-21217, CVE-2021-21214, CVE-2021-21213, CVE-2021-21209, CVE-2021-21207, CVE-2021-21206, CVE-2021-21204, CVE-2021-21203, CVE-2021-21202, CVE-2021-21201.

Of these, two were rated as critical and at least one other rated as high has public exploit code available.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-20210401-upstream_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 039 Ruby Date: 2021-05-04 Severity: Medium

In ruby-3.0.1, a security vulnerability was fixed that could lead to improper generation of XML files, including malicious code. This has been classified as an "XML round-trip vulnerability". The ruby developers suggest upgrading the REXML gem if updating Ruby on your system is not feasible. This can be done by executing "gem upgrade rexml". The fixed gem has been bundled with ruby-3.0.1. This vulnerability has been assigned CVE-2021-28965.

To fix this vulnerability, update to ruby-3.0.1 or higher using the instructions for ruby (sysv) or ruby (systemd).

10.1 038 Exim Date: 2021-05-04 Severity: Critical

In Exim-4.94.2, twenty-one security vulnerabilities were patched. These vulnerabilities can allow for local privilege escalation, remote code execution, arbitrary code execution in the context of the Exim user, command injection, modification of mails, modification/deletion of files, and more. Ten of these vulnerabilities can be exploited remotely, while the other eleven can be exploited locally. If you have any systems running Exim, this is considered an urgent matter. There are multiple exploits available in the wild for these vulnerabilities. These vulnerabilities have been assigned CVE-2020-28007, CVE-2020-28008, CVE-2020-28014, CVE-2021-27216, CVE-2020-28011, CVE-2020-28010, CVE-2020-28013, CVE-2020-28016, CVE-2020-28015, CVE-2020-28012, CVE-2020-28009, CVE-2020-28017, CVE-2020-28020, CVE-2020-28023, CVE-2020-28021, CVE-2020-28022, CVE-2020-28026, CVE-2020-28019, CVE-2020-28024, CVE-2020-28018, and CVE-2020-28025. Additional information can be found at Qualys Security Blog - 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server.

To fix these vulnerabilities, update to Exim-4.94.2 or higher as soon as possible using the instructions for Exim (sysv) or Exim (systemd).

10.1 037 BIND Date: 2021-05-01 Severity: High

In BIND-9.16.15, three security vulnerabilities were fixed that could result in crashes and remote code execution on 32-bit platforms. One security vulnerability is rated as Medium, while the other two (one of which leads to remote code execution on 32-bit platforms, and crashes on 64-bit platforms) are rated as High. These vulnerabilities have been assigned CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216. Additional information can be found at BIND Release Announcement.

To fix these vulnerabilities, update to BIND-9.16.15 or higher using the instructions for BIND (sysv) or BIND (systemd).

10.1 036 OpenSSH Date: 2021-05-01 Severity: Medium

In OpenSSH-8.6p1, a security vulnerability was fixed that was introduced in version 8.5p1 with the addition of the LogVerbose keywords. When this option was enabled with a set of patterns that activated logging in code that runs in the lower-privileged/sandboxed sshd process, the log messages were constructed in a way that printf(3) format strings could effectively be specified in the lower-privileged code. As a result, an attacker who had successfully exploited the lower-privileged process could use the logging feature to escape the sandbox and attack the higher-privileged process. No CVE has been assigned at this time. More details can be found at Announce: OpenSSH 8.6 released.

To fix this, update to OpenSSH-8.6p1 or later using the instructions for OpenSSH (sysv) or OpenSSH (systemd).

10.1 035 Python (LFS and BLFS) Date: 2021-04-29 Severity: High

In Python3 before 3.9.4, 'pydoc' can be used to read arbitrary files, including those containing sensitive data. This has been assigned CVE-2021-3426 but the details are not yet public. See CVE-2021-3426 at debian.

To fix this, update to Python-3.9.4 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.1 034 Xorg-Server Date: 2021-04-29 Severity: High

In Xorg-Server before version 1.20.11 an integer underflow in the Xinput extension can lead to out of bounds memory accesses. This can lead to local privilege escalations (to root) if the X server is running privileged. This has been assigned CVE-2021-3472.

To fix this, update to at least Xorg-Server-1.20.11 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.1 033 Thunderbird Date: 2021-04-26 Severity: High

Nine security vulnerabilities were fixed in Thunderbird-78.10.0, of which two were rated as High. See mfsa2021-14.

To fix these, update to Thunderbird-78.10.0 or later using the instructions for Thunderbird (sysv), or Thunderbird (systemd).

10.1 032 Firefox Date: 2021-04-19 Severity: High

In firefox 78.10.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-15. CVEs have been assigned (CVE-2021-23994, CVE-2021-23995, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946) but details are not yet public.

To fix these, update to firefox-78.10.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 031 librsvg Date: 2021-04-14 Severity: Medium

A security vulnerability was fixed in librsvg-2.50.4 that applied to one of the rust crates involved with building the librsvg library. This vulnerability existed within the generic-array crate, and allowed for variables to stick around for longer than their expected lifetime. This could lead to memory corruption scenarios. This vulnerability has been assigned RUSTSEC-2020-0146.

To fix this, update to librsvg-2.50.4 or later using the instructions in librsvg (sysv), or librsvg (systemd).

10.1 030 cifs-utils Date: 2021-04-14 Severity: Medium

A security vulnerability was discovered in cifs-utils before 6.13. When using kerberos authentication, authentication credentials may leak when running the cifs.upcall command. This same vulnerability can also permit privilege escalation of a local user. This vulnerability has been assigned CVE-2021-20208.

To fix this, update to cifs-utils-6.13 or later using the instructions in cifs-utils (sysv), or cifs-utils (systemd).

10.1 029 NetworkManager Date: 2021-04-14 Severity: Low

A security vulnerability was found in NetworkManager where a local or remote attacker could set a "match.path" statement in a Network file, which would cause NetworkManager to crash. The root cause of this vulnerability is improper input validation. This vulnerability has been assigned CVE-2021-20297.

To fix this, apply a sed to NetworkManager using the instructions in NetworkManager (sysv), or NetworkManager (systemd).

10.1 028 Avahi Date: 2021-04-14 Severity: Medium

A security vulnerability was found in Avahi that could allow an infinite loop to be triggered when an attacker writes a long line to /run/avahi-daemon/socket. The event used to signal the termination of a client connection was not correctly handled. This vulnerability has been assigned CVE-2021-3468.

To fix this, apply a sed to Avahi using the instructions in Avahi (sysv), or Avahi (systemd).

10.1 027 Thunderbird Updated: 2021-04-11 Severity: Medium

Three security vulnerabilities were fixed in Thunderbird-78.9.1. All three of them affect systems that have OpenPGP keys configured for encrypted email. These vulnerabilities have been rated Moderate, and have been assigned CVE-2021-23991, MOZ-2021-23992, CVE-2021-23993. Additional information can be found at MSFA2021-13.

To fix these, update to Thunderbird-78.9.1 using the instructions at Thunderbird (sysv), or Thunderbird (systemd).

10.1 026 QtWebEngine Updated: 2021-04-09 Severity: High

Several CVEs (from Chromium) in QtWebEngine have been fixed in the snapshot dated 20210401: CVE-2021-21198, CVE-2021-21195, CVE-2021-21193, CVE-2021-21191, CVE-2021-21187, CVE-2021-21184, CVE-2021-21183, CVE-2021-21166, CVE-2020-27844.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 025 Node.js Date: 2021-04-09 Severity: High

Node.JS-14.16.1 fixed three security vulnerabilities. Two are in OpenSSL but can be exploited through Node.js if you have not updated that package to Openssl-1.1.1k or later; see 10.1-011.

The third vulnerability is 'Prototype Pollution' in the y18n JS package used in npm. Information can be found at April 2021 Security Releases, CVE-2020-7774 and for an explanation of 'Prototype Pollution' see SNYK-JAVA-ORGWEBJARSNPM-1038306.

To fix these, update to Node.JS-14.16.1 or later using the instructions from the development book for Node.JS (sysv) or Node.JS (systemd).

10.1 024 XDG-Utils Date: 2021-04-02 Severity: Medium

In the xdg-email component of xdg-utils 1.1.0rc1 and newer, an attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure.

This has been assigned CVE-2020-27748 but the upstream issue at gitlab remains open.

In the meantime, to mitigate this flaw, either do not use mailto links at all, or always double-check in the user interface that there are no unwanted attachments before sending emails, especially when the email originates from clicking on a mailto link.

10.1 023 Libssh2 Date: 2021-04-02 Severity: High

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This has been assigned CVE-2019-17498.

This has been fixed upstream, but no new version has been released. To fix this, apply the patch libssh2-1.9.0-security_fix-1.patch using the instructions from the development book for libssh2 (sysv) or libssh2 (systemd) or update to a later version of Libssh2 if one is released.

10.1 022 Flac Date: 2021-04-02 Severity: Medium

In Flac up to and including 1.3.3 a heap buffer overflow leading to a possible out of bounds read has been discovered. This could lead to remote information disclosure with no additional execution privileges needed and has been assigned CVE-2020-0499.

This has been fixed upstream, but no new version has been released. To fix this, apply the patch flac-1.3.3-security_fix-1.patch using the instructions from the development book for Flac (sysv) or Flac (systemd) or update to a later version of Flac if one is released.

10.1 021 Seamonkey Date: 2021-03-31 Severity: Critical

Fixes from firefox-78.6.1 to 78.8.0 were included in seamonkey-2.53.7. See BLFS #14840. The following CVEs have been fixed, most of them being High or Critical: CVE-2020-16044, CVE-2021-23953, CVE-2021-23954, CVE-2020-26976, CVE-2021-23960, CVE-2021-23964, CVE-2020-16048, CVE-2021-23969, CVE-2021-23968, CVE-2021-23973, and CVE-2021-23978.

To fix these, update to Seamonkey-2.53.7 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 020 cURL Date: 2021-03-31 Severity: Medium

In cURL-7.76.0, two vulnerabilities are fixed that may lead to disclosure of sensitive information or authentication bypass. These vulnerabilities have been assigned CVE-2021-22876 and CVE-2021-22890. Additional information can be found at cURL website.

To fix these vulnerabilities, update to cURL-7.76.0 or higher using the instructions for cURL (sysv) or cURL (systemd).

10.1 019 Python 2 Date: 2021-03-31 Severity: Critical

In Python 3 releases, multiple vulnerabilities are fixed that may lead to denial of service, remote code execution, or web cache poisoning. Python 2 is already EOL'ed and has not got the fixes. These vulnerabilities have been assigned CVE-2019-20907, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619, CVE-2021-3177, and CVE-2021-23336.

To fix these vulnerabilities, it's recommended to port everything using Python 2 to use Python 3 instead.

If you decide to stick with Python 2 anyway, rebuild Python 2 with a security patch using the instructions for Python 2 (sysv) or Python 2 (systemd).

10.1 018 WebKitGTK Date: 2021-03-31 Severity: Critical

In WebKitGTK 2.32.0, three security vulnerabilities were fixed that could lead to arbitrary code execution. These vulnerabilities have been assigned CVE-2021-1788 (NOT PUBLIC YET), CVE-2021-1844 (NOT PUBLIC YET), and CVE-2021-1871 (NOT PUBLIC YET). Additional information can be found at WSA-2021-0003.

To fix these vulnerabilities, update to WebKitGTK-2.32.0 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.1 017 glib2 Updated: 2021-04-14 Severity: High

In glib-2.66.8, a medium-severity security vulnerability was fixed that allowed a malicious archive to create files elsewhere in the filesystem via a symlink attack. The malicious archive may also be able to overwrite existing files when extracted with file-roller. An additional vulnerability was fixed in glib-2.66.7, which has been rated High. This vulnerability allows for unintended length truncation on buffers above 4GB in size on a 64-bit platform. These vulnerabilities have been assigned CVE-2021-27218 and CVE-2021-28153, and additional information can be found at file-roller symlink attack (#2325).

To fix these vulnerabilities, update to glib-2.66.8 or later using the instructions for glib (sysv) or glib (systemd).

10.1 016 Samba Date: 2021-03-28 Severity: High

In Samba-4.14.2, two security vulnerabilities were fixed that could lead to denial of service or disclosure of sensitive information. These vulnerabilities have been assigned CVE-2020-27840 (NOT PUBLIC YET) and CVE-2021-20277 (NOT PUBLIC YET).

To fix these vulnerabilities, update to Samba-4.14.2 or higher using the instructions for Samba (sysv) or Samba (systemd).

If you prefer to stick with the 4.13 series, update to Samba-4.13.7 or higher using the instructions for Samba (10.1 sysv) or Samba (10.1 systemd).

10.1 015 WebKitGTK Date: 2021-03-28 Severity: Critical

In WebKitGTK-2.30.6, seven security vulnerabilities were fixed that could lead to arbitrary code execution, improper data deletion, sandbox escapes, and access to ports on restricted servers. One of the vulnerabilities has an exploit in the wild and is being actively exploited. These vulnerabilities have been assigned CVE-2020-27918, CVE-2020-29623 (NOT PUBLIC YET), CVE-2021-1765 (NOT PUBLIC YET), CVE-2021-1789 (NOT PUBLIC YET), CVE-2021-1799 (NOT PUBLIC YET), CVE-2021-1801 (NOT PUBLIC YET), and CVE-2021-1870 (NOT PUBLIC YET). Additional information can be found at WSA-2021-0002.

To fix these vulnerabilities, update to WebKitGTK-2.30.6 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.1 014 lxml Date: 2021-03-27 Severity: Medium

In lxml-4.6.3, a security vulnerability was fixed in the HTML Cleaner that could lead to JavaScript code being passed into the output. This vulnerability is classified as "Cross Site Scripting". It does not properly sanitize the input from the HTML5 formaction attribute, leading to JavaScript code being inserted into the output. This vulnerability has been assigned CVE-2021-28957.

To fix this, update to lxml-4.6.3 using the instructions for lxml (sysv) or lxml (systemd).

10.1 013 Nettle Date: 2021-03-27 Severity: High

In Nettle-3.7.2, a security vulnerability was fixed that could allow for improper results or crashes with assertion failures when processing some ECDSA signatures. This has to do with the secp224r1 and secp521r1 curves, and the maintainer suggests upgrading immediately because of the severity of the bug. More information can be found here: ANNOUNCE: Serious bug in Nettle's ecdsa_verify.

To fix this, update to Nettle-3.7.2 or later using the instructions for Nettle (sysv) or Nettle (systemd).

10.1 012 Thunderbird Date: 2021-02-26 Severity: High

In Thunderbird before 78.9.0 there were two vulnerabilities rated as High for linux systems (the ANGLE graphics item only applies to MS Windows), see mfsa2021-12. CVEs have been assigned (CVE-2021-23981, CVE-2021-23987), but details are not yet public.

To fix these, update to thunderbird-78.9.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.1 011 OpenSSL (LFS) Date: 2021-03-26 Severity: Critical

In OpenSSL-1.1.1k, two high severity security vulnerabilities were fixed. One of these allows for a complete bypass of the CA certificate check, and the other is a trivial-to-exploit vulnerability that lets remote attackers crash any application that uses OpenSSL on the system. Upgrading to OpenSSL-1.1.1k is suggested, as soon as possible. These vulnerabilities have been assigned CVE-2021-3450 and CVE-2021-3449.

To fix these, update to OpenSSL-1.1.1k as soon as possible using the instructions in OpenSSL (sysv) or OpenSSL (systemd).

10.1 010 PDFBox (FOP) Date: 2021-03-25 Severity: Medium

In Apache PDFBox-2.0.23, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-27906 and CVE-2021-27807.

To fix these, update the supplemental JAR files in fop to 2.0.23 using the instructions in fop (sysv) or fop (systemd).

10.1 009 JS78 Date: 2021-03-23 Severity: Medium

In the javascript code of firefox-78.9.0 there are hardening fixes against Spectre attacks, see BLFS #14804.

To fix this, update to JS-78.9.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.1 008 Firefox Date: 2021-03-23 Severity: High

In firefox 78.9.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-11. CVEs have been assigned (CVE-2021-23981, CVE-2021-23982, CVE-2021-23984, CVE-2021-23987) but details are not yet public.

To fix these, update to firefox-78.9.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 007 Gstreamer Updated: 2021-03-21 Severity: High

In gstreamer-1.18.4 (including plugins), five high severity security vulnerabilities were fixed. Two of them were in gst-plugins-good, one in gst-plugins-ugly, one in gst-libav, and one in gst-plugins-base. Upon successful exploitation, these vulnerabilities can lead to application crashes and arbitrary code execution. More details can be found at GStreamer Security Center.

To fix these vulnerabilities, update the entire gstreamer stack to 1.18.4 using the instructions in the gstreamer pages, starting at gstreamer (sysv) or gstreamer (systemd).

If you are maintaining a system which is still using gstreamer-1.16.3 you should go to the Gstreamer Security Center link above, take the five patches for items SA-2021-001 to 005 and apply them to plugins-base (001), plugins-good (002, 003), plugins-ugly (004) and libav (005) and recompile everything except gstreamer (because a library from -base is affected).

10.1 006 Wireshark Date: 2021-03-16 Severity: High

In Wireshark-3.4.4, a 17-year-old security vulnerability was fixed that could allow Wireshark to open unsafe URLs from within packet dumps. These unsafe URLs did not follow standard HTTP/HTTPS schemes, but examples were shown using the NFS protocol as well as WebDAV and SMB3. This could result in remote code execution while reading a packet capture file. This has been assigned CVE-2021-22191.

Additional details may be found at Wireshark Gitlab Issue 17232.

To fix this, update to Wireshark-3.4.4 or later using the instructions in Wireshark (sysv) or Wireshark (systemd).

10.1 005 Linux Kernel (LFS) Date: 2021-03-15 Severity: Low

In Linux 5.11.3 and earlier, vulnerabilities in the iSCSI subsystem may lead to potential privilege escalation. These have been assigned CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365.

These vulnerabilities should only affect systems with iSCSI devices or utilities (not in LFS or BLFS) installed.

To fix these, update to Linux 5.11.4 or later, or Linux 5.10.21 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.1 004 GnuTLS Date: 2021-03-12 Severity: Low

A client sending a "key_share" or "pre_share_key" extension may cause a pointer that is no longer valid after realloc() to be dereferenced. These have been assigned CVE-2021-20231 and CVE-2021-20232. The details can be found at GnuTLS issue tracker.

To fix these, update to GnuTLS-3.7.1 or later using the instructions in GnuTLS (sysv) or GnuTLS (systemd).

10.1 003 MuPDF Date: 2021-03-10 Severity: Medium

In MuPDF-1.18.0, a double free may lead to memory corruption and other potential consequences. This has been assigned CVE-2021-3407.

To fix this, apply the patch mupdf-1.18.0-security_fix-1.patch using the instructions from the development book for MuPDF (sysv) or MuPDF (systemd).

10.1 002 QtWebEngine Updated: 2021-03-19 Severity: High

Many CVEs in QtWebEngine-5.15.2 have been fixed in version 5.15.3, but the release tarball and the rest of 5.15.3 are not yet available to non-commercial customers. Before they decided not to produce a file of changes, the details were recorded at A Qt code review. For the most recent of those, see Upstream Chrome, dated 2021-02-16. To fix these, update to the BLFS 5.15.3 git tarball with instructions for installing that as 5.15.2 to match Qt5 (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 001 OpenSSH Date: 2021-03-03 Severity: Medium

OpenSSH-8.2p1 through OpenSSH-8.4p1 included a security vulnerability (double free) in the 'ssh-agent' program. This could lead to memory corruption and is potentially exploitable, and may lead to potential privilege escalation. This bug is only reachable by those with access to the agent socket, which is why the BLFS team has decided to rate this vulnerability as Medium severity. There is no CVE assigned for this vulnerability. Additional information can be found at OpenSSH 8.5 release announcement.

To fix this, update to OpenSSH-8.5p1 or later using the instructions in OpenSSH (sysv) or OpenSSH (systemd).

Late advisories for the 10.0 books

10.0 102 Flac Date: 2021-04-25 Severity: Medium

An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file. This has been assigned CVE-2017-6888. This was fixed in flac-1.3.3, but in the meantime a further vulnerability was discovered in flac-1.3.3, so please follow the instructions for 10.1-022.

Items between the releases of the 10.0 and 10.1 books

10.0 101 node.js Date: 2021-02-26 Severity: High

Node.JS-14.16.0 fixed three security vulnerabilities. One of them is a denial of service vulnerability (resource exhaustion via HTTP2 protocols), another is a DNS rebinding attack, and a third is an integer overflow. These vulnerabilities have been assigned CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840. The CVEs are not available at NVD yet, but more information can be found at February 2021 Security Releases.

To fix these, update to Node.JS-14.16.0 or later using the instructions in Node.JS (sysv) or Node.JS (systemd).

10.0 100 Thunderbird Date: 2021-02-24 Severity: High

In thunderbird before 78.8.0 there were three vulnerabilities rated as High, see mfsa2021-09. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.

To fix these, update to thunderbird-78.8.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 099 Firefox Date: 2021-02-24 Severity: High

In firefox 78.8.0 three vulnerabilities rated as High were fixed, see mfsa2021-08. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.

To fix these, update to firefox-78.8.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 098 ffmpeg Date: 2021-02-23 Severity: Medium

ffmpeg-4.3.2 fixed two medium-severity arbitrary code execution vulnerabilities. These could be exploited via crafted files using the EXR and VIVIDAS codecs. These vulnerabilities have been assigned CVE-2020-35965 and CVE-2020-34964.

To fix this, update to ffmpeg-4.3.2 or later using the instructions in ffmpeg (sysv) or ffmpeg (systemd).

10.0 097 Python (LFS and BLFS) Date: 2021-02-22 Severity: Critical

Python-3.9.2 contained two security fixes, one rated as 9.8 CRITICAL, and the other marked as Medium. The critical vulnerability can result in remote code execution in some Python-based programs, and the Medium-level vulnerability can result in web cache poisoning. These vulnerabilities have been assigned CVE-2021-23336 and CVE-2021-3177.

To fix this, update to Python-3.9.2 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.0 096 Screen Date: 2021-02-19 Severity: Critical

In Screen-4.8.0, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally found exploited via Minecraft servers, and is currently being exploited in the wild. The vulnerability can also allow shell injection. This has been assigned CVE-2021-26937.

To fix this, apply the patch in screen-4.8.0-upstream_fixes-1.patch to your build and recompile Screen using the instructions in Screen (sysv) or Screen (systemd).

10.0 095 OpenSSL (LFS) Date: 2021-02-19 Severity: High

In OpenSSL-1.1.1j, two security vulnerabilities were fixed that could lead to a potential denial-of-service attack due to integer overflows and null pointer dereferences. These have been assigned CVE-2021-23841 and CVE-2021-23840. Additional details can be found in OpenSSL.

To fix this, update to at least OpenSSL-1.1.1j using the instructions in OpenSSL (sysv) or OpenSSL (systemd).

10.0 094 Intel Microcode Date: 2021-02-19 Severity: Medium

On Intel Skylake Xeon and Cascade Lake Xeon processors, an authenticated user can potentially enable information disclosure via local access through two vulnerabilities. These have been assigned CVE-2020-8696 and CVE-2020-8698. See also Intel-SA-00381.

To fix this, update to at least microcode-20210216 using the instructions for About Firmware (sysv) or About Firmware (systemd).

10.0 093 BIND Date: 2021-02-18 Updated: 2021-02-22 Severity: High

In bind-9.16.12, a security vulnerability was fixed that could allow remote unauthenticated users to crash the named process if the server is configured to use SPNEGO/GSSAPI. This is classified as a buffer overflow vulnerability. This has been assigned CVE-2020-8625.

To fix this, apply the sed found in the instructions for BIND (sysv) or BIND (systemd) and rebuild BIND.

10.0 092 Taglib Date: 2021-02-15 Severity: Medium

In taglib-1.11.1, a security vulnerability was found that may lead to information disclosure when using a crafted OGG file. This is classified as a use-after-free vulnerability. This has been assigned CVE-2018-11439.

To fix this, update to at least taglib-1.12 using the instructions in taglib (sysv) or taglib (systemd).

10.0 091 WebKitGTK Date: 2021-02-15 Severity: High

In WebKitGTK-2.30.5, a security vulnerability was fixed that allows for arbitrary code execution when processing maliciously crafted web content. This web content appears to be audio, and the issue is a use-after-free in the AudioSourceProviderGstreamer class. It was fixed with improved memory management. This has been assigned CVE-2020-13558, and additional information may be found at WSA-2021-0001.

To fix this, update to at least WebKitGTK-2.30.5 using the instructions in WebKitGTK (sysv) or WebKitGTK (systemd).

10.0 090 PostgreSQL Date: 2021-02-12 Severity: Medium

In PostgreSQL-13.2, two vulnerabilities were fixed that could lead to unauthorized users leaking information from a database. One of them relates to users with the UPDATE privilege but without the SELECT privilege, and the other relates to users who have SELECT privileges for only a single column being able to read all columns of the table. These have been assigned CVE-2021-3393 and CVE-2021-20229.

To fix this, update to at least postgresql-13.2 using the instructions in PostgreSQL (sysv) or PostgreSQL (systemd).

10.0 089 gnome-autoar Date: 2021-02-12 Severity: Medium

In gnome-autoar-0.2.4, a security vulnerability was found that allows for directory traversal during extraction of an archive due to a lack of proper checks for whether a file's parent is a symlink to a directory outside of the intended extraction location. This has been assigned CVE-2020-36241.

To fix this, update to at least gnome-autoar-0.3.0 using the instructions in gnome-autoar (sysv) or gnome-autoar (systemd).
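Both the glib/file-roller item (10.1-017) and this gnome-autoar item describe the same class of bug: an archive extractor that writes a member without first checking whether the member's parent directory is a symlink pointing outside the extraction root, or whether the final path is itself a symlink. The following is an added illustration of that check, written for this page and not code from glib, gnome-autoar or any BLFS package. The function name safe_extract_path and the fixture layout in run_demo are assumptions for the example; the fixture is constructed in a temporary directory so that it runs offline.

```python
import os
import tempfile


def safe_extract_path(dest_root, member_name):
    """Return the absolute path at which an archive member named `member_name`
    may be written under `dest_root`, or None if writing it would escape the
    extraction directory (via '..', an absolute name, a symlinked parent, or
    a symlink sitting at the final path component).

    This is an illustrative check, not the logic of any particular extractor.
    """
    root = os.path.realpath(dest_root)
    if os.path.isabs(member_name):
        return None
    # A trailing '/' denotes a directory entry in most archive formats.
    parts = member_name.rstrip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None
    target = os.path.join(root, *parts)
    # Resolve every symlink in the parent chain. A parent that already exists
    # as a symlink to a directory outside `root` is exactly the case the
    # gnome-autoar advisory describes; realpath() follows it so the prefix
    # comparison below catches the escape.
    parent_real = os.path.realpath(os.path.dirname(target))
    if parent_real != root and not parent_real.startswith(root + os.sep):
        return None
    # Refuse to write through a symlink at the final component, so a link
    # placed by an earlier archive member (or a previous extraction) cannot
    # redirect the write to an existing file, as in the file-roller case.
    if os.path.islink(target):
        return None
    return os.path.join(parent_real, parts[-1])


def run_demo():
    """Build a constructed fixture and report which member names are accepted.

    Layout (all under one temporary directory):
      outside/            a directory the archive must never write into
      extract/            the extraction root, which already contains
        escape -> ../outside           (symlinked parent, escapes the root)
        config -> ../outside/config    (symlink at the final component)
    Returns a dict mapping each constructed member name to True (accepted)
    or False (refused).
    """
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")
        extract = os.path.join(tmp, "extract")
        os.makedirs(outside)
        os.makedirs(extract)
        os.symlink(os.path.join("..", "outside"), os.path.join(extract, "escape"))
        os.symlink(os.path.join("..", "outside", "config"), os.path.join(extract, "config"))
        members = [
            "docs/readme.txt",      # ordinary member: accepted
            "escape/payload.sh",    # parent is a symlink leaving the root: refused
            "config",               # final component is a symlink: refused
            "../outside/x",         # classic traversal: refused
            "/absolute/name",       # absolute member name: refused
        ]
        return {m: safe_extract_path(extract, m) is not None for m in members}


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{'accept' if accepted else 'refuse'}  {name}")
```

The important design point is the order of operations: the parent is resolved with realpath() after the lexical '..' check, because a purely lexical check passes "escape/payload.sh" even though the write would land in outside/. An extractor that creates directories as it goes must apply this check to every member, since an earlier member can plant the symlink that a later member then follows.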

10.0 088 xterm Date: 2021-02-12 Severity: Medium

In xterm-366, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally discovered in 'Screen', but was found to affect xterm as well. The vulnerability was originally found exploited via Minecraft servers, so as a result of its exploitation in the wild, BLFS has decided to apply a severity of Medium to this vulnerability. This has been assigned CVE-2021-26937.

To fix this, update to at least xterm-366 using the instructions in xterm (sysv) or xterm (systemd).

10.0 087 Jinja2 Date: 2021-02-12 Severity: Medium

In Jinja2-2.11.2, a security vulnerability was found that allows for a repeatable denial-of-service attack via malformed regex. This has been assigned CVE-2020-28493.

To fix this, update to at least Jinja2-2.11.3 using the instructions for Jinja2 (sysv) or Jinja2 (systemd).

10.0 086 Subversion Date: 2021-02-10 Severity: Medium

In subversion-1.14.0, a security vulnerability was found that can result in a remote, unauthenticated denial-of-service. This vulnerability was found in the mod_authz_svn and mod_dav_svn modules, and is a null-pointer dereference caused by attempting to access a non-existent repository. This has been assigned CVE-2020-17525.

To fix this, update to at least Subversion-1.14.1 using the instructions for Subversion (sysv) or Subversion (systemd).

10.0 085 Libgcrypt Date: 2021-02-10 Severity: High

In Libgcrypt-1.9.0 there is a heap-based buffer overflow. See CVE-2021-3345.

To fix this, update to at least Libgcrypt-1.9.1 using the instructions for Libgcrypt (sysv) or Libgcrypt (systemd).

10.0 084 Jasper Updated: 2021-02-09 Severity: High

In Jasper 2.0.24, jp2_decode in jp2/jp2_dec.c in libjasper has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. This has been assigned CVE-2021-3272.

To fix this, update to at least jasper-2.0.25 using the instructions for Jasper (sysv) or Jasper (systemd).

10.0 083 PHP Updated: 2021-02-07 Severity: Medium

In PHP before versions 7.4.15 and 8.0.2, according to Arch Linux, PHP will crash with a SIGSEGV via a null-pointer dereference whenever XML is provided to the SoapClient query() function without an existing field. CVE-2020-7071 has been allocated but for the moment that is "reserved". See Arch CVE-2021-21702 where the severity is rated as Medium.

To fix this, update to PHP-8.0.2 or later using the instructions for PHP (sysv) or PHP (systemd).

10.0 082 (LFS) GLIBC Date: 2021-02-07 Severity: High

In Glibc before 2.33 there are four vulnerabilities in iconv which can lead to a crash when processing less-common character encodings.

CVE-2019-25013: According to Red Hat this can be worked around by not processing untrusted input in the (uncommon) EUC-KR character set (see Red Hat).

CVE-2020-27618 is currently marked as 'Reserved'. According to Red Hat an infinite loop can be encountered when processing data in certain IBM character sets containing redundant shift sequences. They rate the severity as Low because an attacker would need either local privileges, or to depend on an application feeding untrusted encoding input to iconv (see Red Hat).

CVE-2020-29562: When processing UCS4 text containing an irreversible character, iconv fails an assertion and aborts, resulting in a denial of service. A workaround appears to be to avoid processing UCS4 input (constant 32-bit width characters) in iconv. For most users of LFS and BLFS it is expected that UCS4 input is uncommon.

CVE-2021-3326: When processing invalid input sequences in the ISO-2022-JP-3 encoding, iconv fails an assertion and aborts, resulting in a denial of service. According to Red Hat this can be worked around by not processing untrusted input in this encoding (see Red Hat).

To fix these, build a new version of LFS. If you have usable backups and have tested a way to restore them via a rescue stick or similar, it might be possible to build glibc-2.33 in place and then immediately make an unclean shutdown, e.g. using MagicSysRQ if that is enabled in your kernel. Such a procedure is not recommended, nor has it been tested.

10.0 081 Firefox Updated: 2021-02-07 Severity: None

In firefox before 78.7.1 a vulnerability in the ANGLE graphics library was rated as Critical and a CVE was requested. It has now been clarified that this only affected Windows operating systems.

10.0 080 JasPer Date: 2021-02-04 Severity: High

BLFS had been using JasPer-2.0.14, not aware that the upstream location had moved. In versions before Jasper-2.0.24 more than 25 vulnerabilities were present, mostly either causing a remotely triggered crash (Denial of Service) or otherwise rated as High. For an overview of these see BLFS #14599. The most recent included CVE-2018-9055, CVE-2018-9252, CVE-2018-19540, CVE-2018-19541, CVE-2018-19543, CVE-2020-27828.

To fix this, update to at least JasPer-2.0.24 using the instructions for JasPer (sysv) or JasPer (systemd).

10.0 079 Glib Date: 2021-02-04 Severity: High

Glib before 2.66.6 was vulnerable to integer truncation leading to potentially exploitable heap-overflow vulnerabilities. The issue was raised in a public report, so this is now classed as a zero-day vulnerability requiring urgent update. See GHSL-2021-045.

To fix this, update to at least Glib-2.66.6 using the instructions for Glib (sysv) or Glib (systemd).

10.0 078 Thunderbird Date: 2021-01-31 Severity: High

In thunderbird before 78.7.0 there were various vulnerabilities rated as High. See mfsa2021-05. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.

To fix this, update to Thunderbird-78.7.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 077 Perl (using cpan) Date: 2021-01-30 Severity: High

The perl.com domain was stolen and is currently hosted at an address associated with malware. Anyone who uses the 'cpan' command to build perl modules should ensure that www.cpan.org is used to provide the urllist; see the details at blfs-support archive.

10.0 076 Wireshark Date: 2021-01-30 Severity: High

Wireshark up to 3.4.2 had vulnerabilities for a memory leak and a crash, wnpa-sec-2020-20, wnpa-sec-2020-20. According to Red Hat these have been allocated CVE-2021-22173 and CVE-2021-22174 but these are currently 'Reserved'.

To fix these, update to wireshark-3.4.3 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 075 VLC Media Player Date: 2021-01-30 Severity: High

In VLC Media Player up to and including version 3.0.11 a remote user could create a specially crafted file or stream that would lead to crashes and potential information leakage, or perhaps arbitrary code execution. See VideoLAN-SB-VLC-3012.

To fix this, update to VLC-3.0.12 or later using the instructions for VLC (sysv) or VLC (systemd).

10.0 074 GPTfdisk Date: 2021-01-26 Severity: Moderate

In GPTfdisk before version 1.0.6 a possible out-of-bounds write in ReadLogicalParts of basicmbr.cc could be triggered by running gdisk or cgdisk on an improperly formatted MBR partition, leading to arbitrary code execution. CVE-2021-0308.

To fix this, update to GPTfdisk-1.0.6 or later using the instructions for GPTfdisk (sysv) or GPTfdisk (systemd).

10.0 073 Sudo Date: 2021-01-26 Severity: Critical

In Sudo before 1.9.5p2 the 'Baron Samedi' exploit allows privilege escalation, see CVE-2021-3156.

To fix this, update to Sudo-1.9.5p2 or later using the instructions for Sudo (sysv) or Sudo (systemd).

10.0 072 JS78 Date: 2021-01-26 Severity: High

In the javascript code of firefox-78.7.0 there is a fix for a 'Use-after-poison' vulnerability leading to a potentially exploitable crash. CVE-2021-23960 has been assigned but details are not yet public. Summary details are at mfsa2021-04.

To fix this, update to JS-78.7.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 071 Firefox Date: 2021-01-26 Severity: High

In firefox 78.7.0 several vulnerabilities were fixed; the following were rated as High. See mfsa2021-04. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.

To fix these, update to firefox-78.7.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 070 Vorbis Tools Updated: 2021-01-26 Severity: High

Three vulnerabilities in Vorbis Tools 1.4.0 could cause crashes. CVE-2014-9638, CVE-2014-9639, CVE-2017-11331.

To fix these, update to Vorbis Tools 1.4.2 or later using the instructions for Vorbis Tools (sysv) or Vorbis Tools (systemd).

10.0 069 Seamonkey Updated: 2021-01-26 Severity: Critical

Fixes from firefox-78.4.1 to 78.6.0, and from thunderbird-78.6.0 were included in seamonkey-2.53.6. See BLFS #14548. The following are rated as Critical or High: CVE-2020-16042, CVE-2020-26950, CVE-2020-26951, CVE-2020-26968, CVE-2020-26970, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix these, update to Seamonkey-2.53.6 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 068 Mutt Updated: 2021-01-25 Severity: Medium

In mutt through version 2.0.4 it was possible to cause a Denial of Service (the specific mailbox became unreadable) by sending a message with sequences of semicolons in RFC822 fields, causing large memory consumption. See CVE-2021-3181.

This was initially fixed with a minimal upstream patch, mutt-2.0.4-memleak-1.patch, but the 2.0.5 release followed a few days later with slightly more fixes. To fix this, update to mutt-2.0.5 or later using the instructions for Mutt (sysv) or Mutt (systemd).

10.0 067 ImageMagick Date: 2021-01-14 Severity: High

BLFS updated to ImageMagick-7.0.10-57 from 7.0.10-27 to fix two security vulnerabilities: a division by zero causing Denial of Service, and the -authenticate option (used to set a password for password-protected PDF files) not being properly sanitized, allowing users to inject additional shell commands. See CVE-2020-27560 for the division by zero, and CVE-2020-29599.

To fix this, update to ImageMagick-7.0.10-57 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).

10.0 066 Thunderbird Date: 2021-01-12 Severity: Critical

In thunderbird before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-02. This has been allocated CVE-2020-16044 but for the moment no details are available.

To fix this, update to Thunderbird-78.6.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 065 Sudo Updated: 2021-02-04 Severity: High

In Sudo before 1.9.5 there are two privilege escalation vulnerabilities, one marked as High. See oss-security and CVE-2021-20239, CVE-2021-23240.

To fix this, update to Sudo-1.9.5p1 or later using the instructions for Sudo (sysv) or Sudo (systemd).

10.0 064 PHP Updated: 2021-02-04 Severity: Medium

In PHP before 7.4.14 and 8.0.1, FILTER_VALIDATE_URL accepts URLs with invalid userinfo. CVE-2020-7071 has been allocated but for the moment that is "reserved". See ASA-202101-9 (Arch Linux).

To fix this, update to PHP-8.0.1 or later using the instructions for PHP (sysv) or PHP (systemd).

10.0 063 Firefox Date: 2021-01-06 Severity: Critical

In firefox before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-01. This has been allocated CVE-2020-16044 but for the moment no details are available.

To fix this, update to firefox-78.6.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 062 Node.js Date: 2021-01-05 Severity: High

In Node.js before 12.20.1, 14.15.4 a high security vulnerability (use after free, leading to Denial of Service or other exploits) as well as two medium security vulnerabilities were found (one is in OpenSSL but could be exploited through Node.js). CVE-2020-8265, CVE-2020-8287, CVE-2020-1971.

To fix these, update to Node.js-14.15.4 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.20.1 or later.

10.0 061 Poppler Updated: 2021-02-04 Severity: Disputed

A high severity heap-based buffer overflow via a crafted PDF was reported against Poppler-20.12.1 and assigned CVE-2020-35702, but later reports indicate that this only applies to Poppler git clones in late December 2020 (which might be used by third-party projects). For BLFS no action is now necessary.

10.0 060 Dovecot Date: 2021-01-04 Severity: Medium

In Dovecot before version 2.3.13, if IMAP hibernation has been enabled (it is off by default) an attacker can access other users' emails and filesystem information. It has been assigned CVE-2020-24386.

A workaround is to disable imap hibernation by ensuring imap_hibernate_timeout is either set to 0 or unset.

To fix this, update to dovecot-2.3.13 or later using the instructions for Dovecot (sysv) or Dovecot (systemd).

10.0 059 Libpcap Date: 2021-01-04 Severity: High

The changes file for Libpcap-1.10.0 at tcpdump.org mentions various security fixes.

To fix these, update to Libpcap-1.10.0 or later using the instructions for Libpcap (sysv) or Libpcap (systemd).

10.0 058 OpenJPEG Date: 2020-12-15 Severity: High

In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high, and another two rated as medium. See CVE-2019-6988, CVE-2019-12793, CVE-2020-6851, CVE-2020-8112.

To fix these, update to OpenJPEG-2.4.0 or later using the instructions for OpenJPEG2 (sysv) or OpenJPEG2 (systemd).

10.0 057 Wireshark Updated: 2021-02-04 Severity: Invalid

A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1 was raised and allocated CVE-2020-26422, but it was later determined that the bug was not present in any released version of Wireshark (wnpa-sec-2020-20), so no action is necessary.

10.0 056 Thunderbird Date: 2020-11-19 Severity: Critical

Several vulnerabilities were fixed in Thunderbird-78.6.0, one was rated as Critical. Details are at mfsa2020-56, CVE-2020-16042, CVE-2020-26970, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix this, update to Thunderbird-78.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 055 Wireshark Date: 2020-09-23 Severity: High

Four Medium Security Advisories for items which could cause Wireshark to crash were fixed in Wireshark-3.4.1, detailed at Wireshark Security, but in addition the editors had overlooked a High severity item fixed in Wireshark-3.4.0. CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421, CVE-2020-26575, CVE-2020-28030.

To fix these, update to wireshark-3.4.1 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 054 P11-Kit Date: 2020-12-15 Severity: High

In P11-Kit up to 0.23.21 there are two vulnerabilities rated as high, and another rated as medium. See CVE-2020-29361, CVE-2020-29362, CVE-2020-29363.

To fix this, update to p11-kit-0.23.22 or later using the instructions for P11-Kit (sysv) or P11-Kit (systemd).

10.0 053 Firefox Date: 2020-12-15 Severity: Critical

Several vulnerabilities were found in firefox before 78.6.0, of which one was rated as critical and four as high by upstream, as well as one rated low (but rated as Medium by NVD) where internal network hosts and services on the user's machine could have been probed by a malicious webpage. Details are at mfsa2020-55 and CVE-2020-16042, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix these, update to firefox-78.5.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 052 OpenSSL (LFS) Date: 2020-12-15 Severity: High

An EDIPARTYNAME NULL pointer dereference allows an attacker who can trick a client or server into checking a malicious X509 certificate to trigger a crash. This is rated High. It has been assigned CVE-2020-1971 with fuller details at OpenSSL.

To fix this, update to at least OpenSSL-1.1.1i using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).

10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High

Python-3.9.1 includes three security fixes. See bpo-40791, bpo-42051, bpo-42103.

To fix this, update to at least Python-3.9.1 using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.0 050 cURL Date: 2020-12-11 Severity: High

cURL before version 7.74.0 has two vulnerabilities rated as High, an uncontrolled recursion and an improper check for certificate revocation, as well as one rated as Low. See BLFS #14363 and CVE-2020-8284, CVE-2020-8285, CVE-2020-8286.

To fix these, update to cURL-7.74.0 or later following the instructions for cURL (sysv) or cURL (systemd).

10.0 049 Gdk-Pixbuf Date: 2020-12-08 Severity: Medium

Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service (infinite loop) which can, for example, be triggered using a crafted GIF image with LZW compression. CVE-2020-29385.

To fix this, update to Gdk-Pixbuf-2.42.2 or later following the instructions for Gdk-Pixbuf (sysv) or Gdk-Pixbuf (systemd).

10.0 048 Xorg-Server Date: 2020-12-05 Severity: High

In Xorg-Server before version 1.20.10 two input validation failures in X server extensions were found. These can lead to local privilege escalations (to root) if the X server is running privileged. These have been assigned CVE-2020-14360 and CVE-2020-25712.

To fix this, update to at least Xorg-Server-1.20.10 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.0 047 Unbound Updated: 2020-12-05 Severity: Medium

Unbound up to and including version 1.12.0 contains a local vulnerability that would allow for a local symlink attack. Severity downgraded following availability of analysis. CVE-2020-28935.

To fix this, update to Unbound-1.13.0 or later following the instructions for Unbound (sysv) or Unbound (systemd).

10.0 046 Mutt Date: 2020-11-26 Severity: Medium

Mutt before version 2.0.2 had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. CVE-2020-28896.

To fix this, update to mutt-2.0.2 or later following the instructions for Mutt (sysv) or Mutt (systemd).

10.0 045 LibEXIF Date: 2020-11-21 Severity: Critical

Three vulnerabilities were found in LibEXIF-0.6.22, two are rated as High and one as Critical. See BLFS #14272 and the following CVEs: CVE-2020-0181, CVE-2020-0198, CVE-2020-0452.

To fix these, update to a version of LibEXIF after version 0.6.22 if one is released, or apply the patch libexif-0.6.22-security_fixes-1.patch following the instructions for LibEXIF (sysv) or LibEXIF (systemd).

10.0 044 LibXML2 Date: 2020-11-21 Severity: High

Three vulnerabilities leading to Denial of Service were found in LibXML2-2.9.10, two of these are rated as High. See BLFS #14271 and the following CVEs: CVE-2019-20388, CVE-2020-7595, CVE-2020-24977.

To fix these, apply the patch libxml2-2.9.10-security_fixes-1.patch following the instructions for LibXML2 (sysv) or LibXML2 (systemd), or update to a later version if one is released.

10.0 043 WebKitGTK Date: 2020-11-25 Severity: High

Five vulnerabilities rated as High were found in WebKitGTK. See BLFS #14281 and the following CVEs (most were filed against Safari, which uses WebKit): CVE-2020-9948, CVE-2020-9951, CVE-2020-9952, CVE-2020-9983, CVE-2020-13584.

To fix this, update to at least webkitgtk-2.30.3 using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.0 042 Qt5 and QtWebEngine Date: 2020-11-20 Severity: Critical

The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from Chrome, of which four were 0day fixes. The rest of Qt5 includes many bug fixes, some of which include heap buffer overflows. For QtWebEngine see QtWebEngine 5.15.2 changes; for the other parts of Qt5 see Qt-5.15.2 Changes.

To fix these, update to at least Qt-5.15.2 and QtWebEngine-5.15.1 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).

10.0 041 Thunderbird Date: 2020-11-19 Severity: High

Several vulnerabilities were fixed in Thunderbird-78.5.0, two were rated High. Details are at mfsa2020-52, CVE-2020-26951, CVE-2020-26968.

To fix this, update to Thunderbird-78.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 040 Kerberos 5 Date: 2020-11-19 Severity: High

A vulnerability in Kerberos 5 before krb5-1.18.3 allowed a Denial of Service to be triggered when decoding Kerberos protocol messages. See Release Notes.

To fix this, update to krb5-1.18.3 or later using the instructions for Kerberos (sysv) or Kerberos (systemd).

10.0 039 C-Ares Date: 2020-11-19 Severity: High

An application using C-Ares versions from 1.16.0 to 1.17.0 allows an attacker to trigger a Denial of Service by getting the application to resolve a DNS record with a large number of responses. See CVE-2020-8277, which was initially raised against Node.js.

To fix this, update to C-Ares-1.17.1 or later using the instructions for C-Ares (sysv) or C-Ares (systemd).

10.0 038 Node.js Date: 2020-11-19 Severity: High

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could suffer a Denial of Service by being made to resolve a DNS record with a large number of responses. This also applies to C-Ares, which is shipped with Node.js. CVE-2020-8277.

To fix this, update to Node.js-14.15.1 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.19.1 or later.

10.0 037 JS78 Date: 2020-11-16 Severity: High

Several vulnerabilities were found in firefox before 78.5.0, of which one was in the javascript (js/src) code. Summary details are at mfsa2020-51.

To fix this, update to JS-78.5.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 036 Firefox Date: 2020-11-16 Severity: High

Several vulnerabilities were found in firefox before 78.5.0, of which two were rated as high by upstream. Details are at mfsa2020-51 and CVE-2020-26951 and CVE-2020-26968.

To fix this, update to firefox-78.5.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 035 Raptor Date: 2020-11-13 Severity: High

A heap overflow vulnerability in Raptor can lead to an out-of-bounds write. Details are at oss-security and CVE-2017-18926.

To fix this, patch raptor-2.0.15 using raptor-2.0.15-security_fixes-1.patch and the instructions for Raptor (sysv) or Raptor (systemd).

10.0 034 PostgreSQL Date: 2020-11-12 Severity: High

Three vulnerabilities rated as High were found in PostgreSQL before 13.1. Details are at PostgreSQL and CVE-2020-25694, CVE-2020-25695, CVE-2020-25696.

To fix this, update to PostgreSQL-13.1 or later, using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).

10.0 033 Thunderbird Date: 2020-11-10 Severity: Critical

The javascript vulnerability fixed in firefox-78.4.1 also applies to thunderbird. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to Thunderbird-78.4.2 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 032 Seamonkey Updated: 2020-11-21 Severity: Critical

The javascript vulnerability in JS-78.4.1 and firefox-78.4.1 also applies to seamonkey-2.53.4. In BLFS this was initially partly fixed by patching Seamonkey-2.53.4 using seamonkey-2.53.4-security_fixes-1.patch, but was later revised to use Seamonkey-2.53.5 when that became available. Seamonkey-2.53.5.1 then had further fixes for this.

To fix these, update to Seamonkey-2.53.5.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 031 JS78 Date: 2020-11-09 Severity: Critical

An exploitable use-after-free was found in JS78 before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to JS-78.4.1 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 030 Firefox Date: 2020-11-09 Severity: Critical

An exploitable use-after-free was found in firefox before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to firefox-78.4.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 029 MariaDB Date: 2020-11-04 Severity: Medium

Four CVE vulnerabilities were identified in MariaDB before version 10.5.7, as well as a high security vulnerability only applicable to Windows. See Release Notes and CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789.

To fix this, update to at least mariadb-10.5.7 using the instructions for MariaDB (sysv) or MariaDB (systemd).

10.0 028 Samba Date: 2020-10-30 Severity: Medium

Three CVE vulnerabilities were identified in Samba before version 4.13.1, see Samba History and CVE-2020-14318, CVE-2020-14323, CVE-2020-14383.

To fix this, update to at least samba-4.13.1 using the instructions for Samba (sysv) or Samba (systemd).

10.0 027 Libass Date: 2020-10-30 Severity: High

There was a signed integer overflow in libass-0.14.0. See CVE-2020-26682.

To fix this, update to at least libass-0.15.0 using the instructions for Libass (sysv) or Libass (systemd).

10.0 026 The Gstreamer stack Date: 2020-10-27 Severity: High

Upstream made an emergency release of gstreamer-1.18.1 and its stack containing important security fixes. At the same time the gstreamer-1.16.3 stack was released with similar fixes. Limited details are available at 1.18.1 Release Notes and 1.16.3 Release Notes.

On systems running Gstreamer 1.16 versions, such as BLFS-10.0, update to the gstreamer-1.16.3 packages (gstreamer, -libav, -plugins, -vaapi) using the instructions from the BLFS-10.0 book for Gstreamer 1.16 (sysv) and the rest of the stack, or Gstreamer 1.16 (systemd) and the rest of the stack.

On systems running Gstreamer 1.18 versions, update to the gstreamer-1.18.1 or later packages (gstreamer, -libav, -plugins, -vaapi) using the instructions for Gstreamer 1.18 (sysv) and the rest of the stack, or Gstreamer 1.18 (systemd) and the rest of the stack.

10.0 025 Thunderbird Date: 2020-10-23 Severity: High

Three vulnerabilities rated as High were fixed in thunderbird-78.4.0. Details are at mfsa2020-47.

To fix this, update to Thunderbird-78.4.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 024 FreeType Date: 2020-10-20 Severity: High

There was an emergency release fixing a vulnerability in embedded PNG bitmap handling (present since FreeType-2.6) which was being actively exploited. The original CVE was raised against Chrome OS and only rated as Medium. See CVE-2020-15999 and Sourceforge - Changes in 2.10.4.

To fix this, update to freetype-2.10.4 or later using the instructions for FreeType (sysv) or FreeType (systemd).

10.0 023 LXML Updated: 2020-11-28 Severity: Medium

A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website. CVE-2020-27783 and cybersecurity-help.cz.

This was thought to be fixed in LXML-4.6.1, but that fix was inadequate. To fix this, update to LXML-4.6.2 or later using the instructions for LXML (sysv) or LXML (systemd).

10.0 022 NSS Date: 2020-10-17 Severity: High

A flaw was found in the CCS handling, allowing a remote attacker to cause a denial of service for servers linked against NSS. CVE-2020-25613.

To fix this, update to at least NSS-3.58 using the instructions for NSS (sysv) or NSS (systemd).

10.0 021 Stunnel Date: 2020-10-16 Severity: High

In Stunnel-5.57 the "redirect" option was fixed to properly handle "verifyChain = yes". See Stunnel NEWS.

To fix this, update to at least stunnel-5.57 using the instructions for Stunnel (sysv) or Stunnel (systemd).

10.0 020 Ruby Date: 2020-10-06 Severity: High

Ruby before 2.7.2 had a vulnerability in its WEBrick HTTP server. CVE-2020-25613.

To fix this, update to at least Ruby-2.7.2 using the instructions for Ruby (sysv) or Ruby (systemd).

10.0 019 PHP Date: 2020-10-05 Severity: Medium

PHP before 7.4.11 had two CVE vulnerabilities, CVE-2020-1472 and CVE-2020-1472.

To fix this, update to at least PHP-7.4.11 using the instructions for PHP (sysv) or PHP (systemd).

10.0 018 Glib Date: 2020-10-05 Severity: Medium

Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs. See Release Notes.

To fix this, update to at least Glib-2.66.1 using the instructions for Glib (sysv) or Glib (systemd).

10.0 017 Wireshark Date: 2020-09-23 Severity: High

Three Security Advisories (wnpa-sec-2020-11,12,13) which could cause Wireshark to crash were fixed in Wireshark-3.2.7, detailed at Wireshark Security and CVE-2020-25862, CVE-2020-25863, CVE-2020-25866.

To fix these, update to wireshark-3.2.7 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 016 Thunderbird Updated: 2020-09-25 Severity: High

Revised 2020-09-26

Five vulnerabilities with CVE numbers were fixed in thunderbird-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-44.

But users of that version of thunderbird reported numerous crashes. To fix the vulnerabilities and the crashes, update to thunderbird-78.3.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 015 Seamonkey Date: 2020-09-23 Severity: Critical

Security fixes from firefox-60.6 up to firefox ESR-78.1 were included in Seamonkey-2.53.4. Please see The Release Notes.

To fix these, update to Seamonkey-2.53.4 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 014 Firefox Date: 2020-09-21 Severity: High

Four vulnerabilities with CVE numbers were fixed in firefox-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-43.

To fix these, update to firefox-78.3.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 013 Samba Date: 2020-09-26 Severity: Critical

A critical security vulnerability in Samba was discovered, dubbed "ZeroLogon". This vulnerability classifies as an authentication bypass, and is rated a 10.0 on the CVSSv3 scale. CVE-2020-1472 has been assigned.

To fix this, update to Samba-4.12.7 or later using the instructions for Samba (sysv) or Samba (systemd).

10.0 012 Node.js Date: 2020-09-17 Severity: High

Multiple security vulnerabilities were discovered in Node.js, including two marked as High. These have been assigned CVE-2020-8201 and CVE-2020-8252.

To fix this, update to Node.js-12.18.4 or later using the instructions for Node.js (sysv) or Node.js (systemd).

10.0 011 Qt5 and QtWebEngine Date: 2020-09-10 Severity: Critical

Many security vulnerabilities were discovered in Qt5-5.15.0 and QtWebEngine. For an overview, including the approximately 50 security fixes from Chrome which had CVEs assigned at the time of the update, see BLFS ticket #14026.

To fix this, update to at least Qt-5.15.1 and QtWebEngine-5.15.1 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).

10.0 010 Linux Kernel (LFS) Date: 2020-09-15 Severity: High

In Linux Kernels before 5.8.8 there is a potential privilege escalation. See oss-security.

To fix this, update to linux-5.8.9 or later using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.0 009 Bison (LFS) Date: 2020-09-15 Severity: Low

Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself; the generated code should not be affected. See The Release Announcement.

To fix this, update to bison-3.7.2 or later using the instructions from the LFS book for Bison (sysv) or Bison (systemd).

10.0 008 Cryptsetup Date: 2020-09-06 Severity: High

An out of bounds memory write was discovered in Cryptsetup. Note that this only affects 32-bit builds of cryptsetup. CVE-2020-14382 has been assigned.

To fix this, update to at least cryptsetup-2.3.4 using the instructions for Cryptsetup (sysv) or Cryptsetup (systemd).

10.0 007 GnuPG Date: 2020-09-06 Severity: Critical

A critical security bug was discovered in GnuPG 2.2.21 as shipped in BLFS 10.0, and in 2.2.22. This vulnerability will trigger whenever a key with preference lists for the AEAD algorithms is loaded, and can be exploited. CVE-2020-25125 has been assigned.

To fix this, update to GnuPG-2.2.23 or later using the instructions for GnuPG (sysv) or GnuPG (systemd).

10.0 006 Brotli Date: 2020-09-06 Severity: Medium

An integer overflow in brotli before version 1.0.9 can lead to a crash. This was assigned CVE-2020-8927.

To fix this, update to brotli-1.0.9 or later using the instructions for Brotli (sysv) or Brotli (systemd).

10.0 005 BIND Date: 2020-09-05 Severity: High

A variety of vulnerabilities were found in BIND. Most could cause a crash, but one allows privilege escalation by someone with authority to change a subset of the zone's content. These were assigned CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624. See also BIND 9 Security Vulnerability Matrix #114-8.

To fix this, update to BIND-9.6.16 or later using the instructions for BIND (sysv) or BIND (systemd).

10.0 004 CIFS-utils Date: 2020-09-05 Severity: High

The mount.cifs program was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. This was assigned CVE-2020-14342; more details are at samba-technical.

To fix this, update to cifs-utils-6.11 or later using the instructions for CIFS-utils (sysv) or CIFS-utils (systemd).

10.0 003 GnuTLS Date: 2020-09-03 Severity: High

A null-pointer dereference causing a remotely-triggered crash in the client application was found and assigned CVE-2020-24659; see also GNUTLS-SA-2020-09-04.

To fix this, update to at least GnuTLS-3.6.15 using the instructions for GnuTLS (sysv) or GnuTLS (systemd).

10.0 002 Xorg-Server Date: 2020-09-03 Severity: High

In Xorg-Server before version 1.20.9 several input validation failures in X server extensions were found. These can lead to local privilege escalation (to root) if the X server is running privileged. These have been assigned CVE-2020-14360, CVE-2020-14346, CVE-2020-14361 and CVE-2020-14362.

To fix this, update to at least Xorg-Server-1.20.9 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.0 001 LibX11 Date: 2020-09-03 Severity: High

Effective 2020-09-03

In libX11 before version 1.6.12 an integer overflow and double-free was found, which could lead to privilege escalation. This has been assigned CVE-2020-14363.

To fix this, update to at least libX11-1.6.12 using the instructions for Xorg Libraries (sysv) or Xorg Libraries (systemd).