LFS Security Advisories for LFS 12.2 and the current development books.
LFS-12.2 was released on 2024-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to fuller details which have links to the development books.
Glibc
Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.
12.2 072 Glibc (LFS) Date: 2025-02-02 Severity: Medium
In Glibc-2.41, a security vulnerability was fixed that could allow for a buffer overflow when printing assertion failure messages. This can allow for application crashes, or in some extreme cases, undefined behavior. The only viable vector for exploitation of this vulnerability is local, and it must be a setuid program that has an existing bug which results in the assertion failure. At this time, the LFS team (and upstream) are not aware of any applications that may have this behavior, but users may have custom setuid programs which can be exploited. Only LFS users who have custom setuid programs installed are affected.
Please read the link to fix this vulnerability: 12.2-072
Expat
12.2 041 Expat (LFS) Date: 2024-11-10 Severity: Medium
In Expat-2.6.4, a security vulnerability was fixed that could allow for a denial of service condition (application crash) when using the XML_ResumeParser function due to a NULL pointer dereference. It was fixed by not allowing XML_StopParser to stop or suspend an unstarted parser. Note that an application may crash with an XML_ERROR_NOT_STARTED if an exploitation is attempted. Update to Expat-2.6.4. 12.2-041
12.2 006 Expat (LFS) Date: 2024-09-17 Severity: Critical
In Expat-2.6.3, three critical security vulnerabilities were fixed that could allow for denial of service and arbitrary code execution. Two of the issues only affect 32-bit installations of LFS, while one issue affects all architectures. Update to Expat-2.6.3 or later as soon as possible. 12.2-006
Jinja2
12.2 056 Jinja2 (LFS) Date: 2025-01-03 Severity: High
In Jinja2-3.1.5, two security vulnerabilities were fixed that could allow for sandbox escapes and execution of arbitrary Python code. One of these issues happens due to an oversight in how the Jinja sandboxed environment detects calls to str.format, and the other occurs due to a bug in the Jinja2 compiler that allows an attacker who controls both the content and filename of a template to execute arbitrary Python code outside of the sandbox. Update to Jinja2-3.1.5. 12.2-056
OpenSSL
12.2 085 OpenSSL (LFS) Date: 2025-02-12 Severity: High
In OpenSSL-3.4.1 (and 3.3.3), two security vulnerabilities were fixed that could allow for a timing side-channel attack while computing ECDSA signatures (which allows for exfiltration of a private key in an ECDSA signature), and for RFC7250 handshakes with unauthenticated servers to not be aborted as expected. This can allow for man-in-the-middle attacks, but note that RFC7250 support is not enabled by default in either TLS clients or TLS servers. Update to OpenSSL-3.4.1 (or 3.3.3), but note that if you update from 3.3.x to 3.4.x, you will need to rebuild OpenSSH if you have it installed. 12.2-085
12.2 007 OpenSSL (LFS) Date: 2024-09-17 Severity: Medium
In OpenSSL-3.3.2, a security vulnerability was fixed that could allow for a denial of service (application crash) while performing certificate name checks on X.509 certificates. Applications performing these checks may attempt to read an invalid memory address, which will result in termination of the program. This occurs when comparing the expected name with an 'otherName' subject alternative name in a certificate. Update to OpenSSL-3.3.2. 12.2-007
Python3
12.2 086 Python3 (LFS and BLFS) Date: 2025-02-12 Severity: High
In Python-3.13.2 (and 3.12.9), five security vulnerabilities were fixed that could allow for hostnames to not be flagged as incorrect when using urlparse, for denial of service conditions (memory exhaustion and crashes) when processing Unicode characters, using the asyncio module, or when using the imaplib module to connect to a malicious server, and for email header spoofing when using the email module. Only two of the five vulnerabilities were assigned CVEs. Update to Python-3.13.2 (or Python-3.12.9 if you are on the 3.12 series). 12.2-086
12.2 054 Python3 (LFS and BLFS) Date: 2025-01-03 Severity: Medium
In Python-3.13.1 (and 3.12.8), three security vulnerabilities were fixed that could allow for unauthorized command execution when spawning a virtual environment, for filtering bypasses (because IPv4-mapped IPv6 address properties were highly inconsistent), and for pyrepl to read local files unexpectedly (which is known to cause inconsistent behavior and arbitrary code execution). Update to Python-3.13.1 (or Python-3.12.8 if you are on the 3.12 series). 12.2-054
12.2 008 Python3 (LFS and BLFS) Date: 2024-09-17 Severity: High
In Python-3.12.6, three security vulnerabilities were fixed that could allow for denial of service conditions (crashes and excessive resource usage). These issues occur in the HTTP functionality as well as handling of TAR and ZIP archives in Python. Update to Python-3.12.6. 12.2-008
vim
12.2 073 vim (LFS and BLFS) Date: 2025-02-02 Severity: Medium
In vim-9.1.1071, a security vulnerability was fixed that could allow for a crash when the win_line() function is called in some extreme circumstances. Note that a user must intentionally and explicitly feed Vim binary data to exploit this vulnerability. Update to vim-9.1.1071. 12.2-073
12.2 067 vim (LFS and BLFS) Date: 2025-01-14 Severity: Medium
In vim-9.1.1016, a security vulnerability was fixed that could allow for a crash or arbitrary code execution when using visual mode. The issue is caused by a heap-based buffer overflow when using the :all command while visual mode is still active, because Vim does not end visual mode and will try to access beyond the end of a line in a buffer. The updated version of Vim will correctly reset visual mode before opening other windows and buffers, and will also verify that it won't try to access a position if the position is greater than the corresponding buffer line. Update to vim-9.1.1016. 12.2-067