LFS Security Advisories for LFS 12.1 and the current development books.

LFS-12.1 was released on 2024-03-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.

The links at the end of each item point to fuller details which have links to the development books.

Expat

12.1 010 Expat (LFS) Date: 2024-03-20 Severity: Medium

In Expat-2.6.2, a security vulnerability was fixed that could allow for denial of service via an XML Entity Expansion attack when there is isolated use of external parsers (created using the XML_ExternalEntityParserCreate function). The issue has been classified as a "billion laughs" attack, also known as an XML bomb attack. Update to Expat-2.6.2. 12.1-010

Glibc

Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.

12.1 037 Glibc Date: 2024-05-02 Severity: High

In Glibc 2.39 and earlier, there is a vulnerability in an iconv module which may allow a remote code execution via network services running on the system. An exploit via PHP-based web applications has been demonstrated. And, there are four vulnerabilities in the Name Service Cache Daemon (NSCD) of Glibc.

Please read the link to fix these vulnerabilities: 12.0-037

Linux Kernel

12.1 029 Linux Kernel (LFS) Date: 2024-04-17 Severity: Medium

In Linux-6.8.5, an insufficient mitigation against the hardware vulnerability known as Branch History Injection, or BHI (see 11.1-011 for details) on some Intel processors was fixed. Read 12.1-029 for how to fully mitigate BHI for affected Intel processors.