BLFS-11.0 was released on 2021-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
Two new security vulnerabilities were fixed in httpd-2.4.52. One could allow a remotely exploitable crash or server-side request forgery; the other, in mod_lua, could allow remote code execution on servers that use that module. Updating to httpd-2.4.52 is recommended as soon as possible. 11.0-042
Two new vulnerabilities were found in apache 2.4.49, and it was then discovered that the fix for a vulnerability rated as critical in some non-default configurations was incomplete. In such configurations, both may allow for remote code execution. The other new vulnerability in 2.4.49 allows the server to be crashed. To fix these, update to httpd-2.4.51 or later. 11.0-013
Several vulnerabilities have been fixed in Apache HTTPD 2.4.49, one of which is rated high and another as critical. To fix these, update to httpd-2.4.51 or later. 11.0-006
On December 13th, 2021, the BLFS project discovered 13 security issues in AudioFile, including arbitrary command execution, arbitrary code execution, and denial of service vulnerabilities, and generated a patch. Note that AudioFile is only used in BLFS by KWave. If you have KWave or AudioFile installed, apply this patch immediately. 11.0-034
In BIND-9.16.22, a security vulnerability was fixed that could allow for a remote denial of service attack on servers that use the 'lame cache', which is enabled by default. NOTE: This only impacts the server, not the client side utilities. Update to BIND-9.16.22 if you have the server installed and configured. 11.0-024
In cryptsetup-2.3.6, a security vulnerability exists that could allow a local attacker with write access to the device to cause a LUKS2 volume to be decrypted without knowing the user passphrase. This is done by manipulating the on-disk LUKS2 header metadata while the device is not activated; the decryption then happens when the legitimate user next unlocks it. Update to cryptsetup-2.4.3 immediately if you use an encrypted device. 11.0-053
In cURL-7.79.0, three security vulnerabilities were fixed that could allow for denial of service, malicious data injection, and encryption protocol downgrades. Updating to cURL-7.79.0 is suggested as soon as possible if you use FTP, SMTP, POP3, or IMAP. 11.0-008
In Epiphany-41.3, four cross-site scripting vulnerabilities were fixed. These vulnerabilities existed in several areas, but most notably the internal error pages and the about:overview screen. Update to Epiphany-41.3. 11.0-055
In Exempi-2.6.1, several security vulnerabilities were fixed that could allow for remote or local arbitrary code execution, denial of service, and information disclosure. Most of these are due to memory safety issues. Update to Exempi-2.6.1 as soon as possible. 11.0-078
In exiv2-0.27.5, six security vulnerabilities were fixed that could lead to a denial of service. Four of them exist in the exiv2 library and two in the exiv2 tool. Update to exiv2-0.27.5. 11.0-021
In fetchmail before version 6.4.22, on IMAP connections without --ssl and with a nonempty --sslproto (meaning that fetchmail is to enforce TLS via STARTTLS), if the server or an attacker sends a PREAUTH greeting (which tells the client it is already authenticated, so STARTTLS is never negotiated), fetchmail used to continue on the unencrypted connection. It is recommended to use '--ssl' or the ssl user option in an rcfile, so that the connection is TLS from the start. Those were added to BLFS-11.0 in a note just before the release; the BLFS editors believe that using them removes the problem, and in that case no update is necessary. In other cases, update to fetchmail-6.4.22 or later. 11.0-011
In ffmpeg-4.4.1 (and 4.3.3/4.2.5), eleven security vulnerabilities were fixed that could lead to remote denial of service, remote extraction of sensitive data, and remote code execution. Update to ffmpeg-4.4.1 (or 4.3.3/4.2.5) as soon as possible. 11.0-022
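As an added illustration (not taken from the BLFS advisory or from the fetchmail project), the two rcfile forms the note above contrasts are shown below; the hostname, user name and password are placeholders. The first relies on STARTTLS and is the configuration affected before 6.4.22; the second uses the ssl user option, which makes fetchmail negotiate TLS on the implicit-TLS port (993 for IMAP) before any IMAP greeting is read.

```text
# Affected before fetchmail-6.4.22: no "ssl", so fetchmail connects in the clear on
# port 143 and expects to upgrade with STARTTLS. "sslproto" alone was meant to enforce
# that upgrade, but a PREAUTH greeting skipped it and the session stayed unencrypted.
poll imap.example.org protocol IMAP
    user "alice" there with password "secret" is "alice" here
    sslproto "tls1.2+"

# Recommended: "ssl" makes the whole session TLS from the first byte (port 993 for
# IMAP), so there is no cleartext phase in which a PREAUTH greeting can be injected.
# "sslcertck" additionally makes fetchmail refuse servers whose certificate does not
# validate, which closes the man-in-the-middle angle as well.
poll imap.example.org protocol IMAP
    user "alice" there with password "secret" is "alice" here
    ssl sslproto "tls1.2+" sslcertck
```

After changing the rcfile, a quick check is to run fetchmail once in verbose mode (fetchmail -v) and confirm the log shows the TLS handshake before the server greeting rather than a STARTTLS exchange after it.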
In firefox 91.6.0 several CVE issues, two rated High, were fixed. To fix these update to firefox-91.6.0 or later. 11.0-066
In firefox 91.5.0 several CVE issues, some rated High, were fixed. To fix these update to firefox-91.5.0 or later. 11.0-050
In firefox 91.4.0 several CVE issues, some rated High, were fixed as well as memory safety bugs rated as High without a CVE (MOZ-2021-0009). To fix these update to firefox-91.4.0 or later. 11.0-030
In firefox 91.3.0, the usual 'Memory Safety bugs' with a High severity have been fixed as well as some other items. For two of these, the CVE assignment is pending. To fix these update to firefox-91.3.0 or later. 11.0-025
In firefox 78.15.0 and 91.2.0, the usual 'Memory Safety bugs' with a High severity have been fixed as well as some other CVEs to which Mozilla gives a lower severity, but one of these has since been rated as critical by NVD. To fix these update to firefox-91.2.0 or later (Firefox-78 is now End of Life). 11.0-012
In firefox 78.14.0 and 91.1.0, the usual 'Memory Safety bugs' were fixed. To fix these update to firefox-91.1.0 or later (Firefox-78 is now End of Life). 11.0-002
In gfbgraph-0.2.5, a security vulnerability was fixed that could allow remote code execution and injection or modification of graph data, because the library failed to perform TLS certificate validation. Update to gfbgraph-0.2.5 or later. 11.0-052
A vulnerability in the ghostscript library libgs.so which allows arbitrary code execution, for example by invoking the convert program from ImageMagick on a user-supplied image file, was announced in August with a public PoC provided. This was initially reported as applying to version 9.50. It has now been reported upstream and determined to apply to all current versions from 9.50 onwards. To fix this apply the upstream_fix-2 patch from the development books, or upgrade to a later release when that is available. 11.0-005
A security advisory has been published by the GnuTLS team: when a single trust list object is shared among multiple threads, calls to gnutls_x509_trust_list_verify_crt2() were able to corrupt the temporary memory in which an internal copy of an issuer certificate is stored. The code path is only taken when a PKCS#11 based trust store is enabled and the issuer certificate is already stored as trusted. To fix this, upgrade to GnuTLS 3.7.3 or later. 11.0-058
In Grilo-0.3.14, a security vulnerability was fixed that could allow for silent TLS encryption downgrades and man-in-the-middle attacks. This could result in a high confidentiality impact. Update to Grilo-0.3.14 as soon as possible. 11.0-048
In gst-plugins-base-1.20.0 (and 1.18.6), a security vulnerability was fixed that can cause a denial of service when processing tags in files, due to a race condition. Update to gst-plugins-base-1.20.0 (or 1.18.6). 11.0-074
Two vulnerabilities have been found in ImageMagick: a heap-based buffer overflow in the TIFF coder, and a stack overflow when parsing a malicious PostScript (ps) image file. To fix these, update to ImageMagick-7.1.0-25 or later. 11.0-080
Intel microcode for Skylake and later processors has been updated to fix two vulnerabilities, a privilege escalation on certain recent Pentium, Celeron and Atom processors, and for all Skylake and later processors a local Denial of Service. To fix these, update affected machines to microcode-20220207 or later. 11.0-067
In libarchive-3.6.0, two security vulnerabilities were fixed that could allow for a symbolic link attack and for a denial of service. Update to libarchive-3.6.0 or later. 11.0-071
In libexif-0.6.23, two security vulnerabilities that could lead to denial of service were fixed in addition to the ones that were patched separately in BLFS 10.1. Update to libexif-0.6.23 or later. 11.0-009
In libgcrypt-1.10.0, a security vulnerability was fixed that could allow recovery of plaintext and of the encryption key. Update to libgcrypt-1.10.0 or later. 11.0-070
In libgrss-0.7.0, a security vulnerability was discovered that allows for remote code execution and silent manipulation of RSS feeds. The BLFS developers have modified the existing bugfixes patch. Rebuild with the new bugfixes patch to fix this vulnerability. 11.0-051
In libxml2-2.9.13, a security vulnerability was fixed that could allow a remote attacker to achieve remote code execution by supplying a crafted XML document containing ID or IDREF attributes. Update to libxml2-2.9.13 or later as soon as possible. 11.0-085
In libxslt-1.1.35, a security vulnerability was fixed that could allow a remote attacker to achieve remote code execution with a crafted XML document whose processing reaches the xsltApplyTemplates function. Update to libxslt-1.1.35 or later as soon as possible. 11.0-083
In lxml-4.7.1, two security vulnerabilities were resolved that could allow for crafted script content to pass through the HTML Cleaner using SVG files or CSS. Update to lxml-4.7.1 or later. 11.0-036
In Lynx-2.8.9rel.1, a security vulnerability exists that could allow for passwords to be leaked in cleartext when using HTTPS connections. The BLFS Editors have created a patch that should be applied if you use Lynx. 11.0-039
In make-ca-1.9, a security vulnerability exists that could allow a man-in-the-middle (MITM) attack by a remote attacker holding fraudulent certificates from compromised CAs which Mozilla has explicitly distrusted. Update to make-ca-1.10 or later. 11.0-047
In MariaDB-10.6.7, several security vulnerabilities were fixed that could lead to application crashes and information disclosure. Most of these vulnerabilities have to do with API calls, but some also occur with certain SELECT statements. Update to MariaDB-10.6.7. 11.0-079
In MIT Kerberos V5-1.18.2, a security vulnerability exists that could allow for a remote attacker to crash the KRB5 Key Distribution Center service. If you are using MIT Kerberos V5 for authentication, apply the sed in the development books or update to a newer version when available. 11.0-016
In node.js-16.13.2, four medium-severity vulnerabilities were fixed. Update to node.js-16.13.2 or later. 11.0-049
In node.js-14.18.1, two HTTP Request Smuggling vulnerabilities were fixed. Update to node.js-14.18.1 or later. 11.0-014
In node.js-14.17.6, five security vulnerabilities have been fixed that could allow for arbitrary file creation/overwrite and arbitrary code execution. Update to node.js-14.17.6 or later. 11.0-001
Versions of NSS before 3.73 or 3.68.1-ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Update to nss-3.73 or later. 11.0-029
In OpenJDK-17.0.1, several security vulnerabilities were fixed that could allow for remote code execution, remote denial of service, and information modification. In addition, this version also helps to protect your system from Log4Shell. Update to OpenJDK-17.0.1 immediately to protect yourself from exploitation. 11.0-035
In PHP-8.1.3, a security vulnerability was fixed that could allow for a denial of service when using the php_filter_float() function. Update to php-8.1.3 if you are using the php_filter_float() function. 11.0-084
In PHP-8.1.1, a security vulnerability was fixed that could allow for an out-of-bounds read when using the preg_replace function. This only affects users who are using preg_replace in their PHP applications. If you are using preg_replace, update to PHP-8.1.1 as soon as possible. 11.0-041
In php-8.0.13, a security vulnerability was fixed that could allow for a remote attacker to read a different file than what a programmer originally intended. If you use XML functions inside of PHP, you should update to php-8.0.13 as soon as possible. 11.0-031
In php-8.0.12, a security vulnerability in php-fpm was fixed that allows remote attackers to elevate privileges to root and execute code on a server running PHP-FPM and Apache HTTPD. If you have PHP-FPM installed/started, update to php-8.0.12 immediately. 11.0-020
In polkit-0.120, a security vulnerability allowing local privilege escalation has been identified. This affects polkit since 0.94. Apply the patch to fix the vulnerability and rebuild polkit immediately. 11.0-059
In PostgreSQL-14.1 (and other versions), two security vulnerabilities were fixed that could allow a remote attacker to inject SQL queries into an encrypted connection, and could cause the PostgreSQL client to process unencrypted bytes supplied by a man-in-the-middle attacker. If you use the PostgreSQL server over the network, update to PostgreSQL-14.1 or later. 11.0-033
In Python3 before 3.9.7, three security vulnerabilities were fixed that could cause SMTP command injection, crashes, and performance degradation. Update to Python-3.9.7 or later. 11.0-007
An out-of-bounds write was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to apply the patch from the advisory. 11.0-061
Thirty-one more CVEs (from Chromium) in QtWebEngine, of which at least seventeen are rated as High, have been fixed in the 5.15.8 version. Update to 5.15.8 or use a later version. 11.0-057
Twenty more CVEs (from Chromium) in QtWebEngine, most rated as High but two rated as Critical, have been fixed in the 5.15.7 version. Patch the BLFS qtwebengine-5.15.6 tarball up to 5.15.7 or use a later version. 11.0-028
In Ruby-3.0.3, three security vulnerabilities were patched that could allow for denial of service, content/cookie spoofing, and arbitrary code execution via a buffer overflow. Update to ruby-3.0.3 or later. 11.0-032
In all versions of rust before 1.58.1 an attacker can exploit a race condition to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Update to rust-1.58.1 or later, and if necessary rebuild any privileged rust programs. 11.0-060
In Samba-4.15.5, three security vulnerabilities were fixed, including one which allows for trivial remote code execution as root on Samba servers with the vfs_fruit module installed. Another vulnerability allows for impersonation of Active Directory users and computers. Update to Samba-4.15.5 immediately. 11.0-076
In Samba-4.15.2 (and 4.14.10), eight vulnerabilities have been identified. To fix them, update to samba-4.15.2 (or 4.14.10). The details can be found in the links given in the advisory. 11.0-026
In Samba-4.15.1 (and 4.14.9), a security vulnerability was fixed that could allow for a remote attacker to bypass authentication using Samba's internal Kerberos implementation. Update to Samba-4.15.1 (or 4.14.9) if you are using the Samba server. 11.0-023
In Samba-4.15.0, a security vulnerability was fixed that could allow for a remote attacker to crash the Samba server process. Note that this only affects LFS users if they are running an Active Directory Domain Controller through Samba. If you are running one, upgrade to Samba-4.15.0 or later. 11.0-017
In Seamonkey-2.53.10.1, several security vulnerabilities were fixed that could lead to remote code execution, content spoofing, remotely exploitable crashes, and more. Update to Seamonkey-2.53.10.1 as soon as possible. 11.0-043
In Seamonkey-2.53.9.1, the memory safety bug that was fixed in Firefox 78.14.0 was fixed, which prevents remote code execution. Update to Seamonkey-2.53.9.1 or later. 11.0-018
In sane-backends-1.0.32, several security vulnerabilities with Epson scanners were resolved that could lead to malicious scanners reading important information from programs that use SANE, executing arbitrary code, or crashing programs that use SANE. Update to sane-backends-1.0.32 if you have an Epson scanner on your network. 11.0-003
In systemd-249 (and systemd-250), a security vulnerability was discovered that allows for symlink attacks and infinite recursion (leading to a crash of systemd-tmpfiles). The BLFS Editors have developed patches for 249 and 250. See the advisory for instructions on updating your system. 11.0-054
In Thunderbird-91.6.1, a security vulnerability was fixed that could allow for trivial remote code execution when Thunderbird processes a crafted email message. Update to Thunderbird-91.6.1. 11.0-088
In Thunderbird-91.6.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, arbitrary code execution, content security policy bypasses, and more. Update to Thunderbird-91.6.0. 11.0-077
In Thunderbird-91.5.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, remote code execution, and content spoofing. Update to Thunderbird-91.5.0. 11.0-056
In Thunderbird-91.4.1, several security vulnerabilities were fixed. There are a variety of impacts, from remote code execution to unencrypting emails and querying installed applications on a system remotely. At least three vulnerabilities have been rated critical. Update to Thunderbird-91.4.1 as soon as possible. 11.0-040
In Thunderbird-91.2.0, several security vulnerabilities were fixed. One that is notable allows for silent downgrades of STARTTLS connections to mail servers. Updating is recommended as soon as possible. Update to Thunderbird-91.2.0. 11.0-019
In thunderbird 91.1.0, a few Memory Safety bugs were fixed. To fix this, update to thunderbird-91.1.0. 11.0-004
Another heap-based buffer overflow, causing a crash when repeatedly using :retab, was fixed in vim-8.2.4359. To fix this, update to vim-8.2.4383 or later. 11.0-081
Many security vulnerabilities in vim have been fixed in versions up to vim-8.2.4236. Fifteen of these have been rated as High by the NVD. Unfortunately, the details are minimal. 11.0-063
In VIM-8.2.3508, three security vulnerabilities were fixed that could lead to crashes and arbitrary code execution. Updating to vim-8.2.3508 is suggested if you're using UTF-8 encoded files or XML files. 11.0-015
In WebKitGTK+-2.34.6, a critical zero-day security vulnerability was fixed that could allow for remote code execution. This vulnerability is known to be exploited in the wild. Update to WebKitGTK+-2.34.6 immediately. 11.0-087
In WebKitGTK+-2.34.5, several security vulnerabilities were fixed that could allow for denial of service, remote code execution, security policy bypasses, and for information disclosure. Public proof-of-concept exploits exist for the information disclosure vulnerability. Update to WebKitGTK+-2.34.5 immediately. 11.0-075
In WebKitGTK+-2.34.3, two security vulnerabilities were fixed that could allow for universal cross-site scripting and for a content security policy to be bypassed (if one is enabled). Update to WebKitGTK+-2.34.3. 11.0-044
In WebKitGTK+-2.34.0, a security vulnerability named "FORCEDENTRY" was patched. This security vulnerability allows for silent execution of arbitrary code through malicious advertisements or web pages, and is being actively exploited in the wild. Update to WebKitGTK+-2.34.1 or later immediately. 11.0-010
In Wireshark-3.6.2, several security vulnerabilities were fixed that could allow for denial-of-service conditions, including application crashes and resource exhaustion. These can also be exploited when viewing packet capture files. There is a long list of protocol dissectors affected. Update to Wireshark-3.6.2 as soon as possible. 11.0-072
In Wireshark-3.6.1, several security vulnerabilities were fixed in packet dissectors that could lead to denial-of-service conditions, including application crashes and resource exhaustion. These can also occur when dissecting *.pcapng and RFC 7468 files. Update to Wireshark-3.6.1 as soon as possible. 11.0-046
In Wireshark-3.4.10, several security vulnerabilities were fixed in packet dissectors that could lead to denial-of-service conditions, including application crashes and resource exhaustion. If you use Wireshark to dissect packets often, update to Wireshark-3.4.10 as soon as possible. 11.0-027
The BLFS Editors became aware of six security vulnerabilities in wpa_supplicant and have developed a patch to fix them. If you use wpa_supplicant, apply the patch as soon as possible. See the advisory for more details. 11.0-045
In xorg-server-21.1.2, four security vulnerabilities were fixed that could allow for remote code execution on systems with SSH X11 forwarding enabled, or local privilege escalation on local systems. These vulnerabilities are due to input validation failures in several extensions. Update to xorg-server-21.1.2. 11.0-038
In XWayland-21.1.4, four security vulnerabilities were fixed that could allow for remote code execution on systems with SSH X11 forwarding enabled, or local privilege escalation on local systems. These vulnerabilities are due to input validation failures in several extensions. Update to XWayland-21.1.4. 11.0-037
In zsh-5.8.1, a security vulnerability was fixed during PROMPT_SUBST expansion that could lead to arbitrary code execution. A proof-of-concept exploit exists. Update to zsh-5.8.1 immediately if you use zsh. 11.0-073