Errata for BLFS Version 8.4

Known Security Vulnerabilities

A few packages are good at reporting that a new release fixes a vulnerability. For some others, such as firefox, virtually every new release includes security fixes. But in many cases the fixes are not documented as security issues.

Updates to the packages in the book may be available in the development version of the book.

The kcodecs package in KDE Frameworks 5 (kf5) is affected by CVE-2013-0779, and a fix is now available: the build instructions add a sed to the script. See ../../view/svn/kde/krameworks5.html.

Two critical zero-day security vulnerabilities were discovered in Firefox and Thunderbird. The BLFS team recommends upgrading to the new versions immediately. See the build instructions in ../../view/svn/xsoft/firefox.html and ../../view/svn/xsoft/thunderbird.html.

Post-release, seven vulnerabilities were discovered in Apache HTTPD, including two privilege escalations and one access control bypass. The BLFS team recommends upgrading to the new version as soon as possible. See the build instructions in ../../view/svn/server/apache.html.

In May 2019, a vulnerability dubbed "ZombieLoad" (one of the Microarchitectural Data Sampling, or MDS, issues) was discovered in Intel CPUs. To mitigate it, install the updated Intel microcode using the instructions in ../../view/svn/postlfs/firmware.html. Note that the microcode only supplies the buffer-clearing capability; the running kernel must also carry the MDS mitigation (Linux 5.1.2, or a stable release that includes the backport) for the fix to be in effect.
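To confirm that the mitigation is actually in effect after the microcode update, check what the kernel reports in sysfs rather than trusting that the firmware package was installed. The script below is an added example, not part of BLFS or of the firmware page; the status strings it matches are the ones documented in the kernel's MDS admin guide (Documentation/admin-guide/hw-vuln/mds.rst), and the microcode revision is read from the "microcode" field of /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not from BLFS): report the kernel's MDS ("ZombieLoad")
# mitigation status and the loaded Intel microcode revision.
# Status strings follow Documentation/admin-guide/hw-vuln/mds.rst; the sysfs
# file only exists on kernels that carry the MDS mitigation at all.

SYSFS_MDS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_state [FILE]: classify the sysfs text into a short keyword; returns 0
# when fully mitigated (or not affected), 1 when vulnerable, 2 when unknown.
mds_state() {
    _f=${1:-$SYSFS_MDS}
    if [ ! -r "$_f" ]; then
        echo unknown            # kernel predates the MDS mitigation, or not Linux
        return 2
    fi
    _s=$(cat "$_f")
    case $_s in
        "Not affected")
            echo not-affected; return 0 ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)
            # microcode and kernel fix present, but hyperthreading still
            # leaks across sibling threads (needs nosmt, or accept the risk)
            echo mitigated-smt-vulnerable; return 1 ;;
        "Mitigation: Clear CPU buffers"*)
            echo mitigated; return 0 ;;
        *"no microcode"*)
            # the kernel has the fix but the CPU lacks MD_CLEAR: exactly the
            # situation the microcode update in the errata entry addresses
            echo no-microcode; return 1 ;;
        Vulnerable*)
            echo vulnerable; return 1 ;;   # mitigation disabled, e.g. mds=off
        *)
            echo unknown; return 2 ;;
    esac
}

# microcode_revision [FILE]: first "microcode" field of /proc/cpuinfo.
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}" 2>/dev/null
}

# Live report; prints and never aborts, so it is safe to run on any host.
_state=$(mds_state) || true
printf 'MDS status: %s (%s)\n' "$_state" \
    "$(cat "$SYSFS_MDS" 2>/dev/null || echo 'no sysfs entry')"
printf 'microcode revision: %s\n' "$(microcode_revision)"
```

The interesting verdict for this errata entry is no-microcode: the kernel knows how to mitigate MDS but the CPU has not been given the updated microcode, so the fix is not active even though the kernel is new enough. mitigated-smt-vulnerable means the update worked but sibling hyperthreads can still leak, which is a policy decision (nosmt) rather than a missing package.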

Post-release, critical vulnerabilities were discovered in Samba, with all versions from 4.0.x to 4.10.3 impacted. These allow for arbitrary file overwrite, authentication bypass, password hash leaks, unauthorized modification/reading of files, and symlink traversal. The BLFS team recommends upgrading to the 4.10.4 release of Samba as soon as possible, using the instructions in ../../view/svn/basicnet/samba.html.

Post-release, a vulnerability was discovered in GLib: the GIO subsystem created files and directories with overly permissive modes, allowing modification of files and ACLs by other local users. GLib-2.60.4 fixes this by clamping down on the permissions it uses. The BLFS team recommends updating to GLib-2.60.4 or later as soon as possible, using the instructions in ../../view/svn/general/glib2.html.

Post-release, a vulnerability was discovered in D-Bus that allows for authentication bypass through an open D-Bus socket. To fix this, upgrade to version 1.12.16 or later using the instructions at ../../view/svn/general/dbus.xml.

In June, a vulnerability was discovered in vim: remote attackers can execute arbitrary OS commands via the :source! command in a modeline, i.e. by getting a user to open a crafted file. This has been fixed in version 8.1.1365; see the instructions in ../../view/svn/postlfs/editors/vim.html. Until vim is upgraded, adding set nomodeline to the vimrc removes the trigger, since the attack depends on modelines being processed.

In June, 23 security vulnerabilities allowing arbitrary code execution, sandbox escape, URL forging, denial of service, and remote modification of memory were discovered in QtWebEngine. These have been fixed in Qt/QtWebEngine 5.12.4, and upgrading as soon as possible is recommended. See the instructions in ../../view/svn/x/qt5.html.

In June, three security vulnerabilities allowing arbitrary code execution, unauthorized modification of data, and information disclosure were discovered in WebKitGTK+ before 2.24.2. The BLFS team recommends upgrading to WebKitGTK+-2.24.2 using the instructions in ../../view/svn/x/webkitgtk.html.

In June, more zero-days were discovered in Thunderbird and Firefox. The Thunderbird ones allow a repeatable crash and subsequent profile corruption simply by receiving a .ics file, because Thunderbird indexes attachments and contents while it downloads mail. The Firefox ones allow arbitrary code execution through the JavaScript and IPC layers. The BLFS team recommends upgrading to Thunderbird-60.7.2 and Firefox-67.0.4 immediately, using the instructions in ../../view/svn/xsoft/thunderbird.html and ../../view/svn/xsoft/firefox.html.
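For the entries above that name a fixed release (GLib, D-Bus, vim, Qt/QtWebEngine, WebKitGTK+, Samba, Thunderbird and Firefox), the script below checks whether the installed version is at or above it; the kcodecs and Apache entries give no version and are not covered. It is an added example, not part of BLFS. The minimum versions are the ones this page lists; the commands used to read each installed version (the pkg-config module names, and the --version output formats of smbd, firefox, thunderbird and vim) are this example's assumptions about those packages and may need adjusting on a given system.

```shell
#!/bin/sh
# Added example (not from BLFS): compare installed versions against the
# fixed releases named in this errata. The package queries in report() are
# assumptions about each tool's output; adjust them to your installation.

# version_ge A B: true when dotted numeric version A is >= B, component-wise.
# Missing trailing components count as 0, so 4.10 < 4.10.4 and 2.60.4 >= 2.60.
version_ge() {
    _a=$1.
    _b=$2.
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _a=${_a#*.}
        _y=${_b%%.*}; _b=${_b#*.}
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0
}

# check NAME INSTALLED FIXED: print a verdict; return 1 only when INSTALLED
# is present and older than FIXED (an undetected package is reported, not
# treated as a failure, so a missing desktop app does not mask a bad server).
check() {
    if [ -z "$2" ]; then
        printf '%-12s not detected (not installed, or the query needs adjusting)\n' "$1"
        return 0
    elif version_ge "$2" "$3"; then
        printf '%-12s %s ok (fixed in %s)\n' "$1" "$2" "$3"
        return 0
    else
        printf '%-12s %s VULNERABLE: upgrade to %s or later\n' "$1" "$2" "$3"
        return 1
    fi
}

# vim prints "VIM - Vi IMproved 8.1 (...)" and "Included patches: 1-1365";
# combine them into 8.1.1365 so the patch level compares against the fix.
vim_version() {
    vim --version 2>/dev/null | awk '
        /^VIM - Vi IMproved/ { v = $5 }
        /^Included patches:/ { p = $NF; sub(/.*-/, "", p) }
        END { if (v != "") print v "." (p == "" ? 0 : p) }'
}

# report: one line per errata entry; returns 1 if anything installed is old.
report() {
    _rc=0
    check glib        "$(pkg-config --modversion glib-2.0 2>/dev/null)"       2.60.4   || _rc=1
    check dbus        "$(pkg-config --modversion dbus-1 2>/dev/null)"         1.12.16  || _rc=1
    check webkitgtk   "$(pkg-config --modversion webkit2gtk-4.0 2>/dev/null)" 2.24.2   || _rc=1
    check qtwebengine "$(pkg-config --modversion Qt5WebEngine 2>/dev/null)"   5.12.4   || _rc=1
    check vim         "$(vim_version)"                                        8.1.1365 || _rc=1
    check samba       "$(smbd --version 2>/dev/null | awk '{ print $2 }')"    4.10.4   || _rc=1
    check firefox     "$(firefox --version 2>/dev/null | awk '{ print $NF }')" 67.0.4  || _rc=1
    check thunderbird "$(thunderbird --version 2>/dev/null | awk '{ print $NF }')" 60.7.2 || _rc=1
    return $_rc
}

report
```

version_ge compares numerically component by component rather than lexically, which matters here: a plain string comparison would rank vim 8.1.999 above 8.1.1365 and miss the vulnerable install.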