On 2018-10-09 16:46, Ken Moffat via blfs-support wrote:
I'm sure you are all keeping up to date with fixing vulnerabilities,
so I won't detail today's update to texlive source, or the other
security fixes in the past few days, but exceptionally I'm going to
mention the update to ghostscript which I've just committed.

For gs-9.25, apply the ghostscript-9.25-security_fixes-1.patch which
is in lfs patches, and should be directly linked from the book when
it is next rendered.

The reason I'm mentioning this is that a reasonably-benign proof of
concept is available, as well as others, and can be triggered by
opening malicious postscript files.  In particular, opening in gimp
and evince (known to be possible with gs-9.24) and probably several
others.  The vulnerability applies to all versions of ghostscript
that are likely to still be in use, although the patch probably only
applies to 9.25.

ĸen
--
                        Is it about a bicycle ?

I'd like to add onto this by saying that, for 8.3, I have some errata that needs to be generated.

In GDM, there is a security vulnerability that allows a user to unlock a GNOME-based system, as used in 8.3, with a couple of simple keypresses. This will be fixed in SVN within the next day or two, and if you are running GNOME on BLFS 8.3, I highly recommend patching this. Unfortunately, the CVE ID for this is still under embargo as Red Hat has not patched RHEL yet.

There is a critical security vulnerability with the version of OpenSSH shipped with BLFS 8.3 that allows remote attackers to enumerate usernames from the OpenSSH server. This should be patched IMMEDIATELY if you are running BLFS 8.3 and have OpenSSH installed. This has the identifier of CVE-2018-15473, and more information about it can be found on the Qualys website.

There have been numerous vulnerabilities fixed in WebKitGTK+ and QtWebEngine in the versions that came out extremely soon after BLFS 8.3. If you have WebKitGTK installed, please update to 2.22.x, and if you have QtWebEngine installed, please update to 5.11.2. These updates should be considered urgent, as they lead to crashes, information disclosure, and remote shell access.

There was a PHP security update that was added recently to BLFS. If you're running either SVN or 8.3, I highly recommend patching this.

For glib2, two security patches were released for glib2-2.56.2 ONLY (as used in BLFS 8.3). These have the CVE IDs of 2018-16428 and 2018-16429, and patches are available upstream (although I have plans to generate one for BLFS 8.3). PoCs are readily available for these two vulnerabilities.

There have been Firefox and Thunderbird security updates since BLFS 8.3 was released.

For Samba users, there was a data corruption issue fixed in Samba 4.9.1. I highly recommend patching to that version if you have Samba installed.

Last month, YouTube made some changes that made videos unplayable in Epiphany and other WebKit-based browsers due to lack of proper codecs (MSE support). This issue is still ongoing; I'm working on it in ticket #11170. This will hit with the rest of the GNOME updates that are needed (one of which is needed urgently, detailed below).

With gnome-settings-daemon-3.26.0 and above, there is a critical data corruption problem with systems that have ACPI support for standby and hibernation. When a system wakes from sleep or hibernation, it has a chance of not restarting services properly, and may cause file corruption as a result. gnome-settings-daemon-3.30.1.1 was released a day or two ago that solves this issue. I'm treating this issue as the most critical one on my list next to verifying that the ghostscript issue was fixed in Okular and Nautilus, and there should hopefully be an update in the next day or two. If you are running GNOME on SVN or 8.3, I highly recommend applying this update when it becomes available. There are also memory leaks in Evolution as shipped in BLFS 8.3 that will be fixed by the version coming soon in SVN.

Finally, there were 30+ vulnerabilities fixed in ghostscript between 9.23 and 9.25, not including the patch that was just added to BLFS. If you are running a BLFS 8.3 system, I highly recommend updating to this IMMEDIATELY.

I'm going to update the errata page for BLFS 8.3 when all of my updates and verification processes are completed.

Douglas R. Reno
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page