BLFS Security Advisories for BLFS 10.1 and the current development books.
BLFS-10.1 was released on 2021-03-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
Apache ANT
10.1 076 Apache ANT Date: 2021-07-17 Severity: Moderate
Two security vulnerabilities were fixed in apache-ant-1.10.11 that could lead to out-of-memory conditions when extracting JARs, ZIPs, and TARs during a build process. To fix these, update to apache-ant-1.10.11 or later. 10.1-076
Apache HTTPD
10.1 060 Apache HTTPD Updated: 2021-06-15 Severity: Moderate
Seven vulnerabilities were fixed in httpd-2.4.48, of which three were rated as moderate by upstream. To fix these update to Apache HTTPD-2.4.48 or later. 10.1-060
APR
10.1 102 APR Date: 2021-08-26 Severity: High
In apr-1.7.0, an easily-exploitable security vulnerability exists that allows for an out-of-bounds array read by using a month greater than 12 inside of an input to some APR functions. This vulnerability was originally fixed in 2017, but the fix was not carried over into the apr-1.7.x branch due to a problem in Apache's Subversion repositories. It has been fixed with a sed in the development book, which you should apply. 10.1-102
Avahi
10.1 028 Avahi Date: 2021-04-14 Severity: Medium
A security vulnerability was discovered in Avahi that could allow a local attacker to trigger an infinite loop by writing long lines to /run/avahi-daemon/socket. To fix this, apply a sed in the Avahi page. For more details, see the advisory linked here: 10.1-028
BIND
10.1 097 BIND Date: 2021-08-19 Severity: High
In BIND-9.16.20, a trivial-to-exploit remote denial of service vulnerability was fixed. The National Vulnerability Database and ISC have rated this vulnerability as High. To fix this, update to BIND-9.16.20 or later. 10.1-097
10.1 037 BIND Date: 2021-05-01 Severity: High
In BIND-9.16.15, three security vulnerabilities were fixed, one of which can result in remote code execution on 32-bit platforms. The other two vulnerabilities result in crashes when certain queries are executed against the DNS server. To fix these, update to BIND-9.16.15 or later. 10.1-037
c-ares
10.1 090 c-ares Date: 2021-08-12 Severity: Moderate
In c-ares-1.17.2, a security vulnerability was fixed that could allow for domain hijacking due to improper input validation. The developers suggest upgrading immediately to c-ares-1.17.2. Update to c-ares-1.17.2 or later. 10.1-090
cifs-utils
10.1 030 cifs-utils Date: 2021-04-13 Severity: Medium
In cifs-utils-6.13, a security vulnerability was fixed that could lead to privilege escalation or authentication credential leaks when running the "cifs.upcall" command when Kerberos support is enabled. Update to cifs-utils-6.13 or later. 10.1-030
cURL
10.1 079 cURL Date: 2021-07-23 Severity: Critical
In cURL-7.78.0, four security vulnerabilities were fixed. Two of them could allow for passwords to be disclosed when using the metalink feature and also for the metalink feature to download malicious content due to a lack of verification on hashes. Another security vulnerability allows for certificate store bypass, and the last vulnerability allows for TELNET stack leaks again, including sensitive information such as passwords being leaked over a plain-text network protocol. This is due to an incomplete fix being released in cURL-7.77.0. To fix these, update to cURL-7.78.0 or later. 10.1-079
10.1 051 cURL Date: 2021-05-26 Severity: Critical
In cURL-7.77.0, three security vulnerabilities were fixed. One of them only applies to Windows. The second vulnerability allows for the contents of the stack to be leaked to a remote attacker while TELNET sessions are in use, and the third allows for remote code execution through an HTTPS session. To fix these, update to cURL-7.77.0 or later. 10.1-051
10.1 020 cURL Date: 2021-03-31 Severity: Medium
In cURL-7.76.0 two vulnerabilities were fixed. They may lead to disclosure of sensitive information or authentication bypass. To fix these, update to cURL-7.76.0 or later. 10.1-020
DHCP
10.1 053 ISC DHCP Date: 2021-05-29 Severity: High
ISC DHCP-4.4.2-P1 fixed a buffer overrun vulnerability that could lead to a disruption of network services or for DHCP leases to be improperly terminated. Update to DHCP-4.4.2-P1 or later to fix this. 10.1-053
Dovecot
10.1 066 Dovecot Date: 2021-06-29 Severity: High
Dovecot-2.3.15 fixed two security vulnerabilities which could allow for command injection and path traversal. The highest risk is emails and passwords being forwarded to an attacker-controlled address, but the path traversal is known to allow for an authentication bypass over OAuth2. Update to dovecot-2.3.15 or later to fix these. 10.1-066
Exim
10.1 038 Exim Date: 2021-05-04 Severity: Critical
Exim-4.92.4 fixed 21 vulnerabilities, several of which allow for remote code execution, modification of mails, privilege escalation, arbitrary code execution, modification/deletion of system files, and more. If you have Exim installed, update to Exim-4.92.4 immediately. 10.1-038
Exiv2
10.1 063 Exiv2 Date: 2021-06-19 Severity: High
Nine CVEs were fixed in Exiv2-0.27.4, all of which can be exploited remotely through a web browser. Most of these vulnerabilities are classified as denial of service, but some are information disclosure vulnerabilities as well as arbitrary code execution vulnerabilities. To fix these, update to exiv2-0.27.4 or later. 10.1-063.
10.1 046 Exiv2 Date: 2021-05-17 Severity: High
Five CVEs in exiv2-0.27.3, one rated as High, have been fixed upstream but as yet there is no new release. To fix these apply the patch from the development books or upgrade to a later version when one is released. 10.1-046.
Fetchmail
10.1 085 Fetchmail Date: 2021-07-30 Severity: Low
Fetchmail before version 6.4.20 was missing initialization of a variable, leading in some circumstances to reading from bad memory locations. This can cause it to log random information (information disclosure), or to segfault, stalling inbound mail. To fix this, update to fetchmail-6.4.20 or later. 10.1-085
Firefox
Firefox-78 series Updated: 2021-11-02 Severity: at End of life
If you are still using firefox-78 you should update to the current version of the firefox-91 series. See the updates for the BLFS-11.0 books.
10.1 095 Firefox Date: 2021-08-17 Severity: High
In firefox 91.0.1 one vulnerability rated as High was fixed. This vulnerability does not apply to normal builds of legacy firefox-78. To fix this, update to firefox-91.0.1 or later. 10.1-095
10.1 089 Firefox Date: 2021-08-11 Severity: High
In firefox 78.13.0 and 91.0, five vulnerabilities rated as High and one rated as moderate were fixed. To fix these either update to firefox-91.0 or later, or to legacy firefox-78.13.0 or later. 10.1-089
10.1 075 Firefox Date: 2021-07-13 Severity: High
In firefox 78.12.0 two vulnerabilities rated as High were fixed. To fix these, update to firefox-78.12.0 or later. 10.1-075
10.1 055 Firefox Date: 2021-06-01 Severity: High
In firefox 78.11.0 two vulnerabilities were fixed, one rated as High. To fix these, update to firefox-78.11.0 or later. 10.1-055
10.1 032 Firefox Date: 2021-04-19 Severity: High
In firefox 78.10.0 several vulnerabilities were fixed, two are rated as High. To fix these, update to firefox-78.10.0 or later. 10.1-032
10.1 008 Firefox Date: 2021-03-23 Severity: High
In firefox 78.9.0 several vulnerabilities were fixed, two are rated as High. To fix these, update to firefox-78.9.0 or later. 10.1-008
Flac
10.1 022 Flac Date: 2021-04-02 Severity: Medium
In Flac up to and including 1.3.3, a heap buffer overflow could lead to remote information disclosure. This has been fixed upstream but no new version has been released. To fix this apply the patch from the development books or upgrade to a later version if one is released. 10.1-022.
glib2
10.1 017 glib2 Updated: 2021-04-14 Severity: High
A medium severity security vulnerability was discovered in glib2 that may allow for arbitrary file overwrites to happen via a symlink attack. An additional high severity security vulnerability was discovered that allowed for unintended length truncation. To fix these, update to glib2-2.66.8 or later. 10.1-017
GnuTLS
10.1 004 GnuTLS Date: 2021-03-12 Severity: Low
The client sending a "key_share" or "pre_share_key" extension may result in dereferencing a pointer no longer valid after realloc(). To fix this, upgrade to GnuTLS 3.7.1 or later versions. 10.1-004
Gstreamer
10.1 007 Gstreamer Date: 2021-03-16 Severity: High
Five security vulnerabilities were fixed in gstreamer-1.18.4. These vulnerabilities may lead to arbitrary code execution and application crashes. To fix this, upgrade the gstreamer stack to 1.18.4 or later. 10.1-007
Intel Microcode
10.1 059 Intel Microcode Date: 2021-06-08 Severity: High
Intel microcode for Skylake and later processors has been updated to fix three vulnerabilities, a privilege escalation via Virtualization for direct I/O, rated as High, and two potential disclosures of sensitive information via local access. To fix these, update affected machines to microcode-20210608 or later. 10.1-059
JS78
10.1 088 JS78 Date: 2021-08-11 Severity: High (low for BLFS packages using this)
In the javascript JIT code of firefox-78.13.0 there is a fix for incorrect instruction reordering during JIT optimization, CVE-2021-29984. In BLFS, JS78 is used by GJS and Polkit, but neither use JIT at the moment.
To apply these fixes, upgrade to JS-78.13.0 or later. 10.1-088
10.1 009 JS78 Date: 2021-03-23 Severity: Medium
In the javascript code of firefox-78.9.0 there are hardening fixes against Spectre attacks. To apply these, upgrade to JS-78.9.0 or later. 10.1-009
libarchive
10.1 100 libarchive Date: 2021-08-26 Severity: Medium
Some vulnerabilities (mishandling of symlinks) have been fixed in libarchive-3.5.2. The vulnerabilities may be exploited to overwrite file contents, flags, or ACL entries. To fix these, update to libarchive-3.5.2 or later. 10.1-100.
libgcrypt
10.1 101 libgcrypt Date: 2021-08-26 Severity: High
A denial of service and decryption vulnerability was fixed in libgcrypt-1.9.4. This vulnerability has existed since the year 2000. If you have libgcrypt installed, update to libgcrypt-1.9.4 as soon as possible. 10.1-101.
libjpeg-turbo
10.1 042 libjpeg-turbo Date: 2021-05-12 Severity: Low
A denial of service vulnerability (divide by zero) was fixed in libjpeg-turbo-2.1.0. Note that only the 'cjpeg' tool is affected, and the worst impact is the 'cjpeg' program crashing, thus it has been rated as Low. Update to libjpeg-turbo-2.1.0 or later. 10.1-042.
librsvg
10.1 031 librsvg Date: 2021-04-14 Severity: Medium
In librsvg-2.50.4, a security vulnerability in a bundled rust crate was fixed that could lead to variables lasting for longer than originally expected, leading to memory corruption scenarios. Update to librsvg-2.50.4 or later. 10.1-031.
Libssh2
10.1 023 Libssh2 Date: 2021-04-02 Severity: High
In Libssh2-1.9.0 and earlier, a crafted SSH server may be able to disclose sensitive information or cause a denial of service when the client connects. This has been fixed upstream but no new version has been released. To fix this apply the patch from the development books or upgrade to a later version if one is released. 10.1-023.
libuv
10.1 073 libuv Date: 2021-07-09 Severity: Moderate
A security vulnerability was fixed in libuv-1.41.1 that could lead to information disclosure in applications that use libuv's ASCII converter or the uv_getaddrinfo() function. To fix this, update to libuv-1.41.1 or later. 10.1-073.
libX11
10.1 050 libX11 Date: 2021-05-18 Severity: Critical
A security vulnerability was fixed in libX11-1.7.1 that could allow for API protocol command injection. This vulnerability has existed since 1986. This vulnerability is rated as critical because it can be exploited without user interaction and can lead to the X server's authorization protocol being disabled. Update to libX11-1.7.1 or later as soon as possible. 10.1-050.
libxml2
10.1 047 libxml2 Date: 2021-05-18 Severity: Medium
A security vulnerability was fixed in libxml2-2.9.12 that may allow for resource exhaustion when processing a crafted XML file. This may occur through an exponential entity expansion attack, and it bypasses all existing protection mechanisms. Update to libxml2-2.9.12 or later. 10.1-047.
lxml
10.1 014 lxml Date: 2021-03-27 Severity: Medium
Improper input sanitization may lead to cross-site-scripting via JavaScript code being inserted into the output of an HTML file. This was fixed by adding proper input sanitization for the HTML5 formaction attribute. To fix this, update to lxml-4.6.3. 10.1-014.
MariaDB
10.1 087 MariaDB Date: 2021-08-08 Severity: Medium
Two difficult to exploit remote denial of service vulnerabilities were fixed in MariaDB-10.6.4. Successful exploitation may result in hangs or repeatable crashes of the MariaDB database server. Update to MariaDB-10.6.4. 10.1-087
10.1 044 MariaDB Date: 2021-05-12 Severity: Medium
Two easily exploitable remote denial of service vulnerabilities were fixed in MariaDB-10.5.10. Successful exploitation may result in repeatable crashes of the MariaDB database server. Update to MariaDB-10.5.10. 10.1-044
MC
10.1 096 MC Date: 2021-08-19 Severity: High
A security vulnerability exists in MC before 4.8.27 that could allow for a spoofing attack because SSH Fingerprints are not verified upon a successful SFTP connection. To fix this, update to MC-4.8.27. 10.1-096
MIT Kerberos V5
10.1 086 MIT Kerberos V5 Date: 2021-08-08 Severity: Medium
A denial of service attack (daemon crash) may be performed by a rare attacker in a rarely used configuration. If you are using Kerberos as anything other than a build dependency, you should update immediately. To fix this, update to MIT Kerberos V5-1.19.2. 10.1-086
MuPDF
10.1 003 MuPDF Date: 2021-03-10 Severity: Medium
A double free may lead to memory corruption and other potential consequences. To fix this, apply the patch in the link. 10.1-003
Nettle
10.1 013 Nettle Date: 2021-03-27 Severity: High
A serious bug was found in the way that Nettle handles ECDSA signature verification that can lead to crashes, improper output, or other unspecified impacts. Update to Nettle-3.7.2 as soon as possible. 10.1-013.
NetworkManager
10.1 068 NetworkManager Date: 2021-06-30 Severity: Medium
In NetworkManager-1.32.2, a security vulnerability was fixed that could allow for a remote attacker to reconfigure your network settings in rare circumstances if a rare plugin (dhcp=systemd) was enabled. If you're using systemd-networkd to handle getting IP addresses via DHCP, update to NetworkManager-1.32.2 or later. 10.1-068
10.1 029 NetworkManager Date: 2021-04-14 Severity: Low
In NetworkManager-1.30.2, a security vulnerability was discovered that could result in an attacker crashing NetworkManager by setting a 'match.path' value in a Network file. To fix this, apply the sed in BLFS linked in the advisory. 10.1-029
Node.js
10.1 091 node.js Updated: 2021-08-31 Severity: Critical
Node.js-14.17.5 fixed three vulnerabilities, one rated as critical. To fix these, update to v14.17.5 or later. 10.1-091
10.1 084 node.js Date: 2021-07-30 Severity: High
Node.js-14.17.4 fixed a vulnerability to a use after free attack, where an attacker might be able to exploit the memory corruption to change process behaviour. Update to v14.17.4 or later. 10.1-084
10.1 070 node.js Date: 2021-07-09 Severity: Medium
Node.JS-14.17.2 fixed a security vulnerability that could lead to information disclosures in programs using Node's DNS module lookup() function. Update to v14.17.3 or later. 10.1-070
10.1 025 node.js Date: 2021-04-09 Severity: High
Node.JS-14.16.1 fixed three security vulnerabilities. Two are in OpenSSL and you should have already fixed those (10.1-011), the third is in the y18n package used in npm. Update to v14.16.1 or later. 10.1-025
ntfs-3g
10.1 105 ntfs-3g Date: 2021-08-31 Severity: Critical
21 security vulnerabilities were fixed in ntfs-3g-2021.8.22 that could lead to arbitrary code execution when processing NTFS metadata. The ntfs-3g developers suggest updating to 2021.8.22 immediately. These vulnerabilities can be exploited automatically when automounting is set up in Desktop Environments. Update to ntfs-3g-2021.8.22 or higher. 10.1-105
OpenJDK
10.1 094 OpenJDK Date: 2021-08-17 Severity: High
Six vulnerabilities were fixed in OpenJDK-16.0.2 that could allow for complete takeover of the JDK environment, unauthorized modification of data, and denial of service. Updating to OpenJDK-16.0.2 via the binary or the source version is recommended. Update to OpenJDK-16.0.2 or higher. 10.1-094
OpenSSH
10.1 036 OpenSSH Date: 2021-05-01 Severity: Medium
A vulnerability was fixed in OpenSSH-8.6p1 that was introduced in OpenSSH-8.5p1. OpenSSH-8.5p1 added the LogVerbose flag, which can be used to escape the sandbox of the lower-privileged process and lead to privilege escalation. Update to OpenSSH-8.6p1 if you use the LogVerbose option. 10.1-036
10.1 001 OpenSSH Date: 2021-03-03 Severity: Medium
A difficult to exploit double-free security vulnerability was discovered in OpenSSH. Update to OpenSSH-8.5p1 if you use the "ssh-agent" program. 10.1-001
PDFBox (FOP)
10.1 061 PDFBox (FOP) Date: 2021-06-15 Severity: Medium
Two security vulnerabilities were fixed that could lead to infinite loops or OutOfMemory exceptions when processing crafted input. Update the supplemental JARs (PDFBox and FontBox) in FOP to 2.0.24 if you have FOP installed. 10.1-061
10.1 010 PDFBox (FOP) Date: 2021-03-25 Severity: Medium
Two security vulnerabilities were fixed that could lead to infinite loops or OutOfMemory exceptions when processing crafted input. Update the supplemental JARs (PDFBox and FontBox) in FOP to 2.0.23 if you have FOP installed. 10.1-010
PHP
10.1 069 PHP Date: 2021-07-01 Severity: Moderate
In PHP-8.0.8, two security vulnerabilities were fixed that could lead to remote code execution and attacker-controlled redirects. However, both options are used in uncommon situations. Update to PHP-8.0.8 if you use a Firebird database or if you are processing URLs in a PHP file. 10.1-069
Polkit
10.1 058 Polkit Date: 2021-06-06 Severity: High
In Polkit-0.119, a security vulnerability was fixed that could allow for local users to bypass authentication checks and execute commands in the context of the root user. This is due to improper error value detection. Update to Polkit-0.119 to fix this. 10.1-058
PostgreSQL
10.1 092 PostgreSQL Date: 2021-08-13 Severity: High
A security vulnerability was fixed in PostgreSQL-13.4 that could allow for authenticated database users to read arbitrary bytes in server memory via a purpose-crafted query. A workaround is present in the advisory, but updating to PostgreSQL-13.4 or later is suggested. 10.1-092
10.1 049 PostgreSQL Date: 2021-05-18 Severity: Medium
Three security vulnerabilities were fixed in PostgreSQL-13.3 that could allow for a remote attacker to read and write arbitrary locations in memory by executing certain database commands. Update to PostgreSQL-13.3 or later. 10.1-049
Python 2
10.1 019 Python 2 Date: 2021-03-31 Severity: Critical
Multiple vulnerabilities are fixed in Python 3, but Python 2 has not (and won't) receive any fixes since it is EOL'ed. It's recommended to stop using Python 2 and port the applications to use Python 3 instead. If you decide to keep using Python 2 anyway, you should at least rebuild it with a security patch. 10.1-019
Python 3
10.1 071 Python (LFS and BLFS) Date: 2021-07-09 Severity: Medium
In Python3 before 3.9.6, a security vulnerability exists that could allow for resource exhaustion due to an infinite loop in the mod:http.client Python module. Update to Python-3.9.6 or later. 10.1-071
10.1 035 Python (LFS and BLFS) Date: 2021-04-29 Severity: High
In Python3 before 3.9.4 'pydoc' can be used to read arbitrary files, including those containing sensitive data. Update to Python-3.9.4 or later. 10.1-035
Qt5
10.1 064 Qt5 Date: 2021-06-21 Severity: Medium
An Out Of Bounds Read was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. 10.1-064
QtWebEngine
10.1 103 QtWebEngine Date: 2021-08-29 Severity: High
Many more CVEs (from Chromium) in QtWebEngine, most rated as High, have been fixed in the 5.15.6 version. Update to this or to a later version. 10.1-103
10.1 065 QtWebEngine Date: 2021-06-21 Severity: High
Several more CVEs (from Chromium) in QtWebEngine have been fixed. Update to the upstream_fixes-2 patch on top of the 20210401 tarball, or to a later version. 10.1-065
10.1 040 QtWebEngine Updated: 2021-05-07 Severity: Critical
Many CVEs (from Chromium) in QtWebEngine have been fixed. Update to the upstream_fixes-1 patch on top of the 20210401 tarball, or to a later version. 10.1-040
10.1 026 QtWebEngine Updated: 2021-04-09 Severity: High
Several CVEs (from Chromium) in QtWebEngine have been fixed in the snapshot dated 20210401. Update to this, or a later BLFS snapshot, using the instructions to install it as 5.15.2 to match the installed Qt5 version. 10.1-026
10.1 002 QtWebEngine Updated: 2021-03-19 Severity: High
Many CVEs in QtWebEngine-5.15.2 have been fixed in version 5.15.3, but the release tarball and the rest of 5.15.3 is not yet available to non-commercial customers. Update to qtwebengine-5.15.3 (using a tarball taken from git, with instructions to install it as 5.15.2 to match the installed Qt5 version). 10.1-002
Ruby
10.1 074 Ruby Date: 2021-07-09 Severity: High
Three security vulnerabilities were fixed in Ruby-3.0.2, ranging from attackers executing arbitrary commands via malicious RDoc files, manipulation of Net::FTP to return information about other systems, and a TLS bypass in Net::SMTP. It's suggested that you update to Ruby-3.0.2 as soon as possible. 10.1-074
10.1 039 Ruby Date: 2021-05-04 Severity: Medium
An XML round-trip vulnerability was discovered in the REXML gem bundled with Ruby, and was fixed and released with ruby-3.0.1. This could lead to malicious code injection in XML files, or other unspecified impacts. Update to ruby-3.0.1 or later. 10.1-039
Rust
10.1 041 Rust Date: 2021-05-11 Severity: Critical
Eight vulnerabilities have been found in the rust standard library before 1.52.0, or in crates which use it. Update to rustc-1.52.0 or later. 10.1-041
rxvt-unicode
10.1 048 rxvt-unicode Date: 2021-05-18 Severity: Critical
A flaw in rxvt-unicode may result in remote code execution, and an exploit is available in the wild. This was fixed in rxvt-unicode-9.26. Update to rxvt-unicode-9.26 as soon as possible. 10.1-048
Samba
10.1 045 Samba Date: 2021-05-12 Severity: Critical
Samba-4.14.4 fixed a security vulnerability which, in some rare cases, could allow for a user to delete or modify files on network shares that they are not supposed to have access to. This vulnerability could allow for data confidentiality and integrity impacts, but also for crashes of the smbd server process. Update to Samba-4.14.4 (or 4.13.8) as soon as possible. 10.1-045
10.1 016 Samba Date: 2021-03-28 Severity: High
Samba-4.14.2 fixed two security vulnerabilities, which may lead to denial of service or disclosure of sensitive information. Update to Samba-4.14.2 or 4.13.7 as soon as possible. 10.1-016
Seamonkey
10.1 104 Seamonkey Date: 2021-08-29 Severity: High
The fixes from firefox-78.13.0 are understood to be included in seamonkey-2.53.9. To fix these, update to seamonkey-2.53.9 or later. 10.1-104
10.1 082 Seamonkey Date: 2021-07-23 Severity: High
Fixes from firefox-78.12.0 were included in seamonkey-2.53.8.1. To fix these, update to seamonkey-2.53.8.1 or later. 10.1-082
10.1 067 Seamonkey Date: 2021-06-30 Severity: Critical
Fixes from firefox-78.8.0 to 78.11.0 were included in seamonkey-2.53.8. This includes several Critical and High severity vulnerabilities. Update to seamonkey-2.53.8 or later as soon as possible. 10.1-067
10.1 021 Seamonkey Date: 2021-03-31 Severity: Critical
Fixes from firefox-78.6.1 to 78.8.0 were included in seamonkey-2.53.6. This includes several Critical and High severity vulnerabilities. Update to seamonkey-2.53.7 or later as soon as possible. 10.1-021
systemd
10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High
In systemd-220 and later, a security vulnerability exists that will allow for a local attacker to crash your system by mounting a FUSE filesystem with a file path longer than 8MB present. The crash occurs when reading /proc/self/mountinfo, and manifests itself as a kernel panic due to PID1 (init) crashing. Because of the changes coming in LFS 11.0, updating to systemd-249 (with the patch) is not feasible. However, a patch has been created for LFS 10.1/systemd-247. See the advisory linked for more information. The patch replaces the current systemd-247-security_fix-1.patch. 10.1-081
10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Medium
In systemd-249, a security vulnerability was fixed that could allow for a remote attacker to reconfigure the network on your system. Because of the changes coming in LFS 11.0, updating to systemd-249 is not feasible. However, a patch has been created for LFS 10.1/systemd-249. See the advisory linked for more information. 10.1-072
Thunderbird
In general, flaws in Mozilla advisories for Thunderbird cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
10.1 093 Thunderbird Date: 2021-08-13 Severity: Critical
Several security vulnerabilities were fixed in Thunderbird-91.0, including some that deal with Thunderbird itself and not its HTML engine. One of the vulnerabilities can allow for remote attackers to inject attachments, mails, and folders into an IMAP session configured with STARTTLS. Update to Thunderbird-91.0 or later. 10.1-093
10.1 056 Thunderbird Date: 2021-06-06 Severity: High
One security vulnerability was fixed in Thunderbird-78.11.0 which was rated as High. This has to do with a memory safety problem. To fix this, update to Thunderbird-78.11.0 or later. 10.1-056
10.1 033 Thunderbird Date: 2021-04-26 Severity: High
Nine security vulnerabilities were fixed in Thunderbird-78.10.0, of which two were rated as High. To fix these update to 78.10.0 or later. 10.1-033
10.1 027 Thunderbird Date: 2021-04-11 Severity: Moderate
In Thunderbird before 78.9.1 there were three vulnerabilities rated as Moderate. To fix these update to 78.9.1 or later. 10.1-027
10.1 012 Thunderbird Date: 2021-02-26 Severity: High
In Thunderbird before 78.9.0 there were two vulnerabilities rated as High. To fix these update to 78.9.0 or later. 10.1-012
WebKitGTK
10.1 083 WebKitGTK Date: 2021-07-26 Severity: Critical
WebKitGTK+-2.32.3 fixed six arbitrary code execution vulnerabilities, two cross-site-scripting vulnerabilities, two information leak vulnerabilities, and a port scanning vulnerability. Several of these are being exploited in the wild. Update to WebKitGTK+-2.32.3 as soon as possible. 10.1-083
10.1 018 WebKitGTK Date: 2021-03-31 Severity: Critical
WebKitGTK-2.32.0 fixed three arbitrary code execution vulnerabilities. Update to WebKitGTK-2.32.0 as soon as possible. 10.1-018
10.1 015 WebKitGTK Date: 2021-03-28 Severity: Critical
WebKitGTK-2.30.6 fixed seven security vulnerabilities, one of which is currently being exploited in the wild. The vulnerabilities include improper data deletion, sandbox escapes, arbitrary code execution, and access to restricted ports on arbitrary servers. Update to WebKitGTK-2.30.6 as soon as possible. 10.1-015
Wireshark
10.1 077 Wireshark Date: 2021-07-20 Severity: Low
Wireshark-3.4.7 fixed a vulnerability that could allow for a remote attacker to crash the Wireshark process by injecting a malformed DNP packet into the stream. If you use the DNP protocol (unlikely unless you are working on an automation system), update to Wireshark-3.4.7. 10.1-077
10.1 057 Wireshark Date: 2021-06-05 Severity: Low
In Wireshark before 3.4.6, a security vulnerability existed that could allow a remote attacker to crash the Wireshark process due to a CPU resource exhaustion issue. This existed in the DVB-S2-BB packet, which is very uncommon. Update to Wireshark-3.4.6 if you are on a network with a satellite receiver installed. 10.1-057
10.1 043 Wireshark Date: 2021-05-21 Severity: Medium
In Wireshark before 3.4.5, a security vulnerability existed that could allow a remote attacker to consume excessive amounts of RAM and CPU resources through a malformed packet in the MS-WSP packet dissector. Update to Wireshark-3.4.5 if you are on a network with Windows PCs. 10.1-043
10.1 006 Wireshark Date: 2021-03-16 Severity: High
In Wireshark before 3.4.4, a security vulnerability existed that could result in unsafe URLs being opened via a malicious capture packet file. This vulnerability existed for 17 years. Update to Wireshark-3.4.4. 10.1-006
XDG-Utils
10.1 024 XDG-Utils Date: 2021-04-02 Severity: Medium
In the xdg-email component of xdg-utils 1.1.0rc1 and newer, an attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. Until this is fixed upstream, either do not use mailto links, or always double-check there are no unwanted attachments before sending emails. 10.1-024
Xorg-Server
10.1 034 Xorg-Server Date: 2021-04-29 Severity: High
In Xorg-Server before version 1.20.11 an integer underflow in the Xinput extension can lead to out of bounds memory accesses. This can lead to local privilege escalations (to root) if the X server is running privileged. Update to Xorg-Server-1.20.11 or later. 10.1-034
