A security vulnerability, usually tracked under a CVE identifier, is a flaw in source code that can be used to harm the user(s) and/or the system in use, for example by abusing a buffer overflow to achieve privilege escalation, by modifying generated build scripts to start ssh at boot, or by exploiting stale memory.
Many packages push out updates that fix vulnerabilities, and some packages fix CVEs quite often. GLFS will occasionally publish an update that upgrades a package to a version that fixes a CVE. It is important to always upgrade the packages on your system that contain security vulnerabilities, and there is a way to check for those updates.
To check for packages that have had a CVE fixed, go to the GLFS Advisories page. It covers both breaking changes and security information for each release.
You can also go to the GLFS issue page with the filter `is:closed is:issue label:security` enabled. All packages listed there that carry the security label are packages that fixed a CVE in the version listed. Newer versions appear at the top of the list. When two versions of the same package are listed, always go with the one that appears first, at the top of the list. Newer does not always mean safer, and it may sometimes be necessary to use an older version of a package, plus perhaps a patch or two.
Note that with the latter method, the packages listed are issues that have already been closed and are now in the book. You can go to the open section of the page to see whether there are packages whose details are still being worked out and which have yet to be fixed in the book.