BLFS Security Advisories for BLFS 12.3 and the current development books.
BLFS-12.3 was released on 2025-03-05
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
7zip
12.3 089 7zip Date: 2025-08-10 Severity: High
In 7zip-25.01, a security vulnerability was fixed that could allow for arbitrary file writes when extracting a crafted file. The reporter of the vulnerability has also noted that depending on the location, it is possible for arbitrary code execution to occur because of this, and they have published a proof of concept that overwrites a user's ~/.bashrc. Note that this vulnerability can be exploited by extracting any kind of file that 7zip supports, and it is not limited to just *.7z files. Update to 7zip-25.01. 12.3-089
12.3 078 7zip Date: 2025-07-22 Severity: Medium
In 7zip-25.00, two security vulnerabilities were fixed that could allow for memory corruption and denial of service. These vulnerabilities occur due to heap buffer overflows and null pointer dereferences, and can be triggered when processing RAR files or compound documents. Update to 7zip-25.00. 12.3-078
Apache HTTPD
12.3 082 Apache HTTPD Date: 2025-07-27 Severity: Medium
In httpd-2.4.65, a security vulnerability was resolved that causes all RewriteCond tests written in the expr syntax to evaluate as true. This vulnerability is a regression introduced with the security fixes in httpd-2.4.64. As a result, all users who updated to httpd-2.4.64 should update to this version immediately. Update to httpd-2.4.65. 12.3-082
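Whether the 2.4.64 regression turns into an access-control bypass or into a self-inflicted denial of service depends on which side of the decision the expr condition sits. The fragment below is a constructed illustration added here, not configuration from the BLFS book or from the httpd project; the /internal/ and /admin/ paths and the 10.0.0.0/8 range are hypothetical.

```apacheconf
RewriteEngine On

# Pattern 1: an expr condition that GRANTS access.
# On httpd 2.4.64 the expr is always true, so every client (not only
# 10.0.0.0/8) matches the first rule, which passes the request through
# unchanged and stops; the [F] rule underneath is never reached.
RewriteCond expr "%{REMOTE_ADDR} -ipmatch '10.0.0.0/8'"
RewriteRule ^/internal/ - [L]
RewriteRule ^/internal/ - [F]

# Pattern 2: an expr condition that DENIES access.
# On 2.4.64 this expr is also always true, so every request to /admin/
# is answered with 403: the same bug fails closed here, giving a denial
# of service rather than a bypass.
RewriteCond expr "! %{REMOTE_ADDR} -ipmatch '10.0.0.0/8'"
RewriteRule ^/admin/ - [F]

# The classic regex form of RewriteCond is not part of this regression
# and is shown only for contrast.
RewriteCond %{REMOTE_ADDR} !^10\.
RewriteRule ^/reports/ - [F]
```

If an httpd-2.4.64 build cannot be updated immediately, auditing for "RewriteCond expr" lines that grant rather than deny access (pattern 1) tells you which hosts have been running open since the 2.4.64 update.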
12.3 076 Apache HTTPD Date: 2025-07-17 Severity: Critical
In httpd-2.4.64, seven security vulnerabilities were fixed that could allow for a denial of service (server crash) when using HTTP/2, for a man-in-the-middle attack to hijack an HTTP session via a TLS upgrade when using the mod_ssl module, for a remotely-exploitable crash when using the mod_proxy_http2 module, for access control bypasses when using the mod_ssl module with multiple virtual hosts, for remote injection of escape characters into error logs when using the mod_ssl module, for server side request forgery when using the mod_headers module to set the Content-Type header, and for HTTP response splitting. Update to httpd-2.4.64. 12.3-076
Bind
12.3 074 Bind Date: 2025-07-17 Severity: High
In bind-9.20.11, a security vulnerability was fixed that could allow a remote attacker to crash the DNS server. If the server is configured with stale-answer-enable set to yes and stale-answer-client-timeout set to 0, and the resolver encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon aborts with an assertion failure. The standard BLFS configuration is NOT impacted, but if you are running a bind server with both of those options set, you should apply this update. Users of the standard BLFS configuration, or who are only using the utilities, can safely ignore this update. Update to bind-9.20.11 if you are using this configuration. 12.3-074
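Because the crash needs both serve-stale options set together, the practical check is whether your named.conf contains that combination. The script below is an added example, not part of the BLFS book or of BIND; it looks for the named.conf option names stale-answer-enable and stale-answer-client-timeout after stripping comments. The two configurations embedded in it are constructed samples, and the helper only looks at the last occurrence of each option, so per-view overrides (where a view could set the options differently from the global options block) are an assumption it does not model.

```python
import re

# Constructed sample configurations (not from the BLFS book or from ISC).
VULNERABLE_CONF = """
options {
    directory "/srv/named";        // hypothetical paths
    recursion yes;
    stale-answer-enable yes;       // serve stale records...
    stale-answer-client-timeout 0; // ...and hand them out immediately
};
"""

DEFAULT_CONF = """
options {
    directory "/srv/named";
    recursion yes;
    /* serve-stale left at its defaults */
};
"""


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def serve_stale_settings(conf_text):
    """Return (stale-answer-enable, stale-answer-client-timeout) as lower-case
    strings, or None for an option that is not set anywhere in the file."""
    text = _strip_comments(conf_text)
    enable = re.findall(r"\bstale-answer-enable\s+(yes|no|true|false)\s*;", text, re.I)
    timeout = re.findall(r"\bstale-answer-client-timeout\s+(\d+|disabled|off)\s*;", text, re.I)
    return (
        enable[-1].lower() if enable else None,
        timeout[-1].lower() if timeout else None,
    )


def matches_crash_precondition(conf_text):
    """True when the file sets the exact combination the advisory describes:
    serve-stale switched on and a client timeout of 0."""
    enable, timeout = serve_stale_settings(conf_text)
    return enable in ("yes", "true") and timeout == "0"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/named.conf"
    with open(path, encoding="utf-8") as fh:
        print(path, "needs the bind-9.20.11 update:", matches_crash_precondition(fh.read()))
```

Run it against the real file with `python3 check_stale.py /etc/named.conf`; a False result with the stock BLFS configuration is the expected outcome, since neither option is set there.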
12.3 036 Bind Date: 2025-05-24 Severity: High
A fix has been made to the ISC Bind server software which prevents the server from stopping when malformed data is received in a TSIG transaction. It is recommended to upgrade to at least 9.20.9 as soon as possible. 12.3-036
c-ares
12.3 016 c-ares Date: 2025-05-20 Severity: High
In c-ares-1.34.5, a security vulnerability was fixed that could allow a crash when processing DNS queries where a DNS Cookie Failure occurs, where an upstream server does not properly support EDNS, or possibly on TCP queries if the remote server closed the connection immediately after a response. Update to c-ares-1.34.5. 12.3-016
cURL
12.3 048 cURL Date: 2025-06-04 Severity: Low
In cURL-8.14.1, a security vulnerability was fixed that could allow for an infinite loop to occur when processing a maliciously crafted WebSocket packet. Upstream has stated that there is no way to exit an affected program other than by killing the process. Update to cURL-8.14.1. 12.3-048
Epiphany
12.3 024 Epiphany Date: 2025-05-20 Severity: High
In Epiphany-48.1, a security vulnerability was fixed that allows websites to trigger URL handlers with no user interaction or warning. If the handler application that is called is vulnerable, remote code execution is possible under the user's current context. Update to Epiphany-48.3. 12.3-024
Exempi
12.3 015 Exempi Date: 2025-05-20 Severity: Medium
In Exempi-2.6.6, five security vulnerabilities were fixed that could allow for denial of service (application crashes) or for information disclosure of sensitive memory when processing crafted XMP metadata. The issues are all caused by out-of-bounds reads in the Adobe XMP Toolkit SDK that comes bundled with Exempi. Update to Exempi-2.6.6. 12.3-015
Exim
12.3 009 Exim Date: 2025-05-20 Severity: High
In Exim-4.98.2, a security vulnerability was fixed that could allow users with command line access to the server to cause privilege escalation. The issue occurs due to a use-after-free. Update to Exim-4.98.2. 12.3-009
File::Find::Rule
12.3 050 File::Find::Rule Date: 2025-06-09 Severity: High
In File::Find::Rule-0.35, a security vulnerability was fixed that could allow for arbitrary code execution when 'grep()' encounters a maliciously crafted file name. Update to File::Find::Rule-0.35. 12.3-050
Firefox
12.3 095 Firefox Date: 2025-08-21 Severity: High
In Firefox-140.2.0esr, seven security vulnerabilities were fixed that could allow for a sandbox escape when playing encrypted videos, for a same-origin policy bypass when using 2D graphics, for uninitialized memory to cause an unexpected crash in the JavaScript engine, for a potential denial-of-service (application crash) due to an infinite loop causing out-of-memory conditions in the WebRender component, for spoofing attacks to occur via the Address Bar, and for remote code execution. Update to Firefox-140.2.0esr, or if you wish to stay on the 128 ESR series, update to Firefox-128.14.0esr. 12.3-095
12.3 080 Firefox Date: 2025-07-22 Severity: High
In Firefox-140.1.0esr, fourteen security vulnerabilities were fixed that could allow for writing a partial return value to the stack on 64-bit systems, large branch tables leading to truncated instructions, URLs being executed on object and embed tags via JavaScript, circumventing CORS via DNS rebinding, nameless cookies shadowing secure cookies, potential code execution via the "Copy as cURL" command, incorrect URL stripping in CSP reports, XSLT documents bypassing CSP, CSP frame-src not being correctly enforced for paths, search terms persisting in the URL bar, incorrect handling of closed generators in JavaScript, and various memory safety bugs.
Update to Firefox-140.1.0esr. Alternatively, if you have not installed ICU-76.1 or later, you can stay on the 128 ESR series and upgrade to Firefox-128.13.0esr. 12.3-080
12.3 064 Firefox Date: 2025-06-26 Severity: High
In Firefox-140.0esr, ten security vulnerabilities were fixed that could allow for use-after-free bugs, exposure of persistent UUIDs, bypasses of Content Security Policy restrictions, incorrect parsing allowing embedding of YouTube content, the Content-Disposition header being ignored, DNS requests leaking outside a configured SOCKS proxy, signing of a challenge with an invalid TLS certificate, clickjacking via the HTTPS-only exception, the Save As action in DevTools not sanitizing downloaded file extensions, and exploitable memory safety bugs. Two of the vulnerabilities are rated as High.
Update to Firefox-140.0esr. Alternatively, if you have not installed ICU-76.1 or later, you can stay on the 128 ESR series and upgrade to Firefox-128.12.0esr. 12.3-064
12.3 038 Firefox Date: 2025-05-28 Severity: Critical
In Firefox-128.11.0esr, seven security vulnerabilities were fixed that could allow for remotely exploitable crashes, memory corruption, remote code execution, cross-origin information leakage, local code execution through the "Copy as cURL" command, and for clickjacking to trick users into leaking saved payment card details. One of the vulnerabilities is rated as Critical, and thus all users should update immediately. Update to Firefox-128.11.0esr. 12.3-038
12.3 034 Firefox Date: 2025-05-20 Severity: Critical
In Firefox-128.10.1esr (and 128.9.0/128.10.0), nine security vulnerabilities were fixed that could allow for remote code execution, URL bar spoofing, sandbox escapes, and unsafe attribute access (leading to out-of-bounds memory access and memory corruption). Most of these vulnerabilities are exploitable via standard web browsing, and two of the remote code execution vulnerabilities are known to be exploited in the wild. Those two remote code execution vulnerabilities were demonstrated at the Vancouver Pwn2Own conference. All users who have Firefox installed must urgently update to Firefox-128.10.1esr to protect their system. 12.3-034
12.3 002 Firefox Date: 2025-03-07 Severity: Critical
In Firefox-128.8.0esr, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, arbitrary code execution, clickjacking, and for web extensions to be disguised as different elements on a web page. Due to one of the remote code execution vulnerabilities being actively exploited in the wild, and because it does not require user interaction, the BLFS team recommends that all users who have Firefox installed update to 128.8.0esr as soon as possible. 12.3-002
ghostscript
12.3 025 ghostscript Updated: 2025-05-28 Severity: Critical
In ghostscript-10.05.0, nine security vulnerabilities were fixed that could result in remote code execution or arbitrary file access. The arbitrary file access vulnerability occurs due to issues with truncated paths containing invalid UTF-8 characters. The remainder of the issues are buffer overflows in various contexts, including processing PDF files, serializing fonts, using the BJ10V, DOCXWRITE, TXTWRITE, and NPDL devices, and converting glyphs to Unicode. All users who have Ghostscript installed are encouraged to update as soon as possible. At the time of this advisory, the book had ghostscript-10.05.1 but it was not known that an additional security vulnerability was fixed in 10.05.1. That issue allows for passwords to be stored in plaintext in encrypted PDF files. Update to ghostscript-10.05.1. 12.3-025
Updated on 2025-05-28 to include information about CVE-2025-48708, which was already fixed in the book when this advisory was filed, though the vulnerability was not known at the time.
giflib
12.3 023 giflib Date: 2025-05-20 Severity: High
In giflib-5.2.2, several security vulnerabilities were discovered. Only one of them has a functional patch, and the BLFS team has adopted a patch from the OpenMandriva team to resolve the issue. The issue is a heap buffer overflow in the gif2rgb utility, that causes a crash and has a chance to cause arbitrary code execution. Rebuild giflib with the security fixes patch. 12.3-023
Gimp
12.3 032 Gimp Date: 2025-05-20 Severity: High
In Gimp-3.0.4, a security vulnerability was fixed that could allow for remote code execution when processing a crafted .ICO file. The vulnerability appears to have been introduced in an early release candidate for gimp3, and is caused by an integer overflow. Update to Gimp-3.0.4, but note that you must update babl to 0.1.114 and gegl to 0.4.62 first. 12.3-032
git
12.3 069 git Date: 2025-07-10 Severity: Critical
In git-2.50.1, four security vulnerabilities were fixed that could allow for arbitrary code execution, for files to be created elsewhere on the filesystem without a user's knowledge, for submodules to unintentionally execute scripts when checking out a module, and for protocol injection when cloning repositories from the internet (when a CDN is configured by the remote server). Two of these vulnerabilities affect Git as a whole, while the other two only impact Gitk. ALL users are encouraged to upgrade git if they have it installed. Update to git-2.50.1. 12.3-069
glib
12.3 090 glib Date: 2025-08-11 Severity: Medium
In glib-2.84.4, a security vulnerability was fixed that can allow for an arbitrary file write or an application crash. The problem occurs due to a buffer under-read when using the get_tmp_file() function, provided in glib/gfileutils.c. Update to glib-2.84.4. 12.3-090
GnuTLS
12.3 070 GnuTLS Date: 2025-07-10 Severity: Medium
In GnuTLS-3.8.10, four security vulnerabilities were fixed that could allow for a denial of service when processing templates, when processing X.509 Signed Certificate Timestamps (SCTs) in certificates, when exporting an otherName in the SAN of a certificate, and when a second ClientHello omits the PSK. These vulnerabilities occur due to a buffer overrun, a double-free, a heap read buffer overrun, and a NULL pointer dereference. Update to GnuTLS-3.8.10. 12.3-070
gstreamer
12.3 066 gstreamer Date: 2025-07-02 Severity: High
In gst-plugins-bad, a security vulnerability was resolved that could allow for remote code execution or crashes when processing a crafted video file that uses the H.266 codec. The vulnerability occurs due to a stack buffer overflow in the bitstream parser. Update the gstreamer stack to 1.26.3. 12.3-066
12.3 041 gstreamer Date: 2025-05-30 Severity: Medium
In gst-plugins-base and gst-plugins-good 1.26.2, five security vulnerabilities were resolved that could allow for remotely exploitable denial of service (application crashes) or information disclosure. The vulnerabilities occur when processing SubRip or TMPlayer format subtitles, as well as when reading crafted MOV and MP4 files. Update the gstreamer stack to 1.26.2. 12.3-041
12.3 026 gstreamer Date: 2025-05-20 Severity: High
In gst-plugins-bad-1.26.1, a security vulnerability was fixed that can allow for a crash or remote code execution when processing malformed streams in a video file using the H.265 codec. The issue is caused by a stack buffer overflow that occurs when processing slice headers. Update to gstreamer-1.26.1. 12.3-026
ImageMagick
12.3 092 ImageMagick Date: 2025-08-16 Severity: High
In ImageMagick-7.1.2-1, five security vulnerabilities were fixed that could allow for arbitrary code execution and crashes when processing PNG and MNG images. These vulnerabilities occur due to undefined behavior, stack buffer overflows, integer overflows, and heap buffer overflows. If you use ImageMagick to perform operations on untrusted MNG or PNG files, you should update to this version immediately. Update to ImageMagick-7.1.2-1. 12.3-092
intel-microcode
12.3 094 intel-microcode Date: 2025-08-20 Severity: High
In intel-microcode-20250812, nine security vulnerabilities were fixed that could allow for privilege escalation or for a denial of service (application crash). The first privilege escalation vulnerability affects all Intel Core CPUs from the 12th generation onwards, as well as some CPUs from the Intel Pentium Gold and Celeron families. The Core i9-1900HX is also listed as affected, and the Intel Core 9 series as well as Core Series 1, 2, and U series are also affected. The Xeon E, Core Ultra, 4th/5th Generation Xeon Scalable, Platinum, Gold, Silver, and Bronze series of CPUs, the Xeon CPU Max series processor, and the Xeon W-2400 and W-3400 processors are also impacted. The rest of the privilege escalation and denial of service vulnerabilities affect the 4th, 5th, and 6th generation of Intel Xeon Scalable CPUs and the W-2400/W-3400 CPUs. Several functionality issues with the 13th generation Intel CPUs and later were also resolved in this update. For more information, please consult the Intel Security Advisories:
- INTEL-SA-01249 (CVE-2025-20109)
- INTEL-SA-01308 (CVE-2025-22840)
- INTEL-SA-01310 (CVE-2025-22839)
- INTEL-SA-01311 (CVE-2025-22889)
- INTEL-SA-01313 (CVE-2025-20053, CVE-2025-24305, and CVE-2025-21090)
- INTEL-SA-01367 (CVE-2025-26403 and CVE-2025-32086).
To check if you are impacted and update your system, please follow the instructions in the advisory. 12.3-094
12.3 029 intel-microcode Date: 2025-05-20 Severity: Medium
In intel-microcode-20250512, eight processor-level security issues were addressed. Six of the security vulnerabilities allow for information disclosure, and two allow for denial of service. These vulnerabilities impact the 8th, 9th, 10th, 11th, 12th, 13th, and 14th Generation of Intel Core CPUs as well as some Intel Atom, Celeron, and Pentium models. They also impact the Xeon E and D series of CPUs, the Xeon Max series of CPUs, the Core Ultra series, and some Intel Xeon Scalable CPUs. For more information, please consult the Intel Security Advisories: INTEL-SA-01153 (CVE-2024-28956), INTEL-SA-01247 (CVE-2024-43420, CVE-2025-20623, and CVE-2024-45332), INTEL-SA-01322 (CVE-2025-24495 and CVE-2025-20012), and INTEL-SA-01244 (CVE-2025-20103 and CVE-2025-20054).
To check if you are impacted and update your system, please follow the instructions in the advisory. 12.3-029
Kea DHCP server
12.3 098 Kea DHCP server Date: 2025-08-27 Severity: High
A security issue has been made public by ISC. It is fixed by upgrading to Kea 3.0.1 or later. For more information, check the ISC Security Advisories:
CVE-2025-40779: Denial of service by sending a request directly to Kea
If you have Kea installed, see details at 12.3-098
12.3 040 Kea DHCP server Date: 2025-05-28 Severity: High
Three security flaws have been made public by ISC. Two of them are fixed by upgrading to version 2.6.3 or above and one is fixed by proper configuration and setup. For more information, check the ISC Security Advisories:
CVE-2025-32801: Loading a malicious hook library can lead to local privilege escalation
CVE-2025-32802: Insecure handling of file paths allows multiple local attacks
CVE-2025-32803: Insecure file permissions can result in confidential information leakage
If you have Kea installed, see details at 12.3-040
Konsole
12.3 054 Konsole Date: 2025-06-13 Severity: Critical
In Konsole-25.04.2, a security vulnerability was fixed that allows attackers to trick users into executing arbitrary code with a malicious link. The vulnerability occurs because Konsole allows loading URLs from various scheme handlers (such as telnet://), but it does not first check whether the program that handles the scheme is present. If it is not present, Konsole executes 'bash' instead, allowing for arbitrary code execution. Update to Konsole-25.04.2, or remove the telnet service for Konsole by deleting the $KF6_PREFIX/share/applications/ktelnetservice6.desktop file from your system. 12.3-054
libarchive
12.3 037 libarchive Date: 2025-05-28 Severity: High
In libarchive-3.8.0, five security vulnerabilities were fixed that could allow for crashes and memory corruption when processing RAR archives, TAR archives, and WARC archives. The issues are due to heap buffer overflows, signed integer overflows, and double-frees. Update to libarchive-3.8.0. 12.3-037
12.3 008 libarchive Date: 2025-05-20 Severity: Medium
In libarchive-3.7.9, three security vulnerabilities were fixed that could allow for denial of service (application crashes) or potential memory corruption when processing ZIP or TAR archives. Update to libarchive-3.7.9. 12.3-008
libblockdev
12.3 062 libblockdev Date: 2025-06-22 Severity: High
In libblockdev-3.3.1, a security vulnerability was fixed that could allow for local privilege escalation. The vulnerability occurs due to a bug in udisks, and both packages need to be adjusted to fix it. The vulnerability is part of a chain with Linux-PAM and udisks which allows an unprivileged user, including one logged in remotely over SSH, to achieve local privilege escalation, and a detailed proof of concept exploit and write-up are now publicly available. All users who have libblockdev installed should update to libblockdev-3.3.1 immediately to protect their systems. 12.3-062
LibreOffice
12.3 027 LibreOffice Date: 2025-05-20 Severity: Critical
In LibreOffice-25.2.2.2, a security vulnerability was fixed that allows for PDF signature forgery when using the adbe.pkcs7.sha1 SubFilter. The bug causes invalid signatures to be accepted as valid, and the vulnerability has been rated Critical by NVD as it meets the criteria of "Improper Verification of Cryptographic Signature" and "PDF Signature Spoofing by Improper Validation". All users who use LibreOffice to open PDFs should update to LibreOffice-25.2.2.2 or later, as this could allow for phishing. Update to Libreoffice-25.2.2.2. 12.3-027
libsoup2
12.3 022 libsoup2 Updated: 2025-05-28 Severity: Critical
In libsoup-2.74.3, fourteen security vulnerabilities were discovered that could allow for remotely exploitable crashes, remote code execution, HTTP Request Smuggling, and memory corruption. These are very similar to the vulnerabilities fixed in the recent libsoup3 update, but the set also includes several vulnerabilities that are specific to libsoup2. Because of the security vulnerabilities in libsoup2, and the fact that the only packages in BLFS that require it are abandoned, the BLFS team has archived libsoup2 as well as consumers such as AbiWord and libgdata. However, the BLFS team has also developed a patch for libsoup2 to fix these known vulnerabilities for users who have libsoup2 installed. We will not be producing further patches for this package to fix further issues after BLFS 12.4 is released, and we recommend that all users who have libsoup2 installed discontinue usage of the library, as well as libgdata and AbiWord. If you are using libsoup2, use the instructions in the advisory to apply the patch and fix the vulnerabilities. 12.3-022
Updated on 2025-05-28 to add additional text about rebuilding gst-plugins-good with -Dsoup-version=3. Thanks goes to Rainer Fiebig for the information!
libsoup3
12.3 021 libsoup3 Date: 2025-05-20 Severity: Critical
In libsoup-3.6.5, ten security vulnerabilities were fixed that could allow for remotely exploitable crashes, remote code execution, and memory corruption. All users who have libsoup3 installed should update to libsoup-3.6.5 as soon as possible, and keep an eye on the security advisories to monitor for new updates as there are many CVEs still yet unresolved upstream. 12.3-021
libvpx
12.3 051 libvpx Date: 2025-06-09 Severity: Medium
In libvpx-1.15.2, a security vulnerability was fixed that could allow for arbitrary code execution when processing VP8 and VP9 files, or for a denial of service (application crash). Update to libvpx-1.15.2, but also rebuild the packages listed in the security advisory. 12.3-051
libxml2
12.3 073 libxml2 Date: 2025-07-17 Severity: Critical
In libxml2-2.14.5, four security vulnerabilities were fixed that could allow for denial of service and arbitrary code execution when processing a crafted XML file. One of the vulnerabilities affects the xmllint utility, and is a stack buffer overflow. The others affect functionality in the Schematron component, and are type confusion, null pointer dereference, and heap use-after-free vulnerabilities. All users are recommended to update to libxml2-2.14.5 or apply the patch mentioned in the advisory immediately. Users on BLFS 12.3 are recommended to use the patch, since updating to the 2.14 series requires applying several fixes to different packages and rebuilding all packages which use libxml2. 12.3-073
12.3 060 libxml2 Date: 2025-06-21 Severity: High
In libxml2-2.14.4, a security vulnerability was fixed that could allow for a denial of service or memory corruption when an application uses the xmlBuildQName() function. Only one package in BLFS is known to use this functionality, and that is PHP. Users who have Wine installed are also impacted as it makes heavy usage of this function. If you use PHP or Wine, update to libxml2-2.14.4 or apply the patch the BLFS developers have made available for libxml2-2.13.8. The patch method is recommended for BLFS 12.3 users since updating to libxml2-2.14 will require several fixes and a rebuild of all packages that use libxml2. 12.3-060
12.3 014 libxml2 Date: 2025-05-20 Severity: High
In libxml2-2.14.2 (and 2.13.8), two security vulnerabilities were fixed that could result in a denial of service (application crash) or arbitrary code execution when processing XML documents. Update to libxml2-2.13.8. The BLFS team does not recommend updating systems to the libxml2-2.14 series because the 2.14 series is ABI incompatible with 2.13, and in addition to rebuilding all packages that use libxml2, the libxkbcommon and localsearch packages will also need to be updated. 12.3-014
libxslt
12.3 004 libxslt Date: 2025-03-14 Severity: High
In libxslt-1.1.43, two security vulnerabilities were fixed which could allow for arbitrary code execution and crashes when processing XSL documents. Both of these vulnerabilities are use-after-free bugs. Update to libxslt-1.1.43. 12.3-004
Linux-PAM
12.3 061 Linux-PAM Date: 2025-06-22 Severity: High
In Linux-PAM-1.7.1, two security vulnerabilities were fixed that could allow for privilege escalation and for unauthorized access to systems. The privilege escalation vulnerability was disclosed by the French government, and detailed proof of concept exploits and exploitation information are available for using this vulnerability in a chain with libblockdev and udisks to achieve privilege escalation. All users who have Linux-PAM installed should update to Linux-PAM-1.7.1 immediately to protect their systems. 12.3-061
lxml (Python Module)
12.3 013 lxml (Python Module) Date: 2025-05-20 Severity: High
In lxml-5.4.0, the bundled copies of libxml2 and libxslt were updated to fix five security vulnerabilities. These vulnerabilities are known to cause crashes and arbitrary code execution when processing XML and XSLT documents. Update to lxml-5.4.0. 12.3-013
MariaDB
12.3 045 MariaDB Date: 2025-06-02 Severity: Medium
In MariaDB-11.4.7, five security vulnerabilities were fixed that could allow for unauthorized access to data within MySQL databases, as well as for remotely exploitable crashes. Users who have MariaDB installed as more than a build dependency should update. Update to MariaDB-11.4.7. 12.3-045
Mercurial
12.3 010 Mercurial Date: 2025-05-20 Severity: Medium
In Mercurial-7.0.1, a security vulnerability was fixed that could allow for cross-site scripting through the web interface (hgweb). A default installation of Mercurial on BLFS is NOT vulnerable as the system must be configured to use the 'hgweb' program, and the BLFS configuration does not enable this functionality. If you are using hgweb though, please update to Mercurial-7.0.1 as soon as possible. Otherwise, there is no need to install this update. 12.3-010
MIT Kerberos V5
12.3 099 MIT Kerberos V5 Date: 2025-08-31 Severity: High
In krb5-1.22.1, a security vulnerability was fixed that causes GSS MIC verification to pass in all circumstances, even if the data provided is incorrect. There are very few details available about this vulnerability, but if you are running a Kerberos server, it's highly recommended that you update to this version immediately to prevent an authentication bypass. Update to krb5-1.22.1. 12.3-099
OpenJDK
12.3 084 OpenJDK Date: 2025-07-28 Severity: High
In OpenJDK-24.0.2, five security vulnerabilities were fixed that could allow for remote code execution, remote information disclosure, and remotely exploitable denial of service. One of the vulnerabilities is trivial to exploit, but the other four have a high attack complexity. The vulnerabilities are in the Networking, 2D, JSSE, and Compiler components. None of them require any user interaction or authentication to exploit, and the most serious is the low-complexity remote code execution vulnerability in the Networking component. All users who have OpenJDK installed should update immediately. Update to OpenJDK-24.0.2 or the pre-built Java binaries. 12.3-084
12.3 031 OpenJDK Date: 2025-05-20 Severity: High
In OpenJDK-24.0.1, three security vulnerabilities were fixed that could allow for remote code execution, arbitrary code execution, and unauthorized data modification. No user interaction or privileges are required to exploit these vulnerabilities. Update to OpenJDK-24.0.1. 12.3-031
PHP
12.3 068 PHP Date: 2025-07-10 Severity: High
In PHP-8.4.10, three security vulnerabilities were fixed that could allow for a remotely exploitable denial of service, SQL Injection, and for Server Side Request Forgery. The vulnerabilities exist in the Standard, SOAP, and PGSQL components of PHP. All users who use PHP for web applications are encouraged to update to this version to fix these vulnerabilities. Update to PHP-8.4.10. 12.3-068
12.3 005 PHP Date: 2025-03-14 Severity: Medium
In PHP-8.4.5, seven security vulnerabilities were fixed that could allow for crashes, arbitrary code execution, unauthorized HTTP redirects, authentication bypasses, remote system crashes, and for invalid HTTP headers to be processed. The vulnerabilities exist in the Streams, libxml, and Core components of PHP. All users who use PHP for web applications are encouraged to update to this version to fix these vulnerabilities. Update to PHP-8.4.5. 12.3-005
poppler
12.3 071 poppler Date: 2025-07-16 Severity: Medium
In poppler-25.06.0, a security vulnerability was fixed that could allow for a denial of service (application crash), or potentially arbitrary code execution. The vulnerability is due to a use-after-free, but the chances of exploitation are low due to the amount of time it takes to successfully exploit on a system. Update to poppler-25.06.0. 12.3-071
PostgreSQL
12.3 093 PostgreSQL Date: 2025-08-16 Severity: High
In PostgreSQL-17.6, three security vulnerabilities were fixed that could allow for optimizer statistics to expose sampled data from a view, partition, or child table, and for arbitrary code execution in the psql client when restoring a dump produced by pg_dump. All users who have PostgreSQL installed for anything other than satisfying a build dependency are advised to upgrade to PostgreSQL-17.6. Alternatively, users on older versions of PostgreSQL can upgrade to 16.10, 15.14, 14.19, or 13.22. 12.3-093
12.3 028 PostgreSQL Date: 2025-05-20 Severity: Medium
In PostgreSQL-17.5, a security vulnerability was fixed that can allow for a database input provider to achieve temporary denial of service on any platform where a 1-byte over-read can trigger process termination. Both libpq and the database server are impacted, so it is possible for client applications to crash as well. Update to PostgreSQL-17.5. 12.3-028
Python
12.3 088 Python (LFS and BLFS) Date: 2025-08-10 Severity: High
In Python-3.13.6, four security vulnerabilities were fixed in the HTML Parser functionality that can allow for cross-site scripting, denial of service (unbounded resource consumption), and for hidden HTML code to be processed. These vulnerabilities mostly occur because the previous versions of Python did not adhere to the HTML 5 standard correctly. Update to Python-3.13.6, or follow the instructions in the advisory if you are on an older version of Python. 12.3-088
12.3 087 Python (LFS and BLFS) Date: 2025-08-05 Severity: High
A security vulnerability was discovered in Python-3.13.5 that can allow the tarfile module to process tar archives with negative offsets without an error, which would result in an infinite loop and a deadlock when processing maliciously crafted tar archives. Upstream has prepared a patch for the vulnerability which the BLFS editors have turned into a sed. Users who process tar files using the tarfile module in Python should rebuild Python with the sed command to resolve this vulnerability. 12.3-087
12.3 047 Python (LFS and BLFS) Date: 2025-06-04 Severity: Critical
In Python-3.13.4, five security vulnerabilities were fixed that could allow for a denial of service when processing long IPv6 addresses, and for tarfile extraction filters to be bypassed using crafted symlinks and hard links. The extraction filter bypasses allow attackers to write arbitrary files onto a user's filesystem when a tar archive is extracted with the 'tarfile' Python module. Update to Python-3.13.4. 12.3-047
12.3 018 Python (LFS and BLFS) Date: 2025-05-20 Severity: Medium
In Python-3.13.3, two security vulnerabilities were fixed that could allow for email header spoofing and a denial of service (unbounded memory usage). In addition, another vulnerability was resolved after this release of Python that can cause a crash when using the unicode_escape encoding with an error handler when decoding bytes via bytes.decode(). Update to Python-3.13.3 and apply the patch for the bytes.decode() vulnerability. 12.3-018
Qt6
12.3 083 Qt6 Date: 2025-07-27 Severity: Low
In Qt-6.9.1, a security vulnerability was fixed that can allow for a denial of service when processing a specially crafted ICC profile. The crash occurs when an ICC profile passes a value outside of the expected range to QColorTransferGenericFunction, and this can be triggered in any application that uses QColorSpace::fromICCProfile to set color profiles. The only known impacts at this time are application crashes. Updating Qt6 to 6.9.1 can be risky and requires some package rebuilds due to the usage of private API that was changed in Qt 6.9.1, but the BLFS team has tested it, and if you want to take the risk, update to Qt 6.9.1. A patch is also available for Qt 6.8 but has not been tested by the BLFS team. 12.3-083
12.3 011 Qt6 Date: 2025-05-20 Severity: Low
In Qt-6.9.0, a security vulnerability was fixed that could allow for a heap buffer overflow when passing an incorrectly formatted Markdown file to QTextMarkdownImporter. The only known impacts at this time are application crashes. Updating Qt6 to 6.9.0 can be risky and requires some package rebuilds due to the usage of private API that was changed in Qt 6.9.0, but the BLFS team has tested it, and if you want to take the risk, update to Qt 6.9.0. A patch is also available for Qt 6.8 but has not been tested by the BLFS team. 12.3-011
QtWebEngine
12.3 101 QtWebEngine Date: 2025-08-31 Severity: Critical
In QtWebEngine-6.9.2, 21 security vulnerabilities were fixed that can allow for sandbox escapes, unauthorized user information disclosure, cross-origin information leakage, remote code execution, user interface spoofing, arbitrary file reads and writes, arbitrary code execution, and bypass of the Content Security Policy (if one is enforced). Several of these vulnerabilities are extremely severe, and two of them, the sandbox escape and the arbitrary file read/write, are known to be actively exploited in the wild and are often chained together: attackers use them to implant or read files in protected areas of a user's filesystem, which the sandbox is supposed to prevent by confining QtWebEngine to certain directories on the system. The actively exploited sandbox escape significantly amplifies the severity of every other vulnerability fixed here. ALL USERS WHO HAVE QTWEBENGINE INSTALLED MUST UPDATE TO 6.9.2 AS SOON AS POSSIBLE, EVEN IF THEY ARE ONLY USING IT AS A BUILD DEPENDENCY. Update to QtWebEngine-6.9.2. 12.3-101
12.3 046 QtWebEngine Date: 2025-06-03 Severity: Critical
In QtWebEngine-6.9.1, nineteen security vulnerabilities were fixed that could allow for remote code execution, information retrieval about peripherals, malicious extension installation, file restriction bypasses, same-origin policy bypasses, remotely exploitable privilege escalation, remotely exploitable sandbox escapes, cross-origin information leakage, and access control bypasses. Update to QtWebEngine-6.9.1. 12.3-046
12.3 012 QtWebEngine Date: 2025-05-20 Severity: Critical
In QtWebEngine-6.9.0, fifteen security vulnerabilities were fixed that could allow for sensitive system data exfiltration, user interface spoofing, remote code execution, arbitrary code execution, and sandbox escapes. All users who have QtWebEngine installed should update to QtWebEngine-6.9.0 as one of the vulnerabilities is known to be exploited in the wild. 12.3-012
Requests (Python Module)
12.3 055 Requests (Python Module) Date: 2025-06-13 Severity: Medium
In Requests-2.32.4, a security vulnerability was fixed where a crafted URL, combined with a trusted environment, can cause credentials for the wrong hostname to be read from a .netrc file. Users who do not have a ~/.netrc file containing credentials are not impacted by this vulnerability, and there is no reason for them to update to this version. If you do have a ~/.netrc file, you should update to Requests-2.32.4 immediately, as the only workaround is to modify every requests session to set "trust_env=False". 12.3-055
Ruby
12.3 077 Ruby Date: 2025-07-17 Severity: High
In Ruby-3.4.5, a security vulnerability was fixed that can allow for a denial of service (application hang) when processing malicious DNS packets that contain a highly compressed domain name. The vulnerability is in the bundled 'resolv' gem, and is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. Update to Ruby-3.4.5. 12.3-077
Samba
12.3 052 Samba Date: 2025-06-09 Severity: Medium
In Samba-4.22.2, a security vulnerability was fixed that could allow a client to keep access to file shares after its group membership has been revoked, until that client disconnects from the SMB server and reconnects. The problem occurs because the smbd service daemon did not pick up group membership changes when it re-established an expired SMB session. This only affects Kerberos authentication, which is not part of the standard BLFS configuration. Users running the standard BLFS configuration are not impacted, nor are users who only use the client-side components of Samba. Update to Samba-4.22.2 if you are using Kerberos in your server's configuration. 12.3-052
Screen
12.3 030 Screen Updated: 2025-05-28 Severity: High
In Screen-5.0.1, five security vulnerabilities were fixed that could allow for a reliable local privilege escalation to root, for leaking file existence information, for TTY hijacking while attaching to a multi-user session, for race conditions when sending signals, and for PTYs to be created world-writable. A serious buffer overflow caused by an incorrect strncpy() call was also fixed in this release. Because the default configuration of Screen in BLFS installs it setuid-root, all systems with Screen installed are impacted by these vulnerabilities, some of which also affect older Screen releases. If you have Screen installed, please update to Screen-5.0.1 immediately. 12.3-030
Updated on 2025-05-28 to include the correct CVE number for the last vulnerability.
Seamonkey
12.3 091 Seamonkey Date: 2025-08-15 Severity: Critical
In Seamonkey-2.53.21, sixteen security vulnerabilities were fixed that could allow for use-after-free operations in XSLT, Custom Highlight, WebTransportChild, XSLTProcessor, during concurrent delazification, and in the browser process via AudioIPC StreamData; a buffer overflow; incomplete returns on x86_64 CPUs; sandbox escapes via incorrect handles; privilege escalation in the updater; process isolation bypass; potential local code execution; out-of-bounds access when resolving Promise objects and optimizing linear sums; and memory safety bugs. This brings Seamonkey up to date with the security issues fixed in Firefox 115.23.1. Update to Seamonkey-2.53.21 urgently. 12.3-091
SpiderMonkey
12.3 097 SpiderMonkey Date: 2025-08-21 Severity: Medium
In SpiderMonkey-140.2.0esr, a security vulnerability was fixed that could allow for uninitialized memory access, which can lead to a denial of service (application crash). To use SpiderMonkey-140 with the version of gjs in BLFS 12.3, you must update to gjs-1.84.2 with the spidermonkey_140 patch that is currently in the development version of BLFS. Alternatively, you can update to SpiderMonkey-128.14.0esr, which stays on the 128 series. Update to SpiderMonkey-140.2.0esr and update gjs to gjs-1.84.2 with the patch, or update to SpiderMonkey-128.14.0esr. 12.3-097
12.3 079 SpiderMonkey Date: 2025-07-22 Severity: High
In SpiderMonkey-128.13.0, two security vulnerabilities were fixed that could allow for writing a partial return value to the stack on 64-bit systems and incorrectly handling closed generators. Update to SpiderMonkey-128.13.0. 12.3-079
12.3 033 SpiderMonkey Date: 2025-05-20 Severity: Critical
In SpiderMonkey-128.10.1, two critical security vulnerabilities were fixed that could allow an attacker to read and write out-of-bounds memory by executing malicious JavaScript. These vulnerabilities were demonstrated at Pwn2Own Vancouver to achieve remote code execution and JavaScript manipulation. All users with SpiderMonkey installed need to update to 128.10.1 urgently. 12.3-033
12.3 001 SpiderMonkey Date: 2025-03-07 Severity: High
In SpiderMonkey-128.8.0, two security vulnerabilities were fixed that could allow for arbitrary code execution due to type confusion, and for arbitrary code execution due to an unexpected garbage collection occurring during regular expression bailout processing. Note that the type confusion vulnerability only impacts 64-bit CPUs. Update to SpiderMonkey-128.8.0. 12.3-001
sudo
12.3 065 sudo Date: 2025-07-02 Severity: Critical
In sudo-1.9.17p1, two security vulnerabilities were fixed that could allow for local privilege escalation. The first vulnerability affects the 'host' option, and requires that a hostname is specified in a sudoers rule to be exploitable. The other vulnerability affects the chroot functionality. The default BLFS sudoers configuration is not affected, but if you have modified /etc/sudoers to use hostnames or CHROOT, you should update your system to sudo-1.9.17p1 immediately. 12.3-065
systemd
12.3 044 systemd (LFS and BLFS) Date: 2025-06-02 Severity: Medium
In systemd-257.6, a security vulnerability was fixed in systemd-coredump that allows a local attacker to crash a SUID process and then replace its executable with a non-SUID binary, so that the attacker is handed the core dump of the original privileged process. This allows the attacker to read extremely sensitive data, such as the contents of /etc/shadow. Update to systemd-257.6. 12.3-044
Thunderbird
12.3 096 Thunderbird Date: 2025-08-21 Severity: High
In Thunderbird-140.2.0esr, seven security vulnerabilities were fixed that could allow for a sandbox escape when playing encrypted videos, for a same-origin policy bypass when using 2D graphics, for uninitialized memory to cause an unexpected crash in the JavaScript engine, for a potential denial of service (application crash) due to an infinite loop causing out-of-memory conditions in the WebRender component, for spoofing attacks via the address bar, and for remote code execution. Update to Thunderbird-140.2.0esr, or alternatively to Thunderbird-128.14.0esr if you wish to stay on the 128 ESR series. 12.3-096
12.3 081 Thunderbird Date: 2025-07-22 Severity: High
In Thunderbird-140.1.0esr, fourteen security vulnerabilities were fixed that could allow for writing a partial return value to the stack on 64-bit systems, large branch tables leading to truncated instructions, URLs being executed on object and embed tags via JavaScript, circumventing CORS via DNS rebinding, nameless cookies shadowing secure cookies, potential code execution via the "Copy as cURL" command, incorrect URL stripping in CSP reports, XSLT documents bypassing CSP, CSP frame-src not being correctly enforced for paths, search terms persisting in the URL bar, incorrect handling of closed generators via JavaScript, and various memory safety bugs. Update to Thunderbird-140.1.0esr. Alternatively, if you have not installed ICU-76.1 or later, you can stay on the 128 ESR series and upgrade to Thunderbird-128.13.0esr. 12.3-081
12.3 067 Thunderbird Date: 2025-07-03 Severity: High
In Thunderbird-140.0esr, ten security vulnerabilities were fixed that could allow for use-after-free attacks, exposure of persistent UUIDs, bypass of Content Security Policy restrictions, incorrect parsing that allowed YouTube content to be embedded, the Content-Disposition header being ignored, DNS request leakage outside a configured SOCKS proxy, signing of a challenge with an invalid TLS certificate, clickjacking via the HTTPS-only exception, the Save As action in DevTools not sanitizing downloaded file extensions, and exploitable memory safety bugs. Two of the vulnerabilities are rated as High. Update to Thunderbird-140.0esr. 12.3-067
12.3 053 Thunderbird Date: 2025-06-11 Severity: High
In Thunderbird-128.11.1esr, a security vulnerability was fixed that could allow for credential leakage, disk space exhaustion, and unsolicited file downloads by using crafted HTML mailbox:/// links. This is the same vulnerability that was claimed to be fixed in Thunderbird-128.10.2esr; because different code landed, the vulnerability was not actually fixed until this release, leaving it unfixed for 22 days. The vulnerability is rated as High. Update immediately to Thunderbird-128.11.1esr. 12.3-053
12.3 039 Thunderbird Date: 2025-05-28 Severity: Critical
In Thunderbird-128.11.0esr, seven security vulnerabilities were fixed that could allow for remotely exploitable crashes, memory corruption, remote code execution, cross-origin information leakage, local code execution through the "Copy as cURL" command, and for clickjacking to trick users into leaking saved payment card details. One of the vulnerabilities is rated as Critical, and thus all users should update immediately. Update to Thunderbird-128.11.0esr. 12.3-039
12.3 035 Thunderbird Date: 2025-05-20 Severity: Critical
In Thunderbird-128.10.2esr (as well as 128.9.1, 128.9.2, 128.10.0, and 128.10.1), eighteen security vulnerabilities were fixed that could allow for remote code execution, URL bar spoofing, arbitrary code execution, leaks of hashed Windows credentials, information disclosure of the directory listing of /tmp, UI misrepresentation of attachment URLs, sandbox escapes, remotely exploitable crashes, unsafe attribute accesses (leading to memory corruption and out-of-bounds memory access), sender spoofing (leading to extremely trivial phishing attacks), unsolicited file downloads, disk space exhaustion, credential leakage to remote attackers via compromised emails and attachments, JavaScript execution via spoofed PDF attachments, and tracking links in attachments bypassing remote content blocking. All users who have Thunderbird installed need to update to Thunderbird-128.10.2esr urgently to protect their systems. 12.3-035
12.3 003 Thunderbird Date: 2025-03-07 Severity: Critical
In Thunderbird-128.8.0esr, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, arbitrary code execution, clickjacking, and for web extensions to be disguised as different elements on a web page. Because one of the remote code execution vulnerabilities is actively exploited in the wild and does not require user interaction, the BLFS team recommends that all users who have Thunderbird installed update to 128.8.0esr as soon as possible. 12.3-003
udisks
12.3 100 udisks Date: 2025-08-31 Severity: High
In udisks-2.10.2, a security vulnerability was fixed that could allow a local attacker to crash the udisks daemon, or to escalate privileges locally by gaining access to files owned by privileged users. The issue is caused by an out-of-bounds read. Update to udisks-2.10.2. 12.3-100
12.3 063 udisks Date: 2025-06-22 Severity: High
In udisks-2.10.1, a security vulnerability was discovered that can allow for local privilege escalation when chained together with libblockdev and Linux-PAM. The vulnerability occurs because udisks does not always mount filesystems with the 'nosuid,nodev' options, which allows users to escalate their privileges on systems with SUID executables; this is not supposed to be the default behavior for filesystems mounted via udisks. A detailed proof-of-concept exploit is available with comprehensive exploit documentation. The BLFS developers have implemented a sed to work around the problem. If you have udisks installed on your system, you should rebuild udisks with the sed command in the book immediately. 12.3-063
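Whether the sed actually took effect is something you can check on the running system: any user-mountable medium that shows up in the mount table without nosuid and nodev is the condition the advisory describes. The following Python is an added example, not the BLFS sed and not udisks code. It parses a mount table in the format of /proc/self/mounts and flags media mounts that lack either option. The mount-point prefixes in MEDIA_PREFIXES are an assumption about where udisks places removable media on a typical system (adjust them to yours), and the sample table is constructed for the example.

```python
import re

# Mount-point prefixes under which udisks-style removable media is normally
# mounted. Assumption for this example; adjust to your system.
MEDIA_PREFIXES = ("/run/media/", "/media/")

# Options udisks is expected to apply to user-mounted filesystems.
REQUIRED_OPTS = ("nosuid", "nodev")


def unescape(field):
    """Undo the \\ooo octal escaping /proc/mounts uses for space, tab, newline and backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (source, mountpoint, fstype, option-set) for each line of a /proc/mounts-style table."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        source, mountpoint, fstype, options = fields[:4]
        yield unescape(source), unescape(mountpoint), fstype, set(options.split(","))


def insecure_media_mounts(text, prefixes=MEDIA_PREFIXES, required=REQUIRED_OPTS):
    """Return {mountpoint: [missing options]} for media mounts lacking nosuid or nodev."""
    findings = {}
    for _source, mountpoint, _fstype, options in parse_mounts(text):
        if not mountpoint.startswith(prefixes):
            continue
        missing = [opt for opt in required if opt not in options]
        if missing:
            findings[mountpoint] = missing
    return findings


# Constructed mount table for the example. "\040" is how /proc/mounts encodes a space.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdb1 /run/media/alice/USB\\040STICK vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /run/media/alice/backup ext4 rw,relatime 0 0
/dev/sdd1 /media/camera exfat rw,nodev,relatime 0 0
"""

if __name__ == "__main__":
    import sys
    # Pass --live to audit the running system instead of the constructed sample.
    if "--live" in sys.argv:
        with open("/proc/self/mounts") as fh:
            table = fh.read()
    else:
        table = SAMPLE_MOUNTS
    for mountpoint, missing in insecure_media_mounts(table).items():
        print(f"{mountpoint}: missing {','.join(missing)}")
```

Run it with --live after plugging in a USB stick and mounting it through your desktop environment; an empty result means every media mount carries both options. The unescaping step matters because volume labels with spaces are common on removable media, and a naive split on the raw line would otherwise misread the option field.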
Unbound
12.3 075 Unbound Date: 2025-07-17 Severity: High
In Unbound-1.23.1, a security vulnerability was fixed that could allow for DNS cache poisoning attacks in some configurations. This attack has been called the Rebirthday Attack. The standard BLFS configuration is not impacted as we do not pass the '--enable-subnet' option to configure when building Unbound. However, users who have passed this option to configure are affected. Update to Unbound-1.23.1 if you passed this option to configure. 12.3-075
vim
12.3 072 vim (LFS and BLFS) Date: 2025-07-16 Severity: Medium
In vim-9.1.1552, two security vulnerabilities were fixed that could allow for path traversal when using the tar.vim and zip.vim plugins to view a malicious TAR or ZIP file. If a relative path is used within the TAR/ZIP file, vim can extract arbitrary files into directories on the system, which can be used to place files needed to exploit other vulnerabilities on the system. Update to vim-9.1.1552. 12.3-072
WebKitGTK
12.3 086 WebKitGTK Date: 2025-08-05 Severity: High
In WebKitGTK-2.48.5, ten security vulnerabilities were fixed that could allow for remote code execution, crashes, sandbox escapes, UI spoofing, internal state disclosure, sensitive user information disclosure, and for download origins to not be associated correctly. Update to WebKitGTK-2.48.5. 12.3-086
12.3 007 WebKitGTK Date: 2025-05-20 Severity: Critical
In WebKitGTK-2.48.2, sixteen security vulnerabilities were fixed that could result in unexpected process crashes, cross-origin data exfiltration, memory corruption, cross-site scripting attacks, type confusion (on ARM architectures), and sandbox escapes. The sandbox escape vulnerability is known to be exploited in the wild, and it is thus recommended that users update WebKitGTK immediately. Update to WebKitGTK-2.48.2. 12.3-007
Wireshark
12.3 049 Wireshark Date: 2025-06-09 Severity: High
In Wireshark-4.4.7, a security vulnerability was fixed that could allow for a crash due to a buffer overflow while processing crafted packets. The crash occurs with many dissectors as it impacts the common Columns module built into Wireshark. Update to Wireshark-4.4.7. 12.3-049
Xorg-Server
12.3 058 Xorg-Server Date: 2025-06-20 Severity: Medium
In Xorg-Server-21.1.18, a security vulnerability was fixed that could allow for an integer overflow. This release ensures that a CVE that was supposedly fixed in the previous release is actually fixed. Update to Xorg-Server-21.1.18. 12.3-058
12.3 056 Xorg-Server Date: 2025-06-17 Severity: Medium
In Xorg-Server-21.1.17, six security vulnerabilities were fixed that could allow for out-of-bounds reads, integer overflows, reads of stale data, and one client causing another client to hang. Many of these are in extensions, and many are very old vulnerabilities, some dating back to X11R6. Update to Xorg-Server-21.1.17. 12.3-056
Xwayland
12.3 059 Xwayland Date: 2025-06-20 Severity: Medium
In Xwayland-24.1.8, a security vulnerability was fixed that could allow for an integer overflow. This release ensures that a CVE that was supposedly fixed in the previous release is actually fixed. Update to Xwayland-24.1.8. 12.3-059
12.3 057 Xwayland Date: 2025-06-17 Severity: Medium
In Xwayland-24.1.7, six security vulnerabilities were fixed that could allow for out-of-bounds reads, integer overflows, reads of stale data, and one client causing another client to hang. Many of these are in extensions, and many are very old vulnerabilities, some dating back to X11R6. Update to Xwayland-24.1.7. 12.3-057
Yelp
12.3 020 Yelp Updated: 2025-06-22 Severity: High
In Yelp-42.2, a security vulnerability was found that allows help documents to execute arbitrary JavaScript and to read arbitrary files on disk. Upstream had not released a patched version when this advisory was first issued, so the BLFS team adopted patches from upstream to resolve the issue. A public exploit and writeup demonstrate reading a user's SSH private key via a crafted help document, and thus ALL BLFS USERS WHO HAVE YELP INSTALLED SHOULD APPLY THE FIX AS SOON AS POSSIBLE. Update to yelp-42.3 and yelp-xsl-42.4. 12.3-020
Updated on 2025-06-22 to include details about yelp-xsl-42.4 and yelp-42.3, which fix this vulnerability. Users should use these versions now instead of using the patches.