BLFS Security Advisories for BLFS 12.4 and the current development books.
BLFS-12.4 was released on 2025-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newest come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
Apache HTTPD
12.4 049 Apache HTTPD Date: 2025-12-04 Severity: Medium
In httpd-2.4.66, four security vulnerabilities were fixed that could allow for unintended retry intervals when renewing ACME certificates, for Server Side Includes to unexpectedly pass a shell escaped query string to a command directive, for environment variables to be overridden when using CGI programs, and for users to cause CGI scripts to run under an unexpected username. Update to httpd-2.4.66 or later if you use the mod_cgi, mod_cgid, mod_md, or Server Side Includes functionality. 12.4-049
BIND
12.4 082 BIND Date: 2026-02-05 Severity: High
In BIND-9.20.18, a security vulnerability was fixed that could allow remote attackers to force the BIND DNS server to terminate unexpectedly. The problem occurs whenever the server receives and attempts to parse malformed BRID or HHIT records. Note that only the BIND server is affected, not the client utilities. Users who run the BIND server in any capacity should nevertheless update to BIND-9.20.18, because the vulnerability can be triggered during normal operation. 12.4-082
12.4 025 BIND Date: 2025-11-04 Severity: Critical
In BIND-9.20.15, three security vulnerabilities were fixed that could allow for resource exhaustion as well as cache poisoning attacks. The resource exhaustion vulnerability occurs when querying a specially crafted zone that contains malformed DNSKEY records. The first cache poisoning vulnerability occurs because BIND is too lenient when accepting records from answers, which allows attackers to trivially inject forged data into the cache. The other cache poisoning vulnerability is due to a weakness in the PRNG that is used, which allows attackers to predict the source port and query ID that BIND will use. Users who run the BIND server should update to BIND-9.20.15 immediately, but if you are only using the client utilities there is no reason to upgrade. 12.4-025
brotli
12.4 027 brotli Date: 2025-11-04 Severity: Low
In brotli-1.2.0, a mitigation against unexpectedly large decompressed output was added to the Python bindings: a Decompressor::can_accept_more_data method and an optional output_buffer_limit argument to the Decompressor::process method, which let a caller cap how much output a single decompression call may produce. This is rated Low because no CVE has been assigned and the change only affects the Python bindings to brotli, which are not commonly used. If you are using the Python bindings to brotli, update to brotli-1.2.0. 12.4-027
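As an illustration of the kind of protection the new brotli Python API provides, here is an added example; it is not part of the advisory or of brotli itself. Because brotli's Python bindings may not be installed, it uses the standard library's zlib.decompressobj, whose max_length argument plays the same role as output_buffer_limit (treating the two as equivalent is an assumption made for this example): each call produces at most a fixed number of output bytes, and the caller aborts once a total cap is exceeded instead of materialising a multi-megabyte expansion of a tiny input. The payloads are constructed inline.

```python
import zlib


class OutputLimitExceeded(Exception):
    """Raised when decompressed output would exceed the caller's cap."""


def bounded_decompress(data: bytes, limit: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data`, aborting as soon as more than `limit` bytes of output exist.

    zlib.decompressobj().decompress(..., max_length) returns at most max_length
    bytes per call and parks unconsumed input in `unconsumed_tail`, so the
    output materialised per step is bounded by `chunk` and the total by
    `limit`, whatever the compression ratio of the input.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > limit:
            consumed = len(data) - len(d.unconsumed_tail)
            raise OutputLimitExceeded(
                f"more than {limit} bytes of output from {consumed} input bytes")
        pending = d.unconsumed_tail
        # Stop at end of stream, or when the input is exhausted and the
        # decompressor has nothing further to emit (a truncated stream).
        if d.eof or (not pending and not piece):
            break
    return bytes(out)


def demo() -> dict:
    """Constructed inputs: a benign payload and a 10 MiB zero-filled 'bomb'."""
    benign_plain = b"hello world" * 100
    benign = zlib.compress(benign_plain)
    bomb_size = 10 * 1024 * 1024
    bomb = zlib.compress(b"\x00" * bomb_size)
    result = {
        "benign_ok": bounded_decompress(benign, 10_000) == benign_plain,
        "bomb_ratio": bomb_size // len(bomb),
    }
    try:
        bounded_decompress(bomb, 1024 * 1024)  # cap total output at 1 MiB
        result["bomb_rejected"] = False
    except OutputLimitExceeded:
        result["bomb_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the loop is that the cap is enforced before the next chunk is requested, so a hostile input that expands a thousandfold never occupies more than limit plus one chunk of memory; a single unbounded decompress() call has no such bound.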
c-ares
12.4 055 c-ares Date: 2025-12-08 Severity: Medium
In c-ares-1.34.6, a security vulnerability was fixed that could allow for a remotely exploitable crash due to a use-after-free when reading responses from a DNS server. The process_answer() function could terminate a query (for example after reaching the maximum number of attempts) but in some cases would continue to process additional answers after closing the connection. Update to c-ares-1.34.6. 12.4-055
CUPS
12.4 042 CUPS Updated: 2025-12-10 Severity: Medium
In CUPS-2.4.15, two security vulnerabilities were fixed that could allow for local denial of service and an unresponsive cupsd process. However, major regressions were found in that release that cause applications to hang. Update to CUPS-2.4.16 instead. 12.4-042
12.4 041 cups-filters and libcupsfilters Date: 2025-11-22 Severity: Medium
Patches for cups-filters-2.0.1 and libcupsfilters-2.1.1 fix three security vulnerabilities that could allow for heap buffer overflows and out-of-bounds reads. Rebuild cups-filters-2.0.1 and libcupsfilters-2.1.1 with the security patches listed on each package's page, as described in the consolidated advisory. 12.4-041
12.4 006 CUPS Date: 2025-09-30 Severity: High
In CUPS-2.4.14, two security vulnerabilities were fixed that can allow for a remotely exploitable authentication bypass and denial of service. The authentication bypass vulnerability occurs on systems where the AuthType is set to anything other than Basic, and the denial of service vulnerability occurs on systems that listen for IPP printers through cups-browsed or CUPS itself. Users who have cups-browsed installed, or who have modified the AuthType configuration items, are recommended to update as soon as possible. Update to CUPS-2.4.14. 12.4-006
cURL
12.4 068 cURL Date: 2026-01-14 Severity: Medium
In cURL-8.18.0, six security vulnerabilities were fixed that could allow for lack of QUIC certificate pinning with GnuTLS, broken TLS options, bearer token leakage, OpenSSL partial chain store policy bypassing, libssh global known_hosts overriding, and libssh key passphrase bypassing. Update to cURL-8.18.0. 12.4-068
12.4 033 cURL Date: 2025-11-12 Severity: Medium
In cURL-8.17.0, a security vulnerability was fixed that could allow for path traversal when using the 'wcurl' utility with a URL containing percent-encoded slashes (/ or \). Percent-encoded slashes can trick wcurl into saving the output file outside of the current directory, potentially allowing attackers to place files elsewhere on a user's system without their knowledge. This only affects users of the 'wcurl' utility; users who only use libcurl as a build dependency or the 'curl' utility are not impacted. If you use the 'wcurl' utility, update to cURL-8.17.0. 12.4-033
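The bug class in this advisory appears in any tool that derives an output filename from a URL. The following Python is an added example, not wcurl's code: naive_output_name() splits the still-encoded path on '/' and only then percent-decodes the last segment, so an encoded slash becomes a real directory separator in the name it returns; safe_output_name() decodes first and refuses any result that still contains a separator, a NUL byte, or is '.' or '..'. The URLs are constructed for the example.

```python
from urllib.parse import urlsplit, unquote


class UnsafeFilename(ValueError):
    """The URL's last path segment would escape the target directory."""


def naive_output_name(url: str) -> str:
    """The vulnerable pattern: split the *encoded* path on '/', then decode.

    '%2F' is not a '/' at split time, so it survives into the last segment
    and turns into a directory separator only after decoding.
    """
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote(last) or "index.html"


def safe_output_name(url: str) -> str:
    """Decode first, then refuse anything that is not a plain single-level name."""
    last = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    if last == "":
        return "index.html"
    if "/" in last or "\\" in last or "\x00" in last or last in (".", ".."):
        raise UnsafeFilename(f"refusing to write to {last!r} derived from {url}")
    return last


def is_safe_url_name(url: str) -> bool:
    """Yes/no wrapper around safe_output_name()."""
    try:
        safe_output_name(url)
        return True
    except UnsafeFilename:
        return False


# Constructed URLs for the example (not taken from the advisory).
BENIGN = "https://example.com/files/report.pdf?download=1"
ENCODED_SLASH = "https://example.com/d/..%2F..%2F.ssh%2Fauthorized_keys"
ENCODED_BACKSLASH = "https://example.com/d/..%5C..%5Cevil.exe"
DOUBLE_ENCODED = "https://example.com/d/safe%252Fname.txt"  # one decode leaves 'safe%2Fname.txt'

if __name__ == "__main__":
    print(naive_output_name(ENCODED_SLASH))  # '../../.ssh/authorized_keys'
    print(safe_output_name(BENIGN))          # 'report.pdf'
    print(is_safe_url_name(ENCODED_SLASH))   # False
```

Decoding once and then validating is deliberate: a doubly encoded name such as safe%252Fname.txt decodes to the literal string safe%2Fname.txt, which is a harmless filename, whereas decoding in a loop until nothing changes would reintroduce the separator.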
12.4 008 cURL Updated: 2025-11-04 Severity: Low
In cURL-8.16.0, two security vulnerabilities were fixed that could allow for a predictable mask pattern to occur when using WebSockets (which can allow for a malicious server to induce traffic between machines which can be interpreted by an involved proxy as legitimate traffic), and for sites to overwrite the contents of a secure cookie. Update to cURL-8.16.0. 12.4-008
Dovecot
12.4 031 Dovecot Date: 2025-11-07 Severity: High
In Dovecot-2.4.2, a security vulnerability was fixed that could allow users to access other users' mail in certain situations. This occurs because of a problem with authentication caching, where the first lookup would be cached for all lookups across the server: the cache key was "%u", which no longer expands to the same value as "${user}". This does not affect the standard BLFS configuration, where authentication caching is disabled (auth_cache_size is 0; doveconf auth_cache_size shows the effective value), but if you run a server with the auth cache enabled, you should update to this version of Dovecot immediately. Alternatively, you can disable authentication caching by setting auth_cache_size = 0. If you run a server with an affected configuration, update to Dovecot-2.4.2. 12.4-031
Exim
12.4 062 Exim Date: 2025-12-20 Severity: High
In Exim-4.99.1, a security vulnerability was fixed that could allow for a remote heap buffer overflow in some situations because database records are cast directly to internal structures without validation. This only affects some non-default rate-limit configurations when using SQLite or hintdb as the database backend. The default configuration in BLFS is not affected, but if you have modified the rate limit configurations, you should update to Exim-4.99.1. There is no need to update otherwise. 12.4-062
Exiv2
12.4 010 Exiv2 Date: 2025-09-30 Severity: Low
In Exiv2-0.28.7, two security vulnerabilities were fixed that could allow for a denial of service (application crash and quadratic resource consumption) when processing EPS files and parsing ICC profiles in JPEG images. Update to Exiv2-0.28.7 if you work with untrusted EPS files or JPEG images. 12.4-010
fetchmail
12.4 017 fetchmail Date: 2025-10-10 Severity: Medium
In fetchmail-6.5.6, a security vulnerability was fixed that could cause a denial of service (application crash) when authenticating using the SMTP client. Note that for this vulnerability to be exploitable, the esmtpname and esmtppassword options must be configured, and the plugout and mda options must be inactive. This particular configuration is rather uncommon, but if you have fetchmail installed with this configuration and are experiencing crashes, update to fetchmail-6.5.6 or later. 12.4-017
Firefox
12.4 072 Firefox Date: 2026-01-14 Severity: High
In Firefox-140.7.0esr, thirteen security vulnerabilities were fixed that could allow for spoofing, mitigation bypassing, sandbox escapes, use-after-free operations, information disclosure, incorrect boundary conditions, clickjacking, and memory safety exploitation. Update to Firefox-140.7.0esr. Note that if you build Firefox against the system NSS and NSPR, NSPR must be at version 4.38.2. 12.4-072
12.4 058 Firefox Date: 2025-12-16 Severity: High
In Firefox-140.6.0esr, ten security vulnerabilities were fixed that could allow for use-after-free operations, sandbox escapes, privilege escalation, JIT miscompilations, same-origin bypasses, and memory safety issues. Update to Firefox-140.6.0esr. 12.4-058
12.4 045 Firefox Date: 2025-12-02 Severity: High
In Firefox-140.5.0esr, nine security vulnerabilities were fixed that could allow for race conditions, incorrect boundary conditions in the JavaScript WebAssembly component, same-origin policy bypassing, mitigation bypassing, use-after-free operations, and spoofing. Update to Firefox-140.5.0esr. 12.4-045
12.4 022 Firefox Date: 2025-10-14 Severity: High
In Firefox-140.4.0esr, eight security vulnerabilities have been fixed that could allow for use-after-free operations, out-of-bounds reading/writing, information leakage, modification of non-writable object properties, overriding of browser behavior, potential user-assisted code execution, and exploitation of memory safety bugs. These security vulnerabilities do not affect the JavaScript component of Firefox (SpiderMonkey). Update to Firefox-140.4.0esr. 12.4-022
12.4 001 Firefox Date: 2025-09-19 Severity: High
In Firefox-140.3.0esr, 7 security vulnerabilities have been fixed that could allow for sandbox escapes, same-origin policy bypasses, exploitation of incorrect boundary conditions, integer overflows, networking information disclosure, and memory safety bugs. Update to Firefox-140.3.0esr. 12.4-001
ffmpeg
12.4 014 ffmpeg Date: 2025-10-10 Severity: High
In ffmpeg-7.1.2, five security vulnerabilities were fixed that could allow for remote code execution and denial of service. One of these vulnerabilities is known to be exploited in the wild. These vulnerabilities occur when encoding AAC files, processing MPEG-DASH manifests, and when decoding OpenEXR files. These issues all occur due to heap buffer overflows. Note that ffmpeg is used in several contexts, including in web browsers and media players. Update to ffmpeg-7.1.2. 12.4-014
FreeRDP
12.4 084 FreeRDP Date: 2026-02-05 Severity: High
In FreeRDP-3.22.0, twelve security vulnerabilities were fixed in the FreeRDP client itself; one of them can also affect the FreeRDP proxy handling code. Information on these vulnerabilities is not available yet beyond the CVE numbers, as GitHub advisories have not been issued for this release. Users should update regardless, given the number of issues resolved. Update to FreeRDP-3.22.0. 12.4-084
12.4 077 FreeRDP Date: 2026-01-21 Severity: High
In FreeRDP-3.21.0, eight security vulnerabilities were fixed that could allow for heap buffer overflows, global buffer overflows, and use-after-free operations which can cause a crash (DOS) and heap corruption. All of these vulnerabilities occur client-side. Update to FreeRDP-3.21.0. 12.4-077
gegl
12.4 015 gegl Date: 2025-10-10 Severity: High
In gegl-0.4.64, a security vulnerability was fixed that could allow for remote code execution when processing HDR files. Note that this vulnerability is only exploitable via GIMP, which has also seen a security update recently. You should update gegl, and then update GIMP. If you are opening untrusted HDR files, you should update to gegl-0.4.64 immediately. 12.4-015
gi_docgen
12.4 021 gi_docgen Date: 2025-10-14 Severity: Medium
In gi_docgen-2025.5, a security vulnerability was fixed that could allow for XSS (cross-site scripting) in documentation generated by gi_docgen. The vulnerability was demonstrated in the libsoup API documentation, but can affect other documentation generated by gi_docgen as well. The vulnerability is in the search functionality and allows attackers to execute arbitrary JavaScript code in the context of the generated website. Update to gi_docgen-2025.5. 12.4-021
GIMP
12.4 016 GIMP Date: 2025-10-10 Severity: High
In GIMP-3.0.6, six security vulnerabilities were fixed that could allow for remote code execution when processing DCM, WBMP, FF, XWD, and ILBM files. If you are working with DCM, WBMP, FF, XWD, ILBM, or HDR files, you should update to gegl-0.4.64 and GIMP-3.0.6 immediately. 12.4-016
glib
12.4 097 glib Date: 2026-02-14 Severity: Medium
In glib-2.86.4, three security vulnerabilities were fixed that could allow for a denial of service (application crash) and application instability. These issues occur during Unicode case conversion, base64 encoding, and when processing content types. Update to glib-2.86.4. 12.4-097
12.4 056 glib Date: 2025-12-08 Severity: High
In glib-2.86.3, a security vulnerability was fixed that could allow for remote code execution or a denial of service (application crash) when an application uses the g_escape_uri_string() function to escape a URI string. The problem occurs due to a heap-based buffer overflow. Update to glib-2.86.3. 12.4-056
GnuPG
12.4 083 GnuPG Date: 2026-02-05 Severity: High
In GnuPG-2.5.17, three security vulnerabilities were fixed that could allow for remote code execution and denial of service (application crashes) when processing GnuPG data. All users who have GnuPG installed should update to GnuPG-2.5.17 as soon as possible. 12.4-083
GnuTLS
12.4 089 GnuTLS Date: 2026-02-11 Severity: High
In GnuTLS-3.8.12, two security vulnerabilities were fixed that could allow for a denial of service (application crash or resource exhaustion). The first vulnerability is a NULL pointer dereference while verifying PSK binders, and the other is a name constraint performance issue. Update to GnuTLS-3.8.12. 12.4-089
12.4 038 GnuTLS Date: 2025-11-22 Severity: Low
In GnuTLS-3.8.11, a security vulnerability was fixed that could allow for a stack overwrite. Update to GnuTLS-3.8.11. 12.4-038
gstreamer
12.4 080 gst-plugins-bad Date: 2026-02-04 Severity: High
In gst-plugins-bad-1.26.10, two security vulnerabilities were fixed that could allow for out-of-bounds reads in the MIDI parser, in turn leading to a crash (DoS). Few packages in BLFS, if any, use the MIDI parser from gst-plugins-bad; most opt for other solutions such as FluidSynth. Since a package may still use it, users should update regardless. Update to gstreamer, gst-plugins-base, and gst-plugins-bad 1.26.10 or later. gstreamer-1.28.0 is ABI compatible with 1.26.x. 12.4-080
ImageMagick
12.4 094 ImageMagick Date: 2026-02-14 Severity: Critical
In ImageMagick-7.1.2-13, thirteen security vulnerabilities were fixed that could allow for denial of service (application crash), information disclosure, remote code execution, and arbitrary code execution. These vulnerabilities occur in a variety of different operations, including when processing MSL, BMP, XBM, SVG, MVG, and TIM images, and when presenting errors during normal operations. Users who have ImageMagick installed should update immediately, especially if they process untrusted images or host a website that uses ImageMagick for conversions. Proof of concept exploits are available for many of these vulnerabilities. Some issues are specific to 32-bit systems. Update to ImageMagick-7.1.2-13. 12.4-094
intel-microcode
12.4 092 intel-microcode Date: 2026-02-11 Severity: High
In intel-microcode-20260210, two security vulnerabilities were fixed that could allow for privilege escalation or for a denial of service (application crash). The first privilege escalation vulnerability affects all Intel Core CPUs from the 6th through the 11th generation, as well as some CPUs from the Intel Pentium Gold and Celeron families; some Xeon W, E, and D CPUs and the 2nd/3rd Generation Intel Xeon Scalable family are also impacted. The other privilege escalation vulnerability affects 10th generation and later Intel Core CPUs, including the Core Ultra family, some Intel Pentium and Celeron CPUs, 3rd generation and later Intel Xeon Scalable processors, and some Xeon E, W, and D series processors. Several functional issues with 10th generation and later Intel Core CPUs, including the Core i3 N-series and several Xeon CPU families, have also been resolved. For additional information, please review the Intel Security Advisories:
To check whether you are impacted and to update your system, follow the instructions in the advisory. 12.4-092
Kea DHCP Server
12.4 061 Kea DHCP Server Date: 2025-12-20 Severity: High
In Kea-3.0.2, a security vulnerability was fixed that could allow for clients to crash the DHCP server. This issue is highly configuration dependent. Unfortunately though, the default BLFS configuration is affected because it uses Dynamic DNS updates. Users who are using the default BLFS configuration of Kea should update to 3.0.2 as soon as possible. 12.4-061
libaom
12.4 007 libaom Date: 2025-09-30 Severity: High
In libaom-3.13.1, a security vulnerability was fixed that could allow for remote code execution when playing a crafted AV1 file. The vulnerability is primarily known to be exploited in a web browser context, such as in QtWebEngine (with its embedded copy of Chromium). Update to libaom-3.13.1. 12.4-007
libarchive
12.4 037 libarchive Date: 2025-11-22 Severity: High
In libarchive-3.8.3, three security vulnerabilities were fixed that could allow for temporary file creation in an improper directory and buffer overruns. Update to libarchive-3.8.3. 12.4-037
12.4 024 libarchive Date: 2025-10-17 Severity: Medium
In libarchive-3.8.2, a security vulnerability was fixed that could allow for a malicious TAR file to cause a denial of service (application crash) or possibly other impacts when the contents of the TAR file is listed with a verbose value of '2'. An example provided by upstream is that a 100-byte buffer may not be sufficient for a custom locale. Update to libarchive-3.8.2 if you are using it to process TAR files. 12.4-024
libjxl
12.4 091 libjxl Date: 2026-02-11 Severity: High
In libjxl-0.11.2, two security vulnerabilities were fixed that could allow for a denial of service (application crash), information disclosure, or remote code execution. The first vulnerability occurs because a specially crafted file can cause libjxl's decoder to read pixel data from uninitialized memory by referencing an area outside the image bounds in a subsequent path. The other vulnerability occurs when decoding images that request a colorspace conversion, and particularly affects BLFS because of our usage of lcms2. All users who have libjxl installed should update immediately, as every context in which libjxl is used can be exploited. Update to libjxl-0.11.2. 12.4-091
libpcap
12.4 066 libpcap Date: 2025-12-31 Severity: Low
In libpcap-1.10.6, a security vulnerability was fixed that could allow for a denial of service (application crash) when applications call the pcap_ether_aton() function with crafted inputs. Upstream has rated the vulnerability as Low because the attack complexity is high and it requires root privileges to exploit. There is no reason to upgrade unless you are having crashes in Wireshark, umockdev, or nmap. Update to libpcap-1.10.6. 12.4-066
libpng
12.4 090 libpng Date: 2026-02-11 Severity: High
In libpng-1.6.55, a security vulnerability was fixed that could allow for information disclosure, remote code execution, and denial of service (application crashes). The vulnerability can be triggered by valid PNG files and lies in the png_set_quantize function. The issue is a heap buffer overflow, and can be exploited in any context where a system may load a PNG image. Unlike the other recent libpng security updates, this one affects low-level functions that many more applications use. Users who have libpng installed for any reason should update immediately. Update to libpng-1.6.55. 12.4-090
12.4 076 libpng Date: 2026-01-14 Severity: Medium
In libpng-1.6.54, two security vulnerabilities were fixed that could allow for heap buffer over-read operations. Update to libpng-1.6.54. 12.4-076
12.4 047 libpng Date: 2025-12-04 Severity: High
In libpng-1.6.52, a security vulnerability was fixed that could allow for heap buffer over-reads. This vulnerability, unlike previous libpng vulnerabilities, doesn't need a malformed PNG file to be triggered; instead, a valid image can trigger the issue. Update to libpng-1.6.52. 12.4-047
12.4 043 libpng Date: 2025-12-02 Severity: High
In libpng-1.6.51, four security vulnerabilities were fixed that could allow for heap buffer over-reads, overflows, and out-of-bounds reads. Update to libpng-1.6.51. 12.4-043
librsvg
12.4 098 librsvg Date: 2026-02-14 Severity: Medium
In librsvg-2.61.4, a security vulnerability was fixed in the 'time' crate that is used within librsvg that can allow for a denial of service condition (application crash) via stack exhaustion. Update to librsvg-2.61.4. 12.4-098
libsoup
12.4 034 libsoup Updated: 2025-12-05 Severity: High
There have been several security vulnerabilities found in libsoup-3.6.5. No new release has been made upstream, but the BLFS team has developed a patch to fix the vulnerabilities for which there are patches available. These vulnerabilities can allow for a remotely exploitable denial of service (excessive memory consumption and crashes), for cookie expiration logic to be bypassed (leading to unintended or persistent cookie behavior), for information disclosure in some circumstances, and for arbitrary code execution. Rebuild libsoup-3.6.5 with the patch, and also update to Epiphany-49.2 or later. 12.4-034
libtasn1
12.4 069 libtasn1 Date: 2026-01-14 Severity: High
In libtasn1-4.21.0, one security vulnerability was fixed that could allow for a stack buffer overflow. Update to libtasn1-4.21.0. 12.4-069
libxslt
12.4 051 libxslt Date: 2025-12-05 Severity: High
In libxslt-1.1.45, three security vulnerabilities were fixed that could allow for a denial of service (application crashes), memory corruption, or unexpected behavior. All three vulnerabilities can allow for a denial of service, but two of them also allow for type confusion. Update to libxslt-1.1.45, but read the instructions in the advisory if you are still using libxml2-2.14.x. 12.4-051
Node.js
12.4 071 Node.js Date: 2026-01-14 Severity: High
In Node.js-22.22.0, six security vulnerabilities were fixed that could allow for permission model bypassing, file system permission bypassing, timeout-based race conditions, read-only permission model bypassing, HTTP/2 server crashes, and process crashes. Update to Node.js-22.22.0. 12.4-071
OpenJDK
12.4 067 OpenJDK Date: 2026-01-07 Severity: High
In OpenJDK-21.0.9, three security vulnerabilities were fixed that could allow unauthenticated attackers to access any data on a system running a Java application, to create, modify, or delete data accessible to a Java application, and to cause remotely exploitable crashes. The data access vulnerability is under active exploitation and has been shown to be easy to exploit. The vulnerabilities are in the JAXP, Security, and Libraries components. None of them require any user interaction or authentication to exploit. BLFS 12.4 shipped with Java 24.0.2, but it is highly recommended that users downgrade to 21.0.9, as it is the current LTS and works with the applications in BLFS. Java 25 causes problems with Apache ANT, fop, and others, so the BLFS team has elected to downgrade to the 21.x series instead. No changes are required to other packages in the book to use this version of Java. Update to OpenJDK-21.0.9 or the prebuilt binaries. 12.4-067
OpenJPEG
12.4 009 OpenJPEG Date: 2025-09-30 Severity: Critical
In OpenJPEG-2.5.4, a security vulnerability was fixed that could allow for remote code execution when processing a crafted JPEG2000 file. The issue occurs due to an unbounded out-of-bounds write. Update to OpenJPEG-2.5.4. 12.4-009
OpenSSH
12.4 018 OpenSSH Date: 2025-10-10 Severity: Low
In OpenSSH-10.1p1, a security vulnerability was fixed that could allow for remote code execution in some configurations. Only users who have modified the default BLFS configuration and set ProxyCommand are vulnerable; the issue occurs because OpenSSH allowed control characters in usernames that originate from untrusted sources. If you haven't modified the default BLFS configuration, there is no need to upgrade (ssh -G followed by a host name prints the effective client configuration for that host, including any proxycommand). If you have set the ProxyCommand option, update to OpenSSH-10.1p1. 12.4-018
p11-kit
12.4 087 p11-kit Date: 2026-02-08 Severity: High
In p11-kit-0.26.2, a security vulnerability was fixed that could allow for a remotely exploitable denial of service. The vulnerability is in the C_DeriveKey function, and occurs when using specific NULL parameters. These parameters can be set when processing a remote token with specific IBM kyber or IBM btc derive mechanism parameters. While the issue only allows for a remotely exploitable denial of service, upstream has rated it as High because the attack complexity is low. Update to p11-kit-0.26.2. 12.4-087
PCRE2
12.4 004 PCRE2 Date: 2025-09-29 Severity: Medium
In PCRE2-10.46, a security vulnerability was fixed that can allow for information disclosure and a denial-of-service (application crash) when processing a crafted regular expression. This occurs when using the *ACCEPT and *scs: pattern features together, and upstream has noted that the issue can be used to escalate the severity of other security vulnerabilities in a system. Update to PCRE2-10.46, keeping in mind the note in the advisory about using the BLFS instructions since this package has been moved to LFS. 12.4-005
PHP
12.4 064 PHP Date: 2025-12-28 Severity: Medium
In PHP-8.5.1, four security vulnerabilities were fixed that could allow for information disclosure, heap buffer overflows, and denial of service conditions (resource exhaustion and crashes). One of these vulnerabilities occurs in a common component bundled with PHP that is also used by other packages not in BLFS, known as uriparser. The remainder of the issues occur in the PDO, Standard Library, and URI components. Users who have PHP installed for any reason are recommended to update to this version of PHP because of the vulnerabilities in the Standard Library. Update to PHP-8.5.1 (or alternatively, 8.4.16). 12.4-064
poppler
12.4 020 poppler Date: 2025-10-14 Severity: Medium
In poppler-25.10.0, a security vulnerability was fixed that could allow for a denial-of-service (application crash) when processing a crafted PDF file. Update to poppler-25.10.0, but note the caveats about packages that need to be adjusted in the consolidated advisory. 12.4-020
PostgreSQL
12.4 093 PostgreSQL Date: 2026-02-14 Severity: High
In PostgreSQL-18.2, five security vulnerabilities were fixed that could allow for memory disclosure, arbitrary code execution, and privilege escalation. Update to PostgreSQL-18.2 immediately if you are using PostgreSQL's server functionality, but there is no need to update if you are only using the client libraries. If you are on PostgreSQL-17 and you don't want to update your database to 18.x, update to PostgreSQL-17.8 as described in the consolidated advisory. 12.4-093
12.4 040 PostgreSQL Date: 2025-11-22 Severity: Medium
In PostgreSQL-18.1, two security vulnerabilities were fixed that could allow the check for the schema CREATE privilege to be skipped, and undersized allocations via integer wraparound. Update to PostgreSQL-18.1. If you are on PostgreSQL-17 and don't want to update your database to 18.x, update to PostgreSQL-17.7 instead as described in the consolidated advisory. 12.4-040
Python
12.4 088 Python (LFS and BLFS) Date: 2026-08-08 Severity: High
In Python-3.13.12 and Python-3.14.3, five security vulnerabilities were fixed that could allow for header injection: in Python's WSGI support whenever wsgiref.headers.Headers fields, values, or parameters contain a C0 control character; when http.cookies.Morsel is used with a control character in the cookie parameters; when newlines are supplied in data: URL media types; when flattening an email message using a modern email policy; and when using the BytesGenerator class from the email module. Note that these vulnerabilities primarily affect web server and email contexts, so users not using that functionality are not affected. If you are on Python 3.13, update to Python 3.13.12. If you are on Python 3.14, update to Python 3.14.3. 12.4-088
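All five issues share one root cause: a control character reaching a line-oriented protocol. The following Python is an added example, not CPython's fix, showing how a CR/LF inside a header value turns one Set-Cookie line into two headers when serialised without checks, and the check a hardened serialiser applies (names must be RFC 9110 tokens; values may contain HTAB but no other C0 control and no DEL). The same check belongs wherever cookie attributes or data: URL media types are rendered, since those end up on a header line too. The headers are constructed for the example.

```python
import re

# RFC 9110: field names are tokens; field values may contain HTAB but no other
# C0 control character and no DEL. CR and LF are the ones that split a line.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_BAD_IN_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def serialize_naive(headers):
    """Write each (name, value) pair straight onto the wire, no checks.

    This mirrors the pre-fix behaviour the advisory describes: a CR/LF inside
    a value simply becomes a line break in the response head.
    """
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def serialize_checked(headers):
    """Same output, but refuse any pair that could not be a single header line."""
    for name, value in headers:
        if not _TOKEN.match(name):
            raise ValueError(f"invalid header name {name!r}")
        if _BAD_IN_VALUE.search(value):
            raise ValueError(f"control character in value of {name}: {value!r}")
    return serialize_naive(headers)


def header_lines(wire: str):
    """Parse the head back the way a client would: one field per CRLF."""
    return [line for line in wire.split("\r\n") if line]


def sample_headers():
    """Constructed input: the second value carries an injected CRLF."""
    return [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123\r\nX-Injected: 1"),
    ]


if __name__ == "__main__":
    wire = serialize_naive(sample_headers())
    print(header_lines(wire))  # the client sees three headers, not two
    try:
        serialize_checked(sample_headers())
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping is the safer choice: silently removing the CR/LF would leave "session=abc123X-Injected: 1" as the cookie value, which hides the fact that untrusted data reached the header at all.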
12.4 063 Python (LFS and BLFS) Date: 2025-12-23 Severity: Medium
In Python-3.13.11 and Python-3.14.2, seven security vulnerabilities were fixed that could allow for acceptance of inconsistent zip64 central directory records, incorrect handling of maximum rows, missing support for the plaintext element, a missing linear-complexity guarantee when parsing legacy HTTP parameters, quadratic rather than linear complexity, and denial of service.
If you are on Python-3.13.x, update to Python-3.13.11. Meanwhile, if you are on Python-3.14.x, update to Python-3.14.2. 12.4-063
Qt6 and QtWebEngine
12.4 085 Qt6 Date: 2026-02-05 Severity: Critical
In Qt6-6.10.2 and QtWebEngine-6.10.2, fourteen security vulnerabilities were resolved that could allow for remote code execution, remote arbitrary file reads/writes, mark-of-the-web bypasses, sensitive information exfiltration via remote access to the network log file, and denial of service (application crashes). One of these issues is in the QtDeclarative component within Qt itself, while the other thirteen are in QtWebEngine. The QtWebEngine issues are vulnerabilities fixed in the bundled copy of Chromium, affecting its ANGLE, V8, WebRTC, Loader, Media Stream, Downloads, and Network components. Update to Qt6 and QtWebEngine 6.10.2 immediately. 12.4-085
12.4 035 Qt6 Date: 2025-11-22 Severity: Critical
In Qt6-6.10.1 and QtWebEngine-6.10.1, twenty-three security vulnerabilities were fixed that could allow for stack and heap buffer overflows, heap corruption, object corruption, out-of-bounds memory reads, remote privilege escalation, remote reading and writing of files on the filesystem, remote denial of service, remote code execution, domain spoofing, use-after-free operations, information leakage, and sandbox escapes. One of these is actively exploited. Most of the vulnerabilities affect QtWebEngine, but some components in Qt6 are affected by some of them. Users are advised to update Qt6 and QtWebEngine to 6.10.1 immediately. 12.4-035
12.4 013 QtWebEngine Date: 2025-10-02 Severity: Critical
In QtWebEngine-6.9.3, fifteen security vulnerabilities were fixed that could allow for remote code execution, information leakage, and content security policy bypasses. At least three of these vulnerabilities are known to be under active exploitation, and users are advised to update QtWebEngine immediately, even if it is only used as a build dependency. Update to QtWebEngine-6.9.3. 12.4-013
rsync
12.4 039 rsync Date: 2025-11-22 Severity: Medium
A patch for rsync-3.4.1 fixes a security vulnerability that could allow for an out-of-bounds heap buffer read through a negative array index. This can be triggered by a client acting as the receiver of an rsync file transfer who has read access to the remote rsync module. Rebuild rsync-3.4.1 with the security patch as described in the consolidated advisory. 12.4-039.
Ruby
12.4 065 Ruby Date: 2025-12-31 Severity: Low
In Ruby-3.4.8, a security vulnerability was fixed in the bundled REXML gem that can allow for a denial of service condition (application crash). The vulnerability can occur when parsing XML that has multiple XML declarations, but users are unaffected unless they are processing untrusted XML files through Ruby. Update to Ruby-3.4.8 if you are processing untrusted XML files and notice crashes. 12.4-065
12.4 019 Ruby Date: 2025-10-10 Severity: High
In Ruby-3.4.7, a security vulnerability was fixed that could allow for credential leakage to occur when using the URI gem. This occurs when using the + operator to combine URIs. If you are using Subversion with the Ruby bindings, or using the URI gem, update to Ruby-3.4.7. There is no reason to upgrade otherwise. 12.4-019
Samba
12.4 032 Samba Date: 2025-11-07 Severity: Critical
In Samba-4.23.3, two security vulnerabilities were fixed that could allow for uninitialized memory disclosure and for command injection in some configurations. Note that the default BLFS configuration is NOT affected, but some obscure configurations may be. If your configuration includes a domain controller with the WINS server enabled and the "wins hook" option set, you need to update your server immediately. If your configuration has the streams_xattr VFS object enabled, you also need to update your server immediately. If you are not using either of these configurations, there is no need to update. Otherwise, update to Samba-4.23.3. 12.4-032
Seamonkey
12.4 075 Seamonkey Date: 2026-01-14 Severity: High
In Seamonkey-2.53.23, nineteen security vulnerabilities were fixed that could allow for race conditions, mitigation bypassing, use-after-free operations, spoofing, incorrect boundary conditions, same-origin policy bypassing, sandbox escapes, privilege escalations, JIT miscompilations, and memory safety exploitation. Update to Seamonkey-2.53.23. 12.4-075
12.4 030 Seamonkey Updated: 2025-11-07 Severity: Critical
In Seamonkey-2.53.22, 18 security vulnerabilities were fixed that could allow for incorrect error handling of script execution, local code execution, double-free and use-after-free operations leading to memory manipulation and arbitrary code execution (ACE), exposure of persistent UUIDs, partial return value stack writes, truncated instructions, incorrect JavaScript state machines, memory safety bugs, sandbox escapes, same-origin policy bypasses, integer overflows, out-of-bounds reads/writes in privileged processes, cross-process information leakage, and non-writable objects being left in a writable state. Due to the critical nature of this update, from protecting against ACE to sandbox escapes, please update to Seamonkey-2.53.22 immediately. 12.4-030
SpiderMonkey
12.4 073 SpiderMonkey Date: 2025-12-16 Severity: High
In SpiderMonkey from Firefox-140.7.0esr, five security vulnerabilities were fixed that could allow for sandbox escapes and use-after-free operations. Update to SpiderMonkey from Firefox-140.7.0esr. 12.4-073
12.4 059 SpiderMonkey Date: 2025-12-16 Severity: High
In SpiderMonkey from Firefox-140.6.0esr, three security vulnerabilities were fixed that could allow for sandbox escapes and JIT miscompilations. Update to SpiderMonkey from Firefox-140.6.0esr. 12.4-059
12.4 046 SpiderMonkey Date: 2025-12-02 Severity: High
In SpiderMonkey from Firefox-140.5.0esr, one security vulnerability was fixed that could allow for incorrect boundary conditions in the JavaScript WebAssembly component. Update to SpiderMonkey from Firefox-140.5.0esr. 12.4-046
12.4 002 SpiderMonkey Date: 2025-09-19 Severity: Medium
In SpiderMonkey from Firefox-140.3.0esr, one security vulnerability was fixed that could allow for exploitation of incorrect boundary conditions. Update to SpiderMonkey from Firefox-140.3.0esr. 12.4-002
Thunderbird
12.4 081 Thunderbird Date: 2026-02-04 Severity: Medium
In Thunderbird-140.7.1esr, one security vulnerability was fixed that could allow for modification or transfer of data from CSS in a partially encrypted email once remote content is allowed. Update to Thunderbird-140.7.1esr. 12.4-081
12.4 074 Thunderbird Date: 2026-01-14 Severity: High
In Thunderbird-140.7.0esr, thirteen security vulnerabilities were fixed that could allow for spoofing, mitigation bypassing, sandbox escapes, use-after-free operations, information disclosure, incorrect boundary conditions, clickjacking, and memory safety exploitation. Update to Thunderbird-140.7.0esr. 12.4-074
12.4 057 Thunderbird Date: 2025-12-16 Severity: High
In Thunderbird-140.6.0esr, ten security vulnerabilities were fixed that could allow for use-after-free operations, sandbox escapes, privilege escalation, JIT miscompilations, same-origin bypasses, and memory safety issues. Update to Thunderbird-140.6.0esr. 12.4-057
12.4 044 Thunderbird Date: 2025-12-02 Severity: High
In Thunderbird-140.5.0esr, nine security vulnerabilities were fixed that could allow for race conditions, incorrect boundary conditions in the JavaScript WebAssembly component, same-origin policy bypassing, mitigation bypassing, use-after-free operations, and spoofing. Update to Thunderbird-140.5.0esr. 12.4-044
12.4 023 Thunderbird Date: 2025-10-16 Severity: High
In Thunderbird-140.4.0esr, 8 security vulnerabilities were fixed that could allow for use-after-free operations, out-of-bounds reading/writing, information leakage, modification of non-writable object properties, overriding of browser behavior, potential user-assisted code execution, and exploitation of memory safety bugs. Update to Thunderbird-140.4.0esr. 12.4-023
12.4 003 Thunderbird Date: 2025-09-19 Severity: High
In Thunderbird-140.3.0esr, 7 security vulnerabilities have been fixed that could allow for sandbox escapes, same-origin policy bypasses, exploitation of incorrect boundary conditions, integer overflows, networking information disclosure, and memory safety bugs. Update to Thunderbird-140.3.0esr. 12.4-003
Unbound
12.4 050 Unbound Date: 2025-12-04 Severity: Medium
In Unbound-1.24.2, the cache poisoning vulnerability that Unbound-1.24.1 was thought to have fixed, but did not, was actually fixed. Please see SA-12.4-026 for more information about the vulnerability. Update to Unbound-1.24.2 if you are currently using it. 12.4-050
12.4 026 Unbound Date: 2025-11-04 Severity: Medium
In Unbound-1.24.1, a security vulnerability was fixed that could allow for cache poisoning attacks. The vulnerability occurs because promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers into updating their delegation information for the zone. Unbound fixed this by scrubbing unsolicited NS RRSets as well as their respective address records from replies, which mitigates this possibility. Update to Unbound-1.24.1 if you are currently using it. 12.4-026
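The scrubbing step described in the entry above, written out as an added example (this is not Unbound's code, and the reply structures, names and addresses are constructed for the demonstration). It assumes the rule that an NS RRset is "unsolicited" when it appears in the authority section of a reply that already answers the query, i.e. a reply that is not a referral; NS records in a genuine referral are left alone, because delegations are exactly where they belong. Address records in the additional section whose owner is one of the dropped NS targets are removed with them, so the glue cannot update the resolver's delegation information either.

```c
/* Added example of scrubbing unsolicited NS RRsets and their glue from a
 * resolver reply. Not Unbound's code; the "non-referral" rule and all sample
 * records are assumptions constructed for this illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_RRS 8
#define NAME_LEN 64

typedef enum { RR_A, RR_AAAA, RR_NS, RR_OTHER } rr_type;

typedef struct {
    char owner[NAME_LEN];  /* owner name, lower case, trailing dot */
    rr_type type;
    char rdata[NAME_LEN];  /* NS target name, or address text for A/AAAA */
} rr;

typedef struct {
    rr answer[MAX_RRS];     int n_answer;
    rr authority[MAX_RRS];  int n_authority;
    rr additional[MAX_RRS]; int n_additional;
} dns_reply;

/* A referral carries no answer; the NS records in its authority section
 * are the delegation the resolver actually asked for. */
static int is_referral(const dns_reply *r) { return r->n_answer == 0; }

/* Drop NS RRs from the authority section of a non-referral reply, and drop
 * A/AAAA records in the additional section owned by a dropped NS target.
 * Returns the number of RRs removed. */
int scrub_unsolicited_ns(dns_reply *r)
{
    char dropped[MAX_RRS][NAME_LEN];
    int n_dropped = 0, removed = 0, keep = 0;

    if (is_referral(r))
        return 0;
    for (int i = 0; i < r->n_authority; i++) {
        if (r->authority[i].type == RR_NS) {
            snprintf(dropped[n_dropped++], NAME_LEN, "%s", r->authority[i].rdata);
            removed++;
        } else {
            r->authority[keep++] = r->authority[i];
        }
    }
    r->n_authority = keep;

    keep = 0;
    for (int i = 0; i < r->n_additional; i++) {
        rr *a = &r->additional[i];
        int glue = 0;
        if (a->type == RR_A || a->type == RR_AAAA)
            for (int j = 0; j < n_dropped; j++)
                if (strcmp(a->owner, dropped[j]) == 0) { glue = 1; break; }
        if (glue) removed++; else r->additional[keep++] = *a;
    }
    r->n_additional = keep;
    return removed;
}

static void add_rr(rr *sec, int *n, const char *owner, rr_type t, const char *rdata)
{
    snprintf(sec[*n].owner, NAME_LEN, "%s", owner);
    sec[*n].type = t;
    snprintf(sec[*n].rdata, NAME_LEN, "%s", rdata);
    (*n)++;
}

/* Constructed sample: an answer for www.example.test. that also carries an
 * unsolicited NS RRset for example.test. plus glue for the bogus server. */
dns_reply build_poisoned_answer(void)
{
    dns_reply r; memset(&r, 0, sizeof r);
    add_rr(r.answer, &r.n_answer, "www.example.test.", RR_A, "192.0.2.10");
    add_rr(r.authority, &r.n_authority, "example.test.", RR_NS, "ns.evil.test.");
    add_rr(r.additional, &r.n_additional, "ns.evil.test.", RR_A, "198.51.100.1");
    add_rr(r.additional, &r.n_additional, "www.example.test.", RR_OTHER, "opt");
    return r;
}

/* Constructed sample: a legitimate referral, which must be left intact. */
dns_reply build_referral(void)
{
    dns_reply r; memset(&r, 0, sizeof r);
    add_rr(r.authority, &r.n_authority, "example.test.", RR_NS, "ns1.example.test.");
    add_rr(r.additional, &r.n_additional, "ns1.example.test.", RR_A, "192.0.2.53");
    return r;
}

/* Convenience wrappers reporting what the scrub removed from each sample. */
int scrub_poisoned_answer(void) { dns_reply r = build_poisoned_answer(); return scrub_unsolicited_ns(&r); }
int scrub_referral(void)        { dns_reply r = build_referral();        return scrub_unsolicited_ns(&r); }
int additional_left_after_scrub(void) { dns_reply r = build_poisoned_answer(); scrub_unsolicited_ns(&r); return r.n_additional; }

int main(void)
{
    printf("poisoned answer: %d RRs scrubbed\n", scrub_poisoned_answer());
    printf("referral: %d RRs scrubbed\n", scrub_referral());
    return 0;
}
```

The NS record and its glue A record are both removed from the answer-carrying reply (two RRs), while the unrelated OPT-like record in the additional section and every record of the referral survive.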
urllib3
12.4 096 urllib3 Date: 2026-02-14 Severity: High
In urllib3-2.6.3, a security vulnerability was fixed that could allow for a denial of service (application crash and excessive resource consumption) when following HTTP redirects. Update to urllib3-2.6.3. 12.4-096
12.4 053 urllib3 Date: 2025-12-05 Severity: High
In urllib3-2.6.0, two security vulnerabilities were fixed that could allow for a trivial remotely-exploitable denial of service. The issues occur when decompressing and processing data. Upstream notes that users should update to Brotli-1.2.0 as well. Update to urllib3-2.6.0. 12.4-053
vim
12.4 095 vim (LFS and BLFS) Date: 2026-02-14 Severity: Medium
In vim-9.1.2144, a security vulnerability was fixed that could allow for a denial of service (application crash) or possibly arbitrary code execution when the 'helpfile' option is passed to vim. When processing vim helpfile tags, vim copies the user-controlled 'helpfile' option into a fixed-size heap buffer using an unsafe STRCPY() function without any boundary checking. Users who do not use the 'helpfile' option are not affected, and user interaction is required to exploit the vulnerability. Update to vim-9.1.2144 if you use the helpfile option. 12.4-095
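The bug class named in the entry above (an unchecked STRCPY() of a user-controlled string into a fixed-size heap buffer), shown beside the bounded copy that fixes it. This is an added example, not vim's code; the 64-byte buffer size, the function names and the sample option values are constructed for the illustration.

```c
/* Added example: unbounded strcpy() into a fixed-size heap buffer versus a
 * length-checked copy. Not vim's code; TAG_BUF_SIZE and all names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_BUF_SIZE 64   /* constructed fixed buffer size, not vim's */

/* Vulnerable pattern: the copy writes strlen(opt)+1 bytes no matter how
 * large the destination is. It is only ever called below with an input
 * that fits, so the demonstration itself stays memory-safe. */
char *copy_option_unchecked(const char *opt)
{
    char *buf = malloc(TAG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, opt);  /* no boundary check against TAG_BUF_SIZE */
    return buf;
}

/* Hardened pattern: measure first, refuse anything that does not fit,
 * then copy exactly the bytes that were measured (including the NUL). */
char *copy_option_checked(const char *opt)
{
    size_t len = strlen(opt);
    if (len >= TAG_BUF_SIZE)
        return NULL;            /* caller treats NULL as "option rejected" */
    char *buf = malloc(TAG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, opt, len + 1);
    return buf;
}

/* Returns 1 if the hardened copy accepted the option, 0 if it refused it. */
int option_accepted(const char *opt)
{
    char *buf = copy_option_checked(opt);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}

/* Builds a constructed over-long option of n non-NUL bytes. */
char *make_long_option(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *longopt = make_long_option(200);
    printf("short option accepted: %d\n", option_accepted("help.txt"));
    printf("200-byte option accepted: %d\n", option_accepted(longopt));
    /* copy_option_unchecked(longopt) would write past the 64-byte buffer. */
    free(longopt);
    return 0;
}
```

The checked variant rejects the 200-byte option instead of copying it, which is the behaviour a caller should expect from any routine that receives user-controlled option strings.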
VLC
12.4 070 VLC Date: 2026-01-14 Severity: Critical
In VLC-3.0.23, twenty-two security vulnerabilities were fixed that could allow for out-of-bounds reads and writes, invalid memory freeing operations, stack overflows, integer overflows, NULL dereferences, undefined shifting, infinite loops, buffer overflows, and multiple-format overflows. Since so many vulnerabilities were fixed, it is highly recommended to update immediately to VLC-3.0.23. 12.4-070
WebKitGTK
12.4 060 WebKitGTK Date: 2025-12-16 Severity: Critical
In WebKitGTK-2.50.4, seven security vulnerabilities were fixed that could allow for memory corruption, crashes (Denial of Service), and arbitrary code execution (ACE). The ACE issue is actively exploited and documented by both Apple and CISA (Cybersecurity & Infrastructure Security Agency). As the ACE issue is actively exploited and is critical in nature on its own, update IMMEDIATELY to WebKitGTK-2.50.4. 12.4-060
12.4 054 WebKitGTK Date: 2025-12-05 Severity: Critical
In WebKitGTK-2.50.3, twenty-two security vulnerabilities were fixed that could allow for a remotely exploitable denial of service, remote code execution, arbitrary code execution, cross-origin data exfiltration, access to sensor information without a user's consent, information disclosure, sensitive system information disclosure, and cross-origin image exfiltration. These issues are due to a variety of problems including use-after-frees, out-of-bounds reads/writes, buffer overflows, and more. Most of them have been resolved with improved cache, state, and memory handling. Update to WebKitGTK-2.50.3 immediately. 12.4-054
Wireshark
12.4 048 Wireshark Date: 2025-12-04 Severity: Medium
In Wireshark-4.6.2, two security vulnerabilities were fixed that could allow for a denial of service (application crash) when processing crafted packets on a network that uses the HTTP/3 or MEGACO protocols. Note that this could also be triggered by a user opening a crafted packet capture file. The only known impact, though, is an application crash, so if you are not processing HTTP/3 or MEGACO traffic, there is no need to update. Update to Wireshark-4.6.2 if you are using either of these protocols. 12.4-048
12.4 036 Wireshark Date: 2025-11-22 Severity: Low
In Wireshark-4.6.1, two security vulnerabilities were fixed that could allow for crashes in the BPv7 and Kafka dissectors. Update to Wireshark-4.6.1. 12.4-036
12.4 011 Wireshark Date: 2025-09-30 Severity: Low
In Wireshark-4.4.9, a security vulnerability was fixed that could allow for a denial of service (application crash) when processing a crafted SSH packet. This can occur both during live packet captures and when reading a previously saved PCAP file. Update to Wireshark-4.4.9 if you use Wireshark to dissect SSH packets. 12.4-011
xkbcomp
12.4 052 xkbcomp Date: 2025-12-05 Severity: Medium
In xkbcomp-1.5.0, four security vulnerabilities were fixed that could allow for a denial of service (application crashes). One of the issues is due to endless recursion, while the other three are due to NULL pointer dereferences. All of these vulnerabilities can be exploited by passing an invalid X Keyboard Map to xkbcomp, but the only known impact is a crash of the xkbcomp application. Update to xkbcomp-1.5.0 if you are experiencing crashes when processing keyboard maps. 12.4-052
Xorg-Server
12.4 028 Xorg-Server Date: 2025-11-04 Severity: High
In Xorg-Server-21.1.20, three security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service when using the X11 Present extension, when removing the Xkb resources for a client, and when using the XkbSetCompatMap() function. These issues are all due to use-after-free vulnerabilities. Update to Xorg-Server-21.1.20. If you use the server from TigerVNC, also rebuild it against Xorg-Server-21.1.20. 12.4-028
Xwayland
12.4 029 Xwayland Date: 2025-11-04 Severity: High
In Xwayland-24.1.9, three security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service when using the X11 Present extension, when removing the Xkb resources for a client, and when using the XkbSetCompatMap() function. Update to Xwayland-24.1.9. 12.4-029