BLFS Security Advisories for BLFS 13.0 and the current development books.

BLFS-13.0 was released on 2026-03-05

This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.

The links at the end of each item point to more details which have links to the development books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

BIND

13.0 002 BIND Date: 2026-03-06 Severity: Low

In BIND-9.20.20, a security vulnerability was fixed in the delv utility that could allow for a remotely exploitable crash in the dns_client_resolve() function, triggered by a DNAME response. The issue is due to a use after free, and exploitation relies on a user passing a very rare set of options. The only known impact is a crash, and the issue requires user interaction to exploit, so upstream has rated the vulnerability as Low. This utility is only installed in a full BIND installation, and does NOT affect the BIND Utilities package in BLFS. If you are not experiencing crashes in the 'delv' utility, there is no need to upgrade. Update to BIND-9.20.20. 13.0-002

Exiv2

13.0 004 Exiv2 Date: 2026-03-06 Severity: Low

In Exiv2-0.28.8, three security vulnerabilities were fixed that could allow for a denial of service (application crash) when using the exiv2 command line tool. The library itself is not affected. Users who use the preview component (e.g. passing '-pp' to the exiv2 command line tool) or who process CRW videos should update, as the issues only affect those use cases. There is no need to update otherwise. Update to Exiv2-0.28.8. 13.0-004

FreeRDP

13.0 001 FreeRDP Date: 2026-03-06 Severity: High

In FreeRDP-3.23.0, twelve security vulnerabilities were fixed that could allow for remotely exploitable client and server crashes, information disclosure, and remote code execution. This can occur in a large variety of situations, including when using the clipboard redirection feature, connecting to a server, and resizing the window. Users who have FreeRDP installed should consider updating immediately if they connect to untrusted servers or are hosting a publicly-accessible RDP server. Update to FreeRDP-3.23.0. 13.0-001

FreeType

13.0 003 FreeType2 Date: 2026-03-06 Severity: Medium

In FreeType-2.14.2, a security vulnerability was fixed that could allow for arbitrary code execution, information disclosure, or a denial of service (application crash) when processing the HVAR, VVAR, or MVAR tables in an OpenType variable font. The problem is an out-of-bounds read caused by an integer overflow. This update also contains several other fixes for other potential security problems, and upstream recommends that all users update to this version of FreeType. Update to FreeType-2.14.2. 13.0-003

libxml2

13.0 005 libxml2 Date: 2026-03-06 Severity: Medium

In libxml2-2.15.2, five security vulnerabilities were fixed that could allow for a denial of service (resource exhaustion and application crashes) in the following cases: when using the xmllint utility in some rare conditions; when an application calls the xmlCatalogXMLResolveURI function and an XML catalog contains a URI entry that references itself; when processing XML catalogs with repeated nextCatalog elements pointing to the same downstream catalog; when parsing XSL nodes; and when using the RelaxNG parser to include external schemas. Update to libxml2-2.15.2. 13.0-005