LFS Security Advisories for LFS 12.4.
LFS-12.4 was released on 2025-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the latest advisories come first.
The links at the end of each item point to additional details which have links to the released books.
Glibc
Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.
12.4 079 glibc (LFS) Updated: 2026-03-06 Severity: High
In glibc-2.43, three security vulnerabilities were fixed that could allow for heap corruption when using the memalign() function, for stack contents to be leaked to a DNS resolver when using getnetbyaddr() and getnetbyaddr_r(), and for uninitialized memory to be returned when using wordexp() with WRDE_REUSE and WRDE_APPEND. Updating to glibc-2.43 on an LFS 12.4 system can be challenging because it will cause numerous build failures, as well as memory corruption problems in glib2 and problems with valgrind. Users who cannot upgrade to LFS 13.0 are recommended to apply the security patch that was developed by the editors. Update to glibc-2.43 or apply the patch that was developed by the editors. 12.4-079
Expat
12.4 086 Expat (LFS) Date: 2026-02-08 Severity: Medium
In Expat-2.7.4, two security vulnerabilities were fixed that could allow for a denial of service (application crash) or for remote code execution. These vulnerabilities are in the doContent and XML_ExternalEntityParserCreate functions. Update to Expat-2.7.4. 12.4-086
12.4 005 Expat (LFS) Date: 2025-09-30 Severity: High
In Expat-2.7.3, a security vulnerability was fixed that can allow for a denial of service (system out-of-memory condition) when parsing an XML document. The issue is known to be exploited easily and reliably. It was fixed by preventing the use of disproportionate amounts of dynamic memory within an Expat parser context. All users are recommended to update to Expat-2.7.3 because of the number of places where Expat can be used, including in contexts such as web browsers where untrusted input is processed. 12.4-005
OpenSSL
12.4 078 OpenSSL (LFS) Date: 2026-02-01 Severity: High
In OpenSSL-3.6.1, twelve security vulnerabilities were fixed that could allow for denial of service (DOS) attacks, stack buffer overflows, NULL dereferencing operations, input truncation, excessive memory allocation, out-of-bounds write operations, trailing bytes, missing validation for ASN1, NULL pointer dereferencing operations, and type confusion. Update to OpenSSL-3.6.1 (or 3.5.5). 12.4-078
12.4 012 OpenSSL (LFS) Date: 2025-10-01 Severity: Medium
In OpenSSL-3.5.4, three security vulnerabilities were fixed that could allow for denial of service (application crashes), arbitrary code execution, and private key recovery on ARM64 platforms. Update to OpenSSL-3.5.4. 12.4-012
Python
12.4 088 Python (LFS and BLFS) Date: 2026-08-08 Severity: High
In Python-3.11.12 and Python-3.14.2, five security vulnerabilities were fixed that could allow for header injection within Python's WSGI support whenever wsgiref.headers.Headers fields, values, and parameters are supplied a C0 control character, for header injection to occur whenever the http.cookie.Morsel function is used with a control character within the cookie parameters, for header injection whenever newlines are supplied in data: URL media types, for header injection when flattening an email message using a modern email policy, and for header injection when using the BytesGenerator class from the "email" module. Note that these vulnerabilities primarily affect web server and email contexts, so users not using that functionality are not affected by these vulnerabilities. If you are on Python 3.13, update to Python 3.13.12. If you are on Python 3.14, update to Python 3.14.3. 12.4-088
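The header-injection issues above all share one root cause: a C0 control character (in particular CR or LF) reaching an HTTP or MIME header line, where it terminates the current header and starts a new one. The following is an added example, not code from the LFS advisory or from CPython, showing the check a deployment can apply as a backstop in front of an application: a WSGI middleware (the names HeaderGuard, bad_headers, redirect_app and run_app are assumptions for the demo) that refuses to emit any response header containing a C0 control character or DEL. The sample application and the sample query string are constructed for the demonstration.

```python
"""Defensive control-character check for WSGI response headers.

Added example (not part of the LFS advisory or of CPython). The class and
function names are assumptions chosen for this demo.
"""
import re
from typing import Callable, Iterable, List, Tuple
from urllib.parse import parse_qs

Header = Tuple[str, str]

# C0 control characters (0x00-0x1F) and DEL (0x7F) have no place in a header
# line; CR and LF are the two that turn one header into several.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(text: str) -> bool:
    """Return True if `text` contains a C0 control character or DEL."""
    return _CTRL_RE.search(text) is not None


def bad_headers(headers: Iterable[Header]) -> List[Header]:
    """Return every (name, value) pair that contains a control character."""
    return [(n, v) for n, v in headers
            if has_control_chars(n) or has_control_chars(v)]


class HeaderGuard:
    """WSGI middleware that refuses to emit headers containing control characters.

    When the wrapped application hands over a tainted header list, the guard
    sends a plain 500 instead and discards the application's body, so no
    header line influenced by the tainted input reaches the client.
    Assumes the wrapped app calls start_response before returning, as
    list-returning WSGI apps do.
    """

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        rejected: List[Header] = []

        def guarded(status, headers, exc_info=None):
            tainted = bad_headers(headers)
            if tainted:
                rejected.extend(tainted)
                return start_response("500 Internal Server Error",
                                      [("Content-Type", "text/plain")], exc_info)
            return start_response(status, headers, exc_info)

        result = self.app(environ, guarded)
        if rejected:
            if hasattr(result, "close"):
                result.close()
            return [b"response rejected: control character in header\n"]
        return result


def redirect_app(environ, start_response):
    """Constructed sample app: copies a query parameter into Location unvalidated.

    This is the weak pattern; the guard above is what stops it from mattering.
    """
    target = parse_qs(environ.get("QUERY_STRING", "")).get("next", ["/"])[0]
    start_response("302 Found", [("Location", target)])
    return [b""]


def run_app(app, query_string: str = ""):
    """Drive a WSGI app with a minimal fake server; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app({"QUERY_STRING": query_string}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed inputs: a benign redirect target and one carrying CR LF.
    for query in ("next=/home", "next=/home%0D%0AX-Injected:%201"):
        print("unguarded:", run_app(redirect_app, query)[:2])
        print("guarded:  ", run_app(HeaderGuard(redirect_app), query)[:2])
```

The guard is a backstop, not a replacement for the update: the same class of value (cookie attributes built with http.cookies, message headers flattened by the email package) never passes through a WSGI start_response, so those paths are only fixed by running the patched Python. The check itself, rejecting any C0 control character rather than only CR and LF, matches the scope of the fixes described in the advisory.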
12.4 063 Python (LFS and BLFS) Date: 2025-12-23 Severity: Medium
In Python-3.13.11 and Python-3.14.2, seven security vulnerabilities were fixed that could allow for accepting inconsistent zip64 central directory records, incorrect handling of maximum rows, lack of support for the plaintext element, unensured linear complexity when parsing legacy HTTP parameters, incorrect quadratic complexity, and denial of service. If you are on Python-3.13.x, update to Python-3.13.11. If you are on Python-3.14.x, update to Python-3.14.2. 12.4-063
vim
12.4 108 vim (LFS and BLFS) Date: 2026-03-01 Severity: Medium
In vim-9.2.0078, six security vulnerabilities were fixed that could allow for command injection, heap and stack buffer overflows and underflows, out-of-bounds read operations, and denial of service (DOS) via improper input validation. Update to vim-9.2.0078. 12.4-108
12.4 095 vim (LFS and BLFS) Date: 2026-02-14 Severity: Medium
In vim-9.1.2144, a security vulnerability was fixed that could allow for a denial of service (application crash) or possibly arbitrary code execution when the 'helpfile' option is passed to vim. When processing vim helpfile tags, vim copies the user-controlled 'helpfile' option into a fixed-size heap buffer using an unsafe STRCPY() function without any boundary checking. Users who do not use the 'helpfile' option are not affected, and user interaction is required to exploit the vulnerability. Update to vim-9.1.2144 if you use the helpfile option. 12.4-095
zlib
12.4 099 zlib (LFS) Date: 2026-02-20 Severity: High
In zlib-1.3.2, ten security vulnerabilities were fixed that could allow for arbitrary code execution, uninitialized memory disclosure, and for denial of service attacks (some of which can be persistent). The issues were discovered by 7asecurity, who recently performed a security audit on zlib. Update to zlib-1.3.2. 12.4-099