LFS Security Advisories for LFS 12.4.

LFS-12.4 was released on 2025-09-01

This page is in alphabetical order of packages; if a package has multiple advisories, the newer ones come first.

The links at the end of each item point to fuller details which have links to the development books.

Glibc

Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.

12.4 079 glibc (LFS) Date: 2026-02-01 Severity: High

In glibc-2.43, four security vulnerabilities were fixed that could allow for buffer overflows, failure to save and restore nonvolatile vectors, and double-free operations. Update to glibc-2.43. 12.4-079

Expat

12.4 086 Expat (LFS) Date: 2026-02-08 Severity: Medium

In Expat-2.7.4, two security vulnerabilities were fixed that could allow for a denial of service (application crash) or for remote code execution. These vulnerabilities are in the doContent and XML_ExternalEntityParserCreate functions. Update to Expat-2.7.4. 12.4-086

12.4 005 Expat (LFS) Date: 2025-09-30 Severity: High

In Expat-2.7.3, a security vulnerability was fixed that can allow for a denial of service (system out-of-memory condition) when parsing an XML document. The issue is known to be exploited easily and reliably. It was fixed by preventing the use of disproportionate amounts of dynamic memory within an Expat parser context. All users are recommended to update to Expat-2.7.3 because of the number of places in which Expat can be used, including contexts such as web browsers where untrusted input is processed. 12.4-005

OpenSSL

12.4 078 OpenSSL (LFS) Date: 2026-02-01 Severity: High

In OpenSSL-3.6.1, twelve security vulnerabilities were fixed that could allow for denial of service (DoS) attacks, stack buffer overflows, NULL dereferencing operations, input truncation, excessive memory allocation, out-of-bounds write operations, trailing bytes, missing validation for ASN.1, NULL pointer dereferencing operations, and type confusion. Update to OpenSSL-3.6.1 (or 3.5.5). 12.4-078

12.4 012 OpenSSL (LFS) Date: 2025-10-01 Severity: Medium

In OpenSSL-3.5.4, three security vulnerabilities were fixed that could allow for denial of service (application crashes), arbitrary code execution, and private key recovery on ARM64 platforms. Update to OpenSSL-3.5.4. 12.4-012

Python

12.4 088 Python (LFS and BLFS) Date: 2026-08-08 Severity: High

In Python-3.11.12 and Python-3.14.2, five security vulnerabilities were fixed, all of them header injection issues: in Python's WSGI support, whenever wsgiref.headers.Headers fields, values, or parameters are supplied a C0 control character; in the http.cookie.Morsel function, whenever it is used with a control character within the cookie parameters; in data: URL media types, whenever newlines are supplied; when flattening an email message using a modern email policy; and when using the BytesGenerator class from the "email" module. Note that these vulnerabilities primarily affect web server and email contexts, so users not using that functionality are not affected. If you are on Python 3.13, update to Python 3.13.12. If you are on Python 3.14, update to Python 3.14.3. 12.4-088
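All five issues in the advisory above are the same failure class: a C0 control character (including CR and LF) reaching a header line unfiltered. The following is an added example, not CPython's own fix and not code from the LFS project, of an application-boundary check that rejects such characters before a header is built; the header pairs it validates are constructed sample data.

```python
"""Reject C0 control characters in header names and values.

Added example for the LFS 12.4 Python advisory; this is not the
interpreter's fix (update Python for that) but a defence-in-depth
check an application can apply to header data it assembles itself.
"""
from typing import Iterable, List, Tuple

# C0 controls are U+0000..U+001F; DEL (U+007F) is rejected as well.
_FORBIDDEN = set(range(0x00, 0x20)) | {0x7F}


def find_control_chars(text: str) -> List[int]:
    """Return the offsets of every forbidden control character in text."""
    return [i for i, ch in enumerate(text) if ord(ch) in _FORBIDDEN]


def safe_header(name: str, value: str) -> Tuple[str, str]:
    """Return (name, value) unchanged, or raise ValueError if either part
    contains a control character that could terminate or split a line."""
    for label, part in (("name", name), ("value", value)):
        bad = find_control_chars(part)
        if bad:
            raise ValueError(
                f"control character at offset {bad[0]} in header {label}: {part!r}"
            )
    return name, value


def validate_headers(pairs: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Validate a whole header list; rejects the first bad pair it meets."""
    return [safe_header(n, v) for n, v in pairs]


# Constructed sample data: one clean list and one carrying a CR/LF in a value.
CLEAN_HEADERS = [("Content-Type", "text/plain; charset=utf-8"),
                 ("Set-Cookie", "session=abc123; Path=/")]
TAINTED_HEADERS = [("Content-Type", "text/plain"),
                   ("Set-Cookie", "session=abc\r\ninjected")]

if __name__ == "__main__":
    print(validate_headers(CLEAN_HEADERS))
    try:
        validate_headers(TAINTED_HEADERS)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately stricter than a CR/LF-only filter, because the advisory lists bare C0 control characters as the trigger, not just line terminators.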

12.4 063 Python (LFS and BLFS) Date: 2025-12-23 Severity: Medium

In Python-3.13.11 and Python-3.14.2, seven security vulnerabilities were fixed that could allow for accepting inconsistent zip64 central directory records, incorrect handling of maximum rows, lack of support for the plaintext element, unensured linear complexity for parsing legacy HTTP parameters, incorrect quadratic complexity, and denial of service.

If you are on Python-3.13.x, update to Python-3.13.11. If you are on Python-3.14.x, update to Python-3.14.2. 12.4-063

vim

12.4 095 vim (LFS and BLFS) Date: 2026-02-14 Severity: Medium

In vim-9.1.2144, a security vulnerability was fixed that could allow for a denial of service (application crash) or possibly arbitrary code execution when the 'helpfile' option is passed to vim. When processing vim helpfile tags, vim copies the user-controlled 'helpfile' option into a fixed-size heap buffer using an unsafe STRCPY() function without any boundary checking. Users who do not use the 'helpfile' option are not affected, and user interaction is required to exploit the vulnerability. Update to vim-9.1.2144 if you use the helpfile option. 12.4-095
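Each advisory on this page reduces to "is the installed version at or above the first fixed version on its branch". The following is an added example, not part of the LFS advisory page or the LFS project, that encodes the fixed versions listed above and audits a set of installed versions against them; it is branch-aware so that OpenSSL 3.5.x and 3.6.x, or Python 3.13.x and 3.14.x, are each compared against their own fix. The installed versions it is fed are constructed sample data, and a branch the page gives no fixed version for (for example Python 3.12) is reported as unlisted rather than assumed safe.

```python
"""Audit installed versions against the LFS 12.4 advisories on this page.

Added example; the minimum versions come from the advisories above, the
installed-version strings are constructed samples.  Feed audit() the
output of e.g. `ldd --version`, `openssl version`, `python3 --version`,
or a version you looked up yourself.
"""
import re
from typing import Dict, List, Tuple

# (package, branch prefix or "" for any, first fixed version, advisory id)
# Where a package has several advisories, only the newest (most
# stringent) fixed version is listed.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("glibc",   "",     "2.43",     "12.4-079"),
    ("expat",   "",     "2.7.4",    "12.4-086"),
    ("openssl", "3.6",  "3.6.1",    "12.4-078"),
    ("openssl", "3.5",  "3.5.5",    "12.4-078"),
    ("python",  "3.13", "3.13.12",  "12.4-088"),
    ("python",  "3.14", "3.14.3",   "12.4-088"),
    ("vim",     "",     "9.1.2144", "12.4-095"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric version in text as an int tuple,
    so 'ldd (GNU libc) 2.42' -> (2, 42) and 'Python 3.13.10' -> (3, 13, 10)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def on_branch(version: Tuple[int, ...], branch: str) -> bool:
    """True if version lies on the given branch prefix ('' matches all)."""
    if not branch:
        return True
    prefix = parse_version(branch)
    return version[: len(prefix)] == prefix


def audit(installed: Dict[str, str]) -> List[dict]:
    """Return one finding per package that has an advisory on this page.

    status is 'ok', 'vulnerable', or 'unlisted-branch' (the page gives no
    fixed version for that branch, so nothing can be concluded from it).
    """
    findings = []
    for pkg, raw in installed.items():
        entries = [a for a in ADVISORIES if a[0] == pkg]
        if not entries:
            continue  # no advisory for this package on the page
        ver = parse_version(raw)
        matched = [a for a in entries if on_branch(ver, a[1])]
        if not matched:
            findings.append({"package": pkg, "installed": raw, "required": None,
                             "advisory": entries[0][3], "status": "unlisted-branch"})
            continue
        _, _, fixed, advisory = matched[0]
        # Tuple comparison: a shorter installed tuple (e.g. (2, 7) vs
        # (2, 7, 4)) compares as older, which is the conservative outcome.
        status = "ok" if ver >= parse_version(fixed) else "vulnerable"
        findings.append({"package": pkg, "installed": raw, "required": fixed,
                         "advisory": advisory, "status": status})
    return findings


# Constructed sample system; not real output from any host.
SAMPLE_SYSTEM = {
    "glibc":   "ldd (GNU libc) 2.42",
    "expat":   "2.7.3",
    "openssl": "OpenSSL 3.5.5",
    "python":  "Python 3.13.10",
    "vim":     "9.1.2144",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SYSTEM):
        print(f"{f['package']:8} {f['status']:16} installed={f['installed']!r} "
              f"required={f['required']} ({f['advisory']})")
```

For vim, `vim --version` reports the base version and a separate "Included patches" line; pass the patch level as the third component (9.1.NNNN) when you look it up, since the advisory's fixed version is expressed that way.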