LFS Security Advisories for LFS 12.4.

LFS-12.4 was released on 2025-09-01.

This page is ordered alphabetically by package; if a package has multiple advisories, the newer ones come first.

The links at the end of each item point to fuller details which have links to the development books.

Expat

12.4 005 Expat (LFS) Date: 2025-09-30 Severity: High

In Expat-2.7.3, a security vulnerability was fixed that can allow for a denial of service (system out-of-memory condition) when parsing an XML document. The issue is known to be exploited easily and reliably. It was fixed by preventing the use of disproportionate amounts of dynamic memory within an Expat parser context. All users are recommended to update to Expat-2.7.3 because of the number of places where Expat can be used, including contexts such as web browsers where untrusted input is processed. 12.4-005

OpenSSL

12.4 012 OpenSSL (LFS) Date: 2025-10-01 Severity: Medium

In OpenSSL-3.5.4, three security vulnerabilities were fixed that could allow for denial of service (application crashes), arbitrary code execution, and private key recovery on ARM64 platforms. Update to OpenSSL-3.5.4. 12.4-012

Python

12.4 063 Python (LFS and BLFS) Date: 2025-12-23 Severity: Medium

In Python-3.13.11 and Python-3.14.2, seven security vulnerabilities were fixed that could allow for accepting inconsistent zip64 central directory records, incorrect handling of maximum rows, lack of support for the plaintext element, unensured linear complexity for parsing legacy HTTP parameters, incorrect quadratic complexity, and denial of service.

If you are on Python-3.13.x, update to Python-3.13.11. Meanwhile, if you are on Python-3.14.x, update to Python-3.14.2. 12.4-063