LFS Security Advisories for LFS 13.0.
LFS-13.0 was released on 2026-03-05.
This page is in alphabetical order of packages, and if a package has multiple advisories the latest one comes first.
The links at the end of each item point to additional details which have links to the development books.
Glibc
Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.
13.0 021 glibc (LFS) Date: 2026-04-01 Severity: High
In glibc-2.43, two security vulnerabilities were discovered that could allow applications to treat invalid DNS responses as valid. Both issues are classified as violations of the DNS specification, and were resolved by checking the number of records expected and by performing input validation on hostnames in DNS records. Users should rebuild glibc with the sed in the development book. Note that rebuilding glibc should be done with extreme caution, and the instructions for updating glibc on that page should be followed strictly to prevent a broken system. 13.0-021
Expat
13.0 019 Expat (LFS) Date: 2026-04-01 Severity: Medium
In Expat-2.7.5, three security vulnerabilities were fixed that could allow for a denial of service (crashes and resource exhaustion) when processing crafted XML files. Because Expat is used in a variety of contexts on an LFS system, including some web browsers, users are advised to update Expat. Update to Expat-2.7.5. 13.0-019
libcap
13.0 040 libcap (LFS) Date: 2026-04-15 Severity: Medium
In libcap-2.78, a security vulnerability was fixed that could allow a local unprivileged user with write access to a directory to redirect file capability updates to an attacker-controlled file. Doing so can cause capabilities to be injected into (or stripped from) unintended executables, which leads to privilege escalation. Update to libcap-2.78. 13.0-040
OpenSSL
13.0 039 OpenSSL (LFS) Date: 2026-04-15 Severity: Medium
In OpenSSL-3.6.2, seven security vulnerabilities were fixed that could allow for the contents of uninitialized memory to be sent to a malicious peer, for denial of service (application crashes), and for arbitrary code execution. These occur in a variety of contexts in OpenSSL, including when applications use RSASVE key encapsulation to establish a secret encryption key, when applications use AES-CFB128 encryption or decryption on systems that support the AVX-512 instruction set, when clients are configured to perform DANE TLSA-based server authentication, when processing a delta CRL, when processing CMS EnvelopedData messages with KeyAgreeRecipientInfo, when processing CMS EnvelopedData messages with KeyTransportRecipientInfo, and when processing hexadecimal strings on 32-bit platforms. Update to OpenSSL-3.6.2. If you are still on a *LFS 12.4 system, use 3.5.5. 13.0-039
Perl
13.0 023 Perl (LFS) Date: 2026-04-01 Severity: Critical
In Perl-5.42.2, a security vulnerability was fixed by updating the bundled Compress::Raw::Zlib module; the previously bundled copy allowed several of the zlib vulnerabilities from SA-12.4-099 to be exploited through Perl. The update also brings numerous other internal improvements to that module that fix issues with newer versions of zlib. Users are advised to update immediately, as CISA has rated this vulnerability as Critical. Update to Perl-5.42.2. 13.0-023
Python
13.0 038 Python (LFS and BLFS) Date: 2026-04-15 Severity: Critical
In Python-3.14.4 (and 3.13.13), four security vulnerabilities were fixed. After the release, an additional four were resolved. These vulnerabilities can have a variety of impacts, including denial of service (application crashes), the base64 module accepting data that should have been processed differently, input validation bypasses when working with cookies in http.cookies.Morsel (allowing injection of control characters into cookies), incorrect handling of legacy *.pyc files (leading to unintended behavior at runtime for various programs), arbitrary code execution when processing LZMA, BZ2, or GZIP compressed files in Python, CR/LF bytes not being rejected in HTTP client proxy tunnel headers, command injection into the underlying shell when a Python script opens a web browser, and memory corruption when using the remote debugging feature in Python 3.14 and later. Update to Python-3.14.4 with the security fixes patch. BLFS 12.4 users can safely use 3.13.13 with the patch but will need to skip a missing file during the patch process. 13.0-038
13.0 022 Python (LFS and BLFS) Date: 2026-04-01 Severity: High
In Python-3.14.3, three security vulnerabilities were found that could allow for a denial of service (application crash), for control characters to be accepted inside HTTP cookies, and for Python to unintentionally pass unexpected options to web browsers. Rebuild Python with the security fixes patch. 13.0-022
systemd
13.0 008 systemd (LFS and BLFS) Date: 2026-03-21 Severity: Medium
In systemd-259.5, a security vulnerability was fixed that could allow for local privilege escalation. The vulnerability is in systemd-machined and can be triggered by a regular user logged into a graphical environment, who can escalate to the root user through an IPC call. Update to systemd-259.5. 13.0-008
Util-Linux
13.0 041 Util-Linux (LFS) Date: 2026-04-15 Severity: Medium
In Util-Linux-2.42, two security vulnerabilities were fixed that could allow for unauthorized read access to root-protected files and block devices, and for crashes in udisks and other programs that use the libblkid library. The unauthorized read vulnerability occurs when using the 'mount' command, due to a TOCTOU symlink attack via a loop device. Note that in order to be affected, non-root users must be able to mount loop devices. Update to Util-Linux-2.42. 13.0-041
vim
13.0 037 vim (LFS and BLFS) Date: 2026-04-15 Severity: High
In vim-9.2.0340, two security vulnerabilities were fixed that could allow for operating system command injection (resulting from a sandbox escape in the modeline functionality), and for path traversal when modifying the contents of Zip archives, which can cause vim to overwrite files on the underlying system rather than the intended entries of the Zip archive. All users are urged to update to vim-9.2.0340 immediately due to the risk of arbitrary command execution. 13.0-037
13.0 025 vim (LFS and BLFS) Date: 2026-04-01 Severity: Critical
In vim-9.2.0272, a security vulnerability was fixed that could allow for arbitrary OS command injection when loading a crafted file. Note that the file only needs to be loaded by vim; the user does not need to edit it or perform any special commands for the vulnerability to trigger. All users should update to vim-9.2.0272 immediately, especially if they regularly view source code or other files from untrusted or external sources. 13.0-025
XML-Parser
13.0 020 XML-Parser (LFS) Updated: 2026-04-15 Severity: Critical
In XML-Parser-2.54, two security vulnerabilities were fixed that could allow for remote code execution or denial of service (application crashes) when processing crafted XML documents. Both of these vulnerabilities are known to be exploited in the wild. Update to XML-Parser-2.54 immediately. 13.0-020
Updated on 2026-04-15 to accommodate the move of this package to BLFS.
xz
13.0 018 xz (LFS) Date: 2026-04-01 Severity: Critical
In xz-5.8.3, a security vulnerability was fixed that could allow a buffer overflow to occur in the lzma_index_append() function, which could possibly lead to arbitrary code execution in some rare circumstances. Upstream has noted that it is very unlikely that the bug can be triggered in any real-world application, but the vulnerability has been marked as Critical nonetheless. The vulnerability occurs if lzma_index_decoder() was used to decode an Index that contains no Records: the resulting lzma_index was left in a state where a subsequent lzma_index_append() would not allocate enough memory, and thus the buffer overflow occurs. However, there typically is no reason to append Records to a decoded lzma_index. Update to xz-5.8.3. 13.0-018