BLFS-12.0 was released on 2023-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to more details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
In httpd-2.4.58, three security vulnerabilities were fixed. Update to 2.4.58. 12.0-027
In BIND-9.18.19, six security vulnerabilities were fixed that could, among other things, crash the service through high CPU utilization, generate out-of-memory errors that could allow BIND to read from other system memory and others. Update to BIND-9.18.24 12.0-095
In BIND-9.18.19, two security vulnerabilities were fixed that could allow for a remotely-exploitable denial of service (crash of the named server process) when processing DNS queries. Update to BIND-9.18.19. 12.0-011
In CUPS-2.4.7, a security vulnerability was fixed that could allow for remote code execution or denial of service (CUPS service crash) due to a malicious print job. Update to cups-2.4.7. 12.0-009
In cURL-8.6.0, a security vulnerability was fixed that could allow for an OCSP verification bypass due to TLS session reuse. This vulnerability only applies to connections that use TLS 1.2. Update to cURL-8.6.0. 12.0-084
In cURL-8.5.0, two security vulnerabilities were fixed that could allow for cookie hijacking, and could delete HSTS data. Update to cURL-8.5.0. 12.0-053
In cURL-8.4.0, two security vulnerabilities were fixed that could allow for cookie injection, and for remote code execution or crashes when using the SOCKS5 proxy feature. Update to cURL-8.4.0. 12.0-024
In cURL-8.3.0, a security vulnerability was fixed that could allow for a denial of service when processing HTTP headers. The denial of service occurs due to running the cURL process out of memory. Update to cURL-8.3.0. 12.0-007
In Exim-4.97.1, a security vulnerability was fixed that allows for SMTP smuggling in certain configurations. Remote attackers can use a publicly available exploit to inject email messages with a spoofed MAIL FROM address, which will allow bypassing the SPF protection mechanisms. Update to Exim-4.97.1. 12.0-066
In exim 4.96.1 and 4.96.2 five vulnerabilities, three of which are rated as High, were fixed; update to exim-4.96.2. 12.0-025
In Exiv2-0.28.2, two security vulnerabilities were fixed that could allow for a denial-of-service (application crash and excessive resource consumption) when processing QuickTime Videos. Update to Exiv2-0.28.2. 12.0-098
In Exiv2-0.28.1, a security vulnerability was fixed that could allow for arbitrary code execution when reading the metadata from a crafted image file. Update to Exiv2-0.28.1. 12.0-038
In FAAD2-2.11.0, two security vulnerabilities were fixed that could allow for remote code execution or denial of service when processing MP4 files. Several other memory safety issues were fixed as well, but were not assigned CVEs. Update to FAAD2-2.11.0 immediately. 12.0-039
In firefox 115.8.0 seven vulnerabilities were fixed. Upstream rate three of these as High. 12.0-104
In firefox 115.7.0 nine vulnerabilities were fixed. Upstream rate the vulnerability in Angle as High, but Angle appears to only be used on MS Windows. Prevously, mozilla rated memory safety bugs as high impact, with this release they now describe them as moderate impact. However, NVD has now analysed that CVE and rates it as High severity. 12.0-079
In firefox 115.6.0 eleven vulnerabilities were fixed. Upstream rate three of these as High. 12.0-057
In firefox 115.5.0 seven vulnerabilities were fixed. Upstream rate five of these as High. 12.0-046
In firefox 115.4.0 six vulnerabilities applicable to linux users were fixed. Upstream rate two of these as High, but two others could lead to a crash and are therefore rated as High by BLFS until there is an external analysis. 12.0-029
In firefox 115.3.0 four vulnerabilities rated as High were fixed, update to Firefox-115.3.0. 12.0-013
In GIMP-2.10.36, four security vulnerabilities were fixed that could allow for remote code execution or denial of service when processing DDS, PSD, or PSP files. Update to GIMP-2.10.36. 12.0-040
In GnuPG-2.4.4, a security flaw was fixed where Smartcard generation was keeping an unprotected backup copy of the key on disk. Upstream says that all possibly affected users should check whether an unintended copy of a Smartcard key exists and delete it. If you generated a Smartcard using GnuPG-2.4.2, 2.4.3, or 2.2.42, please update to GnuPG-2.4.4 and follow the instructions in the security advisory to check for and remove the unprotected backup keys. 12.0-082
In GnuTLS-3.8.3, two security vulnerabilities were fixed that could allow for a timing side-channel attack (leading to the leakage of sensitive data), and for an application crash. Update to GnuTLS-3.8.3 or later. 12.0-070
In GnuTLS-3.8.2, a security vulnerability was fixed that could allow for a timing side-channel attack. Update to GnuTLS-3.8.2 or later. 12.0-045
In gst-plugins-bad-1.22.9, a security vulnerability was fixed that could allow for remote code execution or crashes when processing AV1-encoded video files with malformed streams. The vulnerability occurs due to a heap buffer overflow. Update the gstreamer stack to 1.22.9. 12.0-081
In gst-plugins-bad-1.22.8, a security vulnerability was fixed that could allow for remote code execution or crashes when processing AV1-encoded video files with malformed streams. Update the gstreamer stack to 1.22.8. 12.0-065
In gst-plugins-bad-1.22.7, two security vulnerabilities were fixed that could allow for crashes or arbitrary code execution. These vulnerabilities can happen when processing MXF or AV1 files, including via web browsers. Update the gstreamer stack to 1.22.7. 12.0-042
In gst-plugins-bad-1.22.6, three security vulnerabilities were fixed that could allow for arbitrary code execution when processing MXF files or H.265 videos. Update the gstreamer stack to 1.22.6. 12.0-010
ImageMagick appears to have become its own CVE Numbering Authority. The changelog between 7.1.1-15 and 7.1.1-28 at ChangeLog.md. mentions at least two GHSA advisories, but those are either missing or inaccessible. 12.0-099
Intel microcode for some processors has been updated to fix a vulnerability which may allow local privilege escalation, information disclosure, and/or denial of service. Read 12.0-043 for the list of affected processors and how to update the microcode to fix the vulnerabilities.
In jasper-4.1.2, a security vulnerability was fixed that could allow for arbitrary code execution or crashes when processing a crafted image that use the JPEG-2000 codec. Update to jasper-4.1.2. 12.0-069
In libarchive-3.7.2, multiple security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service when writing a PAX archive using the libarchive API. Update to libarchive-3.7.2. 12.0-008
In libnotify-0.8.3, a security vulnerability was fixed that could allow for a local user to crash an application running if certain parameters were set when generating a notification. Update to libnotify-0.8.3. 12.0-023
In Libreoffice-7.6.4.1, three security vulnerabilites were fixed. One of these was in in the bundled copy of Skia. This vulnerability is identical to the QtWebEngine/Chromium vulnerability that allows for remote code execution by processing an image that is too large for a buffer. In this case, the attack vector would be a malicious image inside of a document. Additionally, a security vulnerability was fixed that could allow for Gstreamer pipeline injection due to improper input validation, and a security vulnerability was fixed that could allow for arbitrary script execution when processing a link's target. Both of these can be exploited when processing documents. Updating to Libreoffice-7.6.4.1 is recommended as soon as possible. 12.0-054
In libssh2-1.11.0, a vulnerability has been discovered that allows for silent encryption downgrades due to MITM attacks. This vulnerability has been rated as Critical, and is also known as the "Terrapin" attack. Rebuild libssh2 with the patch in the book as soon as possible. 12.0-062
In libuv-1.48.0, a security vulnerability was fixed that could allow for attackers to craft payloads that resolve to unintended IP addresses, which bypass developer checks. Update to libuv-1.48.0. 12.0-094
In libX11-1.8.7, three security vulnerabilities were fixed that could allow for a denial of service (application crash), or for remote code execution on systems where X11 is running as root or on systems with X11 Forwarding enabled. Update to libX11-1.8.7. 12.0-019
In libxml2-2.12.5, a security vulnerability was fixed that could allow for a denial-of-service (application crash) when using the XML Reader interface with DTD validation and XInclude expansion enabled. The issue occurs when processing a crafted XML document, and leads to a use-after-free in xmlValidatePopElement. Update to libxml2-2.12.5. 12.0-087
In libXpm-3.5.17, two security vulnerabilities were fixed that could allow for an attacker to read the contents of memory on a system by opening a malicious XPM image. Update to libXpm-3.5.17. 12.0-020
Google has announced a security vulnerability in libvpx of which an exploit exists in the wild. Update to (or rebuild) libvpx-1.13.0 with a patch to fix the vulnerability. 12.0-017
Chromium and Apple have announced a Critical vulnerability in libwebp which is being actively exploited. It is fixed in libwebp-1.3.2. Upgrade to libwebp-1.3.2. 12.0-003
In Linux-PAM-1.6.0, a security vulnerability was fixed that could allow for a local denial of service (crash) when using the pam_namespace.so PAM module. Note that a standard BLFS installation will not use this module, so most systems are unaffected unless a user has added this module into the system on their own. If you use this module, update to Linux-PAM-1.6.0. 12.0-073
In mariadb-10.11.6 a vulnerability, which allows an attacker with network access to crash (DOS) the server, was fixed. Update to mariadb-10.11.6. 12.0-051
In mutt-2.2.12 a vulnerability which could cause mutt to crash while parsing a malformed header was fixed. Update to mutt-2.2.12. 12.0-002
In nghttp2-1.57.0, a security vulnerability in the HTTP/2 protocol was fixed that allows for a remotely exploitable denial of service attack. This vulnerability is being exploited in the wild to trigger Distributed Denial of Service attacks against various services. Update to nghttp2-1.57.0, especially if you run a web server. 12.0-022
In node.js-18.18.2, four vulnerabilities were fixed, of which two are rated as High. One of those is in the shipped version of nghttp2, so if you follow the book using system nghttp2 you should update nghttp to 1.57.0 12.0-022 as well as updating to node.js-18.18.2. 12.0-026
In node.js-20.11.1, eight vulnerabilities were fixed, some of which were ranked high. Update to node.js-20.11.1. 12.0-102
In NSS-3.98, a security vulnerability was fixed that could allow for RSA cryptography information to be leaked, such as whether the high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger attack against all RSA decryption operations. Update to NSS-3.98. 12.0-100
In OpenJDK-21.0.2, five security vulnerabilities have been fixed in the Hotspot and Security components that could allow for unauthorized creation, modification, and deleation of data on a system, as well as for information disclosure, denial of service, and remote code execution. Four of these vulnerabilities require no privileges or user interaction, and are primarily exploitable over the network. One is exploitable locally but requires some privileges, though still no user interaction. Update to OpenJDK-21.0.2. 12.0-074
In OpenJDK-21.0.1, two security vulnerabilities were fixed that could allow for a remote attacker to modify, add, or delete data that a Java application has access to, as well as for a remote attacker to cause a denial of service. Update to OpenJDK-21.0.1. 12.0-036
In OpenLDAP-2.6.7, a security vulnerability was fixed that could allow for an attacker to malform an LDAP search query thereby giving them a higher access mask than they should have. Update to OpenLDAP-2.6.7 or later. 12.0-088
In OpenSSH-9.6p1, two security vulnerabilities were fixed that could allow for a MITM attack to cause a silent encryption downgrade, and for arbitrary command injection in some circumstances (such as when using git submodules). The MITM attack is rated as Critical and has been codenamed the 'Terrapin' attack. Update to OpenSSH-9.6p1 or later. 12.0-061
In Postfix-3.8.5 (and 3.7.10, 3.6.14, and 3.5.24), improvements to the fix for CVE-2023-51764 (SMTP smuggling) were made that allow for more compatibility with some existing SMTP clients and for better logging. In addition, patches are now available for some unsupported versions of Postfix. For most users, the fixes in Postfix-3.8.4 (and 3.7.9, 3.6.13, and 3.5.24) will be sufficient, but if you encounter problems, upgrading to these improved versions is highly recommended. 12.0-078.
In Postfix-3.8.4 (as well as 3.7.9, 3.6.13, and 3.5.23), a security vulnerability was fixed that allows for SMTP smuggling on public-facing mail servers. Remote attackers can use a publicly available exploit to inject email messages with a spoofed MAIL FROM address, which also allows bypassing SPF protection mechanisms. Update to Postfix-3.8.4 (or one of 3.7.9, 3.6.13, and 3.5.23) as soon as possible if you operate a public facing mail server, and apply the required configuration changes. See 12.0-067 for more details.
In PostgreSQL-16.2 a vulnerability was fixed that could allow for arbitrary command execution through luring a user into running a command (check the CVE for the command). Due to this it is highly recommended to update to PostgreSQL on any older system. 12.0-090
In PostgreSQL-16.1 (and 15.5), three security vulnerabilities were fixed that could allow for memory and information disclosure, arbitrary code execution, signaling superuser processes, and denial of service. It is highly recommended to update PostgreSQL as soon as possible due to the arbitrary code execution and memory/information disclosure vulnerabilities. Update to PostgreSQL-16.1 (or 15.5 if you wish to stay on 15). 12.0-041
In ProFTPD 1.3.8b the 'Terrapin' SSH vulnerability, was fixed. This could allow for an attacker to downgrade the connection to a lesser security level resulting in reduced security and allowing an attacker to login to a victim's client. It is highly recommended to recommended to update ProFTPD as soon as possible due to the broad attack surface of this vulnerability. 12.0-060
In Python-3.12.2, a security vulnerability was fixed that could allow for silent execution of arbitrary code via hidden *.pth files. *.pth files are executed automatically, unlike normal Python files which need explicit importing or passing as an argument to the Python interpreter. The issue was fixed upstream by skipping *.pth files with names starting with a dot (or the hidden file attribute on other systems). Update to Python-3.12.2, or 3.11.8 if you prefer to stay on the 3.11.x series. 12.0-092
In Python-3.11.5, a security vulnerability was fixed that could allow to bypass TLS handshake in SSL sockets. Update to python-3.11.5. 12.0-001
In Qt5-5.15.12, a security vulnerability was discovered that could allow for a buffer overflow when reading a crafted KTX image file. This issue exists in qtbase, and will lead to a denial of service or possibly other impacts when reading the crafted file in an application. Rebuild Qt5 (or qt5-alternate) with the patch. 12.0-101
In Qt6-6.6.2, two security vulnerabilities were fixed that could allow for a denial of service and arbitrary code execution. One of these issues occurs when loading KTX images, and is classified as a buffer overflow. The other vulnerability is classified as an integer overflow and is in the HTTP/2 implementation in QtBase. Due to the severity of the HTTP/2 issue, it is recommended that you update this package immediately if you have it installed. Update to Qt6-6.6.2. 12.0-103
In QtWebEngine-5.15.17, nine security vulnerabilities were fixed that could allow for remotely exploitable crashes and remote code execution. One of these vulnerabilities is under active exploitation and can be triggered when rendering any web page that contains an image or other 2D content. Update to QtWebEngine-5.15.17 immediately to protect your system. 12.0-048
In QtWebEngine-5.15.16, fixes for eight Chromium security vulnerabilities were backported to the branch. All are rated as High. 12.0-033
In samba-4.19.1, several security vulnerabilities were fixed that could allow for an attacker to trigger denial of service, crashing the service, or potentially compromising it. Update to samba-4.19.1. 12.0-021
In Seamonkey-2.53.18, several security vulnerabilities were fixed that could allow for clickjacking, address bar spoofing, crashes, extensions opening arbitrary URLs, out-of-bounds memory access, clipboard contents stealing, and path traversal. Update to Seamonkey-2.53.18. 12.0-059
Seamonkey-2.53.17.1 ships an old version of libvpx with a different API from current libvpx, preventing use of system libvpx. The recent public vulnerability has led upstream to commit fixes for several libvpx issues, but they have not yet been able to complete a new release. Update to Seamonkey-2.53.17.1 plus the consolidated_fixes-1.patch. 12.0-028
In Seamonkey-2.53.17.1, several security vulnerabilities were fixed that could allow for fullscreen window spoofing, denial of service, remote code execution, URL spoofing, push notifications being saved to disk unencrypted, and certificate exception bypasses. This update brings Seamonkey up to date with the security fixes in Firefox 115.3.0 and Thunderbird 115.3.0. Update to Seamonkey-2.53.17.1. 12.0-014
In sendmail-8.18.2, a security vulnerability was fixed that allows for SMTP smuggling on publicly-accessible mail servers. Remote attackers can use a publicly available exploit to inject email messages with a spoofed MAIL FROM address, which also allows bypassing SPF protection mechanisms. Update to sendmail-8.18.2 if you maintain a publicly-accessible mail server. 12.0-086
In SpiderMonkey/mozjs-115.6.0, a security vulnerability was fixed that could allow for memory safety issues. This vulnerability could allow for arbitrary code execution and crashes due to memory corruption. Update to SpiderMonkey-115.6.0. 12.0-064
In the Javascript code of firefox-115.4.0 there is a fix for a potential crash. Upstream rate this as Medium, But BLFS rates it as High pending external analysis. 12.0-030
A security vulnerability was found in systemd-resolved that could allow systemd-resolved to accept records of DNSSEC-signed domains, even when they have no signature. Note that you must have DNSSEC support enabled on your system to be vulnerable to this vulnerability, and that support is not turned enabled by default. If you do have DNSSEC support enabled, rebuild systemd with the new 'sed' using the instructions from BLFS. If you do not have DNSSEC support enabled, no action is necessary. 12.0-068
In Thunderbird-115.8.0, several security vulnerabilities were fixed that could allow for spoofing, notifications being hidden, obscuring the permissions dialog, unintentional permission granting, response header injection, and for arbitrary code execution. Update to Thunderbird-115.8.0. 12.0-105
In Thunderbird-115.7.0, nine security vulnerabilities were fixed that could allow for remotely exploitable crashes, arbitrary code execution, HSTS policy bypasses, privilege escalation, permissions request bypassing, phishing, and a bypass of the Content Security Policy if one is set. Update to Thunderbird-115.7.0. 12.0-080
In Thunderbird-115.6.0, eleven security vulnerabilities were fixed that could allow for remote code execution, exploitable crashes, sandbox escapes, S/MIME signatures being accepted despite mismatching message dates, undefined behavior, and for spoofed messages to be accepted when processing PGP/MIME payloads. Update to Thunderbird-115.6.0. 12.0-063
In Thunderbird-115.5.0, seven security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, clickjacking when permission prompts are presented to the user, memory data leakage onto a canvas, and for text to be copied into the primary selection unexpectedly when running under X11. Update to Thunderbird-115.5.0. 12.0-047.
In Thunderbird-115.4.1, six security vulnerabilities were fixed that could allow for remotely exploitable crashes, arbitrary code execution, clickjacking, address bark spoofing, and for extensions to open arbitrary URLs in the background. Update to Thunderbird-115.4.1. 12.0-037.
In Thunderbird-115.3.0, three security vulnerabilities were fixed that could allow for remotely exploitable crashes and arbitrary code execution. Note that these vulnerabilities only apply when using HTML mail. Update to Thunderbird-115.3.0. 12.0-015
In Thunderbird-115.2.2, a critical security vulnerability in the bundled libwebp was fixed which could allow for remote code execution when loading a malicious HTML mail which contains a webp image embedded in it. The version of Thunderbird shipped with BLFS 12.0 was configured to use the bundled version of libwebp, however it has been changed in the development book to use the system version of libwebp. It is recommended that you update to the patched version of libwebp and that you upgrade Thunderbird immediately to protect your system. 12.0-006
In Unbound-1.19.1, two security vulnerabilities were fixed that could allow for crashing the instance through CPU exhaustion Update to Unbound-1.19.1. 12.0-096
In tracker-miners-3.6.1, a security vulnerability was fixed that allows for a sandbox escape. This vulnerability will allow a maliciously crafted file to execute code outside of the sandbox if the tracker-extract process has been compromised by a vulnerability in another package. Update to tracker-miners-3.6.2 and it's dependency tracker-3.6.0, or alternatively update to tracker-miners-3.5.4. 12.0-034
In WebKitGTK-2.42.5, three security vulnerabilities were fixed that could allow for trivial remote code execution and for a webpage to fingerprint a user. Due to the remote code execution vulnerabilities it is recommended that you update WebKitGTK immediately to protect your system. Update to WebKitGTK-2.42.5. 12.0-089
In WebKitGTK-2.42.4, a security vulnerability was fixed that could allow for an application crash when processing a large SVG image. The issue was resolved with improved memory handling. Update to WebKitGTK-2.42.4 or later. 12.0-058
In WebKitGTK-2.42.3, two security vulnerabilities were fixed that could allow for information disclosure and arbitrary code execution. Both of these vulnerabilities are exploitable when processing crafted web content, and are known to be actively exploited. Update to WebKitGTK-2.42.3 or later immediately to protect your system. 12.0-052
In WebKitGTK+-2.42.2, two security vulnerabilities were fixed those could lead to denial of service and remote code execution when processing crafted web content. Update to WebKitGTK+-2.42.2 or later immediately to protect your system. 12.0-044
In WebKitGTK+-2.42.1, a critical security vulnerability was fixed that could lead to remote code execution when processing crafted web content. The vulnerability was resolved with additional checks when processing JavaScript. Apple is aware of reports that this vulnerability is being actively exploited, and does not require any user interaction to exploit. Update to WebKitGTK+-2.42.1 or later immediately to protect your system. 12.0-016
In wpa_supplicant-2.10, a security vulnerability was discovered that could allow for an attacker to trick a victim into connecting to a malicious clone of an enterprise WiFi network, and in turn allow them to intercept all traffic. The BLFS developers have created a patch for this vulnerability based upon an upstream fix. 12.0-097
In xdg-utils-1.2.1, a security vulnerability was fixed that could allow for attachments to be discretely added to emails sent via the 'xdg-email' command. Update to xdg-utils-1.2.1. 12.0-093
In xorg-server-21.1.11, four security vulnerabilities were fixed that could allow for crashes, privilege escalation, and remote code execution on systems where X11 forwarding is in use. These vulnerabilities are classified as heap buffer overflows and out-of-bounds memory accesses. Update to xorg-server-21.1.11. 12.0-071
In xorg-server-21.1.10, two security vulnerabilities were fixed that could allow for privilege escalation and memory disclosure. If you are using SSH X Forwarding, these vulnerabilities could be used for remote code execution. Update to xorg-server-21.1.10 12.0-055
In xorg-server-21.1.9 a security vulnerability was fixed due to an out-of-bounds write flaw, leading to privilege escalation or denial of service. Update to xorg-server-21.1.9. 12.0-032
In xorg-server-21.1.9 a security vulnerability was fixed that could allow an X server crash in a very specific and legacy configuration. Update to xorg-server-21.1.9. 12.0-031
In Xwayland-23.2.4, four security vulnerabilities were fixed that could allow for crashes and privilege escalation. These vulnerabilities are classified as heap buffer overflows and out-of-bounds memory accesses. Update to Xwayland-23.2.4. 12.0-072
In Xwayland-23.2.3, two security vulnerabilities were fixed due to out-of-bounds reads and writes, leading to privilege escalation and information disclosure. Update to Xwayland-23.2.3. 12.0-056
In xwayland-23.2.2 a security vulnerability was fixed due to an out-of-bounds write flaw, leading to privilege escalation or denial of service. Update to xwayland-23.2.2. 12.0-032