BLFS Security Advisories for BLFS 12.2 and the current development books.

BLFS-12.2 was released on 2024-09-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.

The links at the end of each item point to more details which have links to the development books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

apr

12.2 002 apr Date: 2024-09-04 Severity: Medium

In apr-1.7.5, a security vulnerability was fixed that allows local users to have read access to named shared memory segments, potentially revealing sensitive application data. This occurs due to lax permissions being set by the apr library at runtime. If you are using an application which uses apr (e.g. subversion, serf, or Apache HTTPD) that also utilizes sensitive data, it is highly recommended that you update apr as soon as possible. Update to apr-1.7.5. 12.2-002

cups-filters

12.2 022 cups-filters Updated: 2024-10-21 Severity: Critical

Several security vulnerabilities were discovered in libcupsfilters, libppd, and cups-browsed, which have been chained together to allow for remote code execution. Previously, upstream releases did not exist for these packages. On 2024-10-21, BLFS was updated to handle these vulnerabilities. The vulnerabilities allow for information leakage, remote code execution, and remotely exploitable crashes. These vulnerabilities are currently being actively exploited. The vulnerabilities require no user interaction to exploit, and they do not require any authentication. If you run a CUPS server that is accessible from the internet, or if you use a public WiFi network, you should update the packages to 2.1.0 immediately. 12.2-022

cURL

12.2 039 cURL Date: 2024-11-07 Severity: Low

In cURL-8.11.0, a security vulnerability was fixed that could allow for a minor potential denial of service problem (trying to use HTTPS when that no longer works), or a cleartext transmission of data that was otherwise intended to be protected. Update to cURL-8.11.0. 12.2-039

12.2 013 cURL Date: 2024-09-27 Severity: High

In cURL-8.10.0, a security vulnerability was fixed that could allow for an invalid server certificate (SSL certificate) to wrongfully register as valid when built with gnutls. 12.2-013

fetchmail

12.2 035 fetchmail Date: 2024-11-02 Severity: Medium

In fetchmail-6.5.0, a security vulnerability was resolved where users could read another user's passwords due to insufficient permissions on a user's .netrc file. This has been resolved by not allowing .netrc to have any more than 0700 permissions if it contains passwords. If a .netrc file does have more than 0700 permissions, fetchmail will now output a warning and ignore the file. Update to fetchmail-6.5.0. 12.2-035

Firefox

12.2 048 Firefox Date: 2024-11-26 Severity: High

In Firefox-128.5.0esr, six security vulnerabilities were fixed that could allow for select list elements to be shown over another site (leading to website spoofing), content security policy bypasses, cross-site scripting, URL bar spoofing, remotely exploitable crashes, improper keypress handling when executing files, and for remote code execution. Update to Firefox-128.5.0esr (or 115.18.0esr). 12.2-048

12.2 032 Firefox Date: 2024-10-30 Severity: High

In Firefox-128.4.0esr, ten security vulnerabilities were fixed that could allow for permissions leaks, remotely exploitable crashes, user confusion (for external protocol handlers), cross-site scripting attacks, origin spoofing, video frame leaks, clipboard spoofing, and remote code execution. Update to Firefox-128.4.0esr (or 115.17.0esr). 12.2-032

12.2 023 Firefox Date: 2024-10-09 Severity: Critical

In Firefox-128.3.1esr, twelve security vulnerabilities were fixed that could allow for remote code execution, sandbox bypasses, cross-origin access to PDF and JSON contents through multipart responses, permission bypasses, unauthorized directory uploads, clickjacking, and remotely exploitable crashes. One of these issues is known to be exploited in the wild and is rated as critical. It is highly recommended that you update Firefox immediately to 128.3.1esr (or 115.16.1esr if you are on that series). 12.2-023

12.2 004 Firefox Date: 2024-09-06 Severity: Critical

In Firefox-128.2.0esr, seven security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, and for remotely exploitable type confusion vulnerabilities. Update to Firefox-128.2.0esr. 12.2-004

fop

12.2 038 fop Date: 2024-11-05 Severity: High

In fop-2.10, a security vulnerability was fixed that could allow for a remote attacker to execute arbitrary code on a system while processing a crafted FO file. This occurs due to an XML External Entity Reference attack, and can happen without informing the user. Update to fop-2.10. 12.2-038

Ghostscript

12.2 012 Ghostscript Date: 2024-09-26 Severity: High

In Ghostscript-10.04.0, six security vulnerabilities were fixed that could allow for application crashes and arbitrary code execution while processing crafted PostScript and PDF documents. This can also be exploited via a malicious print job. Update to Ghostscript-10.04.0. 12.2-012

glib

12.2 043 glib Date: 2024-11-25 Severity: Critical

In glib-2.82.1, a security vulnerability was fixed that could allow for a buffer overflow in the SOCKS4 proxy support within glib. The issue occurs due to an off-by-one error and then buffer overflow because SOCKS4_CONN_MSG_LEN in gio/gsocks4aproxy.c is not sufficient for a trailing '\0' character that set_connect_msg() appends after a hostname. Update to glib-2.82.1. 12.2-043

gstreamer

12.2 053 gstreamer Date: 2024-12-04 Severity: Critical

In the 1.24.10 release of the gstreamer stack, over 40 security vulnerabilities were resolved. These issues occur in a variety of plugins, including the MP4/MOV playback support, the ID3v2 tag parser, the JPEG decoder, the WebM demuxer, the Vorbis decoder, the SSA subtitle parser, the Opus decoder, the gdk-pixbuf decoder, the WAV parser, the AVI subtitle parser, and the LRC subtitle parser, as well as in the gst-discoverer-1.0 utility. Because of the number of these vulnerabilities as well as the plugins that they impact, you should update the gstreamer stack immediately if you have it installed. All of these issues can allow for crashes, but many of them also allow for arbitrary code execution, or remote code execution (in the context of using a web browser playing WebM/MP4/MOV videos or WAV sounds on web pages). Update the gstreamer stack to 1.24.10. 12.2-053

Intel Microcode

12.2 015 Intel Microcode Date: 2024-09-30 Severity: Medium

In intel-microcode-20240910, two hardware vulnerabilities are fixed. The first one may allow for information disclosure when using 3rd Generation Intel Xeon Scalable CPUs. For more information on this vulnerability, please read Intel-SA-01103. The second vulnerability may allow for a denial of service when using 10th-14th Generation Core processors, as well as the Intel Xeon D line of processors and the 3rd Generation Intel Xeon Scalable processors. For more details and a complete list of affected processors, please read Intel-SA-01097. To check if you are impacted and for instructions on updating the microcode, please see the security advisory. 12.2-015

libarchive

12.2 034 libarchive Date: 2024-11-02 Severity: Medium

In libarchive-3.7.7, three security vulnerabilities were fixed that could allow for a denial of service (out-of-memory condition or application crash) when processing crafted GZIP or TAR files. The gzip issue occurs when processing a malformed gzip file inside of another gzip file, and the two tar issues occur when processing headers and truncated tar archives. Update to libarchive-3.7.7. 12.2-034

12.2 009 libarchive Updated: 2024-10-14 Severity: High

In libarchive-3.7.5, four security vulnerabilities were fixed that could allow for remote code execution when processing crafted RAR4 archives. For at least one of these issues, a proof of concept exploit has been made public. All of the vulnerabilities are classified as heap buffer overflows. Update to libarchive-3.7.5. 12.2-009

libgsf

12.2 018 libgsf Date: 2024-10-07 Severity: High

In libgsf-1.14.53, two security vulnerabilities were fixed that could allow for arbitrary code execution when processing a malicious file in compound document binary file format. Both of these issues are heap buffer overflows caused by integer overflows. Update to libgsf-1.14.53 immediately. 12.2-018

libjxl

12.2 050 libjxl Date: 2024-11-29 Severity: High

In libjxl-0.11.1, two security vulnerabilities were fixed that could allow for arbitrary code execution or a denial of service condition (stack exhaustion leading to an out-of-memory condition). Both of these issues can be exploited by opening/loading a malicious JXL image, but the arbitrary code execution problem can occur when calling JxlEncoderAddJPEGFrame to encode a frame into a JXL file. Update to libjxl-0.11.1. 12.2-050

libpcap

12.2 001 libpcap Date: 2024-09-04 Severity: Medium

In libpcap-1.10.5, a security vulnerability was fixed that could allow for a denial of service condition (application crash) when an application uses the pcap_findalldevs_ex() function. Note that the required functionality is not enabled by default. Update to libpcap-1.10.5 if you have remote packet capturing support enabled. 12.2-001

libsoup3

12.2 047 libsoup3 Date: 2024-11-25 Severity: High

In libsoup-3.6.1, three security vulnerabilities were fixed that could allow for HTTP Request Smuggling, arbitrary code execution, and remotely exploitable crashes (and out-of-memory conditions). Update to libsoup-3.6.1. 12.2-047

mpg123

12.2 031 mpg123 Updated: 2024-11-02 Severity: Medium

In mpg123-1.32.8, a security vulnerability was fixed that could allow for a denial of service or arbitrary code execution when decoding streams where output properties are changed, together with certain use of libmpg123. The vulnerability needs seeking around in the stream (including scanning it before actual decoding) to occur, but there are use cases where this could apply, such as concatenating several MP3 files together with varying formats or leading Info frames past the first track. This has been named as "Frankenstein's Monster", and has been classified as a buffer overflow. Update to mpg123-1.32.8. 12.2-031

OpenJDK

12.2 037 OpenJDK Date: 2024-11-05 Severity: Medium

In OpenJDK-23.0.1, five security vulnerabilities were fixed that could allow for a remote attacker (with no privileges required) to cause a denial of service condition (application crash) or possibly write/delete/access information on a system running a Java application. Update to OpenJDK-23.0.1. 12.2-037

PHP

12.2 045 PHP Date: 2024-11-25 Severity: Critical

In PHP-8.4.1 (or 8.3.14), five security vulnerabilities were fixed that could allow for remote code execution (when using the CLI interface to SAPI), remote code execution when using LDAP on a 32-bit system, unauthorized disclosure of MySQL query responses, remote code execution when using the Firebird and dblib quoters, CRLF injection when configuring a proxy in a stream context (leading to HTTP request smuggling attacks), and for remotely exploitable crashes when using the convert.quoted-printable-decode filter in a program. Update to PHP-8.4.1 (or 8.3.14). 12.2-045

12.2 014 PHP Date: 2024-09-30 Severity: Medium

In PHP-8.3.12, three security vulnerabilities were fixed that could allow for unauthorized modification of logs, bypass of the force_redirect configuration, and for data integrity violations when processing multipart form data. The unauthorized modification of logs vulnerability occurs in the FPM module, and the vulnerability can also be used to remove data from system logs if PHP is configured to use syslog. The data integrity violation vulnerability occurs in the SAPI module, and the bypass of the force_redirect configuration happens in the CGI module. Update to PHP-8.3.12. 12.2-014

PostgreSQL

12.2 044 PostgreSQL Date: 2024-11-25 Severity: High

In PostgreSQL-17.1, four security vulnerabilities were fixed that could allow for users to complete unauthorized reads and modifications, for man-in-the-middle attackers to send fabricated error messages, for SET ROLE and SET SESSION AUTHORIZATION to be set to wrong user IDs, and for an unprivileged database user to change sensitive process environment variables to achieve arbitrary code execution. Update to PostgreSQL-17.2. 12.2-044

Python3

12.2 008 Python3 (LFS and BLFS) Date: 2024-09-17 Severity: High

In Python-3.12.6, three security vulnerabilities were fixed that could allow for denial of service conditions (crashes and excessive resource usage). These issues occur in the HTTP functionality as well as handling of TAR and ZIP archives in Python. Update to Python-3.12.6. 12.2-008

Qt6

12.2 016 Qt6 Date: 2024-10-02 Severity: High

In Qt6-6.7.3, a security vulnerability was fixed in the HTTP/2 component that could cause decisions regarding encryption on an established connection to execute too early, because the encrypted() signal was not yet emitted and processed. This could allow for data to accidentally end up unencrypted when transmitted over HTTP/2 using an application that uses Qt. Update to Qt6-6.7.3. 12.2-016

12.2 052 QtWebEngine Date: 2024-12-04 Severity: Critical

In QtWebEngine-6.8.1, seventeen security vulnerabilities were fixed that could allow for remote code execution, unauthorized access to data, UI spoofing, and remotely exploitable crashes. These vulnerabilities are in a variety of subsystems in Chromium, including Mojo, Dawn, V8, Extensions, DevTools, Navigation, Web Authentication, Paint, FileSystem, Blink, Media, Views, and Serial; and all of them are exploitable via maliciously crafted web pages (and in some cases, malicious advertisements on web pages). Update to QtWebEngine-6.8.1. 12.2-052

12.2 025 QtWebEngine Date: 2024-10-14 Severity: High

In QtWebEngine-6.8.0, three security vulnerabilities were fixed that could allow for remote code execution. These vulnerabilities occur in the bundled copy of Chromium, and are in the Skia, V8, and Dawn components. If you have QtWebEngine installed, you should update this package as soon as you can. Update to QtWebEngine-6.8.0. 12.2-025

12.2 017 QtWebEngine Date: 2024-10-02 Severity: Critical

In QtWebEngine-6.7.3, 45 security vulnerabilities were fixed that could allow for remote code execution, sandbox escapes, information disclosure, UI spoofing, policy bypasses, and arbitrary reading/writing of files on the system. These can all be exploited by malicious extensions, malicious HTML files, malicious PDF files, or in some cases malicious fonts. The issues are all in the bundled copy of Chromium, and they impact the ANGLE, V8, WebAudio, Frames, CSS, FedCM, Dawn, Loader, Navigation, Screen Capture, WebAssembly, Swiftshader, CORS, Audio, PDFium, Skia, Permissions, Fonts, and Scheduling components. Because of the number and severity of these vulnerabilities, all users who have this package installed should update to QtWebEngine-6.7.3 immediately. Update to QtWebEngine-6.7.3. 12.2-017

Ruby

12.2 003 Ruby Date: 2024-09-06 Severity: High

In Ruby-3.3.5, four security vulnerabilities were fixed that could allow for a denial of service (application crash) when processing crafted XML files with the REXML gem which is built into Ruby. If you process untrusted XML using Ruby, it's highly recommended to update to Ruby-3.3.5 immediately. 12.2-003

Seamonkey

12.2 011 Seamonkey Date: 2024-09-26 Severity: Critical

In Seamonkey-2.53.19, 37 security vulnerabilities were fixed that could allow for remote code execution, decryption of data to plaintext (on Intel Sandy Bridge machines), memory corruption, remotely exploitable application crashes, cross-site scripting, sandbox escapes, information disclosure, and bypass of the content security policy. The 0.0.0.0 day security issue is also resolved in Seamonkey, though it has not been resolved in QtWebEngine or Firefox yet. The 0.0.0.0 day vulnerability allows for localhost APIs to be exploited by cross-site request forgery, and several proof of concept exploits exist. Some examples of this attack being exploited include eBay performing port scans on systems upon loading a page. The port scan was performed via JavaScript. This update brings Seamonkey up to the level of Firefox 115.14.0esr for security fixes. Update to Seamonkey-2.53.19. 12.2-011

Spidermonkey

12.2 027 Spidermonkey Date: 2024-10-21 Severity: Moderate

In Spidermonkey-128.3.1esr, a security vulnerability was fixed that could allow for memory corruption due to the JavaScript garbage collector mis-coloring cross-compartment objects if an Out Of Memory condition was detected at the right point between two passes. Note that if you do not wish to upgrade to 128.3.1esr (and thus also update gjs), you can use Spidermonkey-115.16.1esr. Update to Spidermonkey-128.3.1esr (or 115.16.1esr). 12.2-027

tiff

12.2 010 tiff Date: 2024-09-20 Severity: High

In tiff-4.7.0, two security vulnerabilities were fixed that could allow for a denial of service (application crash via a segmentation fault) when processing crafted TIFF files. This occurs in the TIFFReadRGBATileExt() function, as well as in tif_dirinfo.c. Both of these flaws can be exploited via a web browser or an image viewer. Update to tiff-4.7.0. 12.2-010

Thunderbird

12.2 049 Thunderbird Date: 2024-11-26 Severity: High

In Thunderbird-128.5.0esr, six security vulnerabilities were fixed that could allow for select list elements to be shown over another site (leading to website spoofing), content security policy bypasses, cross-site scripting, URL bar spoofing, remotely exploitable crashes, improper keypress handling when executing files, and for remote code execution. Update to Thunderbird-128.5.0esr. 12.2-049

12.2 042 Thunderbird Date: 2024-11-15 Severity: High

In Thunderbird-128.4.3esr, one security vulnerability was fixed that could allow for messages encrypted with OpenPGP to be sent in plain text. Update to Thunderbird-128.4.3esr. 12.2-042

12.2 033 Thunderbird Date: 2024-10-30 Severity: High

In Thunderbird-128.4.0esr, ten security vulnerabilities were fixed that could allow for permissions leaks, remotely exploitable crashes, user confusion (for external protocol handlers), cross-site scripting attacks, origin spoofing, video frame leaks, clipboard spoofing, and remote code execution. Update to Thunderbird-128.4.0esr. 12.2-033

12.2 026 Thunderbird Date: 2024-10-18 Severity: Critical

In Thunderbird-128.3.2esr, a security vulnerability was fixed that could allow for remote code execution. The vulnerability occurs in the Animation component of the shared Gecko component, and thus could be exploited by a malicious HTML email. Due to the critical nature of this vulnerability, it is highly recommended that you update Thunderbird immediately. The issue is being actively exploited in the wild. Update to Thunderbird-128.3.2esr. 12.2-026

12.2 024 Thunderbird Date: 2024-10-09 Severity: High

In Thunderbird-128.3.0esr, twelve security updates were fixed that could allow for remote code execution, sandbox bypasses, cross-origin access to PDF and JSON contents through multipart responses, permission bypasses, unauthorized directory uploads, clickjacking, and remotely exploitable crashes. Update to Thunderbird-128.3.0esr. 12.2-024

12.2 005 Thunderbird Date: 2024-09-06 Severity: Critical

In Thunderbird-128.2.0esr, eight security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, remotely exploitable type confusion vulnerabilities, and remotely exploitable crashes. Update to Thunderbird-128.2.0esr. 12.2-005

Unbound

12.2 020 Unbound Date: 2024-10-07 Severity: Medium

In Unbound-1.21.1, a security vulnerability was fixed that could allow for a remotely exploitable denial of service. It can be exploited by the attacker by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query, it will try to apply name compression, which had no boundaries until this update, and would lock the CPU until the packet was done compressing. Update to Unbound-1.21.1. 12.2-020

WebKitGTK

12.2 051 WebKitGTK Date: 2024-11-29 Severity: Critical

In WebKitGTK-2.46.4, two security vulnerabilities were fixed that could allow for remote code execution and cross site scripting attacks. These issues can occur when processing maliciously crafted web content, and there are numerous reports of the issues being exploited in the wild. They were fixed with improved checks and improved state management. If you have WebKitGTK installed, you need to update to 2.46.4 or later immediately. Update to WebKitGTK-2.46.4. 12.2-051

12.2 036 WebKitGTK Date: 2024-11-02 Severity: Medium

In WebKitGTK-2.46.3, two security vulnerabilities were fixed that could allow for unexpected process crashes and content security policy bypasses. These both happen when processing maliciously crafted web content, and were resolved with improved input validation and other checks. Update to WebKitGTK-2.46.3. 12.2-036

12.2 021 WebKitGTK Date: 2024-10-09 Severity: Critical

In WebKitGTK-2.46.1, three security vulnerabilities were fixed that could allow for universal cross site scripting, address bar spoofing, and cross-origin data exfiltration. In addition, the 0.0.0.0 day security vulnerability was fixed. The 0.0.0.0 day vulnerability allows for localhost APIs to be exploited by cross-site request forgery, and several proof of concept exploits exist. Note that you must update Epiphany to 46.4 or later after this update is installed. Update to WebKitGTK-2.46.1. 12.2-021

wget

12.2 040 wget Date: 2024-11-10 Severity: High

In wget-1.25.0, a security vulnerability was fixed that could allow for server-side request forgery, phishing, data leakage, and man-in-the-middle attacks when using shorthand FTP URLs. Update to wget-1.25.0. 12.2-040

Wireshark

12.2 046 Wireshark Date: 2024-11-25 Severity: Medium

In Wireshark-4.4.2, two security vulnerabilities were fixed that could allow for a denial of service condition (application crash and out-of-memory condition) when dissecting FiveCo RAP and ECMP packets. These issues can be exploited by crafted PCAP files, but users do not need to update if they are not capturing packets that use either of those protocols. Update to Wireshark-4.4.2. 12.2-046

12.2 028 Wireshark Date: 2024-10-21 Severity: High

In Wireshark-4.4.1, two security vulnerabilities were fixed that could allow for denial of service conditions (application crashes) via capturing faulty packets, or opening a crafted capture file. The issues occur in the AppleTalk, RELOAD, and ITS packet dissectors. If you use any of these three protocols, you should update Wireshark to prevent crashes. Update to Wireshark-4.4.1. 12.2-028

xdg-desktop-portal

12.2 019 xdg-desktop-portal Date: 2024-10-07 Severity: Critical

In xdg-desktop-portal-1.18.4, a security vulnerability was fixed that allows for a sandbox escape via the RequestBackground portal. This also allows for arbitrary command execution, in some cases with privileges escalated to root. This update should be considered urgent. It requires an update to Bubblewrap as well to be effective. Update to Bubblewrap-0.10.0 and xdg-desktop-portal-1.18.4 as soon as possible. 12.2-019

Xorg-Server

12.2 029 Xorg-Server Date: 2024-10-30 Severity: High

In Xorg-Server-21.1.14, a security vulnerability was fixed that could allow for denial of service or remote code execution (if the server is run over VNC or with SSH X Forwarding). On systems where X is running as root, this can be used to also cause local privilege escalation, but BLFS has not run the X.org server as root since the introduction of elogind in BLFS 9.0. The vulnerability occurs due to a heap buffer overflow in the _XkbSetCompatMap function. Update to Xorg-Server-21.1.14 and upgrade TigerVNC if it is also installed. 12.2-029

Xwayland

12.2 030 Xwayland Date: 2024-10-30 Severity: High

In Xwayland-24.1.4, a security vulnerability was fixed that could allow for denial of service. On systems where X is running as root, this can be used to also cause local privilege escalation, but BLFS has not run the X.org server as root since the introduction of elogind in BLFS 9.0. The vulnerability occurs due to a heap buffer overflow in the _XkbSetCompatMap function. Update to Xwayland-24.1.4. 12.2-030