SLFS Advisories
This page covers advisories, notably in relation to security and to changes that may have broken earlier versions of the book.
This page is ordered like the Changelog of the book, with newest items first.
13.0 to 13.1
Security Advisories
slfs-sa-13.0-009: Mbed-TLS - Rating: Critical (Date: April 8th, 2026)
In Mbed-TLS-3.6.6, eleven security vulnerabilities were fixed that could allow for client impersonation while resuming a TLS 1.3 session, for entropy on some systems to fall back to /dev/urandom (causing insufficient randomness for operations), for PSA random generator cloning (causing insufficient randomness), for compiler-induced constant-time violations (causing a timing based side channel leakage while performing RSA and CBC/ECB decryption), for arbitrary code execution when setting a distinguished name, for memory corruption when exporting FFDH public keys (allowing for arbitrary code execution and system instability), for signature algorithm injection, for an out-of-bounds read leading to information disclosure when using the CCM API due to a multipart finish tag-length validation bypass, for insufficient protection of serialized session or context data (leading to potential arbitrary code execution or denial of service), and for a buffer underread when using the x509_inet_pton_ipv6() function. The overall impacts are denial of service (application crashes and system instability), arbitrary code execution, information disclosure, and insufficient randomness when performing a variety of operations using Mbed-TLS. All users who have Mbed-TLS installed are recommended to update immediately. These vulnerabilities have been assigned CVE-2026-34873, CVE-2026-34871, CVE-2026-25835, CVE-2025-66442, CVE-2026-34874, CVE-2026-34875, CVE-2026-34872, CVE-2026-25834, CVE-2026-34876, CVE-2026-34877, and CVE-2026-25833.
To fix these vulnerabilities, update to Mbed-TLS-3.6.6 by following the Mbed-TLS installation page.
slfs-sa-13.0-008: libdatachannel - Rating: Medium (Date: April 8th, 2026)
In libdatachannel-0.24.2, a security vulnerability was fixed that could allow for denial of service (application crashes) and potentially arbitrary code execution when processing RTP and RTCP packets. These issues were caused by a lack of size checks on untrusted input. The only place where this package is used in SLFS is OBS Studio, so users who have OBS Studio should update if they are regularly using OBS Studio to stream. Note that users who only use OBS Studio for recording are not affected. No CVE has been assigned for this vulnerability, but additional details can be found at the upstream pull request.
To fix this vulnerability, update to libdatachannel-0.24.2 by following the libdatachannel installation page.
slfs-sa-13.0-007: Go - Rating: High (Date: April 8th, 2026)
In Go-1.26.2, ten security vulnerabilities were fixed that could allow for the Root.Chmod function to follow symlinks on the target of a symlink even when the target lies outside of the root, for JavaScript template literal contexts to be incorrectly tracked, for excluded DNS constraints in certificates to not be properly applied to wildcard domains, for no-op interface conversions to bypass overlap checking, for possible memory corruption after boundary check elimination, for unbounded allocation when parsing old format GNU sparse maps in tarballs, for multiple key update handshake messages to cause connection deadlocks, for a trust layer bypass when using cgo and SWIG together, for unexpected work during chain building (leading to a denial of service), and for inefficient certificate policy validation leading to a denial of service. These vulnerabilities occur in a variety of Go components, including crypto/x509, cmd/go, crypto/tls, archive/tar, cmd/compile, html/template, and os. These vulnerabilities have been assigned CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, CVE-2026-27144, CVE-2026-27143, CVE-2026-32288, CVE-2026-32283, CVE-2026-27140, CVE-2026-32280, and CVE-2026-32281.
To fix these vulnerabilities, update to Go-1.26.2 by following the Go installation page.
Note that after you reinstall Go, you must reinstall any packages that use it. This is because the Go standard library is statically linked into every program that you compile with it, and thus just updating the compiler isn't enough to resolve most issues.
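Because every Go program embeds the version of the toolchain that built it, you can find the binaries that still need rebuilding by asking the go tool about each one. The script below is an added example, not part of the SLFS book: it assumes go is on PATH and that the directories to scan are passed as arguments (it defaults to /usr/bin, /usr/sbin and /usr/local/bin). It uses the real go version <file> command, which prints the embedded toolchain version for Go binaries and silently skips files that are not Go binaries.

```shell
#!/bin/sh
# Added example (not from the SLFS book): report installed Go binaries whose
# embedded toolchain version differs from the currently installed compiler.
# Assumes `go` is on PATH; scan directories are given as arguments.

# Pull the first "goX.Y.Z" token out of a `go version` style line, e.g.
# "go version go1.26.2 linux/amd64" or "/usr/bin/foo: go1.26.1".
go_version_token() {
    printf '%s\n' "$1" | grep -o 'go[0-9][0-9.]*' | head -n 1
}

# Return 0 if the two version tokens match, 1 otherwise.
same_go_version() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Walk the given directories and print every Go binary built with a
# toolchain other than the one currently installed.
stale_go_binaries() {
    current=$(go_version_token "$(go version 2>/dev/null)")
    [ -n "$current" ] || { echo "go compiler not found on PATH" >&2; return 1; }
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -u+x 2>/dev/null | while read -r f; do
            # `go version <file>` prints nothing for non-Go binaries, so an
            # empty token means "skip this file".
            line=$(go version "$f" 2>/dev/null) || continue
            built=$(go_version_token "$line")
            [ -n "$built" ] || continue
            if ! same_go_version "$built" "$current"; then
                printf '%s: built with %s, installed compiler is %s\n' \
                    "$f" "$built" "$current"
            fi
        done
    done
}

# Stand-alone usage: scan the default directories (or those given on the
# command line) when a Go compiler is available.
if command -v go >/dev/null 2>&1; then
    if [ $# -eq 0 ]; then
        set -- /usr/bin /usr/sbin /usr/local/bin
    fi
    stale_go_binaries "$@"
fi
```

Every path the script prints is a program whose statically linked standard library predates the fix and must be rebuilt with the updated compiler; an empty report means nothing on the scanned paths is stale.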
slfs-sa-13.0-006: Flatpak - Rating: Critical (Date: April 8th, 2026)
In Flatpak-1.16.5, four security vulnerabilities were fixed that could allow for a complete and total sandbox escape, for arbitrary file deletion on the host filesystem, for arbitrary read access to files in the system-helper context, and for orphaning cross-user pull operations. The sandbox escape vulnerability has been rated as Critical. The arbitrary file deletion vulnerability has NO restriction, and every Flatpak app can delete files on the host system. This update is urgent, and all users who have Flatpak installed need to update to this version IMMEDIATELY to protect their system and their data. These vulnerabilities have been assigned CVE-2026-34078, CVE-2026-34079, GHSA-2fxp-43j9-pwvc, and GHSA-89xm-3m96-w3jg.
To fix these vulnerabilities, update to Flatpak-1.16.5 by following the Flatpak installation page.
slfs-sa-13.0-005: NGINX - Rating: Medium (Date: April 8th, 2026)
In NGINX-1.29.8, a security vulnerability was fixed in the ngx_http_upstream_copy_content_type() function that could allow for an integer underflow while processing character sets. This is classified as an out-of-bounds memory access vulnerability. This can cause a denial of service (application crash) or possibly information disclosure. This vulnerability has not been assigned a CVE, but additional information about it can be found at the upstream pull request.
To fix this vulnerability, update to NGINX-1.29.8 by following the NGINX installation page.
slfs-sa-13.0-004: NGINX - Rating: High (Date: April 7th, 2026)
In NGINX-1.29.7, six security vulnerabilities were fixed that could allow for buffer overflows, NULL pointer dereferences, arbitrary header injection, and OCSP (Online Certificate Status Protocol) result bypassing in the ngx_http_dav_module and ngx_http_mp4_module modules, while using CRAM-MD5 or APOP, and within auth_http, stream, and XCLIENT. These security vulnerabilities have been assigned CVE-2026-27651, CVE-2026-27654, CVE-2026-27784, CVE-2026-28753, CVE-2026-28755, and CVE-2026-32647.
You can update to NGINX-1.29.7 by following the NGINX installation page.
slfs-sa-13.0-003: Capstone - Rating: Critical (Date: April 7th, 2026)
In Capstone-5.0.7, two security vulnerabilities were fixed that could allow for a heap buffer overflow and stack buffer overflow and underflow. These security vulnerabilities have been assigned CVE-2025-67873 and CVE-2025-68114. You can update to Capstone-5.0.7 by following the Capstone installation page.
slfs-sa-13.0-002: OBS-Studio - Rating: High (Date: April 7th, 2026)
In OBS-Studio-32.1.0, general security was improved for configurations that use browser sources which use local files. If you use such a configuration, update to OBS-Studio-32.1.0 by following the OBS-Studio installation page.
slfs-sa-13.0-001: tornado - Rating: High (Date: March 21st, 2026)
In tornado-6.5.5, two security vulnerabilities were fixed that could allow for a denial of service attack and incomplete validation on cookie attributes. These security vulnerabilities have been assigned GHSA-qjxf-f2mg-c6mc and GHSA-78cv-mqj4-43f7. You can update to tornado-6.5.5 by following the tornado installation page.
12.4 to 13.0
Broken changes
Packages removed from SLFS that are in BLFS may have gotten security updates. Read BLFS 12.4 Security Advisories and BLFS Consolidated Security Advisories for such packages.
slfs-brk-12.4-004: GNAT/GCC-Ada (Date: January 17th, 2026)
The GNAT/GCC-Ada package has been dropped from SLFS. It was originally in GLFS from the belief that it was needed for the MinGW-w64 toolchain, as Wine might need Ada support. This is not the case, as every DLL in Wine is written in C. After learning this, the GNAT package was removed from GLFS. After a year or so, it was added to SLFS. The grounds for its addition weren't particularly strong, especially since no package in SLFS, GLFS, or BLFS needed it. It took time to ensure it works, with no benefit. Another issue is that its installation could be potentially dangerous for multiple reasons, namely for multilib support. This is because GNAT is just GCC with Ada, a part of normal GCC, so the installed GCC from LFS/MLFS/BLFS gets reinstalled, which can result in something important being lost, like x32 support for example. One mistake can also result in 32-bit support being removed from the toolchain. It's much safer and easier for the SLFS team to say good-bye to GNAT. GNAT won't be coming to GLFS or BLFS.
slfs-brk-12.4-003: CUDA (Date: December 23rd, 2025)
The CUDA package has been moved to GLFS. NVIDIA recently released the r590 major branch, dropping support for pre-Turing NVIDIA cards, and CUDA followed. GLFS now has both NVIDIA r580 and r590 to support pre- and post-Turing cards. Two CUDA versions are also included for each branch. Please refer to the GLFS Graphics Drivers - NVIDIA page for future updates to both NVIDIA and CUDA's multiple versions.
slfs-brk-12.4-002: nv-codec-headers (ffnvcodec) (Date: November 24th, 2025)
The nv-codec-headers (ffnvcodec) package has been moved to GLFS to be more convenient and concise when installing the NVIDIA driver and other related components. Please refer to the GLFS nv-codec-headers (ffnvcodec) page for future updates.
slfs-brk-12.4-001: SDL3 (Date: November 18th, 2025)
SLFS used to provide instructions for installing SDL3 and sdl2-compat. This was done as a reference implementation of what it may look like when it'd inevitably land in BLFS. Eventually, other packages like the Dolphin emulator required SDL3, so it became a necessary part of SLFS. Now, BLFS has SDL3 and instructions for sdl2-compat. SLFS has thus removed the instructions for installing SDL3 and sdl2-compat. GLFS has followed suit with BLFS. Please go to BLFS or GLFS for updates to SDL3 and sdl2-compat.
Security Advisories
slfs-sa-12.4-007: yt-dlp - Rating: High (Date: February 24th, 2026)
In yt-dlp-2026.02.21, a security vulnerability was fixed that could allow for code injection via a crafted link using the --netrc-cmd option. This works by pushing special characters to the shell outside of Python, like Bash or Zsh, which in turn allows for ACI. If you use the --netrc-cmd option or use scripts that use yt-dlp, you should update immediately to yt-dlp-2026.02.21. This security vulnerability has been assigned CVE-2026-26331. You can update to yt-dlp-2026.02.21 by following the yt-dlp installation page.
slfs-sa-12.4-006: OpenJDK-17 - Rating: High (Date: January 28th, 2026)
In OpenJDK-17.0.18, four security vulnerabilities were fixed that could allow for denial of service (DoS) attacks and modification of both critical and Java data. In most cases, these attacks, allowing attackers with network access to go through multiple protocols, don't require human interaction. Some are very easy to exploit while others are more difficult. These vulnerabilities are already being exploited, notably for Minecraft servers. Because of this, it is highly recommended to update OpenJDK to 17.0.18 immediately. These security vulnerabilities have been assigned CVE-2025-21925, CVE-2025-21932, CVE-2025-21933, and CVE-2025-21945. These exploits are shared with OpenJDK-21.
To update to OpenJDK-17.0.18, follow the OpenJDK-17 installation page. SysVinit and Systemd instructions for the page do not differ. It is also highly recommended to update to OpenJDK-21.0.10 if you have OpenJDK-21 installed by following the BLFS OpenJDK installation page.
slfs-sa-12.4-005: CDE - Rating: High (Date: January 7th, 2026)
In CDE-2.5.3, along with numerous other improvements, several memory safety problems were fixed. There were no CVEs assigned, but because of the sensitive nature of some of the bugs, users should update to CDE-2.5.3 by following the instructions from the CDE installation page. The SysVinit and systemd instructions for the page do differ in the installation of bootscripts and systemd units, but users can use the systemd-specific instructions from the SLFS 12.4 stable release if this is a fresh installation, as no changes were made to the units.
slfs-sa-12.4-004: i3 - Rating: High (Date: December 30th, 2025)
In i3-4.25, along with other code improvements, the update fixed a memory leak and use-after-free. These weren't assigned any IDs with any security authority. To be safe, users should update to i3-4.25 or later by following the i3 installation page. SysVinit and Systemd instructions for the page do not differ.
slfs-sa-12.4-003: tornado - Rating: High (Date: December 15th, 2025)
In tornado-6.5.3, three security vulnerabilities were fixed that could allow for header injection, cross-site scripting, and denial of service attacks. These security vulnerabilities have been assigned CVE-2025-67724, CVE-2025-67725, and CVE-2025-67726.
To update to tornado-6.5.3, follow the tornado installation page. SysVinit and Systemd instructions for the page do not differ.
slfs-sa-12.4-002: Mbed-TLS - Rating: Medium (Date: December 15th, 2025)
In Mbed-TLS-3.6.5, two security vulnerabilities were fixed that could allow for partial recovery of CBC-PKCS7-encrypted plaintext and private key material disclosure. These security vulnerabilities have been assigned CVE-2025-54764 and CVE-2025-59438.
To update to Mbed-TLS-3.6.5, follow the Mbed-TLS installation page. SysVinit and Systemd instructions for the page do not differ.
slfs-sa-12.4-001: OpenJDK-17 - Rating: High (Date: October 23rd, 2025)
In OpenJDK-17.0.17-ga, two security vulnerabilities were fixed that could allow for exploitation of APIs via multiple network protocols, leading to creation, modification, and deletion of data. This is especially an issue with Minecraft servers, as an affected JDK version will have elevated privileges because of calls to mods/modpacks. These vulnerabilities affect other major JDK versions. If you have multiple OpenJDK versions built, update all of them if there is an update present. These security vulnerabilities have been assigned CVE-2025-53057 and CVE-2025-53066.
To update to OpenJDK-17.0.17-ga, follow the OpenJDK installation page. SysVinit and Systemd instructions for the page do not differ. The Java page also has the new version.