BLFS Security Advisories for BLFS 12.3 and the current development books.
BLFS-12.3 was released on 2025-03-05
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
Bind
12.3 036 Bind Date: 2025-05-24 Severity: High
A fix has been made to the ISC Bind server software which prevents the server from stopping when it receives malformed data in a TSIG transaction. It is recommended to upgrade to at least 9.20.9 as soon as possible. 12.3-036
c-ares
12.3 016 c-ares Date: 2025-05-20 Severity: High
In c-ares-1.34.5, a security vulnerability was fixed that could allow a crash when processing DNS queries where a DNS Cookie Failure occurs, where an upstream server does not properly support EDNS, or possibly on TCP queries if the remote server closed the connection immediately after a response. Update to c-ares-1.34.5. 12.3-016
Epiphany
12.3 024 Epiphany Date: 2025-05-20 Severity: High
In Epiphany-48.1, a security vulnerability was fixed that allows websites to trigger URL handlers with no user interaction or warning. If the handler application that is called is vulnerable, remote code execution is possible under the user's current context. Update to Epiphany-48.3. 12.3-024
Exempi
12.3 015 Exempi Date: 2025-05-20 Severity: Medium
In Exempi-2.6.6, five security vulnerabilities were fixed that could allow for denial of service (application crashes) or for information disclosure of sensitive memory when processing crafted XMP metadata. The issues are all caused by out-of-bounds reads in the Adobe XMP Toolkit SDK that comes bundled with Exempi. Update to Exempi-2.6.6. 12.3-015
Exim
12.3 009 Exim Date: 2025-05-20 Severity: High
In Exim-4.98.2, a security vulnerability was fixed that could allow users with command line access to the server to cause privilege escalation. The issue occurs due to a use-after-free. Update to Exim-4.98.2. 12.3-009
Firefox
12.3 038 Firefox Date: 2025-05-28 Severity: Critical
In Firefox-128.11.0esr, seven security vulnerabilities were fixed that could allow for remotely exploitable crashes, memory corruption, remote code execution, cross-origin information leakage, local code execution through the "Copy as cURL" command, and for clickjacking to trick users into leaking saved payment card details. One of the vulnerabilities is rated as Critical, and thus all users should update immediately. Update to Firefox-128.11.0esr. 12.3-038
12.3 034 Firefox Date: 2025-05-20 Severity: Critical
In Firefox-128.10.1esr (and 128.9.0/128.10.0), nine security vulnerabilities were fixed that could allow for remote code execution, URL bar spoofing, sandbox escapes, and unsafe attribute access (leading to out-of-bounds memory access and memory corruption). Most of these vulnerabilities are exploitable via standard web browsing, and two of the remote code execution vulnerabilities are known to be exploited in the wild. The two remote code execution vulnerabilities mentioned were demonstrated at the Vancouver Pwn2Own conference. All users who have Firefox installed must urgently update to Firefox-128.10.1esr to protect their system. 12.3-034
12.3 002 Firefox Date: 2025-03-07 Severity: Critical
In Firefox-128.8.0esr, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, arbitrary code execution, clickjacking, and for web extensions to be disguised as different elements on a web page. Due to one of the remote code execution vulnerabilities being actively exploited in the wild, and because it does not require user interaction, the BLFS team recommends that all users who have Firefox installed update to 128.8.0esr as soon as possible. 12.3-002
ghostscript
12.3 025 ghostscript Updated: 2025-05-28 Severity: Critical
In ghostscript-10.05.0, nine security vulnerabilities were fixed that could result in remote code execution or arbitrary file access. The arbitrary file access vulnerability occurs due to issues with truncated paths containing invalid UTF-8 characters. The remainder of the issues occur due to buffer overflows in various contexts, including processing PDF files, serializing fonts, utilising the BJ10V, DOCXWRITE, TXTWRITE, and NPDL devices, and converting glyphs to Unicode. All users who have Ghostscript installed are encouraged to update as soon as possible. At the time of this advisory, the book had ghostscript-10.05.1, but it was not known that an additional security vulnerability was fixed in 10.05.1. That issue allows passwords to be stored in plaintext in encrypted PDF files. Update to ghostscript-10.05.1. 12.3-025
Updated on 2025-05-28 to include information about CVE-2025-48708, which was already fixed in the book when this advisory was filed, though the vulnerability was not known at the time.
giflib
12.3 023 giflib Date: 2025-05-20 Severity: High
In giflib-5.2.2, several security vulnerabilities were discovered. Only one of them has a functional patch, and the BLFS team has adopted a patch from the OpenMandriva team to resolve the issue. The issue is a heap buffer overflow in the gif2rgb utility, that causes a crash and has a chance to cause arbitrary code execution. Rebuild giflib with the security fixes patch. 12.3-023
Gimp
12.3 032 Gimp Date: 2025-05-20 Severity: High
In Gimp-3.0.4, a security vulnerability was fixed that could allow for remote code execution when processing a crafted .ICO file. The vulnerability appears to have been introduced in an early release candidate for gimp3, and is caused by an integer overflow. Update to Gimp-3.0.4, but note that you must update babl to 0.1.114 and gegl to 0.4.62 first. 12.3-032
gstreamer
12.3 041 gstreamer Date: 2025-05-30 Severity: Medium
In gst-plugins-base and gst-plugins-good 1.26.2, five security vulnerabilities were resolved that could allow for remotely exploitable denial of service (application crashes) or information disclosure. The vulnerabilities occur when processing SubRip or TMPlayer format subtitles, as well as when reading crafted MOV and MP4 files. Update the gstreamer stack to 1.26.2. 12.3-041
12.3 026 gstreamer Date: 2025-05-20 Severity: High
In gst-plugins-bad-1.26.1, a security vulnerability was fixed that can allow for a crash or remote code execution when processing malformed streams in a video file using the H.265 codec. The issue is caused by a stack buffer overflow that occurs when processing slice headers. Update to gstreamer-1.26.1. 12.3-026
intel-microcode
12.3 029 intel-microcode Date: 2025-05-20 Severity: Medium
In intel-microcode-20250512, eight processor-level security issues were addressed. Six of the security vulnerabilities allow for information disclosure, and two allow for denial of service. These vulnerabilities impact the 8th, 9th, 10th, 11th, 12th, 13th, and 14th Generation of Intel Core CPUs as well as some Intel Atom, Celeron, and Pentium models. They also impact the Xeon E and D series of CPUs, the Xeon Max series of CPUs, the Core Ultra series, and some Intel Xeon Scalable CPUs. For more information, please consult the Intel Security Advisories: INTEL-SA-01153 (CVE-2024-28956), INTEL-SA-01247 (CVE-2024-43420, CVE-2025-20623, and CVE-2024-45332), INTEL-SA-01322 (CVE-2025-24495 and CVE-2025-20012), and INTEL-SA-01244 (CVE-2025-20103 and CVE-2025-20054).
To check if you are impacted and update your system, please follow the instructions in the advisory.
12.3-029
Kea DHCP server
12.3 040 Kea DHCP server Date: 2025-05-28 Severity: High
Three security flaws have been made public by ISC. Two of them are fixed by upgrading to version 2.6.3 or above, and one is fixed by proper configuration and setup. For more information, check the ISC Security Advisories:
CVE-2025-32801: Loading a malicious hook library can lead to local privilege escalation
CVE-2025-32802: Insecure handling of file paths allows multiple local attacks
CVE-2025-32803: Insecure file permissions can result in confidential information leakage
If you have Kea installed, see details at 12.3-040
libarchive
12.3 037 libarchive Date: 2025-05-28 Severity: High
In libarchive-3.8.0, five security vulnerabilities were fixed that could allow for crashes and memory corruption when processing RAR archives, TAR archives, and WARC archives. The issues are due to heap buffer overflows, signed integer overflows, and double-frees. Update to libarchive-3.8.0. 12.3-037
12.3 008 libarchive Date: 2025-05-20 Severity: Medium
In libarchive-3.7.9, three security vulnerabilities were fixed that could allow for denial of service (application crashes) or potential memory corruption when processing ZIP or TAR archives. Update to libarchive-3.7.9. 12.3-008
LibreOffice
12.3 027 LibreOffice Date: 2025-05-20 Severity: Critical
In LibreOffice-25.2.2.2, a security vulnerability was fixed that allows for PDF signature forgery when using the adbe.pkcs7.sha1 SubFilter. The bug causes invalid signatures to be accepted as valid, and the vulnerability has been rated Critical by NVD as it meets the criteria of "Improper Verification of Cryptographic Signature" and "PDF Signature Spoofing by Improper Validation". All users who use LibreOffice to open PDFs should update to LibreOffice-25.2.2.2 or later, as this could allow for phishing. Update to LibreOffice-25.2.2.2. 12.3-027
libsoup2
12.3 022 libsoup2 Updated: 2025-05-28 Severity: Critical
In libsoup-2.74.3, fourteen security vulnerabilities were discovered that could allow for remotely exploitable crashes, remote code execution, HTTP Request Smuggling, and memory corruption. These are very similar to the vulnerabilities fixed in the recent libsoup3 update, but the set also includes several vulnerabilities that are specific to libsoup2. Because of the security vulnerabilities in libsoup2, and the fact that the only packages in BLFS that require it are abandoned, the BLFS team has archived libsoup2 as well as consumers such as AbiWord and libgdata. However, the BLFS team has also developed a patch for libsoup2 to fix these known vulnerabilities for users who have libsoup2 installed. We will not be producing further patches for this package to fix further issues after BLFS 12.4 is released, and we recommend that all users who have libsoup2 installed discontinue usage of the library, as well as libgdata and AbiWord. If you are using libsoup2, use the instructions in the advisory to apply the patch and fix the vulnerabilities.
Updated on 2025-05-28 to add additional text about rebuilding gst-plugins-good with -Dsoup-version=3. Thanks goes to Rainer Fiebig for the information!
libsoup3
12.3 021 libsoup3 Date: 2025-05-20 Severity: Critical
In libsoup-3.6.5, ten security vulnerabilities were fixed that could allow for remotely exploitable crashes, remote code execution, and memory corruption. All users who have libsoup3 installed should update to libsoup-3.6.5 as soon as possible, and keep an eye on the security advisories to monitor for new updates as there are many CVEs still yet unresolved upstream. 12.3-021
libxml2
12.3 014 libxml2 Date: 2025-05-20 Severity: High
In libxml2-2.14.2 (and 2.13.8), two security vulnerabilities were fixed that could result in a denial of service (application crash) or arbitrary code execution when processing XML documents. Update to libxml2-2.13.8. The BLFS team does not recommend updating systems to the libxml2-2.14 series because the 2.14 series is ABI incompatible with 2.13, and in addition to rebuilding all packages that use libxml2, the libxkbcommon and localsearch packages will also need to be updated. 12.3-014
libxslt
12.3 004 libxslt Date: 2025-03-14 Severity: High
In libxslt-1.1.43, two security vulnerabilities were fixed which could allow for arbitrary code execution and crashes when processing XSL documents. Both of these vulnerabilities are use-after-free bugs. Update to libxslt-1.1.43. 12.3-004
lxml (Python Module)
12.3 013 lxml (Python Module) Date: 2025-05-20 Severity: High
In lxml-5.4.0, the bundled copies of libxml2 and libxslt were updated to fix five security vulnerabilities. These vulnerabilities are known to cause crashes and arbitrary code execution when processing XML and XSLT documents. Update to lxml-5.4.0. 12.3-013
Mercurial
12.3 010 Mercurial Date: 2025-05-20 Severity: Medium
In Mercurial-7.0.1, a security vulnerability was fixed that could allow for cross-site scripting through the web interface (hgweb). A default installation of Mercurial on BLFS is NOT vulnerable as the system must be configured to use the 'hgweb' program, and the BLFS configuration does not enable this functionality. If you are using hgweb though, please update to Mercurial-7.0.1 as soon as possible. Otherwise, there is no need to install this update. 12.3-010
OpenJDK
12.3 031 OpenJDK Date: 2025-05-20 Severity: High
In OpenJDK-24.0.1, three security vulnerabilities were fixed that could allow for remote code execution, arbitrary code execution, and unauthorized data modification. No user interaction or privileges are required to exploit these vulnerabilities. Update to OpenJDK-24.0.1. 12.3-031
PHP
12.3 005 PHP Date: 2025-03-14 Severity: Medium
In PHP-8.4.5, seven security vulnerabilities were fixed that could allow for crashes, arbitrary code execution, unauthorized HTTP redirects, authentication bypasses, remote system crashes, and for invalid HTTP headers to be processed. The vulnerabilities exist in the Streams, libxml, and Core components of PHP. All users who use PHP for web applications are encouraged to update to this version to fix these vulnerabilities. Update to PHP-8.4.5. 12.3-005
PostgreSQL
12.3 028 PostgreSQL Date: 2025-05-20 Severity: Medium
In PostgreSQL-17.5, a security vulnerability was fixed that can allow for a database input provider to achieve temporary denial of service on any platform where a 1-byte over-read can trigger process termination. Both libpq and the database server are impacted, so it is possible for client applications to crash as well. Update to PostgreSQL-17.5. 12.3-028
Python
12.3 018 Python (LFS and BLFS) Date: 2025-05-20 Severity: Medium
In Python-3.13.3, two security vulnerabilities were fixed that could allow for email header spoofing and a denial-of-service (unbounded memory usage). In addition, another vulnerability was resolved after this release of Python that can cause a crash when using the unicode_escape encoding or an error handler when decoding bytes using the bytes.decode() function. Update to Python-3.13.3 and apply the patch for the bytes.decode() vulnerability. 12.3-018
Qt6
12.3 011 Qt6 Date: 2025-05-20 Severity: Low
In Qt-6.9.0, a security vulnerability has been fixed that could allow for a heap buffer overflow when passing an incorrectly formatted Markdown file to QTextMarkdownImporter. The only known impacts at this time are application crashes. Updating Qt6 to 6.9.0 can be risky and requires some package rebuilds due to the usage of private API that was changed in Qt 6.9.0, but the BLFS team has tested it and if you want to take the risk, update to Qt 6.9.0. A patch is also available for Qt 6.8 but has not been tested by the BLFS team. 12.3-011
QtWebEngine
12.3 012 QtWebEngine Date: 2025-05-20 Severity: Critical
In QtWebEngine-6.9.0, fifteen security vulnerabilities were fixed that could allow for sensitive system data exfiltration, user interface spoofing, remote code execution, arbitrary code execution, and sandbox escapes. All users who have QtWebEngine installed should update to QtWebEngine-6.9.0 as one of the vulnerabilities is known to be exploited in the wild. 12.3-012
Screen
12.3 030 Screen Updated: 2025-05-28 Severity: High
In Screen-5.0.1, five security vulnerabilities were fixed that could allow for a reliable local privilege escalation to root, for leaking of file existence information, for TTY hijacking while attaching to a multi-user session, for race conditions when sending signals, and for PTYs to be created world-writable. A serious buffer overflow bug caused by a bad strncpy() was also fixed in this release. Because the default configuration of Screen in BLFS is setuid-root, all systems with Screen installed are impacted by these vulnerabilities, some of which date back to Screen releases from as far back as 2025. If you have Screen installed, please update to Screen-5.0.1 immediately. 12.3-030
Updated on 2025-05-28 to include the correct CVE number for the last vulnerability.
Spidermonkey
12.3 033 Spidermonkey Date: 2025-05-20 Severity: Critical
In Spidermonkey-128.10.1, two critical security vulnerabilities were fixed that could allow an attacker to read and write out-of-bounds memory by executing malicious JavaScript. These vulnerabilities were shown at Vancouver Pwn2Own to achieve remote code execution and JavaScript manipulation. All users with Spidermonkey installed need to update to 128.10.1 urgently. 12.3-033
12.3 001 Spidermonkey Date: 2025-03-07 Severity: High
In Spidermonkey-128.8.0, two security vulnerabilities were fixed that could allow for arbitrary code execution due to type confusion, as well as arbitrary code execution due to unexpected garbage collection occurring during Regular Expression bailout processing. Note that the type confusion vulnerability only impacts 64-bit CPUs. Update to Spidermonkey-128.8.0. 12.3-001
Thunderbird
12.3 039 Thunderbird Date: 2025-05-28 Severity: Critical
In Thunderbird-128.11.0esr, seven security vulnerabilities were fixed that could allow for remotely exploitable crashes, memory corruption, remote code execution, cross-origin information leakage, local code execution through the "Copy as cURL" command, and for clickjacking to trick users into leaking saved payment card details. One of the vulnerabilities is rated as Critical, and thus all users should update immediately. Update to Thunderbird-128.11.0esr. 12.3-039
12.3 035 Thunderbird Date: 2025-05-20 Severity: Critical
In Thunderbird-128.10.2esr (as well as 128.9.1, 128.9.2, 128.10.0, and 128.10.1), eighteen security vulnerabilities were fixed that could allow for remote code execution, URL bar spoofing, arbitrary code execution, leaks of hashed Windows credentials, information disclosure of the directory listing of /tmp, UI misrepresentation of attachment URLs, sandbox escapes, remotely exploitable crashes, unsafe attribute accesses (leading to memory corruption and out-of-bounds memory access), sender spoofing (leading to extremely trivial phishing attacks), unsolicited file downloads, disk space exhaustion, credential leakage to remote attackers via compromised emails and attachments, JavaScript execution via spoofed PDF attachments, and tracking links in attachments bypassing remote content blocking. All users who have Thunderbird installed need to update to Thunderbird-128.10.2esr urgently to protect their systems. 12.3-035
12.3 003 Thunderbird Date: 2025-03-07 Severity: Critical
In Thunderbird-128.8.0esr, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, arbitrary code execution, clickjacking, and for web extensions to be disguised as different elements on a web page. Due to one of the remote code execution vulnerabilities being actively exploited in the wild, and because it does not require user interaction, the BLFS team recommends that all users who have Thunderbird installed update to 128.8.0esr as soon as possible. 12.3-003
WebKitGTK
12.3 007 WebKitGTK Date: 2025-05-20 Severity: Critical
In WebKitGTK-2.48.2, sixteen security vulnerabilities were fixed that could result in unexpected process crashes, cross-origin data exfiltration, memory corruption, cross-site scripting attacks, type confusion (on ARM architectures), and sandbox escapes. The sandbox escape vulnerability is known to be exploited in the wild, and it is thus recommended that users update WebKitGTK immediately. Update to WebKitGTK-2.48.2. 12.3-007
Yelp
12.3 020 Yelp Date: 2025-05-20 Severity: High
In Yelp-42.2, a security vulnerability was found that allows help documents to execute arbitrary JavaScript, and also read arbitrary files on the disk. Upstream has not released a patched version to fix this issue, but the BLFS team has adopted patches from upstream to resolve this issue. There is a public exploit and writeup available demonstrating the ability to read a user's SSH Private Key via a crafted help document, and thus ALL BLFS USERS WHO HAVE YELP INSTALLED SHOULD APPLY THE PATCHES AS SOON AS POSSIBLE. Rebuild yelp and yelp-xsl with the security patches. 12.3-020