BLFS-12.2 was released on 2024-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
In apr-1.7.5, a security vulnerability was fixed that allows local users to have read access to named shared memory segments, potentially revealing sensitive application data. This occurs due to lax permissions being set by the apr library at runtime. If you are using an application which uses apr (e.g. subversion, serf, or Apache HTTPD) that also utilizes sensitive data, it is highly recommended that you update apr as soon as possible. Update to apr-1.7.5. 12.2-002
Several security vulnerabilities were discovered in libcupsfilters, libppd, and cups-browsed, which have been chained together to allow for remote code execution. Previously, upstream releases did not exist for these packages. On 2024-10-21, BLFS was updated to handle these vulnerabilities. The vulnerabilities allow for information leakage, remote code execution, and remotely exploitable crashes. These vulnerabilities are currently being actively exploited. The vulnerabilities require no user interaction to exploit, and they do not require any authentication. If you run a CUPS server that is accessible from the internet, or if you use a public WiFi network, you should update the packages to 2.1.0 immediately. 12.2-022
In cURL-8.11.0, a security vulnerability was fixed that could allow for a minor potential denial of service when attempting to use HTTPS where it no longer works, or for a cleartext transmission of data that was otherwise intended to be protected. Update to cURL-8.11.0. 12.2-039
In cURL-8.10.0, a security vulnerability was fixed that could allow for an invalid server certificate (SSL certificate) to wrongfully register as valid when built with gnutls. 12.2-013
In fetchmail-6.5.0, a security vulnerability was resolved where users could obtain another user's passwords due to insufficient permissions on a user's .netrc file. This has been resolved by not allowing .netrc to have any more than 0700 permissions if it contains passwords. If a .netrc file does have more than 0700 permissions, fetchmail will now output a warning and ignore the file. Update to fetchmail-6.5.0. 12.2-035
In Firefox-128.4.0esr, ten security vulnerabilities were fixed that could allow for permissions leaks, remotely exploitable crashes, user confusion (for external protocol handlers), cross-site scripting attacks, origin spoofing, video frame leaks, clipboard spoofing, and remote code execution. Update to Firefox-128.4.0esr (or 115.17.0esr). 12.2-032
In Firefox-128.3.1esr, twelve security vulnerabilities were fixed that could allow for remote code execution, sandbox bypasses, cross-origin access to PDF and JSON contents through multipart responses, permission bypasses, unauthorized directory uploads, clickjacking, and remotely exploitable crashes. One of these issues is known to be exploited in the wild and is rated as critical. It is highly recommended that you update Firefox immediately to 128.3.1esr (or 115.16.1esr if you are on that series). 12.2-023
In Firefox-128.2.0esr, seven security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, and for remotely exploitable type confusion vulnerabilities. Update to Firefox-128.2.0esr. 12.2-004
In fop-2.10, a security vulnerability was fixed that could allow for a remote attacker to execute arbitrary code on a system while processing a crafted FO file. This occurs due to an XML External Entity Reference attack, and can happen without informing the user. Update to fop-2.10. 12.2-038
In Ghostscript-10.04.0, six security vulnerabilities were fixed that could allow for application crashes and arbitrary code execution while processing crafted PostScript and PDF documents. This can also be exploited via a malicious print job. Update to Ghostscript-10.04.0. 12.2-012
In intel-microcode-20240910, two hardware vulnerabilities are fixed. The first one may allow for information disclosure when using 3rd Generation Intel Xeon Scalable CPUs. For more information on this vulnerability, please read Intel-SA-01103. The second vulnerability may allow for a denial of service when using 10th-14th Generation Core processors, as well as the Intel Xeon D line of processors and the 3rd Generation Intel Xeon Scalable processors. For more details and a complete list of affected processors, please read Intel-SA-01097. To check if you are impacted and for instructions on updating the microcode, please see the security advisory. 12.2-015
In libarchive-3.7.7, three security vulnerabilities were fixed that could allow for a denial of service (out-of-memory condition or application crash) when processing crafted GZIP or TAR files. The gzip issue occurs when processing a malformed gzip file inside of another gzip file, and the two tar issues occur when processing headers and truncated tar archives. Update to libarchive-3.7.7. 12.2-034
In libarchive-3.7.5, four security vulnerabilities were fixed that could allow for remote code execution when processing crafted RAR4 archives. For at least one of these issues, a proof of concept exploit has been made public. All of the vulnerabilities are classified as heap buffer overflows. Update to libarchive-3.7.5. 12.2-009
In libgsf-1.14.53, two security vulnerabilities were fixed that could allow for arbitrary code execution when processing a malicious file in compound document binary file format. Both of these issues are heap buffer overflows caused by integer overflows. Update to libgsf-1.14.53 immediately. 12.2-018
In libpcap-1.10.5, a security vulnerability was fixed that could allow for a denial of service condition (application crash) when an application uses the pcap_findalldevs_ex() function. Note that the required functionality is not enabled by default. Update to libpcap-1.10.5 if you have remote packet capturing support enabled. 12.2-001
In mpg123-1.32.8, a security vulnerability was fixed that could allow for a denial of service or arbitrary code execution when decoding streams where output properties are changed, together with certain use of libmpg123. The vulnerability needs seeking around in the stream (including scanning it before actual decoding) to occur, but there are use cases where this could apply, such as concatenating several MP3 files together with varying formats or leading Info frames past the first track. This has been named as "Frankenstein's Monster", and has been classified as a buffer overflow. Update to mpg123-1.32.8. 12.2-031
In OpenJDK-23.0.1, five security vulnerabilities were fixed that could allow for a remote attacker (with no privileges required) to cause a denial of service condition (application crash) or possibly write/delete/access information on a system running a Java application. Update to OpenJDK-23.0.1. 12.2-037
In PHP-8.3.12, three security vulnerabilities were fixed that could allow for unauthorized modification of logs, bypass of the force_redirect configuration, and for data integrity violations when processing multipart form data. The unauthorized modification of logs vulnerability occurs in the FPM module, and the vulnerability can also be used to remove data from system logs if PHP is configured to use syslog. The data integrity violation vulnerability occurs in the SAPI module, and the bypass of the force_redirect configuration happens in the CGI module. Update to PHP-8.3.12. 12.2-014
In Python-3.12.6, three security vulnerabilities were fixed that could allow for denial of service conditions (crashes and excessive resource usage). These issues occur in the HTTP functionality as well as handling of TAR and ZIP archives in Python. Update to Python-3.12.6. 12.2-008
In Qt6-6.7.3, a security vulnerability was fixed in the HTTP/2 component that could cause decisions regarding encryption on an established connection to execute too early, because the encrypted() signal was not yet emitted and processed. This could allow for data to accidentally end up unencrypted when transmitted over HTTP/2 using an application that uses Qt. Update to Qt6-6.7.3. 12.2-016
In QtWebEngine-6.8.0, three security vulnerabilities were fixed that could allow for remote code execution. These vulnerabilities occur in the bundled copy of Chromium, and are in the Skia, V8, and Dawn components. If you have QtWebEngine installed, you should update this package as soon as you can. Update to QtWebEngine-6.8.0. 12.2-025
In QtWebEngine-6.7.3, 45 security vulnerabilities were fixed that could allow for remote code execution, sandbox escapes, information disclosure, UI spoofing, policy bypasses, and arbitrary reading/writing of files on the system. These can all be exploited by malicious extensions, malicious HTML files, malicious PDF files, or in some cases malicious fonts. The issues are all in the bundled copy of Chromium, and they impact the ANGLE, V8, WebAudio, Frames, CSS, FedCM, Dawn, Loader, Navigation, Screen Capture, WebAssembly, Swiftshader, CORS, Audio, PDFium, Skia, Permissions, Fonts, and Scheduling components. Because of the amount of vulnerabilities and the severity of them, all users who have this package installed should update to QtWebEngine-6.7.3 immediately. Update to QtWebEngine-6.7.3. 12.2-017
In Ruby-3.3.5, four security vulnerabilities were fixed that could allow for a denial of service (application crash) when processing crafted XML files with the REXML gem, which is built into Ruby. If you process untrusted XML using Ruby, it is highly recommended to update to Ruby-3.3.5 immediately. 12.2-003
In Seamonkey-2.53.19, 37 security vulnerabilities were fixed that could allow for remote code execution, decryption of data to plaintext (on Intel Sandy Bridge machines), memory corruption, remotely exploitable application crashes, cross-site scripting, sandbox escapes, information disclosure, and bypass of the content security policy. The 0.0.0.0 day security issue is also resolved in Seamonkey, though it has not been resolved in QtWebEngine or Firefox yet. The 0.0.0.0 day vulnerability allows for localhost APIs to be exploited by cross-site request forgery, and several proof of concept exploits exist. Some examples of this attack being exploited include eBay performing port scans on systems upon loading a page. The port scan was performed via JavaScript. This update brings Seamonkey up to the level of Firefox 115.14.0esr for security fixes. Update to Seamonkey-2.53.19. 12.2-011
In Spidermonkey-128.3.1esr, a security vulnerability was fixed that could allow for memory corruption due to the JavaScript garbage collector mis-coloring cross-compartment objects if an Out Of Memory condition was detected at the right point between two passes. Note that if you do not wish to upgrade to 128.3.1esr (and thus also update gjs), you can use Spidermonkey-115.16.1esr. Update to Spidermonkey-128.3.1esr (or 115.16.1esr). 12.2-027
In tiff-4.7.0, two security vulnerabilities were fixed that could allow for a denial of service (application crash via a segmentation fault) when processing crafted TIFF files. This occurs in the TIFFReadRGBATileExt() function, as well as in tif_dirinfo.c. Both of these flaws can be exploited via a web browser or an image viewer. Update to tiff-4.7.0. 12.2-010
In Thunderbird-128.4.3esr, one security vulnerability was fixed that could allow for messages encrypted with OpenPGP to be sent in plain text. Update to Thunderbird-128.4.3esr. 12.2-042
In Thunderbird-128.4.0esr, ten security vulnerabilities were fixed that could allow for permissions leaks, remotely exploitable crashes, user confusion (for external protocol handlers), cross-site scripting attacks, origin spoofing, video frame leaks, clipboard spoofing, and remote code execution. Update to Thunderbird-128.4.0esr. 12.2-033
In Thunderbird-128.3.2esr, a security vulnerability was fixed that could allow for remote code execution. The vulnerability occurs in the Animation component of the shared Gecko component, and thus could be exploited by a malicious HTML email. Due to the critical nature of this vulnerability, it is highly recommended that you update Thunderbird immediately. The issue is being actively exploited in the wild. Update to Thunderbird-128.3.2esr. 12.2-026
In Thunderbird-128.3.0esr, twelve security vulnerabilities were fixed that could allow for remote code execution, sandbox bypasses, cross-origin access to PDF and JSON contents through multipart responses, permission bypasses, unauthorized directory uploads, clickjacking, and remotely exploitable crashes. Update to Thunderbird-128.3.0esr. 12.2-024
In Thunderbird-128.2.0esr, eight security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, remotely exploitable type confusion vulnerabilities, and remotely exploitable crashes. Update to Thunderbird-128.2.0esr. 12.2-005
In Unbound-1.21.1, a security vulnerability was fixed that could allow for a remotely exploitable denial of service. It can be exploited by the attacker by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query, it will try to apply name compression, which had no boundaries until this update, and would lock the CPU until the packet was done compressing. Update to Unbound-1.21.1. 12.2-020
In WebKitGTK-2.46.3, two security vulnerabilities were fixed that could allow for unexpected process crashes and content security policy bypasses. These both happen when processing maliciously crafted web content, and were resolved with improved input validation and other checks. Update to WebKitGTK-2.46.3. 12.2-036
In WebKitGTK-2.46.1, three security vulnerabilities were fixed that could allow for universal cross-site scripting, address bar spoofing, and cross-origin data exfiltration. In addition, the 0.0.0.0 day security vulnerability was fixed. The 0.0.0.0 day vulnerability allows for localhost APIs to be exploited by cross-site request forgery, and several proof of concept exploits exist. Note that you must update Epiphany to 46.4 or later after this update is installed. Update to WebKitGTK-2.46.1. 12.2-021
In wget-1.25.0, a security vulnerability was fixed that could allow for server-side request forgery, phishing, data leakage, and man in the middle attacks when using shorthand FTP URLs. Update to wget-1.25.0. 12.2-040
In Wireshark-4.4.1, two security vulnerabilities were fixed that could allow for denial of service conditions (application crashes) via capturing faulty packets, or opening a crafted capture file. The issues occur in the AppleTalk, RELOAD, and ITS packet dissectors. If you use any of these three protocols, you should update Wireshark to prevent crashes. Update to Wireshark-4.4.1. 12.2-028
In xdg-desktop-portal-1.18.4, a security vulnerability was fixed that allows for a sandbox escape via the RequestBackground portal. This also allows for arbitrary command execution, in some cases with privileges escalated to root. This update should be considered urgent. It requires an update to Bubblewrap as well to be effective. Update to Bubblewrap-0.10.0 and xdg-desktop-portal-1.18.4 as soon as possible. 12.2-019
In Xorg-Server-21.1.14, a security vulnerability was fixed that could allow for denial of service or remote code execution (if the server is run over VNC or with SSH X Forwarding). On systems where X is running as root, this can be used to also cause local privilege escalation, but BLFS has not run the X.org server as root since the introduction of elogind in BLFS 9.0. The vulnerability occurs due to a heap buffer overflow in the _XkbSetCompatMap function. Update to Xorg-Server-21.1.14 and upgrade TigerVNC if it is also installed. 12.2-029
In Xwayland-24.1.4, a security vulnerability was fixed that could allow for denial of service. On systems where X is running as root, this can be used to also cause local privilege escalation, but BLFS has not run the X.org server as root since the introduction of elogind in BLFS 9.0. The vulnerability occurs due to a heap buffer overflow in the _XkbSetCompatMap function. Update to Xwayland-24.1.4. 12.2-030