BLFS Security Advisories for BLFS 12.3 and the current development books.
BLFS-12.3 was released on 2025-03-05
- There are currently no known security vulnerabilities for BLFS-12.3.
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
Firefox
12.3 002 Firefox Date: 2025-03-07 Severity: Critical
In Firefox-128.8.0esr, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, arbitrary code execution, clickjacking, and for web extensions to be disguised as different elements on a web page. Due to one of the remote code execution vulnerabilities being actively exploited in the wild, and because it does not require user interaction, the BLFS team recommends that all users who have Firefox installed update to 128.8.0esr as soon as possible. 12.3-002
libxslt
12.3 004 libxslt Date: 2025-03-14 Severity: High
In libxslt-1.1.43, two security vulnerabilities were fixed which could allow for arbitrary code execution and crashes when processing XSL documents. Both of these vulnerabilities are use-after-free bugs. Update to libxslt-1.1.43. 12.3-004
PHP
12.3 005 PHP Date: 2025-03-14 Severity: Medium
In PHP-8.4.5, seven security vulnerabilities were fixed that could allow for crashes, arbitrary code execution, unauthorized HTTP redirects, authentication bypasses, remote system crashes, and for invalid HTTP headers to be processed. The vulnerabilities exist in the Streams, libxml, and Core components of PHP. All users who use PHP for web applications are encouraged to update to this version to fix these vulnerabilities. Update to PHP-8.4.5. 12.3-005
Spidermonkey
12.3 001 Spidermonkey Date: 2025-03-07 Severity: High
In Spidermonkey-128.8.0, two security vulnerabilities were fixed that could allow for arbitrary code execution (due to type confusion), as well as arbitrary code execution due to unexpected garbage collection occurring during Regular Expression bailout processing. Note that the type confusion vulnerability only impacts 64-bit CPUs. Update to Spidermonkey-128.8.0. 12.3-001
Thunderbird
12.3 003 Thunderbird Date: 2025-03-07 Severity: Critical
In Thunderbird-128.8.0esr, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, arbitrary code execution, clickjacking, and for web extensions to be disguised as different elements on a web page. Due to one of the remote code execution vulnerabilities being actively exploited in the wild, and because it does not require user interaction, the BLFS team recommends that all users who have Thunderbird installed update to 128.8.0esr as soon as possible. 12.3-003