BLFS-11.2 was released on 2022-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
In httpd-2.4.55, three security vulnerabilities were fixed in the mod_proxy, mod_proxy_ajp, and mod_dav modules that could allow for HTTP Response Splitting, Request Smuggling, and remotely exploitable crashes. Update to httpd-2.4.55 if you are using those modules. 11.2-072
In apr-1.7.2, three security vulnerabilities were fixed regarding out-of-bounds writes. Update to apr-1.7.2. 11.2-077
In apr-util-1.6.3, a security vulnerability was fixed that allowed an attacker to write beyond bounds of a buffer. Update to apr-util-1.6.3. 11.2-076
In BIND-9.18.7, six security vulnerabilities were fixed that could allow for denial of service or arbitrary code execution. Update to BIND-9.18.7 if you are using it for anything other than the client utilities. 11.2-012
In cURL-7.88.1, three security vulnerabilities were fixed that could allow for HSTS bypasses and denial of service. Update to cURL-7.88.1 or later. 11.2-099
In cURL-7.87.0, two security vulnerabilities were fixed that could allow for an HSTS bypass when using IDN, and for secure tunnel failure when using SMB and TELNET protocols with cURL and stunnel. Update to cURL-7.87.0 or later. 11.2-063
In cURL-7.86.0, three security vulnerabilities were fixed that could allow for denial-of-service (application crashes), PUT confusion, and for HSTS bypasses. Update to cURL-7.86.0 or later. 11.2-027
In cURL-7.85.0, a security vulnerability was fixed that could allow for some sites to deny access to other sites when processing control codes in cookies. Update to cURL-7.85.0 or later. 11.2-002
In dbus-1.14.4, three security vulnerabilities were fixed that could allow for unprivileged attackers to cause denial-of-service conditions (system dbus-daemon crashes, as well as crashes of any programs which use the libdbus library). Update to dbus-1.14.4 or later. 11.2-018
In DHCP-4.4.3-P1, two security vulnerabilities were fixed that could allow for a denial-of-service and memory leak in the DHCPD server. Update to DHCP-4.4.3-P1 if you are using the DHCPD server. 11.2-019
In Epiphany-43.1, a security vulnerability was fixed that could allow for password exfiltration through autofill when in a sandboxed environment. Update to Epiphany-43.1 immediately if you use its password manager. 11.2-102
In Firefox-102.8.0esr, eleven security vulnerabilities applicable to linux systems were fixed, eight of them rated as High by upstream. 11.2-093
In Firefox-102.7.0esr, seven security vulnerabilities were fixed, three of them rated as High by upstream. 11.2-067
In Firefox-102.6.0esr, six security vulnerabilities were fixed, four of them rated as High by upstream. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. 11.2-052
In Firefox-102.5.0esr, twelve security vulnerabilities were fixed, seven of them rated as High by upstream. 11.2-043
In Firefox-102.4.0esr, four security vulnerabilities were fixed, two of them rated as High by upstream. Details at 11.2-015
In Firefox-102.3.0esr several security vulnerabilities, of which three were rated as high, were fixed. Update to firefox-102.3.0esr. 11.2-007
In glib-2.74.4, several security vulnerabilities were fixed in the GVariant normalization code and GDBusMenuModel. Update to glib-2.74.4. 11.2-062
In git-2.39.2, two security vulnerabilities were fixed that could allow for data exfiltration and path traversal/arbitrary file overwrites when using repositories with symbolic links. Update to git-2.39.2, especially if you are using a repository from an untrusted source with submodules. 11.2-095
In git-2.39.1, two security vulnerabilities were fixed that could allow for remote code execution on git clients and servers when using repositories with a .gitattributes file, or when running the 'git log' and 'git archive' commands. Update to git-2.39.1 immediately. 11.2-071
In git-2.38.1, two security vulnerabilities were fixed that could allow for remote code execution on servers which have 'git' installed, and for leakage of sensitive information on systems where untrusted repositories are cloned when symbolic links exist within the repository. Update to git-2.38.1 immediately, especially if you run a git server. 11.2-024
In GnuTLS-3.8.0, a security vulnerability which allowed a remote attacker to perform a man-in-the-middle attack was fixed. Update to GnuTLS-3.8.0. 11.2-089
In HTTP-Daemon-6.15 a vulnerability was fixed which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. Update to HTTP-Daemon-6.15. 11.2-103
BLFS updated to ImageMagick-7.1.0-61 from 7.1.0-46. Belatedly, two CVEs have been raised against 7.1.0-49 (each with the same one-line fix in 7.1.0-52). These were for a Denial of Service and possible information disclosure on png files. The relevant code in 7.1.0-49 was identical in 7.1.0-46. Update to ImageMagick-7.1.0-61 or later. 11.2-090
Intel microcode for some processors has been updated to fix two information disclosure vulnerabilities exploitable by local privileged users, and one privilege escalation vulnerability exploitable via adjacent network address. Read 11.2-094 for the list of affected processors and how to update the microcode to fix the vulnerabilities.
In jasper-4.0.0, two security vulnerabilities were fixed that could allow for a denial of service when processing crafted JPEG2000 images. Update to jasper-4.0.0 if you use gegl (GIMP), Qt5 (KDE Applications such as Gwenview and Okular), or ImageMagick. 11.2-034
In OpenJDK-19.0.2, two security vulnerabilities were fixed that could allow an unauthenticated attacker with network access to compromise a Java VM. Update to OpenJDK-19.0.2 immediately. 11.2-101
In OpenJDK-19.0.1, five security vulnerabilities were fixed that could allow an unauthenticated attacker with network access through Kerberos, HTTP, or (more difficult) other protocols, to compromise a Java VM. Update to OpenJDK-19.0.1 immediately. 11.2-028
In the Javascript code of firefox-102.8.0 there is a fix for a Use After Free, which could cause a potentially exploitable crash. 11.2-092
In the Javascript code of firefox-102.5.0 there is a fix for a Use After Free of a Javascript Realm, which could cause a potentially exploitable crash. 11.2-042
In krb5-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service on 32-bit systems. Update to krb5-1.20.1 if you are using a 32-bit system, especially if you are using one in a server role. 11.2-044
In libksba-1.6.3 another severe bug in parsing ASN.1 structures was fixed. 11.2-059
In libksba-1.6.2 a severe bug in parsing ASN.1 structures was fixed. 11.2-014
In libtiff-4.5.0, ten security vulnerabilities in the libtiff library and the 'tiffcrop' utility were fixed that could allow for arbitrary code execution and denial of service. Update to libtiff-4.5.0. 11.2-064
In libtiff-4.4.0, five security vulnerabilities exist which can cause crashes when using the 'tiffcrop' and 'tiffsplit' utilities provided by that package. The BLFS team has created a patch to fix these issues. Rebuild libtiff with the patch. 11.2-026
In libxml2-2.10.3, two security vulnerabilities were fixed that could allow for denial-of-service conditions or arbitrary code execution depending on the context in which an XML document is loaded. Update to libxml2-2.10.3. 11.2-020
In Node.js-18.14.1, five security vulnerabilities were fixed. One of these is rated as High. Update to Node.js-v18.14.1 (or v16.19.1 if you intend to stay with v16 and will be monitoring that for future updates). 11.2-097
In Node.js-18.12.1, three security vulnerabilities were fixed. Only one applies to the version (16.18.0) which is in the stable book. It allows an attacker to perform DNS rebinding and execute arbitrary code. Update to Node.js-18.12.1. 11.2-035
In Node.js-16.17.1, three security vulnerabilities were fixed that could allow for HTTP Request Smuggling and weak randomness in the WebCrypto Cryptography system. Update to Node.js-16.17.1. 11.2-010
In NSS-3.88.1, 3.79.4 and 3.87.1 a bug where an attacker could construct a PKCS 12 cert bundle in such a way that it could allow for arbitrary memory writes was fixed. Update to nss-3.88.1 or later. 11.2-091
In ntfs-3g-2022.10.3, a security vulnerability was fixed that could allow for arbitrary code execution at the kernel level. Update to ntfs-3g-2022.10.3. 11.2-038
In OpenSSH-9.1p1, three potential security vulnerabilities were fixed in the ssh-keyscan, ssh-keysign, and ssh-keygen utilities. Update to OpenSSH-9.1p1 if you begin to experience crashes when using these utilities. 11.2-017
In PHP-8.2.3, three security vulnerabilities were fixed that could allow for denial of service or authentication bypass. If you are using the password_verify() function in an application, it is imperative that you update to PHP-8.2.3 immediately, since it will always return true with some hashes. 11.2-096
In PHP-8.2.1, a security vulnerability was fixed in PDO_SQLite which could allow for the module to return an unquoted string. Update to PHP-8.2.1 if you use the PDO_SQLite module. 11.2-073
In PHP-8.1.12, two security vulnerabilities were fixed that could allow for arbitrary code execution, remotely-exploitable crashes, and for memory contents to be read. These only impact users who use the GD or Hash modules in a program. Update to PHP-8.1.12 immediately if you use either of those two modules. 11.2-039
In PHP-8.1.11, two security vulnerabilities were fixed that could allow for cookie spoofing, and for denial-of-service when using the 'phar' command (due to an infinite loop). Update to PHP-8.1.11 if you use an application which uses cookies, or if you use the 'phar' command. 11.2-023
In Pixman-0.42.2, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service when certain pixmaps are processed, depending on the context of the application. Update to pixman-0.42.2 or later. 11.2-037
In Poppler-22.09.0, a critical security vulnerability was fixed that allows for trivial arbitrary code execution when processing PDF files. Update to poppler-22.09.0 immediately, but take note of build failures and their solutions described in the consolidated advisory. 11.2-001
In PostgreSQL-15.2, a security vulnerability was fixed that could allow for leakage of confidential information in special circumstances when using Kerberos encryption. Update to PostgreSQL-15.2 if you are using PostgreSQL with Kerberos. 11.2-085
In Python-3.11.1 five vulnerabilities were fixed, with one rated as High. Because updating from an old Python3 series to a new one requires rebuilding all the modules, if you are remaining on Python-3.10 you should update to Python-3.10.9 which includes a Critical fix as well as an additional fix rated as High and already fixed in 3.11.0. Update to 3.11.1 or later, or 3.10.9 or later as appropriate. 11.2-060
In Python-3.10.8, three security vulnerabilities were fixed that could allow for integer overflows, shell code injection, and unsafe text injection when some modules are used. Update to Python-3.10.8 or later. 11.2-021
In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (application crash) due to algorithmic complexity. Update to Python-3.10.7 or later. 11.2-005
In QtWebEngine-5.15.12, many Chromium security vulnerabilities were fixed, including two rated as Critical that allow a remote attacker who has compromised the renderer process to escape the sandbox, as well as many rated High allowing a remote attacker to potentially exploit heap corruption. Most of these are via a crafted HTML page, two are via a crafted PDF file, and a few require the user to install a malicious extension (which might not apply to users of qtwebengine). Update to QtWebEngine-5.15.12 or later. 11.2-065
In QtWebEngine-5.15.11, several security vulnerabilities were fixed that could allow for denial-of-service attacks, remote code execution, information disclosure, and arbitrary file creation and deletion. Update to QtWebEngine-5.15.11 immediately. 11.2-006
In Ruby-3.1.3, a security vulnerability was fixed that could allow for HTTP response splitting in applications which use the 'CGI' gem. Update to Ruby-3.1.3. 11.2-050
In all versions of Rust before 1.66.1, Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. This can allow an attacker to perform man-in-the-middle attacks when SSH is used. 11.2-066
In rxvt-unicode-9.31, a critical security vulnerability was fixed that could allow for remote code execution in some cases when using the Perl background extension. Update to rxvt-unicode-9.31 immediately. 11.2-069
In Samba-4.17.5, an improvement to a security fix for the Netlogon RPC Elevation of Privilege vulnerability was made. Update to Samba-4.17.5 immediately. 11.2-086
In Samba-4.17.4, four security vulnerabilities were fixed that could allow for privilege escalation. These are identical to vulnerabilities disclosed in Microsoft Windows on November 8th, 2022. Update to Samba-4.17.4 immediately. 11.2-057
In Samba-4.17.3, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service on 32-bit systems. Update to Samba-4.17.3 immediately if you are using Samba in a server capacity on a 32-bit system. 11.2-045
In Samba-4.15.2, three security vulnerabilities were fixed that could allow for bad passwords to be accepted in some circumstances, as well as for attackers to escape an exported share using symbolic links, and for a crash when using GSSAPI. Update to Samba-4.15.2. 11.2-025
In Seamonkey-2.53.15, several security vulnerabilities that were fixed in Firefox and Thunderbird's 102.x series were fixed. These could allow for remote code execution, email spoofing, content security bypasses, UI spoofing, DNS redirection, remotely exploitable crashes, and keystroke leakage. Update to Seamonkey-2.53.15 immediately. 11.2-088
In Sudo-1.9.12p2, a flaw in sudo’s -e option (aka sudoedit) was fixed that could allow a malicious user with sudoedit privileges to edit arbitrary files. Update to Sudo-1.9.12p2 or later. 11.2-074
In Sudo-1.9.12p1, a security vulnerability was fixed that could allow for arbitrary code execution, privilege escalation, or denial of service. Update to Sudo-1.9.12p1 or later. 11.2-033
In sysstat-12.6.1, a security vulnerability was fixed that could allow for remote code execution on 32-bit systems. You should update to sysstat-12.6.1 immediately if you are using a 32-bit system. 11.2-040
In systemd-241 and higher, a security vulnerability was discovered that could allow for a local information leak and privilege escalation due to systemd-coredump not respecting a kernel option. Rebuild systemd with the patch. 11.2-061
In Thunderbird-102.8.0, several security vulnerabilities were fixed that could allow for content security policy bypasses, crashes, UI lockups, remote code execution, execution of code without a user's knowledge, and screen hijack. Update to Thunderbird-102.8.0. 11.2-098
In Thunderbird-102.7.2, several security vulnerabilities were fixed that could allow for content security policy bypasses, remote code execution, notification bypasses, website spoofing attacks, and invalid signature verification of S/MIME email messages. Update to Thunderbird-102.7.2. 11.2-087
In Thunderbird-102.6.0, six security vulnerabilities were fixed, four of them rated as High by upstream. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. 11.2-053
In Thunderbird-102.5.1, a security vulnerability was fixed that could trigger downloading remote content, even if remote content is blocked. Update to Thunderbird-102.5.1 immediately. 11.2-048
In Thunderbird-102.5.0, several security vulnerabilities were fixed that could allow for disclosure of information, spoofing attacks, exploitable crashes, removal of cookie protection, and denial-of-service conditions. Update to Thunderbird-102.5.0 immediately. 11.2-046
In Thunderbird-102.4.0, several security vulnerabilities were fixed that could allow for arbitrary code execution, impersonation attacks, device verification attacks, and denial-of-service conditions. Update to Thunderbird-102.4.0 immediately, especially if you use the Matrix chat protocol. 11.2-022
In Thunderbird-102.3.0, several security vulnerabilities were fixed that could allow for potentially exploitable crashes, session fixation, Content Security Policy bypass and memory safety bugs which may lead to remote code execution. Update to Thunderbird-102.3.0 immediately. 11.2-013
In Thunderbird-102.2.1, several security vulnerabilities were fixed that could allow for leakage of sensitive information, unauthorized content access, unexpected network requests, and denial-of-service attacks. Update to Thunderbird-102.2.1 immediately. 11.2-003
In Unbound-1.16.3, a security vulnerability was fixed that could allow for a denial of service (excess resource consumption) due to a non-responsive delegation attack. Update to Unbound-1.16.3. 11.2-011
In WebKitGTK+-2.38.5, a critical security vulnerability was fixed that could allow for remote code execution. The vulnerability is under active exploitation. Update to WebKitGTK+-2.38.5 immediately, but note the special instructions in the advisory. 11.2-100
In WebKitGTK+-2.38.4, three security vulnerabilities were fixed that could allow for remote code execution. Update to WebKitGTK+-2.38.4 immediately, but note the special instructions in the advisory. 11.2-080
In WebKitGTK+-2.38.3, several security vulnerabilities were fixed that could allow for remote code execution, denial of service, and sensitive information disclosure. Update to WebKitGTK+-2.38.3 immediately, but note the special instructions in the advisory. 11.2-068
In WebKitGTK+-2.38.2, five security vulnerabilities were fixed that could allow for remote code execution, arbitrary code execution, UI spoofing, application state disclosure, and disclosure of sensitive user information. Update to WebKitGTK+-2.38.2 immediately, but note the special instructions in the advisory. 11.2-056
In WebKitGTK+-2.36.8, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content. A proof of concept exploit exists. Update to WebKitGTK+-2.36.8. 11.2-008
In Wireshark-4.0.3, several security vulnerabilities were fixed that could allow for denial of service (excessive resource consumption, crashes, and memory leaks) when capturing (or reading packets) from a network which has EAP, NFS, GNW, iSCSI, TIPC, NCP, RTPS, or BPv6 packets traveling across it. Update to Wireshark-4.0.3 if you are on such a network. 11.2-079
In Wireshark-4.0.2, two security vulnerabilities were fixed that could allow for a denial-of-service (excessive resource consumption) when capturing (or reading packets) from a network which uses Kafka, BPv6, or OpenFlow packets. Update to Wireshark-4.0.2 if you are on such a network. 11.2-051
In Wireshark-3.6.8, a security vulnerability was fixed that could allow for a denial-of-service when capturing packets on a network that uses F5 Ethernet Trailer packets. Update to Wireshark-3.6.8 if you're on such a network. 11.2-004
In xfce4-settings-4.16.5, a security vulnerability was fixed that could allow for argument injection when processing MIME types. Update to xfce4-settings-4.16.5 or later. 11.2-041
In xorg-server-21.1.7, a vulnerability was fixed that could lead to local privilege elevation on systems where the X server is running privileged, or remote code execution for ssh X forwarding sessions. 11.2-078
In xorg-server-21.1.6, two vulnerabilities were fixed that could allow for privilege escalation or remote code execution. 11.2-058
In xorg-server-21.1.5, six vulnerabilities were fixed that could allow for privilege escalation or remote code execution. 11.2-054
In xwayland-22.1.8, a vulnerability was fixed that could lead to local privilege elevation on systems where xwayland is running privileged, or remote code execution for ssh X forwarding sessions. 11.2-084
In xwayland-22.1.6, six vulnerabilities were fixed that could allow for privilege escalation or remote code execution. 11.2-055
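The advisories above each name the version in which a fix landed, but deciding whether a given system is affected means comparing installed versions against those "fixed in" versions, and the version strings on this page mix plain numbers with patch suffixes such as p1, -P1 and esr. The script below is an added example, not a BLFS tool: it carries a small table of fixed versions transcribed from the advisories above (newest fixed version per package, only a selection), a comparator that understands those suffix conventions, and a constructed sample of installed versions. Feed it real versions (for example from `pkg-config --modversion` or the package's own `--version` output) to get a list of what still needs updating.

```python
"""Compare installed package versions against the fixed versions on this page.

Added example, not part of the BLFS advisory page.  FIXED is transcribed from
the advisories above (newest fixed version per package, a selection only);
INSTALLED is a constructed sample for the demonstration.
"""
import re

# Newest fixed version named on this page for a selection of packages.
FIXED = {
    "httpd": "2.4.55",
    "apr": "1.7.2",
    "apr-util": "1.6.3",
    "bind": "9.18.7",
    "curl": "7.88.1",
    "dbus": "1.14.4",
    "dhcp": "4.4.3-P1",
    "firefox": "102.8.0esr",
    "git": "2.39.2",
    "libtiff": "4.5.0",
    "openssh": "9.1p1",
    "sudo": "1.9.12p2",
    "webkitgtk": "2.38.5",
    "xorg-server": "21.1.7",
}


def version_key(version):
    """Split a version string into comparable tokens.

    Runs of digits become integers and runs of letters become lower-case
    strings; separators are dropped, so "1.9.12p2" -> 1,9,12,"p",2 and
    "4.4.3-P1" -> 4,4,3,"p",1.  Each token is wrapped in a tuple so Python
    can order a number against a word (numbers sort after words).  A version
    that is a strict prefix of another ("4.4.3" vs "4.4.3-P1") sorts first,
    which matches the patch-release conventions used on this page (p1, -P1,
    esr).  Pre-release tags such as "rc1" would sort wrong under this rule;
    none appear on the page.
    """
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        else:
            key.append((0, 0, tok.lower()))
    return key


def is_fixed(installed, fixed):
    """True if the installed version is at least the fixed version."""
    return version_key(installed) >= version_key(fixed)


def outdated(installed, fixed=FIXED):
    """Return (package, installed, fixed) for each installed package older
    than its fixed version.  Packages not in `fixed` are ignored, and packages
    in `fixed` that are not installed are not reported: an advisory for
    software you have not built does not apply to you."""
    return [(pkg, ver, fixed[pkg]) for pkg, ver in sorted(installed.items())
            if pkg in fixed and not is_fixed(ver, fixed[pkg])]


# Constructed sample of what a BLFS-11.2 system might have installed.
INSTALLED = {
    "curl": "7.85.0",
    "dhcp": "4.4.3",
    "firefox": "102.8.0esr",
    "git": "2.39.1",
    "openssh": "9.1p1",
    "sudo": "1.9.12p1",
    "webkitgtk": "2.38.5",
}

if __name__ == "__main__":
    for pkg, have, need in outdated(INSTALLED):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

With the sample above the script reports curl, dhcp, git and sudo as still needing an update; firefox, openssh and webkitgtk already match the fixed versions. Keep the table in step with the page: each new advisory replaces the entry for its package with the newer fixed version.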