BLFS-11.3 was released on 2023-03-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to more details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
An information disclosure issue known as "Inception" or "SRSO" has been publicised. Update the linux kernel to version 6.4.9 or later (6.1.44 or later if you use the LTS 6.1 version) and update the microcode when it is available for your CPU. 11.3-078
A High-severity vulnerability (information disclosure in 16-byte chunks by a non-privileged user) has been publicised. Update the linux kernel to version 6.4.6 or later (6.1.41 or later if you use the LTS 6.1 version) and update the microcode when it is available for your CPU. 11.3-067.
This advisory has been replaced by advisory SA 11.3-067 above.
In httpd-2.4.56, two security vulnerabilities were fixed that could allow for HTTP Request Smuggling when mod_proxy and mod_rewrite are enabled in combination with one another, or when mod_proxy_uwsgi is enabled. Update to httpd-2.4.56 if you use either of those configurations. 11.3-002
In BIND-9.18.16, two security vulnerabilities were fixed that could allow for denial-of-service (application crashes and exhaustion of system memory). One of these vulnerabilities affects the default BIND configuration in BLFS. This does not affect the client utilities. If you use BIND as a DNS server, you should update to BIND-9.18.16 immediately. 11.3-046
In c-ares-1.19.1, three security vulnerabilities were fixed, one of them rated as high. 11.3-026
In CUPS-2.4.6, a security vulnerability was fixed that could allow for a denial-of-service or for information disclosure. Note that all print jobs on the system will be lost once the cupsd process crashes. If you print regularly or share printers with other systems, update to CUPS-2.4.6. 11.3-044
In CUPS-2.4.5, a security vulnerability was fixed that could allow for a remote attacker to trigger a denial of service on a CUPS server. Update to CUPS-2.4.5 if you're sharing printers with other systems. 11.3-039
In cups-filters-1.28.16, a security vulnerability exists that allows for remote code execution on IPP printers which use the 'beh' backend. Upstream is aware of the problem and has patched it, but has not cut a new release. The BLFS team has developed a patch and implemented it into the book. Apply the patch and rebuild cups-filters if you use a printer with the 'beh' backend. 11.3-043
In cURL-8.2.1, a security vulnerability was fixed that could allow for an attacker to trick a user into overwriting or creating protected files holding cookie, HSTS, or alt-svc data. This occurs due to a TOCTOU race condition, which causes symbolic links to be followed instead of overwritten. Update to cURL-8.2.1. 11.3-066
In cURL-8.1.0, several security vulnerabilities were fixed that could allow for IDN wildcard matches, unexpected application behavior, race conditions, and for information leakage when verifying sha256 fingerprints in the SSH functions of cURL. Update to cURL-8.1.0. 11.3-031
In cURL-8.0.1, six security vulnerabilities were fixed that could allow for authentication bypass, arbitrary file writes, content filter bypasses, command injection, and remotely exploitable crashes. Update to cURL-8.0.1 if you use SFTP/SSH/TELNET/GSS/FTP with cURL or if you use HTTP sites which redirect to HTTPS. 11.3-007
In dbus-1.14.8, a security vulnerability was fixed that could allow for an unprivileged user to cause a denial-of-service (system message bus daemon crash) by sending an unreplyable message when an administrator is monitoring the dbus daemon. Update to dbus-1.14.8 or later. 11.3-041
In Exiv2-0.28.0, several security vulnerabilities were fixed that could allow for arbitrary code execution and denial-of-service when processing image metadata. Update to exiv2-0.28.0 or later. 11.3-035
In firefox 115.1.0 twelve vulnerabilities applicable to BLFS were fixed, six of them rated as High. 11.3-083
In firefox 115.1.0 seven vulnerabilities applicable to BLFS and rated as High were fixed. 11.3-068
In firefox 115.0.2 a vulnerability rated as High was fixed. 11.3-056
In both firefox 115.0 and 102.13.0 several vulnerabilities were fixed, of which three were rated high. 11.3-048
In Firefox-102.12.0esr, two security vulnerabilities rated as High by upstream were fixed. 11.3-037
In Firefox-102.11.0esr, six security vulnerabilities applicable to linux systems were fixed, four of them rated as High by upstream. 11.3-026
In Firefox-102.10.0esr, seven security vulnerabilities applicable to linux systems were fixed, four of them rated as High by upstream, as well as a fix in the shipped version of libwebp (see SA 11.3-016). 11.3-017
In Firefox-102.9.0esr, five security vulnerabilities applicable to linux systems were fixed, two of them rated as High by upstream. 11.3-005
In Git-2.40.1, three security issues were fixed. They allowed writing outside a working tree when applying a specially crafted patch, allowed for malicious placement of crafted messages under certain circumstances, and allowed arbitrary configuration injection. Update to git-2.40.1. 11.3-023
In ghostscript-10.01.2, a security vulnerability was fixed that allows for arbitrary code execution and denial of service when processing PostScript files which contain a %pipe% or "|" character. The problem is due to mishandling of permission validation. Update to ghostscript-10.01.2. 11.3-051
In ghostscript-10.01.1, a critical security vulnerability was fixed that allows for trivial arbitrary code execution when processing crafted PostScript files. It is known as "Shell in the Ghost", and is known to be actively exploited with a public proof of concept available. Update to ghostscript-10.01.1 immediately. 11.3-019
In gst-plugins-ugly-1.22.5, two security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service when using RealMedia files. Update the gstreamer stack to 1.22.5 if you use the RealMedia plugin. 11.3-064
In gst-plugins-base and gst-plugins-good 1.22.4, three security issues were fixed that could allow for arbitrary code execution and denial of service when processing malformed FLAC titles or parsing subtitles. Update the gstreamer stack to 1.22.4. 11.3-054
Intel microcode for some processors has been updated to fix three information disclosure vulnerabilities. Read 11.3-075 for the list of affected processors and how to update the microcode to fix the vulnerabilities.
Since ImageMagick-7.1.0-61 several vulnerabilities have come to light, one rated as High. These were fixed between 7.1.0-62 and 7.1.1-10. 11.3-049
In the Javascript code of firefox-102.13.0 there is a fix for a potential use after free. 11.3-047
In the Javascript code of firefox-102.11.0 there are various changes, including what appears to be the fix for a type-checking bug reported against firefox, see CVE-2023-32211 in 11.3-025
In the Javascript code of firefox-102.10.0 there is a fix for a potentially exploitable invalid free. 11.3-016
In the Javascript code of firefox-102.9.0 there is a fix for a potentially exploitable crash when invalidating JIT code. 11.3-004
In libjpeg-turbo-3.0.0, a security vulnerability was fixed that could allow for a denial-of-service when processing a crafted 12-bit JPEG image that contains values which go out-of-range. 11.3-050
In librsvg-2.56.3, a security vulnerability was fixed that could allow for arbitrary file reads when an xinclude href has special characters in it. Update to librsvg-2.56.3. 11.3-063
The update to firefox-102.10.0 makes public a double-free vulnerability in libwebp which the mozilla developers say could lead to memory corruption and a potentially exploitable crash. In the absence of a new release, apply the patch from upstream. 11.3-015
In LibX11-1.8.6, a security vulnerability was fixed. A malicious X server (or a malicious proxy-in-the-middle) may corrupt client memory and at least cause the client to crash. Update to LibX11-1.8.6 or later. 11.3-038
In libxml2-2.10.4, three security vulnerabilities were fixed that could cause crashes due to null pointer dereferences and improper resource management. Update to libxml2-2.10.4. 11.3-020
In LWP-Protocol-https-6.11, a security vulnerability was fixed that could allow attackers to disable server certificate validation by passing the HTTPS_CA_DIR or HTTPS_CA_FILE environment variable. Update to LWP-Protocol-https-6.11 or later. 11.3-055
In MariaDB-10.11.4 (and 10.6.14), a security vulnerability was fixed that could allow for a denial of service (database server crash). Update to MariaDB-10.11.4 (and run mariadb-upgrade), or MariaDB-10.6.14. 11.3-071
In krb5-1.21.2, two security vulnerabilities were fixed that could allow for crashes of the KDC process and of the kadm5 process. These vulnerabilities can be exploited remotely. Update to krb5-1.21.2 or later. 11.3-080
In nghttp2-, a security vulnerability was fixed that could allow for denial of service through memory exhaustion. 11.3-058
In node.js-18.17.1, three security vulnerabilities were fixed that could allow for permission policy bypass via the Module._load function, the module.constructor.createRequire function, and the process.binding function. Note that at this time, these features are experimental, but are enabled by default. Update to node.js-18.17.1. 11.3-077
In node.js-18.16.1, four security vulnerabilities were fixed that could allow for denial of service, HTTP Request Smuggling, keys to not be generated, and for policy bypasses. Update to node.js-18.16.1. 11.3-045
In OpenJDK-20.0.2, six security vulnerabilities were fixed that could allow for unauthorized access to data on a system and for a denial of service. All but one of these require no authentication and can be exploited remotely without user interaction. Update to OpenJDK-20.0.2. 11.3-062
In OpenJDK-20.0.1, six security vulnerabilities were fixed that could allow for denial of service or unauthorized creation, modification, or deletion of data. These require no authentication and can be exploited remotely. Update to OpenJDK-20.0.1. 11.3-053
In OpenSSH-9.3p2, a remote code execution vulnerability was fixed in the ssh-agent utility, which can occur when ssh-agent connects to an attacker controlled server. Update to OpenSSH-9.3p2 immediately if you use ssh-agent. 11.3-059
In PHP-8.2.9, two security vulnerabilities were fixed which could allow for unauthorized disclosure of local files on a server, for remote code execution, and for remotely exploitable denial of service. Update to PHP-8.2.9 immediately if you use the libxml or Phar modules. 11.3-082
In PostgreSQL-15.4, two security vulnerabilities were fixed that could allow for SQL Injection when using extension scripts, and for security policy bypasses when row security policies are in effect. Update to PostgreSQL-15.4. 11.3-076
In PostgreSQL-15.3, two security vulnerabilities were fixed that could allow for arbitrary code execution as root for some users, and for incorrect security policies to be applied to users. Update to PostgreSQL-15.3. 11.3-034
In Python-3.11.4, three security vulnerabilities were fixed that could allow for directory traversal, disk location exposure over HTTP, and for policy bypasses. Update to Python-3.11.4. 11.3-040
In QtWebEngine-5.15.15, fixes for seven Chromium security vulnerabilities were backported to the branch. All are rated as High. 11.3-070
In QtWebEngine-5.15.14, fixes for several recent Chromium security vulnerabilities were backported to the branch used for 5.15. One of these is rated as Critical; 11 others are rated as High. Qt-5.15 reaches End of Life on 2023-05-26, and it is unclear if any further vulnerability fixes will be available. Update to QtWebEngine-5.15.14. 11.3-027
In QtWebEngine-5.15.13, fixes for several recent Chromium security vulnerabilities rated as High were backported to the branch used for 5.15. Update to 5.15.13. 11.3-003
In Requests-2.31.0, a security vulnerability was fixed, rated as moderate. Update to Requests-2.31.0. 11.3-029
In Ruby-3.2.2, two security vulnerabilities were fixed that could allow for denial of service when using the URI and Time gems. Update to ruby-3.2.2 or use the workaround described in the consolidated advisory. 11.3-013
In rustc-1.71.1, a security vulnerability was fixed in the Cargo portion of rustc which could allow a local user to change the source code compiled and executed by another user. Update to rustc-1.71.1 or later. 11.3-074
In Samba-4.18.5, five security vulnerabilities were fixed that could allow for remotely exploitable crashes, absolute path disclosure for files located on the server, and for packet signature enforcement bypass. Note that the remotely exploitable crashes occur when using winbindd and Spotlight, and the Spotlight service also causes the absolute path disclosure. The packet signature enforcement vulnerability also causes intermittent connection problems with Windows systems running the July 2023 security updates. Update to Samba-4.18.5, especially if you are on a network with Windows systems that connect to your Samba server. 11.3-060
In Samba-4.18.1, three security vulnerabilities were fixed. Note that they only affect Samba in LDAP/AD DC mode, which is not the book's default configuration. However, the security vulnerabilities are severe enough that if you have LDAP or AD DC enabled, you must take immediate action to protect yourself and assume that BitLocker recovery keys have been compromised. One vulnerability allows for cleartext password resets as well as unauthorized attribute detection. If you are using LDAP/AD DC functionality in Samba, you must update immediately. 11.3-008
In Screen-4.9.1, a security vulnerability was fixed that could allow for local users to send a privileged SIGHUP signal to any PID on the system, which could cause a denial of service or disruption of the target process. If you are on a multi-user system and use Screen, you should upgrade to Screen-4.9.1 or later. 11.3-079
In Seamonkey-2.53.17, several security patches up to Firefox and Thunderbird 102.11.0esr were applied to Seamonkey. This includes fixes for remote code execution, arbitrary code execution, denial of service, invalid GPG key verification, browser spoofing attacks, and for unauthorized downloads of files. Update to Seamonkey-2.53.17 immediately. 11.3-072
In Seamonkey-2.53.16, three versions worth of Firefox and Thunderbird security vulnerabilities were resolved. This includes fixes for issues that could cause remotely exploitable crashes, remote code execution, invalid JavaScript execution, arbitrary file reads, content security policy bypass, screen hijacking, and content spoofing. Update to Seamonkey-2.53.16. 11.3-014
All users of the luatex programs with versions of TexLive from 2017 to 2023 are advised to update to v1.17.0 because of a potential privilege escalation vulnerability if you use untrusted tex files or are on a multiuser system. For users who installed the v2023 binary, use tlmgr. For those who built from source, reinstall with the texlive-20230313-source-security_fix-1.patch and (if using ConTeXt) apply the sed to support luatex-v1.17.0 in mtxrun.lua.
For Texlive before 2023 no new versions are available, so only use those old versions if you need to recreate output from known-good old tex files on single-user systems. 11.3-024
In Thunderbird-115.2.0, twelve security vulnerabilities were fixed that could allow for potentially exploitable crashes, spoofing attacks, out of memory exceptions, leakage of sensitive information, for the browsing context to not be cleared, and for remote code execution. Most of these vulnerabilities are only applicable to HTML mail. Update to Thunderbird-115.2.0. 11.3-084
In Thunderbird-115.1.1, several security vulnerabilities were fixed that could allow for file extension spoofing using the Text Direction Override Character, cross-origin restriction bypasses, remote code execution, remotely exploitable crashes, bypass of permissions requests, and for notifications to be obscured. Update to Thunderbird-115.1.1. 11.3-081
In Thunderbird-102.12.0, several security vulnerabilities were fixed that could allow for crashes, browser outputs to be obscured by popups, memory corruption, spoofing, unauthorized certificate exceptions, and remote code execution. Most of these vulnerabilities are only exploitable via HTML mail. Update to Thunderbird-102.12.0. 11.3-042
In Thunderbird-102.10.0, several security vulnerabilities were fixed that could allow for remote code execution, denial of service, spoofing, encrypted emails accepting revoked certificates, and more. Update to Thunderbird-102.10.0. 11.3-018
In Thunderbird-102.9.1, a security vulnerability was fixed that could allow for a remotely exploitable denial of service when using the Matrix chat protocol. Update to Thunderbird-102.9.1 if you use that protocol. 11.3-010
In Thunderbird-102.9.0, five security vulnerabilities which can mostly be exploited via HTML mail were resolved. These can allow for spoofing, potentially exploitable crashes, and potentially remote code execution. Update to Thunderbird-102.9.0. 11.3-006
In WebKitGTK+-2.41.6 (with a patch developed by the BLFS team applied), several security vulnerabilities were fixed that could allow for remote code execution, sensitive information disclosure, and bypasses of the Same Origin Policy. Rebuild WebKitGTK+-2.41.6 with the patch applied (or update to WebKitGTK+-2.40.5 if you are still on the 2.40.x series) immediately. 11.3-073
In WebKitGTK+-2.41.6 with a patch applied, a critical security vulnerability was fixed which could lead to remote code execution. This vulnerability is known to be under active exploitation, and it's recommended that you update to WebKitGTK+-2.41.6 with the patch (or WebKitGTK+-2.40.4) immediately. 11.3-061
In WebKitGTK+-2.40.2, two security vulnerabilities which could lead to remote code execution and information disclosure were fixed. They are both known to be actively exploited, and require no user interaction. If you have WebKitGTK+ installed, it is critical that you update to WebKitGTK+-2.40.2 or later immediately. 11.3-036
In WebKitGTK+-2.40.1, six security vulnerabilities were fixed, including one which is known to be actively exploited through crafted advertisements or other web content. If you have WebKitGTK+ installed, it is critical that you update this package to protect yourself and your system. Update to WebKitGTK+-2.40.1 immediately, and note the instruction recommendations in the advisory. 11.3-022
In Wireshark-4.0.7, two security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These can occur when using a malformed packet trace file or by injecting a malformed packet onto the wire. These vulnerabilities cause a crash or cause Wireshark to go into an infinite loop. Update to Wireshark-4.0.7 to fix these issues. 11.3-057
In Wireshark-4.0.6, nine security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These can occur when using a malformed packet trace file or by injecting a malformed packet onto the wire. These vulnerabilities cause a crash or cause Wireshark to go into an infinite loop. Update to Wireshark-4.0.6 to fix these issues. 11.3-030
In Wireshark-4.0.5, three security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These vulnerabilities can occur when Wireshark is run on a network with GQUIC, RPCoRDMA, or LISP packets. Update to Wireshark-4.0.5 if you are on such a network. 11.3-021
In xorg-server-21.1.8, a security vulnerability was fixed that could allow for remote code execution for SSH X forwarding sessions and for local privilege escalation on systems where the X server is running privileged. Update to xorg-server-21.1.8. 11.3-009
In xwayland-23.1.1, a security vulnerability was fixed that could allow for remote code execution for SSH X forwarding sessions and for local privilege escalation on systems where the X server is running privileged. Update to xwayland-23.1.1. 11.3-012