BLFS-12.4 was released on 2025-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
In CUPS-2.4.14, two security vulnerabilities were fixed that can allow for a remotely exploitable authentication bypass and denial of service. The authentication bypass vulnerability occurs on systems where the AuthType is set to anything other than Basic, and the denial of service vulnerability occurs on systems that listen for IPP printers through cups-browsed or CUPS itself. Users who have cups-browsed installed, or who have modified the AuthType configuration items, are recommended to update as soon as possible. Update to CUPS-2.4.14. 12.4-006
In cURL-8.16.0, two security vulnerabilities were fixed that could allow for a predictable mask pattern to occur when using WebSockets (which can allow for a malicious server to induce traffic between machines which can be interpreted by an involved proxy as legitimate traffic), and for sites to overwrite the contents of a secure cookie. Update to cURL-8.16.0. 12.4-008
In Exiv2-0.28.7, two security vulnerabilities were fixed that could allow for a denial of service (application crash and quadratic resource consumption) when processing EPS files and when parsing ICC profiles in JPEG images. Update to Exiv2-0.28.7 if you work with untrusted EPS files or JPEG images. 12.4-010
In fetchmail-6.5.6, a security vulnerability was fixed that could cause a denial of service (application crash) when authenticating using the SMTP client. Note that for this vulnerability to be exploitable, a user must have the esmtpname and esmtppassword options configured, as well as the plugout and mda options to be inactive. This particular configuration is rather uncommon, but if you have fetchmail installed with this configuration and are experiencing crashes, update to fetchmail-6.5.6 or later. 12.4-017
In Firefox-140.4.0esr, 8 security vulnerabilities have been fixed that could allow for use-after-free operations, out of bounds reading/writing, information leakage, modification of non-writable object properties, overriding of browser behavior, potential user-assisted code execution, and exploitation of memory safety bugs. These security vulnerabilities do not affect the JavaScript component of Firefox (SpiderMonkey). Update to Firefox-140.4.0esr. 12.4-022
In Firefox-140.3.0esr, 7 security vulnerabilities have been fixed that could allow for sandbox escapes, same-origin policy bypasses, exploitation of incorrect boundary conditions, integer overflows, networking information disclosure, and memory safety bugs. Update to Firefox-140.3.0esr. 12.4-001
In ffmpeg-7.1.2, five security vulnerabilities were fixed that could allow for remote code execution and denial of service. One of these vulnerabilities is known to be exploited in the wild. These vulnerabilities occur when encoding AAC files, processing MPEG-DASH manifests, and when decoding OpenEXR files. These issues all occur due to heap buffer overflows. Note that ffmpeg is used in several contexts, including in web browsers and media players. Update to ffmpeg-7.1.2. 12.4-014
In gegl-0.4.64, a security vulnerability was fixed that could allow for remote code execution when processing HDR files. Note that this vulnerability is only exploitable via GIMP, which has also seen a security update recently. You should update gegl, and then update GIMP. If you are opening untrusted HDR files, you should update to gegl-0.4.64 immediately. 12.4-015
In gi_docgen-2025.5, a security vulnerability was fixed that could allow for XSS (cross-site scripting) in documentation that gets generated by gi_docgen. The vulnerability was demonstrated in the libsoup API documentation, but can affect other documentation that gets generated by gi_docgen as well. The vulnerability is in the search functionality and allows attackers to execute arbitrary JavaScript code in the context of the generated website. Update to gi_docgen-2025.5. 12.4-021
In GIMP-3.0.6, six security vulnerabilities were fixed that could allow for remote code execution when processing DCM, WBMP, FF, XWD, and ILBM files. If you are working with DCM, WBMP, FF, XWD, ILBM, or HDR files, you should update to gegl-0.4.64 and GIMP-3.0.6 immediately. 12.4-016
In libaom-3.13.1, a security vulnerability was fixed that could allow for remote code execution when playing a crafted AV1 file. The vulnerability is primarily known to be exploited in a web browser context, such as in QtWebEngine (with its embedded copy of Chromium). Update to libaom-3.13.1. 12.4-007
In libarchive-3.8.2, a security vulnerability was fixed that could allow for a malicious TAR file to cause a denial of service (application crash) or possibly other impacts when the contents of the TAR file are listed with a verbose value of '2'. An example provided by upstream is that a 100-byte buffer may not be sufficient for a custom locale. Update to libarchive-3.8.2 if you are using it to process TAR files. 12.4-024
In OpenJPEG-2.5.4, a security vulnerability was fixed that could allow for remote code execution when processing a crafted JPEG2000 file. The issue occurs due to an unbounded out-of-bounds write. Update to OpenJPEG-2.5.4. 12.4-009
In OpenSSH-10.1p1, a security vulnerability was fixed that could allow for remote code execution in some configurations. Only users who have modified the default configuration in BLFS and set ProxyCommand are vulnerable to the issue, and the issue occurs because OpenSSH allowed control characters in usernames that originate from untrusted sources. If you haven't modified the default BLFS configuration, there is no need to upgrade. If you have modified the configuration and set the ProxyCommand option though, update to OpenSSH-10.1p1. 12.4-018
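As an added check, not part of the BLFS advisory page or of the CUPS, fetchmail or OpenSSH projects: a POSIX shell script that tests a host's configuration against the conditions the CUPS, fetchmail and OpenSSH entries above describe (an AuthType other than Basic, esmtpname and esmtppassword set without plugout or mda, and a ProxyCommand in effect). The default file locations it inspects are assumptions, and the sample configs it writes for its demo are constructed for this example. It tells you whether the advisory's preconditions are met on your system; it does not test for the vulnerabilities themselves, and the remedy is still the update each entry names.

```shell
#!/bin/sh
# Added example (not from the BLFS advisory page): does this host match the
# configuration conditions of the CUPS, fetchmail and OpenSSH advisories?
# File locations and sample configs are assumptions for the demonstration.

# Print the value of every DIRECTIVE in FILE: comments are ignored, leading
# whitespace is allowed, and the optional "=" separator of ssh_config is
# accepted. Matching is case-insensitive because ssh_config keywords are.
directive_values() {   # $1 = file, $2 = directive name
    [ -r "$1" ] || return 0
    grep -Ei "^[[:space:]]*$2([[:space:]]|=)" "$1" \
    | sed -E 's/^[[:space:]]*[^[:space:]=]+[[:space:]]*=?[[:space:]]*//; s/[[:space:]]*$//'
}

# CUPS advisory: 1 if any AuthType in a cupsd.conf is set to something other
# than Basic, else 0. "AuthType Default" is reported as non-Basic here even
# though CUPS resolves it through DefaultAuthType, so review such hits by hand.
cups_authtype_nonbasic() {
    directive_values "$1" AuthType | grep -qiv '^Basic$' && echo 1 || echo 0
}

# fetchmail advisory: 1 if a fetchmailrc sets esmtpname and esmtppassword but
# neither plugout nor mda, else 0. Comments are stripped first; a "#" inside a
# quoted password also truncates that line, which is acceptable for a keyword scan.
fetchmail_esmtp_exposed() {
    [ -r "$1" ] || { echo 0; return; }
    cfg=$(sed 's/#.*//' "$1")
    if printf '%s\n' "$cfg" | grep -qw esmtpname \
       && printf '%s\n' "$cfg" | grep -qw esmtppassword \
       && ! printf '%s\n' "$cfg" | grep -qw plugout \
       && ! printf '%s\n' "$cfg" | grep -qw mda; then
        echo 1
    else
        echo 0
    fi
}

# OpenSSH advisory: 1 if an ssh_config sets ProxyCommand to anything but
# "none" (which disables it), else 0.
ssh_proxycommand_set() {
    directive_values "$1" ProxyCommand | grep -qiv '^none$' && echo 1 || echo 0
}

# Run the checks against the usual locations (assumed paths).
check_host() {
    printf 'cups AuthType other than Basic: %s\n' "$(cups_authtype_nonbasic /etc/cups/cupsd.conf)"
    if command -v cups-browsed >/dev/null 2>&1 || [ -x /usr/sbin/cups-browsed ]; then
        echo 'cups-browsed present: 1'
    else
        echo 'cups-browsed present: 0'
    fi
    printf 'fetchmail esmtp exposed: %s\n' "$(fetchmail_esmtp_exposed "$HOME/.fetchmailrc")"
    for f in /etc/ssh/ssh_config "$HOME/.ssh/config"; do
        printf 'ProxyCommand set in %s: %s\n' "$f" "$(ssh_proxycommand_set "$f")"
    done
}

# Constructed sample configs for the demo; each one matches its advisory.
write_samples() {   # $1 = directory
    cat > "$1/cupsd.conf" <<'EOF'
DefaultAuthType Basic
<Location /admin>
  # AuthType Basic
  AuthType Negotiate
  Require user @SYSTEM
</Location>
EOF
    cat > "$1/fetchmailrc" <<'EOF'
poll mail.example.com proto imap user "alice" pass "secret"
  esmtpname "alice@example.com" esmtppassword "smtp-secret"
EOF
    cat > "$1/ssh_config" <<'EOF'
Host *
    ProxyCommand none
Host bastion-*
    ProxyCommand=ssh -W %h:%p jump.example.com
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    printf 'cups: %s  fetchmail: %s  ssh: %s\n' \
        "$(cups_authtype_nonbasic "$d/cupsd.conf")" \
        "$(fetchmail_esmtp_exposed "$d/fetchmailrc")" \
        "$(ssh_proxycommand_set "$d/ssh_config")"
    rm -rf "$d"
}

case "${1-}" in
    host) check_host ;;
    *)    demo ;;
esac
```

Run it with no argument to see the checks applied to the constructed samples (all three report 1), or with `host` to inspect the real locations. A 0 from every check means the advisory's stated precondition is absent, not that the package is patched; a 1 means you should apply the update named in the corresponding entry.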
In PCRE2-10.46, a security vulnerability was fixed that can allow for information disclosure and a denial-of-service (application crash) when processing a crafted regular expression. This occurs when using the *ACCEPT and *scs: pattern features together, and upstream has noted that the issue can be used to escalate the severity of other security vulnerabilities in a system. Update to PCRE2-10.46, keeping in mind the note in the advisory about using the BLFS instructions since this package has been moved to LFS. 12.4-005
In poppler-25.10.0, a security vulnerability was fixed that could allow for a denial-of-service (application crash) when processing a crafted PDF file. Update to poppler-25.10.0, but note the caveats about packages that need to be adjusted in the consolidated advisory. 12.4-020
In Ruby-3.4.7, a security vulnerability was fixed that could allow for credential leakage to occur when using the URI gem. This occurs when using the + operator to combine URIs. If you are using Subversion with the Ruby bindings, or using the URI gem, update to Ruby-3.4.7. There is no reason to upgrade otherwise. 12.4-019
In QtWebEngine-6.9.3, fifteen security vulnerabilities were fixed that could allow for remote code execution, information leakage, and content security policy bypasses. At least three of these vulnerabilities are known to be under active exploitation, and users are advised to update QtWebEngine immediately, even if it is only used as a build dependency. Update to QtWebEngine-6.9.3. 12.4-013
In SpiderMonkey from Firefox-140.3.0esr, 1 security vulnerability has been fixed that could allow for exploitation of incorrect boundary conditions. Update to SpiderMonkey from Firefox-140.3.0esr. 12.4-002
In Thunderbird-140.4.0esr, 8 security vulnerabilities have been fixed that could allow for use-after-free operations, out of bounds reading/writing, information leakage, modification of non-writable object properties, overriding of browser behavior, potential user-assisted code execution, and exploitation of memory safety bugs. Update to Thunderbird-140.4.0esr. 12.4-003
In Thunderbird-140.3.0esr, 7 security vulnerabilities have been fixed that could allow for sandbox escapes, same-origin policy bypasses, exploitation of incorrect boundary conditions, integer overflows, networking information disclosure, and memory safety bugs. Update to Thunderbird-140.3.0esr. 12.4-003
In Wireshark-4.4.9, a security vulnerability was fixed that could allow for a denial of service (application crash) when processing a crafted SSH packet. This can occur both during live packet captures and when reading a previously saved PCAP file. Update to Wireshark-4.4.9 if you use Wireshark to dissect SSH packets. 12.4-011