BLFS Security Advisories for BLFS 11.1 and the current development books.

BLFS-11.1 was released on 2022-03-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.

The links at the end of each item point to fuller details which have links to the released books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

Apache HTTPD

11.1 061 Apache HTTPD Date: 2022-06-13 Severity: High

In httpd-2.4.54, eight security vulnerabilities were fixed that could allow for authentication bypass, request smuggling, denial of service, and information disclosure, all depending on what configuration the server is using. Note that mod_proxy, mod_proxy_ajp, mod_sed, mod_lua, and the standard Apache HTTP server are affected. Update to httpd-2.4.54 or later. 11.1-061

11.1 013 Apache HTTPD Date: 2022-03-18 Severity: Critical

In httpd-2.4.53, four security vulnerabilities were fixed. One of the security vulnerabilities can cause a crash, the others can allow HTTP Request Smuggling, an integer overflow leading to Out Of Bounds Write on 32-bit systems, and overwriting heap memory with attacker provided data. Update to httpd-2.4.53 or later. 11.1-013

BIND

11.1 042 BIND Date: 2022-05-19 Severity: Medium

In BIND-9.18.12, a security vulnerability was fixed that could cause BIND to crash in some circumstances. Update to BIND-9.18.3 or later if you are using the DNS server component. 11.1-042

11.1 015 BIND Date: 2022-03-21 Severity: High

In BIND-9.18.1, four security vulnerabilities were fixed that could allow for remote attackers to cause BIND to crash and for DNS cache poisoning. Update to BIND-9.18.1 or later if you are using the DNS server component. 11.1-015

cifs-utils

11.1 049 cifs-utils Date: 2022-05-26 Severity: High

In cifs-utils-6.15, two security vulnerabilities were fixed that could allow for privilege escalation and information disclosure (credential leakage). Update to cifs-utils-6.15 immediately. 11.1-049

CUPS

11.1 057 CUPS Date: 2022-06-13 Severity: Medium

In CUPS-2.4.2, a security vulnerability was fixed that could allow for trivial local privilege escalation due to a logic issue. Update to CUPS-2.4.2 or later. 11.1-057

cURL

11.1 070 cURL Date: 2022-07-13 Severity: Medium

In cURL-7.84.0, four security vulnerabilities were fixed that could allow for denial of service, improper message verification, and files to have different permissions than intended when downloaded. To fix them, update to cURL-7.84.0 or later. 11.1-070

11.1 039 cURL Date: 2022-05-13 Severity: Medium

In cURL-7.83.1, six security vulnerabilities were fixed. Five of them are medium. The remaining one does not affect the configuration of BLFS and is rated low. To fix them, update to cURL-7.83.1 or later. 11.1-039

Cyrus-SASL

11.1 002 Cyrus-SASL Date: 2022-03-03 Severity: High

Two security vulnerabilities were fixed in cyrus-sasl-2.1.28 that could allow for remote unauthenticated attackers to steal passwords or cause a remote denial of service. Update to cyrus-sasl-2.1.28 or later if you use it for anything other than a build dependency. 11.1-002

Dovecot

11.1 077 Dovecot Date: 2022-07-13 Severity: High

A security vulnerability was discovered in Dovecot-2.3.19.1 that could result in privilege escalation when a system administrator has misconfigured multiple identical password databases. Rebuild Dovecot with the security patch. 11.1-077

Epiphany

11.1 046 Epiphany Date: 2022-05-26 Severity: High

In Epiphany-42.2, a security vulnerability was fixed that could allow for remote code execution when visiting web pages with overly long titles. The root cause is a client buffer overflow which occurs when processing the title. Update to Epiphany-42.2 or later. 11.1-046

Exo

11.1 063 Exo Date: 2022-06-13 Severity: Critical

In Exo-4.16.4, a security vulnerability was fixed that could allow for remote code execution due to Exo processing remote .desktop files in addition to local .desktop files. Update to Exo-4.16.4 immediately if you use XFCE. 11.1-063

Firefox

11.1 103 Firefox Date: 2022-08-25 Severity: High

In Firefox-102.2.0, five security vulnerabilities were fixed that could allow for remote code execution, browser spoofing, and other impacts. Update to firefox-102.2.0esr. 11.1-103

11.1 083 Firefox Date: 2022-07-26 Severity: High

In firefox 102.1.0 several vulnerabilities were fixed, of which one was rated high. Update to firefox-102.1.0esr. 11.1-083

11.1 068 Firefox Date: 2022-06-28 Severity: High

In firefox 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one other (SA 11.1-067) sounds as if it is high. Update to firefox-102.0esr or later for the new ESR series. As a short-term fix (to avoid updating dependencies which were adequate for the 91ESR series), update to firefox-91.11.0 or later while you prepare the updated dependencies. 11.1-068

11.1 054 Firefox Date: 2022-05-31 Severity: High

In firefox 91.10.0 several vulnerabilities were fixed, of which five were rated high and one rated medium. Update to firefox-91.10.0 or later. 11.1-054

11.1 043 Firefox Date: 2022-05-22 Severity: Critical

In firefox 91.9.1 two critical javascript vulnerabilities were fixed. Update to firefox-91.9.1 or later. 11.1-043

11.1 036 Firefox Date: 2022-05-03 Severity: High

In firefox 91.9.0 six CVE issues, five rated High, were fixed. Update to firefox-91.9.0 or later. 11.1-036

11.1 019 Firefox Date: 2022-04-05 Severity: High

In firefox 91.8.0 eight CVE issues, three rated High, were fixed. Update to firefox-91.8.0 or later. 11.1-019

11.1 006 Firefox Date: 2022-03-08 Severity: Critical

In firefox 91.6.1 two CVE issues rated Critical were fixed (attacks in the wild). Shortly afterwards, firefox-91.7.0 was released with five more CVE issues fixed. Update to firefox-91.7.0 or later. 11.1-006

FLAC

11.1 003 FLAC Date: 2022-03-03 Severity: Medium

Two security vulnerabilities were fixed in FLAC-1.3.4 that could allow for remote information disclosure when playing crafted FLAC files. Update to FLAC-1.3.4 or later. 11.1-003

Git

11.1 073 Git Date: 2022-07-13 Severity: High

In git-2.37.1, a security vulnerability was fixed that could lead to privilege escalation due to an incomplete fix for CVE-2022-24765. This vulnerability allows users to be tricked into running commands as 'root' when navigating through repositories in a multi-user system. Update to git-2.37.1 or later if you're using Git on a multi-user system. 11.1-073

11.1 029 Git Date: 2022-04-15 Severity: Moderate

In git-2.35.3, a security vulnerability was fixed that could allow for a configuration mixup, including command execution, on multi-user systems due to insufficient validation when processing directory names in Git. Update to git-2.35.3 or later if you're using Git on a multi-user system. 11.1-029

GnuPG

11.1 078 GnuPG Date: 2022-07-13 Severity: Medium

In GnuPG-2.3.7, a security vulnerability was fixed that could allow for signature forgery and denial of service (crashes in applications which use GPGME, as well as Evolution and Mutt). Update to GnuPG-2.3.7. 11.1-078

GnuTLS

11.1 091 GnuTLS Date: 2022-08-18 Severity: High

In GnuTLS-3.7.7, a security vulnerability was fixed that could allow for remotely-exploitable crashes when verifying PKCS#7 certificates. Update to GnuTLS-3.6.6 or later. 11.1-091

Gstreamer (and plugins)

11.1 064 gstreamer Date: 2022-06-18 Severity: High

In gstreamer-1.20.3 (as well as the plugins), seven vulnerabilities were fixed that could allow for denial of service and arbitrary code execution when processing AVI, MKV, MP4, and Matroska video files. Update to gstreamer-1.20.3 (and the plugins). 11.1-064

Intel microcode

11.1 101 Intel Microcode Date: 2022-08-24 Severity: Medium

Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability. Ensure x2APIC is enabled, or update to intel-microcode-20220809 or later. 11.1-101

11.1 038 Intel Microcode Date: 2022-05-10 Severity: Medium

Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability. Update to microcode-20220510 or later. 11.1-038

Java binaries

11.1 095 Java binaries Date: 2022-08-18 Severity: Critical

In OpenJDK-18.0.2, 17.0.4.1 (LTS), and 11.0.16.1 (LTS), three security vulnerabilities were fixed that could allow for remote code execution, class file overwrites, and unauthorized access (create/delete/modify/read) to data. If you use the Java binaries provided by BLFS, update to the Java-18.0.2 (or later) binaries. 11.1-095

11.1 034 Java binaries Date: 2022-04-26 Severity: High

In openjdk-18.0.1, -17.0.3 (LTS), and -11.0.15 (LTS), several vulnerabilities have been fixed that could allow for remote unauthenticated access to, creation, deletion, or modification of files/data. If you use the Java binaries provided by BLFS, update to the java-18.0.1 (or later) binaries. 11.1-034

JS91

10.1 067 JS91 Date: 2022-06-28 Severity: High

In the javascript code of firefox-91.11.0 and 102.0 there is a fix for attackers setting undesired attributes on a Javascript object, leading to privileged code execution. Update to JS91-11.0 or later. 11.1-067

libarchive

11.1 026 libarchive Date: 2022-04-12 Severity: High

In libarchive-3.6.1, several security vulnerabilities were fixed that could allow for application crashes or arbitrary code execution. These vulnerabilities exist in the RAR, ISO, 7zip, and ZIP readers, as well as in the API for the library itself. Update to libarchive-3.6.1 or later. 11.1-026

libinput

11.1 033 libinput Date: 2022-04-21 Severity: High

In libinput-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution when attaching devices to a system. This vulnerability has existed since libinput-1.10.0, released in February of 2018. The primary attack method would be via /dev/uinput or Bluetooth devices. Update to libinput-1.20.1 or later. 11.1-033.

libsndfile

11.1 022 libsndfile Date: 2022-04-12 Severity: High

In libsndfile-1.1.0, several security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service. Note that these vulnerabilities were found by oss-fuzz and were not assigned CVEs, but upstream has stated that they are security fixes. Update to libsndfile-1.1.0 or later. 11.1-022

libtiff

11.1 058 libtiff Date: 2022-06-13 Severity: Medium

In libtiff-4.4.0, two security vulnerabilities were fixed in the 'tiffcp' and 'tiffinfo' tools that could allow for application crashes and memory corruption. Update to libtiff-4.4.0 if you use those tools. 11.1-058

libwebp

11.1 087 libwebp Date: 2022-08-18 Severity: Medium

In libwebp-1.2.3 (which has been replaced with 1.2.4), a security vulnerability was fixed that could allow for denial of service (memory leaks and segmentation faults) when processing JPEG images to convert them to WEBP images. Update to libwebp-1.2.4 or later. 11.1-087

libxml2

11.1 098 libxml2 Date: 2022-08-18 Severity: High

In libxml2-2.10.0, a security vulnerability was fixed that could allow for denial-of-service conditions (application crashes) when processing forged input data. The primary application affected is lxml. Several other vulnerabilities were fixed as well, which were not given CVEs. Update to libxml2-2.10.0 or later. 11.1-098

11.1 045 libxml2 Date: 2022-05-26 Severity: Medium

In libxml2-2.9.14, a security vulnerability was fixed that could allow for out-of-bounds writes when processing crafted XML files that are multiple gigabytes in size. Update to libxml2-2.9.14 or later. 11.1-045

logrotate

11.1 052 logrotate Date: 2022-05-27 Severity: High

In logrotate-3.20.1, a security vulnerability was fixed that could allow an unprivileged user to block rotation of the files. Update to logrotate-3.20.1 or later. 11.1-052

MariaDB

11.1 097 MariaDB Date: 2022-08-18 Severity: Critical

In MariaDB-10.6.9, five security vulnerabilities were fixed that could allow for remote code execution and remotely-exploitable crashes when processing database queries and committing data to disk. Update to MariaDB-10.6.9. 11.1-097

11.1 050 MariaDB Date: 2022-05-26 Severity: High

In MariaDB-10.6.8, 24 security vulnerabilities were fixed that could allow for unauthorized creation/deletion/modification of database records, remote code execution, and denial of service. Update to MariaDB-10.6.8. 11.1-050

Mutt

11.1 032 Mutt Updated: 2022-04-15 Severity: Medium

In mutt before mutt-2.2.3, a buffer overflow in the uudecoder allows reading past the end of the input line. To fix this, update to mutt-2.2.3 or later. 11.1-032

Node.js

11.1 074 Node.js Date: 2022-07-13 Severity: High

In node.js-16.16.0, several security vulnerabilities were fixed that could allow for HTTP Request Smuggling, DNS rebinding, and modification of system defaults by local attackers. Update to Node.js-16.16.0 or later. 11.1-074

11.1 014 Node.js Date: 2022-03-18 Severity: High

In node.js-16.14.2 the same vulnerability that was fixed in 11.1-012 has been fixed. Although BLFS links to shared OpenSSL, Node builds using a copy of the OpenSSL headers (1.1.1n in this version) with some changes and additions (in particular, 'quic' protocol support). It is uncertain if using the shared system OpenSSL library without upgrading Node.js would be an adequate remedy. Therefore update to Node-v16.14.2 or later. 11.1-014

NSS

11.1 055 NSS Updated: 2022-06-01 Severity: High

In NSS-3.68.4, 3.78.1 and 3.79 two bugs with restricted access were fixed. One of these has now been confirmed as a high severity vulnerability. Update to nss-3.79 or later. 11.1-055

ntfs-3g

11.1 060 ntfs-3g Date: 2022-06-13 Severity: Critical

In ntfs-3g-2022.5.17, several security vulnerabilities were fixed that could allow for kernel-level code execution when processing NTFS metadata during mount time, occurring due to buffer overflows. Update to ntfs-3g-2022.5.17 immediately if you have this package installed. 11.1-060

OpenJDK

11.1 095 Java binaries Date: 2022-08-18 Severity: Critical

In OpenJDK-18.0.2, 17.0.4.1 (LTS), and 11.0.16.1 (LTS), three security vulnerabilities were fixed that could allow for remote code execution, class file overwrites, and unauthorized access (create/delete/modify/read) to data. If you use the most recent version of OpenJDK, update to OpenJDK-18.0.2 or later. You may also update to OpenJDK-17.0.4.1 or OpenJDK-11.0.16.1 if you prefer the LTS versions. 11.1-095

11.1 034 OpenJDK Date: 2022-04-26 Severity: High

In openjdk-18.0.1, -17.0.3 (LTS), and -11.0.15 (LTS), several vulnerabilities have been fixed that could allow for remote unauthenticated access to, creation, deletion, or modification of files/data. If you use the most recent version of OpenJDK, update to openjdk-18.0.1 or later. You may also update to openjdk-17.0.3 or openjdk-11.0.15 if you prefer the LTS versions. 11.1-034

OpenJPEG

11.1 047 OpenJPEG Date: 2022-05-26 Severity: Medium

In OpenJPEG-2.5.0, a security vulnerability was fixed that allows for remote attackers to cause application crashes when OpenJPEG utilities are run in directories with 1048576 files. Update to OpenJPEG-2.5.0 if you use OpenJPEG utilities in directories with large amounts of files. 11.1-047

PHP

11.1 075 PHP Date: 2022-07-13 Severity: Medium

In PHP-8.1.8, a security vulnerability was fixed that could allow for a heap buffer overflow when trying to determine the file type of a given file. Update to PHP-8.1.8 if you are processing untrusted files. 11.1-075

11.1 062 PHP Date: 2022-06-13 Severity: Medium

In PHP-8.1.7, two security vulnerabilities were fixed that could allow for remote code execution when using the mysqlnd and pgsql modules in PHP. Update to PHP-8.1.7 immediately if you are using either of these modules. 11.1-062

Pidgin

11.1 035 Pidgin Date: 2022-04-30 Severity: Low

Pidgin developers have removed the _xmppconnect TXT record support in version 2.4.19, because it is intrinsically insecure (unless using DNSSEC). If you need the service provided by those records, there are other ways to achieve this. To be sure not to use those records, update to pidgin-2.4.19 or later. 11.1-035

Polkit

11.1 004 Polkit Date: 2022-03-03 Severity: Low

A security vulnerability was identified in polkit-0.120 that can allow for a denial of service due to resource exhaustion. However, polkitd will be automatically restarted the next time user authentication is required, so the impact is low. Rebuild polkit-0.120 with the security_fixes-1 patch or update to a newer version once available. 11.1-004

PostgreSQL

11.1 048 PostgreSQL Date: 2022-05-26 Severity: High

In PostgreSQL-14.3, a security vulnerability was fixed that allows for users with permissions to create objects in a database to run commands as a superuser the next time that an autovacuum operation takes place, or when some commands are executed. Update to PostgreSQL-14.3 immediately if you use PostgreSQL's server functionality. 11.1-048

11.1 086 PostgreSQL Date: 2022-08-18 Severity: Medium

In PostgreSQL-14.5, a security vulnerability was fixed that allows arbitrary code execution through the use of extension scripts. Update to PostgreSQL-14.5 immediately if you or your users make use of extension scripts. 11.1-086

Python3

11.1 092 Python3 (LFS and BLFS) Date: 2022-08-18 Severity: High

In Python-3.10.6, two security vulnerabilities were fixed that could allow for open redirection in the HTTP server, and for a use-after-free when using the memoryview function. Update to Python-3.10.6 or later. 11.1-092

Qt5

11.1 065 Qt5 Date: 2022-06-22 Severity: High

An out-of-bound write has been fixed in (commercial) Qt 5.15.6, and the fix has been backported to the repository maintained by kde folks, so that it is included in the patch provided for QT-5.15.5 in the BLFS book. Update to Qt-5.15.5 or to a later version. 11.1-065

QtWebEngine

11.1 020 QtWebEngine Date: 2022-04-11 Severity: High

Another batch of CVEs from Chromium have been fixed in QtWebEngine-5.15.9, and some of these have been actively exploited. Update to QtWebengine-5.15.9 or to a later version. 11.1-020

rsync

11.1 093 rsync Date: 2022-08-18 Severity: High

In rsync-3.2.5, a security vulnerability was fixed that could allow for malicious rsync servers to overwrite arbitrary files and directories on client systems. Update to rsync-3.2.5 or later, especially if you are using rsync's client. 11.1-093

Ruby

11.1 030 Ruby Date: 2022-04-15 Severity: Moderate

In Ruby-3.1.2, two security vulnerabilities were fixed that could allow for a denial-of-service (application crash) or for invalid memory reads. Update to Ruby-3.1.2 or later if you are using code with regular expressions or that converts a string object to a float object. 11.1-030

Samba

11.1 089 Samba Date: 2022-08-18 Severity: Critical

In Samba-4.16.4, several security vulnerabilities were fixed that could allow for password change restriction bypasses, password change forgery, crashes, and information leaks when using Active Directory or the SMB1 protocol. None of these are enabled by default in BLFS, but if you use them, you should update to Samba-4.16.4 immediately. 11.1-089

Seamonkey

11.1 076 Seamonkey Date: 2022-07-13 Severity: High

Seamonkey-2.35.13 fixes the security vulnerabilities that were fixed in Firefox-91.10.0 and Firefox-91.11.0 (as well as the relevant Thunderbird vulnerabilities). There are a variety of impacts. Update to Seamonkey-2.53.13 or later. 11.1-076

11.1 051 Seamonkey Date: 2022-05-26 Severity: Critical

A security vulnerability was discovered in Seamonkey-2.53.12 which could lead to remote code execution in a privileged context when processing crafted JavaScript code, identical to CVE-2022-1802 in Firefox. Rebuild Seamonkey-2.53.12 with the patch immediately. 11.1-051

11.1 040 Seamonkey Date: 2022-05-12 Severity: High

In Seamonkey-2.53.12, all security vulnerabilities from Firefox/Thunderbird 91.9.0 were fixed. These vulnerabilities can have various impacts, but most important are remotely-exploitable crashes and browser spoofing problems. Update to Seamonkey-2.53.12 or later. 11.1-040

11.1 023 Seamonkey Date: 2022-04-12 Severity: High

In Seamonkey-2.53.11.1, all security vulnerabilities from Firefox/Thunderbird 91.7.0 were fixed. These vulnerabilities can have various impacts, but most important are remotely-exploitable crashes and browser spoofing problems. Update to Seamonkey-2.53.11.1 or later. 11.1-023

11.1 008 Seamonkey Date: 2022-03-08 Severity: Critical

Seamonkey is also vulnerable to one of the actively exploited vulnerabilities from Firefox and Thunderbird. The BLFS Editors have created a patch which resolves the vulnerability. Rebuild Seamonkey with the patch or upgrade to a later version. 11.1-008

11.1 005 Seamonkey Date: 2022-03-03 Severity: Critical

In Seamonkey-2.53.11, all security vulnerabilities from Firefox-91.5-91.6 and Thunderbird-91.6.1 were fixed. This includes a fix for a vulnerability where a remote attacker can take over your system via a crafted email, along with other vulnerabilities which have various impacts. Update to seamonkey-2.53.11 or later. 11.1-005

Shadow

11.1 100 Shadow Date: 2022-08-23 Severity: Low

In Shadow-1.12.2, two security vulnerabilities were fixed that could allow a symlink attack while a shadow utility is being run by an administrator and is operating on a directory writable by the attacker. Update to shadow-1.12.2, or you will need to take caution when you run the shadow utilities as root. 11.1-100

Speex

11.1 072 Speex Date: 2022-07-13 Severity: Medium

In Speex-1.2.1, two security vulnerabilities were fixed that could allow for denial of service conditions as well as stack overflows when using the 'speexenc' and 'speexdec' programs to do operations on crafted WAV files. Update to Speex-1.2.1 or later. 11.1-072

sqlite

11.1 088 sqlite Date: 2022-08-18 Severity: High

In sqlite-3.39.2, a security vulnerability was fixed that could allow for denial of service when a C API is passed a string argument with billions of bytes contained in it (such as an overly large SQL query). Update to sqlite-3.39.2 or later. 11.1-088

Subversion

11.1 025 Subversion Date: 2022-04-12 Severity: High

In Subversion-1.14.2, two security vulnerabilities were fixed that could allow for a remotely exploitable denial of service and for arbitrary paths to be read. Update to subversion-1.14.2 or later, especially if mod_dav_svn is in use within your configuration. 11.1-025

Thunderbird

11.1 104 Thunderbird Date: 2022-08-25 Severity: High

In Thunderbird-102.2.0, several security vulnerabilities were fixed that could allow for remote code execution, browser window spoofing, and other impacts. Update to Thunderbird-102.2.0 or later. 11.1-104

11.1 084 Thunderbird Date: 2022-08-02 Severity: High

In thunderbird 102.1.0 several vulnerabilities were fixed, of which one was rated high. Update to Thunderbird-102.1.0 or later. 11.1-084

11.1 069 Thunderbird Date: 2022-06-29 Severity: High

In thunderbird 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one of the others (SA 11.1-067) sounds as if it is high. Update to Thunderbird-102.0 or later, or, as a short-term fix to avoid building the updated dependencies (particularly newer rustc, cbindgen, icu) on older systems, update to Thunderbird-91.11.0 and plan to update to 102.0 or later. 11.1-069

11.1 056 Thunderbird Date: 2022-06-01 Severity: High

In thunderbird 91.10.0 several vulnerabilities were fixed, of which six were rated high and one medium. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts. Update to Thunderbird-91.10.0 or later. 11.1-056

11.1 044 Thunderbird Date: 2022-05-22 Severity: Critical

In thunderbird 91.9.1 two critical javascript vulnerabilities were fixed. It appears these vulnerabilities cannot be exploited via email, but javascript is enabled by default (perhaps only for rss feeds) unless you have disabled it in the Config settings. Update to Thunderbird-91.9.1 or later. 11.1-044

11.1 041 Thunderbird Date: 2025-04-13 Severity: High

In Thunderbird-91.9.0, several security vulnerabilities were fixed. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts. Update to Thunderbird-91.9.0 or later. 11.1-041

11.1 021 Thunderbird Date: 2022-04-12 Severity: High

In Thunderbird-91.8.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, browser window spoofing, remote code execution, and PGP keys to stay active when revoked. Update to Thunderbird-91.8.0 or later. 11.1-021

11.1 016 Thunderbird Date: 2022-03-22 Severity: High

In Thunderbird-91.7.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, sandbox escapes, unauthorized add-on modification, browser window spoofing, and for unauthorized access to temporary downloaded files in /tmp. Update to Thunderbird-91.7.0 or later. 11.1-016

11.1 007 Thunderbird Date: 2022-03-08 Severity: Critical

In Thunderbird-91.6.2, two security vulnerabilities which are being actively abused in the wild to conduct attacks were fixed. Update to Thunderbird-91.6.2 or later. 11.1-007

tumbler

11.1 096 tumbler Date: 2022-08-18 Severity: High

In tumbler-4.16.1, a security vulnerability was fixed that could allow for server-side request forgery and arbitrary code execution when indexing crafted files using the gstreamer plugin. Update to tumbler-4.16.1 or later. 11.1-096.

Unbound

11.1 085 Unbound Date: 2022-08-02 Severity: Medium

Unbound versions up to and including 1.16.1 are vulnerable to several ghost domain names attacks. To fix them update to unbound-1.16.2 or later. 11.1-085

unrar

11.1 094 unrar Date: 2022-08-18 Severity: High

In unrar-6.1.7, a path traversal vulnerability was fixed that could allow for malicious archives to place files anywhere on the system. Update to unrar-6.1.7 or later. 11.1-094

VIM

11.1 053 VIM (LFS and BLFS) Date: 2022-05-29 Severity: Medium

11 vulnerabilities causing heap-based buffer overflow, use after free, NULL pointer dereference, or uncontrolled recursion and leading to crashes have been fixed in vim-8.2.5014. To fix them update to vim-8.2.5014 or later. 11.1-053

11.1 037 VIM (LFS and BLFS) Date: 2022-05-06 Severity: High

Three vulnerabilities causing heap-based buffer overflow or use after free and leading to crashes have been fixed in vim-8.2.4814. To fix them update to vim-8.2.4814 or later. 11.1-037

11.1 010 VIM (LFS and BLFS) Date: 2022-03-15 Severity: High

One vulnerability causing a heap-based buffer overflow and crashes has been fixed in vim-8.2.4567. To fix it, update to vim-8.2.4567 or later. 11.1-010

11.1 001 VIM (LFS and BLFS) Date: 2022-03-02 Severity: High

Four vulnerabilities which cause crashes under certain circumstances have been fixed in vim-8.2.4489. To fix them update to vim-8.2.4489 or later. 11.1-001

WebKitGTK+

11.1 105 WebKitGTK+ Date: 2022-08-25 Severity: Critical

In WebKitGTK+-2.36.7, a critical zero-day security vulnerability was fixed that can allow for trivial remote code execution, and it is under active exploitation. Update to WebKitGTK+-2.36.7 or later immediately. 11.1-105

11.1 090 WebKitGTK+ Date: 2022-08-18 Severity: High

In WebKitGTK+-2.36.5 (and subsequently fixed in 2.36.6), two security vulnerabilities were fixed that could allow for remote code execution and UI spoofing when processing malicious web content. Update to WebKitGTK+-2.36.6 or later. 11.1-090.

11.1 071 WebKitGTK+ Date: 2022-07-13 Severity: Medium

In WebKitGTK+-2.36.4, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content, and for undesirable behavior (crashing video calls). Update to WebKitGTK+-2.36.4 or later. 11.1-071.

11.1 059 WebKitGTK+ Date: 2022-06-13 Severity: High

In WebKitGTK+-2.36.3, five security vulnerabilities were fixed that could allow for remote code execution when processing crafted web content. Update to WebKitGTK+-2.36.3 or later. 11.1-059.

11.1 024 WebKitGTK+ Date: 2022-04-12 Severity: High

In WebKitGTK+-2.36.0, three security vulnerabilities were fixed that could allow for remote code execution. Update to WebKitGTK+-2.36.0 or later. 11.1-024.

xorg-server

11.1 079 xorg-server Date: 2022-07-13 Severity: High

Two security vulnerabilities were fixed in xorg-server-21.1.4 that could allow for local privilege escalation and remote code execution due to improper input validation. Update to xorg-server-21.1.4 or later as soon as possible. 11.1-079.

Xwayland

11.1 080 Xwayland Date: 2022-07-13 Severity: High

Two security vulnerabilities were fixed in Xwayland-22.1.3 that could allow for local privilege escalation due to improper input validation. Update to Xwayland-22.1.3 or later as soon as possible. 11.1-080.