BLFS Security Advisories for BLFS 11.1 and the current development books.
BLFS-11.1 was released on 2022-03-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
Apache HTTPD
11.1 061 Apache HTTPD Date: 2022-06-13 Severity: High
In httpd-2.4.54, eight security vulnerabilities were fixed that could allow for authentication bypass, request smuggling, denial of service, and information disclosure, all depending on what configuration the server is using. Note that mod_proxy, mod_proxy_ajp, mod_sed, mod_lua, and the standard Apache HTTP server are affected. Update to httpd-2.4.54 or later. 11.1-061
11.1 013 Apache HTTPD Date: 2022-03-18 Severity: Critical
In httpd-2.4.53, four security vulnerabilities were fixed. One of the security vulnerabilities can cause a crash, the others can allow HTTP Request Smuggling, an integer overflow leading to Out Of Bounds Write on 32-bit systems, and overwriting heap memory with attacker provided data. Update to httpd-2.4.53 or later. 11.1-013
BIND
11.1 042 BIND Date: 2022-05-19 Severity: Medium
In BIND-9.18.12, a security vulnerability was fixed that could cause BIND to crash in some circumstances. Update to BIND-9.18.3 or later if you are using the DNS server component. 11.1-042
11.1 015 BIND Date: 2022-03-21 Severity: High
In BIND-9.18.1, four security vulnerabilities were fixed that could allow for remote attackers to cause BIND to crash and for DNS cache poisoning. Update to BIND-9.18.1 or later if you are using the DNS server component. 11.1-015
cifs-utils
11.1 049 cifs-utils Date: 2022-05-26 Severity: High
In cifs-utils-6.15, two security vulnerabilities were fixed that could allow for privilege escalation and information disclosure (credential leakage). Update to cifs-utils-6.15 immediately. 11.1-049
CUPS
11.1 057 CUPS Date: 2022-06-13 Severity: Medium
In CUPS-2.4.2, a security vulnerability was fixed that could allow for trivial local privilege escalation due to a logic issue. Update to CUPS-2.4.2 or later. 11.1-057
cURL
11.1 070 cURL Date: 2022-07-13 Severity: Medium
In cURL-7.84.0, four security vulnerabilities were fixed that could allow for denial of service, improper message verification, and files to have different permissions than intended when downloaded. To fix them, update to cURL-7.84.0 or later. 11.1-070
11.1 039 cURL Date: 2022-05-13 Severity: Medium
In cURL-7.83.1, six security vulnerabilities were fixed. Five of them are medium. The remaining one does not affect the configuration of BLFS and is rated low. To fix them, update to cURL-7.83.1 or later. 11.1-039
Cyrus-SASL
11.1 002 Cyrus-SASL Date: 2022-03-03 Severity: High
Two security vulnerabilities were fixed in cyrus-sasl-2.1.28 that could allow for remote unauthenticated attackers to steal passwords or cause a remote denial of service. Update to cyrus-sasl-2.1.28 or later if you use it for anything other than a build dependency. 11.1-002
Dovecot
11.1 077 Dovecot Date: 2022-07-13 Severity: High
A security vulnerability was discovered in Dovecot-2.3.19.1 that could result in privilege escalation when a system administrator has misconfigured multiple identical password databases. Rebuild Dovecot with the security patch. 11.1-077
Epiphany
11.1 046 Epiphany Date: 2022-05-26 Severity: High
In Epiphany-42.2, a security vulnerability was fixed that could allow for remote code execution when visiting web pages with overly long titles. The root cause is a client buffer overflow which occurs when processing the title. Update to Epiphany-42.2 or later. 11.1-046
Exo
11.1 063 Exo Date: 2022-06-13 Severity: Critical
In Exo-4.16.4, a security vulnerability was fixed that could allow for remote code execution due to Exo processing remote .desktop files in addition to local .desktop files. Update to Exo-4.16.4 immediately if you use XFCE. 11.1-063
Firefox
11.1 103 Firefox Date: 2022-08-25 Severity: High
In Firefox-102.2.0, five security vulnerabilities were fixed that could allow for remote code execution, browser spoofing, and other impacts. Update to firefox-102.2.0esr. 11.1-103
11.1 083 Firefox Date: 2022-07-26 Severity: High
In firefox 102.1.0 several vulnerabilities were fixed, of which one was rated high. Update to firefox-102.1.0esr. 11.1-083
11.1 068 Firefox Date: 2022-06-28 Severity: High
In firefox 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high and at least one other (SA 11.1-067) sounds as if it is high. Update to firefox-102.0esr or later for the new ESR series. As a short term fix (to avoid updating dependencies which were adequate for the 91ESR series) update to firefox-91.11.0 or later while you prepare the updated dependencies. 11.1-068
11.1 054 Firefox Date: 2022-05-31 Severity: High
In firefox 91.10.0 several vulnerabilities were fixed, of which five were rated high and one rated medium. Update to firefox-91.10.0 or later. 11.1-054
11.1 043 Firefox Date: 2022-05-22 Severity: Critical
In firefox 91.9.1 two critical javascript vulnerabilities were fixed. Update to firefox-91.9.1 or later. 11.1-043
11.1 036 Firefox Date: 2022-05-03 Severity: High
In firefox 91.9.0 six CVE issues, five rated High, were fixed. Update to firefox-91.9.0 or later. 11.1-036
11.1 019 Firefox Date: 2022-04-05 Severity: High
In firefox 91.8.0 eight CVE issues, three rated High, were fixed. Update to firefox-91.8.0 or later. 11.1-019
11.1 006 Firefox Date: 2022-03-08 Severity: Critical
In firefox 91.6.1 two CVE issues rated Critical were fixed (attacks in the wild). Shortly afterwards, firefox-91.7.0 was released with five more CVE issues fixed. Update to firefox-91.7.0 or later. 11.1-006
FLAC
11.1 003 FLAC Date: 2022-03-03 Severity: Medium
Two security vulnerabilities were fixed in FLAC-1.3.4 that could allow for remote information disclosure when playing crafted FLAC files. Update to FLAC-1.3.4 or later. 11.1-003
Git
11.1 073 Git Date: 2022-07-13 Severity: High
In git-2.37.1, a security vulnerability was fixed that could lead to privilege escalation due to an incomplete fix for CVE-2022-24765. This vulnerability allows users to be tricked into running commands as 'root' when navigating through repositories in a multi-user system. Update to git-2.37.1 or later if you're using Git on a multi-user system. 11.1-073
11.1 029 Git Date: 2022-04-15 Severity: Moderate
In git-2.35.3, a security vulnerability was fixed that could allow for a configuration mixup, including command execution, on multi-user systems due to insufficient validation when processing directory names in Git. Update to git-2.35.3 or later if you're using Git on a multi-user system. 11.1-029
GnuPG
11.1 078 GnuPG Date: 2022-07-13 Severity: Medium
In GnuPG-2.3.7, a security vulnerability was fixed that could allow for signature forgery and denial of service (crashes in applications which use GPGME, as well as Evolution and Mutt). Update to GnuPG-2.3.7. 11.1-078
GnuTLS
11.1 091 GnuTLS Date: 2022-08-18 Severity: High
In GnuTLS-3.7.7, a security vulnerability was fixed that could allow for remotely-exploitable crashes when verifying PKCS#7 certificates. Update to GnuTLS-3.6.6 or later. 11.1-091
Gstreamer (and plugins)
11.1 064 gstreamer Date: 2022-06-18 Severity: High
In gstreamer-1.20.3 (as well as the plugins), seven vulnerabilities were fixed that could allow for denial of service and arbitrary code execution when processing AVI, MKV, MP4, and Matroska video files. Update to gstreamer-1.20.3 (and the plugins). 11.1-064
Intel microcode
11.1 101 Intel Microcode Date: 2022-08-24 Severity: Medium
Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability. Ensure x2APIC is enabled, or update to intel-microcode-20220809 or later. 11.1-101
11.1 038 Intel Microcode Date: 2022-05-10 Severity: Medium
Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability. Update to microcode-20220510 or later. 11.1-038
Java binaries
11.1 095 Java binaries Date: 2022-08-18 Severity: Critical
In OpenJDK-18.0.2, 17.0.4.1 (LTS), and 11.0.16.1 (LTS), three security vulnerabilities were fixed that could allow for remote code execution, class file overwrites, and unauthorized access (create/delete/modify/read) of data. If you use the Java binaries provided by BLFS, update to the Java-18.0.2 (or later) binaries. 11.1-095
11.1 034 Java binaries Date: 2022-04-26 Severity: High
In openjdk-18.0.1, -17.0.3 (LTS), and -11.0.15 (LTS), several vulnerabilities have been fixed that could allow for remote unauthenticated access to, creation, deletion, or modification of files/data. If you use the Java binaries provided by BLFS, update to the java-18.0.1 (or later) binaries. 11.1-034
JS91
11.1 067 JS91 Date: 2022-06-28 Severity: High
In the JavaScript code of firefox-91.11.0 and 102.0 there is a fix for attackers setting undesired attributes on a JavaScript object, leading to privileged code execution. Update to JS91-11.0 or later. 11.1-067
libarchive
11.1 026 libarchive Date: 2022-04-12 Severity: High
In libarchive-3.6.1, several security vulnerabilities were fixed that could allow for application crashes or arbitrary code execution. These vulnerabilities exist in the RAR, ISO, 7zip, and ZIP readers, as well as in the API for the library itself. Update to libarchive-3.6.1 or later. 11.1-026
libinput
11.1 033 libinput Date: 2022-04-21 Severity: High
In libinput-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution when attaching devices to a system. This vulnerability has existed since libinput-1.10.0, released in February of 2018. The primary attack method would be via /dev/uinput or Bluetooth devices. Update to libinput-1.20.1 or later. 11.1-033.
libsndfile
11.1 022 libsndfile Date: 2022-04-12 Severity: High
In libsndfile-1.1.0, several security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service. Note that these vulnerabilities were found by oss-fuzz and were not assigned CVEs, but upstream has stated that they are security fixes. Update to libsndfile-1.1.0 or later. 11.1-022
libtiff
11.1 058 libtiff Date: 2022-06-13 Severity: Medium
In libtiff-4.4.0, two security vulnerabilities were fixed in the 'tiffcp' and 'tiffinfo' tools that could allow for application crashes and memory corruption. Update to libtiff-4.4.0 if you use those tools. 11.1-058
libwebp
11.1 087 libwebp Date: 2022-08-18 Severity: Medium
In libwebp-1.2.3 (which has been replaced with 1.2.4), a security vulnerability was fixed that could allow for denial of service (memory leaks and segmentation faults) when processing JPEG images to convert them to WEBP images. Update to libwebp-1.2.4 or later. 11.1-087
libxml2
11.1 098 libxml2 Date: 2022-08-18 Severity: High
In libxml2-2.10.0, a security vulnerability was fixed that could allow for denial-of-service conditions (application crashes) when processing forged input data. The primary application affected is lxml. Several other vulnerabilities were fixed as well, which were not given CVEs. Update to libxml2-2.10.0 or later. 11.1-098
11.1 045 libxml2 Date: 2022-05-26 Severity: Medium
In libxml2-2.9.14, a security vulnerability was fixed that could allow for out-of-bounds writes when processing crafted XML files that are multiple gigabytes in size. Update to libxml2-2.9.14 or later. 11.1-045
logrotate
11.1 052 logrotate Date: 2022-05-27 Severity: High
In logrotate-3.20.1, a security vulnerability was fixed that could allow an unprivileged user to block rotation of the files. Update to logrotate-3.20.1 or later. 11.1-052
MariaDB
11.1 097 MariaDB Date: 2022-08-18 Severity: Critical
In MariaDB-10.6.9, five security vulnerabilities were fixed that could allow for remote code execution and remotely-exploitable crashes when processing database queries and committing data to disk. Update to MariaDB-10.6.9. 11.1-097
11.1 050 MariaDB Date: 2022-05-26 Severity: High
In MariaDB-10.6.8, 24 security vulnerabilities were fixed that could allow for unauthorized creation/deletion/modification of database records, remote code execution, and denial of service. Update to MariaDB-10.6.8. 11.1-050
Mutt
11.1 032 Mutt Updated: 2022-04-15 Severity: Medium
In Mutt before mutt-2.2.3, a buffer overflow in the uudecoder allows reading past the end of the input line. To fix this, update to mutt-2.2.3 or later. 11.1-032
Node.js
11.1 074 Node.js Date: 2022-07-13 Severity: High
In node.js-16.16.0, several security vulnerabilities were fixed that could allow for HTTP Request Smuggling, DNS rebinding, and modification of system defaults by local attackers. Update to Node.js-16.16.0 or later. 11.1-074
11.1 014 Node.js Date: 2022-03-18 Severity: High
In node.js-16.14.2 the same vulnerability that was fixed in 11.1-012 has been fixed. Although BLFS links to shared OpenSSL, Node builds using a copy of the OpenSSL headers (1.1.1n in this version) with some changes and additions (in particular, 'quic' protocol support). It is uncertain if using the shared system OpenSSL library without upgrading Node.js would be an adequate remedy. Therefore update to Node-v16.14.2 or later. 11.1-014
NSS
11.1 055 NSS Updated: 2022-06-01 Severity: High
In NSS-3.68.4, 3.78.1 and 3.79 two bugs with restricted access were fixed. One of these has now been confirmed as a high severity vulnerability. Update to nss-3.79 or later. 11.1-055
ntfs-3g
11.1 060 ntfs-3g Date: 2022-06-13 Severity: Critical
In ntfs-3g-2022.5.17, several security vulnerabilities were fixed that could allow for kernel-level code execution when processing NTFS metadata during mount time, occurring due to buffer overflows. Update to ntfs-3g-2022.5.17 immediately if you have this package installed. 11.1-060
OpenJDK
11.1 095 OpenJDK Date: 2022-08-18 Severity: Critical
In OpenJDK-18.0.2, 17.0.4.1 (LTS), and 11.0.16.1 (LTS), three security vulnerabilities were fixed that could allow for remote code execution, class file overwrites, and unauthorized access (create/delete/modify/read) of data. If you use the most recent version of OpenJDK, update to OpenJDK-18.0.2 or later. You may also update to OpenJDK-17.0.4.1 or OpenJDK-11.0.16.1 if you prefer the LTS versions. 11.1-095
11.1 034 OpenJDK Date: 2022-04-26 Severity: High
In openjdk-18.0.1, -17.0.3 (LTS), and -11.0.15 (LTS), several vulnerabilities have been fixed that could allow for remote unauthenticated access to, creation, deletion, or modification of files/data. If you use the most recent version of OpenJDK, update to openjdk-18.0.1 or later. You may also update to openjdk-17.0.3 or openjdk-11.0.15 if you prefer the LTS versions. 11.1-034
OpenJPEG
11.1 047 OpenJPEG Date: 2022-05-26 Severity: Medium
In OpenJPEG-2.5.0, a security vulnerability was fixed that could allow remote attackers to cause application crashes when OpenJPEG utilities are run in directories with 1048576 files. Update to OpenJPEG-2.5.0 if you use OpenJPEG utilities in directories with large numbers of files. 11.1-047
PHP
11.1 075 PHP Date: 2022-07-13 Severity: Medium
In PHP-8.1.8, a security vulnerability was fixed that could allow for a heap buffer overflow when trying to determine the file type of a given file. Update to PHP-8.1.8 if you are processing untrusted files. 11.1-075
11.1 062 PHP Date: 2022-06-13 Severity: Medium
In PHP-8.1.7, two security vulnerabilities were fixed that could allow for remote code execution when using the mysqlnd and pgsql modules in PHP. Update to PHP-8.1.7 immediately if you are using either of these modules. 11.1-062
Pidgin
11.1 035 Pidgin Date: 2022-04-30 Severity: Low
Pidgin developers have removed the _xmppconnect TXT record support in version 2.4.19, because it is intrinsically insecure (unless using DNSSEC). If you need the service provided by those records, there are other ways to achieve this. To be sure not to use those records, update to pidgin-2.4.19 or later. 11.1-035
Polkit
11.1 004 Polkit Date: 2022-03-03 Severity: Low
A security vulnerability was identified in polkit-0.120 that can allow for a denial of service due to resource exhaustion. However, polkitd will be automatically restarted the next time user authentication is required, so the impact is low. Rebuild polkit-0.120 with the security_fixes-1 patch or update to a newer version once available. 11.1-004
PostgreSQL
11.1 048 PostgreSQL Date: 2022-05-26 Severity: High
In PostgreSQL-14.3, a security vulnerability was fixed that allows for users with permissions to create objects in a database to run commands as a superuser the next time that an autovacuum operation takes place, or when some commands are executed. Update to PostgreSQL-14.3 immediately if you use PostgreSQL's server functionality. 11.1-048
11.1 086 PostgreSQL Date: 2022-08-18 Severity: Medium
In PostgreSQL-14.5, a security vulnerability was fixed that allows arbitrary code execution through the use of extension scripts. Update to PostgreSQL-14.5 immediately if you or your users make use of extension scripts. 11.1-086
Python3
11.1 092 Python3 (LFS and BLFS) Date: 2022-08-18 Severity: High
In Python-3.10.6, two security vulnerabilities were fixed that could allow for open redirection in the HTTP server, and for a use-after-free when using the memoryview function. Update to Python-3.10.6 or later. 11.1-092
Qt5
11.1 065 Qt5 Date: 2022-06-22 Severity: High
An out-of-bounds write has been fixed in (commercial) Qt 5.15.6, and the fix has been backported to the repository maintained by the KDE folks, so that it is included in the patch provided for Qt-5.15.5 in the BLFS book. Update to Qt-5.15.5 or to a later version. 11.1-065
QtWebEngine
11.1 020 QtWebEngine Date: 2022-04-11 Severity: High
Another batch of CVEs from Chromium have been fixed in QtWebEngine-5.15.9, and some of these have been actively exploited. Update to QtWebEngine-5.15.9 or to a later version. 11.1-020
rsync
11.1 093 rsync Date: 2022-08-18 Severity: High
In rsync-3.2.5, a security vulnerability was fixed that could allow for malicious rsync servers to overwrite arbitrary files and directories on client systems. Update to rsync-3.2.5 or later, especially if you are using rsync's client. 11.1-093
Ruby
11.1 030 Ruby Date: 2022-04-15 Severity: Moderate
In Ruby-3.1.2, two security vulnerabilities were fixed that could allow for a denial-of-service (application crash) or for invalid memory reads. Update to Ruby-3.1.2 or later if you are using code with regular expressions or that converts a string object to a float object. 11.1-030
Samba
11.1 089 Samba Date: 2022-08-18 Severity: Critical
In Samba-4.16.4, several security vulnerabilities were fixed that could allow for password change restriction bypasses, password change forgery, crashes, and information leaks when using Active Directory or the SMB1 protocol. None of these are enabled by default in BLFS, but if you use them, you should update to Samba-4.16.4 immediately. 11.1-089
Seamonkey
11.1 076 Seamonkey Date: 2022-07-13 Severity: High
Several security vulnerabilities were fixed in Seamonkey-2.53.13 that had been fixed in Firefox-91.10.0 and Firefox-91.11.0 (as well as the relevant Thunderbird vulnerabilities). There are a variety of impacts. Update to Seamonkey-2.53.13 or later. 11.1-076.
11.1 051 Seamonkey Date: 2022-05-26 Severity: Critical
A security vulnerability was discovered in Seamonkey-2.53.12 which could lead to remote code execution in a privileged context when processing crafted JavaScript code, identical to CVE-2022-1802 in Firefox. Rebuild Seamonkey-2.53.12 with the patch immediately. 11.1-051
11.1 040 Seamonkey Date: 2022-05-12 Severity: High
In Seamonkey-2.53.12, all security vulnerabilities from Firefox/Thunderbird 91.9.0 were fixed. These vulnerabilities can have various impacts, but most important are remotely-exploitable crashes and browser spoofing problems. Update to Seamonkey-2.53.12 or later. 11.1-040
11.1 023 Seamonkey Date: 2022-04-12 Severity: High
In Seamonkey-2.53.11.1, all security vulnerabilities from Firefox/Thunderbird 91.7.0 were fixed. These vulnerabilities can have various impacts, but most important are remotely-exploitable crashes and browser spoofing problems. Update to Seamonkey-2.53.11.1 or later. 11.1-023
11.1 008 Seamonkey Date: 2022-03-08 Severity: Critical
Seamonkey is also vulnerable to one of the actively exploited vulnerabilities from Firefox and Thunderbird. The BLFS Editors have created a patch which resolves the vulnerability. Rebuild Seamonkey with the patch or upgrade to a later version. 11.1-008
11.1 005 Seamonkey Date: 2022-03-03 Severity: Critical
In Seamonkey-2.53.11, all security vulnerabilities from Firefox-91.5-91.6 and Thunderbird-91.6.1 were fixed. This includes a fix for a vulnerability where a remote attacker can take over your system via a crafted email, along with other vulnerabilities which have various impacts. Update to seamonkey-2.53.11 or later. 11.1-005
Shadow
11.1 100 Shadow Date: 2022-08-23 Severity: Low
In Shadow-1.12.2, two security vulnerabilities were fixed that could allow a symlink attack while a shadow utility is being run by an administrator and operating on a directory writable by the attacker. Update to shadow-1.12.2, or take care when you run the shadow utilities as root. 11.1-100
Speex
11.1 072 Speex Date: 2022-07-13 Severity: Medium
In Speex-1.2.1, two security vulnerabilities were fixed that could allow for denial of service conditions as well as stack overflows when using the 'speexenc' and 'speexdec' programs to do operations on crafted WAV files. Update to Speex-1.2.1 or later. 11.1-072
sqlite
11.1 088 sqlite Date: 2022-08-18 Severity: High
In sqlite-3.39.2, a security vulnerability was fixed that could allow for denial of service when a C API is passed a string argument with billions of bytes contained in it (such as an overly large SQL query). Update to sqlite-3.39.2 or later. 11.1-088
Subversion
11.1 025 Subversion Date: 2022-04-12 Severity: High
In Subversion-1.14.2, two security vulnerabilities were fixed that could allow for a remotely exploitable denial of service and for arbitrary paths to be read. Update to subversion-1.14.2 or later, especially if mod_dav_svn is in use within your configuration. 11.1-025
Thunderbird
11.1 104 Thunderbird Date: 2022-08-25 Severity: High
In Thunderbird-102.2.0, several security vulnerabilities were fixed that could allow for remote code execution, browser window spoofing, and other impacts. Update to Thunderbird-102.2.0 or later. 11.1-104
11.1 084 Thunderbird Date: 2022-08-02 Severity: High
In thunderbird 102.1.0 several vulnerabilities were fixed, of which one was rated high. Update to Thunderbird-102.1.0 or later. 11.1-084
11.1 069 Thunderbird Date: 2022-06-29 Severity: High
In thunderbird 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one of the others (SA 11.1-067) sounds as if it is high. Update to Thunderbird-102.0 or later, or, as a short-term fix to avoid building the updated dependencies (particularly newer rustc, cbindgen, icu) on older systems, update to Thunderbird-91.11.0 and plan to update to 102.0 or later. 11.1-069
11.1 056 Thunderbird Date: 2022-06-01 Severity: High
In thunderbird 91.10.0 several vulnerabilities were fixed, of which six were rated high and one medium. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts. Update to Thunderbird-91.10.0 or later. 11.1-056
11.1 044 Thunderbird Date: 2022-05-22 Severity: Critical
In thunderbird 91.9.1 two critical JavaScript vulnerabilities were fixed. It appears these vulnerabilities cannot be exploited via email, but JavaScript is enabled by default (perhaps only for RSS feeds) unless you have disabled it in the Config settings. Update to Thunderbird-91.9.1 or later. 11.1-044
11.1 041 Thunderbird Date: 2025-04-13 Severity: High
In Thunderbird-91.9.0, several security vulnerabilities were fixed. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts. Update to Thunderbird-91.9.0 or later. 11.1-041
11.1 021 Thunderbird Date: 2022-04-12 Severity: High
In Thunderbird-91.8.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, browser window spoofing, remote code execution, and PGP keys to stay active when revoked. Update to Thunderbird-91.8.0 or later. 11.1-021
11.1 016 Thunderbird Date: 2022-03-22 Severity: High
In Thunderbird-91.7.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, sandbox escapes, unauthorized add-on modification, browser window spoofing, and for unauthorized access to temporary downloaded files in /tmp. Update to Thunderbird-91.7.0 or later. 11.1-016
11.1 007 Thunderbird Date: 2022-03-08 Severity: Critical
In Thunderbird-91.6.2, two security vulnerabilities which are being actively abused in the wild to conduct attacks were fixed. Update to Thunderbird-91.6.2 or later. 11.1-007
tumbler
11.1 096 tumbler Date: 2022-08-18 Severity: High
In tumbler-4.16.1, a security vulnerability was fixed that could allow for server-side request forgery and arbitrary code execution when indexing crafted files using the gstreamer plugin. Update to tumbler-4.16.1 or later. 11.1-096.
Unbound
11.1 085 Unbound Date: 2022-08-02 Severity: Medium
Unbound versions up to and including 1.16.1 are vulnerable to several ghost domain names attacks. To fix them, update to unbound-1.16.2 or later. 11.1-085
unrar
11.1 094 unrar Date: 2022-08-18 Severity: High
In unrar-6.1.7, a path traversal vulnerability was fixed that could allow for malicious archives to place files anywhere on the system. Update to unrar-6.1.7 or later. 11.1-094
VIM
11.1 053 VIM (LFS and BLFS) Date: 2022-05-29 Severity: Medium
Eleven vulnerabilities causing heap-based buffer overflows, use after free, NULL pointer dereferences, or uncontrolled recursion, and leading to crashes, have been fixed in vim-8.2.5014. To fix them, update to vim-8.2.5014 or later. 11.1-053
11.1 037 VIM (LFS and BLFS) Date: 2022-05-06 Severity: High
Three vulnerabilities causing heap-based buffer overflows or use after free, and leading to crashes, have been fixed in vim-8.2.4814. To fix them, update to vim-8.2.4814 or later. 11.1-037
11.1 010 VIM (LFS and BLFS) Date: 2022-03-15 Severity: High
One vulnerability causing a heap-based buffer overflow and crashes has been fixed in vim-8.2.4567. To fix it, update to vim-8.2.4567 or later. 11.1-010
11.1 001 VIM (LFS and BLFS) Date: 2022-03-02 Severity: High
Four vulnerabilities which cause crashes under certain circumstances have been fixed in vim-8.2.4489. To fix them, update to vim-8.2.4489 or later. 11.1-001
WebKitGTK+
11.1 105 WebKitGTK+ Date: 2022-08-25 Severity: Critical
In WebKitGTK+-2.36.7, a critical zero-day security vulnerability was fixed that can allow for trivial remote code execution, and it is under active exploitation. Update to WebKitGTK+-2.36.7 or later immediately. 11.1-105.
11.1 090 WebKitGTK+ Date: 2022-08-18 Severity: High
In WebKitGTK+-2.36.5 (and subsequently fixed in 2.36.6), two security vulnerabilities were fixed that could allow for remote code execution and UI spoofing when processing malicious web content. Update to WebKitGTK+-2.36.6 or later. 11.1-090.
11.1 071 WebKitGTK+ Date: 2022-07-13 Severity: Medium
In WebKitGTK+-2.36.4, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content, and for undesirable behavior (crashing video calls). Update to WebKitGTK+-2.36.4 or later. 11.1-071.
11.1 059 WebKitGTK+ Date: 2022-06-13 Severity: High
In WebKitGTK+-2.36.3, five security vulnerabilities were fixed that could allow for remote code execution when processing crafted web content. Update to WebKitGTK+-2.36.3 or later. 11.1-059.
11.1 024 WebKitGTK+ Date: 2022-04-12 Severity: High
In WebKitGTK+-2.36.0, three security vulnerabilities were fixed that could allow for remote code execution. Update to WebKitGTK+-2.36.0 or later. 11.1-024.
xorg-server
11.1 079 xorg-server Date: 2022-07-13 Severity: High
Two security vulnerabilities were fixed in xorg-server-21.1.4 that could allow for local privilege escalation and remote code execution due to improper input validation. Update to xorg-server-21.1.4 or later as soon as possible. 11.1-079.
Xwayland
11.1 080 Xwayland Date: 2022-07-13 Severity: High
Two security vulnerabilities were fixed in Xwayland-22.1.3 that could allow for local privilege escalation due to improper input validation. Update to Xwayland-22.1.3 or later as soon as possible. 11.1-080.