BLFS Security Advisories for BLFS 11.3 and the current development books.
BLFS-11.3 was released on 2023-03-01
This page is in alphabetical order of packages; if a package has multiple advisories, the newer ones come first.
The links at the end of each item point to more details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
AMD Microcode
11.3 078 AMD Zen/Zen2/Zen3/Zen4 CPUs Date: 2023-08-14 Severity: Medium
An information disclosure issue known as "Inception" or "SRSO" has been publicised. Update the linux kernel to version 6.4.9 or later (6.1.44 or later if you use the LTS 6.1 version) and update the microcode when it is available for your CPU. 11.3-078
11.3 067 AMD Zen2 CPUs Date: 2023-08-01 Severity: High
A High-severity vulnerability (information disclosure in 16-byte chunks by a non-privileged user) has been publicised. Update the linux kernel to version 6.4.6 or later (6.1.41 or later if you use the LTS 6.1 version) and update the microcode when it is available for your CPU. 11.3-067.
11.3 065 AMD Microcode Date: 2023-07-24 Severity: High
This advisory has been replaced by advisory SA 11.3-067 above.
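Both AMD advisories above give two kernel thresholds, one for mainline and one for the 6.1 LTS branch, and a kernel on any other older branch (6.2.x, 6.3.x) has neither fix. The script below is an added example, not code from the BLFS book, that applies exactly those thresholds to a version string and, when run with --report, also prints what the running kernel reports for SRSO and which microcode revision is loaded. Version strings of the form "6.4.9-blfs" are assumed; any suffix after the numeric part is ignored.

```shell
#!/bin/sh
# Added example (not from the BLFS book): does a kernel version already carry
# the fixes named in SA 11.3-067 (Zenbleed, Zen2) and SA 11.3-078
# (Inception/SRSO)? Thresholds are the ones quoted in the advisories.

# ver_ge A B -> exit 0 if A >= B, comparing major.minor.patch numerically.
# A trailing local suffix such as "-blfs" is stripped first (assumption).
ver_ge() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}
    oldifs=$IFS; IFS=.
    set -- $a 0 0 0; a1=$1; a2=$2; a3=$3    # pad missing fields with 0
    set -- $b 0 0 0; b1=$1; b2=$2; b3=$3
    IFS=$oldifs
    if [ "$a1" -gt "$b1" ]; then return 0; fi
    if [ "$a1" -lt "$b1" ]; then return 1; fi
    if [ "$a2" -gt "$b2" ]; then return 0; fi
    if [ "$a2" -lt "$b2" ]; then return 1; fi
    if [ "$a3" -ge "$b3" ]; then return 0; fi
    return 1
}

# kernel_has_fix VERSION LTS_MIN MAINLINE_MIN
# Only the 6.1 branch gets the LTS threshold; every other branch is measured
# against mainline, so 6.2.x and 6.3.x kernels are (correctly) reported unfixed.
kernel_has_fix() {
    case "$1" in
        6.1.*) ver_ge "$1" "$2" ;;
        *)     ver_ge "$1" "$3" ;;
    esac
}

zenbleed_fixed()  { kernel_has_fix "$1" 6.1.41 6.4.6; }
inception_fixed() { kernel_has_fix "$1" 6.1.44 6.4.9; }

# report: the running kernel plus the kernel's own view of SRSO. The sysfs
# entry only exists on kernels that know about the issue, so its absence is
# itself a sign the kernel predates the fix. Microcode is the other half of
# both advisories; the loaded revision is shown from /proc/cpuinfo.
report() {
    k=$(uname -r)
    if zenbleed_fixed "$k"; then echo "zenbleed:  kernel $k carries the fix"
    else echo "zenbleed:  kernel $k is older than 6.4.6 / 6.1.41, update"; fi
    if inception_fixed "$k"; then echo "inception: kernel $k carries the fix"
    else echo "inception: kernel $k is older than 6.4.9 / 6.1.44, update"; fi
    f=/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
    if [ -r "$f" ]; then echo "srso:      $(cat "$f")"; fi
    grep -m1 '^microcode' /proc/cpuinfo 2>/dev/null
}

case "${1:-}" in --report) report ;; esac
```

Run it as `sh amd-check.sh --report`. The version logic is the part worth keeping: a naive "is it at least 6.4.9" test would wrongly pass 6.1.45, and a naive "at least 6.1.44" test would wrongly pass 6.3.x.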
Apache HTTPD
11.3 002 Apache HTTPD Date: 2023-03-07 Severity: High
In httpd-2.4.56, two security vulnerabilities were fixed that could allow for HTTP Request Smuggling when mod_proxy and mod_rewrite are enabled in combination with one another, or when mod_proxy_uwsgi is enabled. Update to httpd-2.4.56 if you use either of those configurations. 11.3-002
BIND
11.3 046 BIND Date: 2023-06-23 Severity: High
In BIND-9.18.16, two security vulnerabilities were fixed that could allow for denial-of-service (application crashes and exhaustion of system memory). One of these vulnerabilities affects the default BIND configuration in BLFS. This does not affect the client utilities. If you use BIND as a DNS server, you should update to BIND-9.18.16 immediately. 11.3-046
c-ares
11.3 028 c-ares Date: 2023-05-22 Severity: High
In c-ares-1.19.1, three security vulnerabilities were fixed, one of them rated as High. 11.3-028
CUPS
11.3 044 CUPS Date: 2023-06-23 Severity: Medium
In CUPS-2.4.6, a security vulnerability was fixed that could allow for a denial-of-service or for information disclosure. Note that all print jobs on the system will be lost once the cupsd process crashes. If you print regularly or share printers with other systems, update to CUPS-2.4.6. 11.3-044
11.3 039 CUPS Date: 2023-06-17 Severity: Medium
In CUPS-2.4.5, a security vulnerability was fixed that could allow for a remote attacker to trigger a denial of service on a CUPS server. Update to CUPS-2.4.5 if you're sharing printers with other systems. 11.3-039
cups-filters
11.3 043 cups-filters Date: 2023-06-17 Severity: High
In cups-filters-1.28.16, a security vulnerability exists that allows for remote code execution on IPP printers which use the 'beh' backend. Upstream is aware of the problem and has patched it, but has not cut a new release. The BLFS team has developed a patch and added it to the book. Apply the patch and rebuild cups-filters if you use a printer with the 'beh' backend. 11.3-043
cURL
11.3 066 cURL Date: 2023-07-26 Severity: Medium
In cURL-8.2.1, a security vulnerability was fixed that could allow for an attacker to trick a user into overwriting or creating protected files holding cookie, HSTS, or alt-svc data. This occurs due to a TOCTOU race condition, which causes symbolic links to be followed instead of overwritten. Update to cURL-8.2.1. 11.3-066
11.3 031 cURL Date: 2023-06-05 Severity: Medium
In cURL-8.1.0, several security vulnerabilities were fixed that could allow for IDN wildcard matches, unexpected application behavior, race conditions, and for information leakage when verifying sha256 fingerprints in the SSH functions of cURL. Update to cURL-8.1.0. 11.3-031
11.3 007 cURL Date: 2023-03-27 Severity: Medium
In cURL-8.0.1, six security vulnerabilities were fixed that could allow for authentication bypass, arbitrary file writes, content filter bypasses, command injection, and remotely exploitable crashes. Update to cURL-8.0.1 if you use SFTP/SSH/TELNET/GSS/FTP with cURL or if you use HTTP sites which redirect to HTTPS. 11.3-007
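The cURL 8.2.1 issue (11.3-066 above) is an instance of a general pattern: a program that saves state by truncating and rewriting a file in a shared or user-controlled directory can be pointed at another file by whoever plants a symbolic link at that path first. The script below is an added example and is not curl's code or the curl fix; it shows the vulnerable write beside the usual remedy (write a fresh temporary file in the same directory, then rename it over the path, which replaces the link itself instead of following it). File and directory names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not curl's code): symlink-following writes versus
# write-then-rename, the class of bug behind SA 11.3-066.

# unsafe_save PATH DATA: a plain truncating write. If PATH is a symlink, the
# kernel opens the link's target, so the data lands wherever the link points.
unsafe_save() {
    printf '%s\n' "$2" > "$1"
}

# safe_save PATH DATA: create a new file beside PATH (mktemp gives it mode
# 0600 and a unique name, so no pre-planted link can match it), write there,
# then rename it over PATH. rename(2) swaps the directory entry and never
# dereferences the destination, so a planted symlink is simply discarded.
safe_save() {
    dir=$(dirname "$1")
    tmp=$(mktemp "$dir/.$(basename "$1").XXXXXX") || return 1
    if [ -d "$1" ]; then rm -f "$tmp"; return 1; fi   # refuse link-to-directory
    printf '%s\n' "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$1"
}

# demo: stage a victim file and an attacker-planted link named like a cookie
# jar, then save through both functions. Returns 0 when the unsafe path
# overwrote the victim and the safe path left it untouched (link replaced).
demo() {
    work=$(mktemp -d) || return 1
    victim="$work/victim"                 # stands in for a protected file
    printf 'original\n' > "$victim"
    ln -s "$victim" "$work/cookies.txt"   # attacker wins the race, plants link

    unsafe_save "$work/cookies.txt" "cookie data"
    unsafe_hit=$(cat "$victim")           # victim now holds "cookie data"

    printf 'original\n' > "$victim"
    safe_save "$work/cookies.txt" "cookie data"
    safe_untouched=$(cat "$victim")       # victim still holds "original"
    link_gone=0
    if [ ! -L "$work/cookies.txt" ]; then link_gone=1; fi

    rm -rf "$work"
    [ "$unsafe_hit" = "cookie data" ] && [ "$safe_untouched" = "original" ] && [ "$link_gone" = 1 ]
}
```

Two caveats on the remedy: the temporary file must live in the same directory as the target (rename does not cross filesystems), and GNU mv treats a destination that is a symlink to a directory as "move into it", which is why safe_save refuses that case rather than renaming blindly.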
D-Bus
11.3 041 D-Bus (LFS and BLFS) Date: 2023-06-17 Severity: High
In dbus-1.14.8, a security vulnerability was fixed that could allow for an unprivileged user to cause a denial-of-service (system message bus daemon crash) by sending an unreplyable message when an administrator is monitoring the dbus daemon. Update to dbus-1.14.8 or later. 11.3-041
Exiv2
11.3 035 Exiv2 Date: 2023-06-05 Severity: Critical
In Exiv2-0.28.0, several security vulnerabilities were fixed that could allow for arbitrary code execution and denial-of-service when processing image metadata. Update to exiv2-0.28.0 or later. 11.3-035
Firefox
11.3 083 Firefox Date: 2023-08-29 Severity: High
In firefox 115.2.0 twelve vulnerabilities applicable to BLFS were fixed, six of them rated as High. 11.3-083
11.3 068 Firefox Date: 2023-08-01 Severity: High
In firefox 115.1.0 seven vulnerabilities applicable to BLFS and rated as High were fixed. 11.3-068
11.3 056 Firefox Date: 2023-07-12 Severity: High
In firefox 115.0.2 a vulnerability rated as High was fixed. 11.3-056
11.3 048 Firefox Date: 2023-07-05 Severity: High
In both firefox 115.0 and 102.13.0 several vulnerabilities were fixed, of which three were rated as High. 11.3-048
11.3 037 Firefox Date: 2023-06-06 Severity: High
In Firefox-102.12.0esr, two security vulnerabilities rated as High by upstream were fixed. 11.3-037
11.3 026 Firefox Date: 2023-05-09 Severity: High
In Firefox-102.11.0esr, six security vulnerabilities applicable to linux systems were fixed, four of them rated as High by upstream. 11.3-026
11.3 017 Firefox Date: 2023-04-11 Severity: High
In Firefox-102.10.0esr, seven security vulnerabilities applicable to linux systems were fixed, four of them rated as High by upstream, as well as a fix in the shipped version of libwebp (see SA 11.3-016). 11.3-017
11.3 005 Firefox Date: 2023-03-14 Severity: High
In Firefox-102.9.0esr, five security vulnerabilities applicable to linux systems were fixed, two of them rated as High by upstream. 11.3-005
Git
11.3 023 Git Date: 2023-04-28 Severity: High
In Git-2.40.1, three security issues were fixed. They could allow writes outside a working tree when applying a specially crafted patch, the malicious placement of crafted messages under certain circumstances, and arbitrary configuration injection. Update to git-2.40.1. 11.3-023
Ghostscript
11.3 051 ghostscript Date: 2023-07-06 Severity: High
In ghostscript-10.01.2, a security vulnerability was fixed that allows for arbitrary code execution and denial of service when processing PostScript files which contain a %pipe% device name or a "|" character. The problem is due to mishandling of permission validation. Update to ghostscript-10.01.2. 11.3-051
11.3 019 ghostscript Date: 2023-04-13 Severity: Critical
In ghostscript-10.01.1, a critical security vulnerability was fixed that allows for trivial arbitrary code execution when processing crafted PostScript files. It is known as "Shell in the Ghost", and is known to be actively exploited with a public proof of concept available. Update to ghostscript-10.01.1 immediately. 11.3-019
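For 11.3-051 the trigger is visible in the input: a PostScript program that opens the %pipe% device, or names an output file starting with "|", is asking the interpreter to run a shell command, and no ordinary print job needs that. The script below is an added example, not from the BLFS book or from Ghostscript, that scans a spool directory for those constructs and moves matching files aside so an unpatched gs never processes them. The directory layout and the two sample PostScript files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from BLFS or Ghostscript): quarantine PostScript that
# names the %pipe% device or a "|"-prefixed file, the construct behind
# SA 11.3-051, before it reaches an interpreter that is not yet updated.

# ps_names_pipe FILE -> 0 if FILE contains "%pipe%" or a "(|" string literal
# (a string starting with "|" is how a pipe-prefixed file name is written).
ps_names_pipe() {
    grep -q -F -e '%pipe%' -e '(|' "$1"
}

# quarantine_ps SRC QDIR -> moves every .ps/.eps under SRC that matches into
# QDIR and prints the number of files moved (0 when nothing matched).
quarantine_ps() {
    src=$1; qdir=$2; n=0
    mkdir -p "$qdir" || return 1
    for f in "$src"/*.ps "$src"/*.eps; do
        [ -f "$f" ] || continue          # an unmatched glob expands to itself
        if ps_names_pipe "$f"; then
            mv -f "$f" "$qdir"/ && n=$((n + 1))
        fi
    done
    echo "$n"
}

# demo -> 0 when the crafted file is quarantined and the clean one is kept.
# Both files are constructed here; the first opens the pipe device, the
# second only selects a font.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/spool"
    printf '%%!PS\n(%%pipe%%id) (w) file closefile\n' > "$work/spool/bad.ps"
    printf '%%!PS\n/Helvetica findfont 12 scalefont setfont\n' > "$work/spool/good.ps"
    moved=$(quarantine_ps "$work/spool" "$work/quarantine")
    ok=1
    if [ "$moved" = 1 ] && [ -f "$work/quarantine/bad.ps" ] && [ -f "$work/spool/good.ps" ]; then
        ok=0
    fi
    rm -rf "$work"
    return $ok
}
```

This is a triage heuristic, not a fix: PostScript can assemble the device name at run time (concatenated or encoded strings), which a textual match will not see, so it buys time for a spool you cannot update today and nothing more. Updating to 10.01.2 remains the remedy.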
gstreamer
11.3 064 gstreamer Date: 2023-07-23 Severity: High
In gst-plugins-ugly-1.22.5, two security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service when using RealMedia files. Update the gstreamer stack to 1.22.5 if you use the RealMedia plugin. 11.3-064
11.3 054 gstreamer Date: 2023-07-06 Severity: High
In gst-plugins-base and gst-plugins-good 1.22.4, three security issues were fixed that could allow for arbitrary code execution and denial of service when processing malformed FLAC titles or parsing subtitles. Update the gstreamer stack to 1.22.4. 11.3-054
Intel microcode
11.3 075 Intel Microcode Date: 2023-08-09 Severity: Medium
Intel microcode for some processors has been updated to fix three information disclosure vulnerabilities. Read 11.3-075 for the list of affected processors and how to update the microcode to fix the vulnerabilities.
ImageMagick
11.3 049 ImageMagick Date: 2023-07-06 Severity: High
Since ImageMagick-7.1.0-61 several vulnerabilities have come to light, one rated as High. These were fixed between 7.1.0-62 and 7.1.1-10. 11.3-049
JS-102
11.3 047 JS-102 Date: 2023-07-05 Severity: High
In the JavaScript code of firefox-102.13.0 there is a fix for a potential use after free. 11.3-047
11.3 025 JS-102 Date: 2023-05-09 Severity: Medium
In the JavaScript code of firefox-102.11.0 there are various changes, including what appears to be the fix for a type-checking bug reported against firefox; see CVE-2023-32211 in 11.3-025
11.3 016 JS-102 Date: 2023-04-11 Severity: High
In the JavaScript code of firefox-102.10.0 there is a fix for a potentially exploitable invalid free. 11.3-016
11.3 004 JS-102 Date: 2023-03-14 Severity: High
In the JavaScript code of firefox-102.9.0 there is a fix for a potentially exploitable crash when invalidating JIT code. 11.3-004
libjpeg-turbo
11.3 050 libjpeg-turbo Date: 2023-07-06 Severity: Medium
In libjpeg-turbo-3.0.0, a security vulnerability was fixed that could allow for a denial-of-service when processing a crafted 12-bit JPEG image that contains values which go out-of-range. 11.3-050
librsvg
11.3 063 librsvg Date: 2023-07-23 Severity: High
In librsvg-2.56.3, a security vulnerability was fixed that could allow for arbitrary file reads when an xinclude href has special characters in it. Update to librsvg-2.56.3. 11.3-063
Libwebp
11.3 015 Libwebp Date: 2023-04-11 Severity: High
The update to firefox-102.10.0 makes public a double-free vulnerability in libwebp which the mozilla developers say could lead to memory corruption and a potentially exploitable crash. In the absence of a new release, apply the patch from upstream. 11.3-015
LibX11
11.3 038 LibX11 Date: 2023-06-17 Severity: Moderate
In LibX11-1.8.6, a security vulnerability was fixed. A malicious X server (or a malicious proxy-in-the-middle) may corrupt client memory and at least cause the client to crash. Update to LibX11-1.8.6 or later. 11.3-038
libxml2
11.3 020 libxml2 Date: 2023-04-13 Severity: Medium
In libxml2-2.10.4, three security vulnerabilities were fixed that could cause crashes due to null pointer dereferences and improper resource management. Update to libxml2-2.10.4. 11.3-020
LWP-Protocol-https
11.3 055 LWP-Protocol-https Date: 2023-07-10 Severity: Medium
In LWP-Protocol-https-6.11, a security vulnerability was fixed that could allow attackers to disable server certificate validation by setting the HTTPS_CA_DIR or HTTPS_CA_FILE environment variable. Update to LWP-Protocol-https-6.11 or later. 11.3-055
MariaDB
11.3 071 MariaDB Date: 2023-08-07 Severity: Medium
In MariaDB-10.11.4 (and 10.6.14), a security vulnerability was fixed that could allow for a denial of service (database server crash). Update to MariaDB-10.11.4 (and run mariadb-upgrade), or MariaDB-10.6.14. 11.3-071
MIT Kerberos V5
11.3 080 MIT Kerberos V5 Date: 2023-08-17 Severity: Medium
In krb5-1.21.2, two security vulnerabilities were fixed that could allow for crashes of the KDC process and of the kadm5 process. These vulnerabilities can be exploited remotely. Update to krb5-1.21.2 or later. 11.3-080
nghttp2
11.3 058 nghttp2 Date: 2023-07-19 Severity: Low
In nghttp2-, a security vulnerability was fixed that could allow for denial of service through memory exhaustion. 11.3-058
node.js
11.3 077 node.js Date: 2023-08-11 Severity: High
In node.js-18.17.1, three security vulnerabilities were fixed that could allow for permission policy bypass via the Module._load function, the module.constructor.createRequire function, and the process.binding function. Note that at this time, these features are experimental, but are enabled by default. Update to node.js-18.17.1. 11.3-077
11.3 045 node.js Date: 2023-06-23 Severity: High
In node.js-18.16.1, four security vulnerabilities were fixed that could allow for denial of service, HTTP Request Smuggling, keys to not be generated, and for policy bypasses. Update to node.js-18.16.1. 11.3-045
OpenJDK
11.3 062 OpenJDK Date: 2023-07-23 Severity: High
In OpenJDK-20.0.2, six security vulnerabilities were fixed that could allow for unauthorized access to data on a system and for a denial of service. All but one of these require no authentication and can be exploited remotely without user interaction. Update to OpenJDK-20.0.2. 11.3-062
11.3 053 OpenJDK Date: 2023-07-06 Severity: High
In OpenJDK-20.0.1, six security vulnerabilities were fixed that could allow for denial of service or unauthorized creation, modification, or deletion of data. These require no authentication and can be exploited remotely. Update to OpenJDK-20.0.1. 11.3-053
OpenSSH
11.3 059 OpenSSH Date: 2023-07-21 Severity: High
In OpenSSH-9.3p2, a remote code execution vulnerability was fixed in the ssh-agent utility, which can occur when ssh-agent connects to an attacker controlled server. Update to OpenSSH-9.3p2 immediately if you use ssh-agent. 11.3-059
PHP
11.3 082 PHP Date: 2023-08-23 Severity: Critical
In PHP-8.2.9, two security vulnerabilities were fixed which could allow for unauthorized disclosure of local files on a server, for remote code execution, and for remotely exploitable denial of service. Update to PHP-8.2.9 immediately if you use the libxml or Phar modules. 11.3-082
PostgreSQL
11.3 076 PostgreSQL Date: 2023-08-11 Severity: High
In PostgreSQL-15.4, two security vulnerabilities were fixed that could allow for SQL Injection when using extension scripts, and for security policy bypasses when row security policies are in effect. Update to PostgreSQL-15.4. 11.3-076
11.3 034 PostgreSQL Date: 2023-06-05 Severity: High
In PostgreSQL-15.3, two security vulnerabilities were fixed that could allow for arbitrary code execution as root for some users, and for incorrect security policies to be applied to users. Update to PostgreSQL-15.3. 11.3-034
Python
11.3 040 Python3 (LFS and BLFS) Date: 2023-06-17 Severity: High
In Python-3.11.4, three security vulnerabilities were fixed that could allow for directory traversal, disk location exposure over HTTP, and for policy bypasses. Update to Python-3.11.4. 11.3-040
QtWebEngine
11.3 070 QtWebEngine Date: 2023-08-07 Severity: High
In QtWebEngine-5.15.15, fixes for seven Chromium security vulnerabilities were backported to the branch. All are rated as High. 11.3-070
11.3 027 QtWebEngine Date: 2023-05-13 Severity: Critical
In QtWebEngine-5.15.14, fixes for several recent Chromium security vulnerabilities were backported to the branch used for 5.15. One of these is rated as Critical; 11 others are rated as High. Qt-5.15 reaches End of Life on 2023-05-26, and it is unclear if any further vulnerability fixes will be available. Update to QtWebEngine-5.15.14. 11.3-027
11.3 003 QtWebEngine Date: 2023-03-10 Severity: High
In QtWebEngine-5.15.13, fixes for several recent Chromium security vulnerabilities rated as High were backported to the branch used for 5.15. Update to 5.15.13. 11.3-003
Requests (python module)
11.3 029 Requests Date: 2023-05-24 Severity: Moderate
In Requests-2.31.0, a security vulnerability was fixed, rated as moderate. Update to Requests-2.31.0. 11.3-029
Ruby
11.3 013 Ruby Date: 2023-04-06 Severity: Medium
In Ruby-3.2.2, two security vulnerabilities were fixed that could allow for denial of service when using the URI and Time gems. Update to ruby-3.2.2 or use the workaround described in the consolidated advisory. 11.3-013
rustc
11.3 074 rustc Date: 2023-08-07 Severity: High
In rustc-1.71.1, a security vulnerability was fixed in the Cargo portion of rustc which could allow a local user to change the source code compiled and executed by another user. Update to rustc-1.71.1 or later. 11.3-074
Samba
11.3 060 Samba Date: 2023-07-21 Severity: High
In Samba-4.18.5, five security vulnerabilities were fixed that could allow for remotely exploitable crashes, absolute path disclosure for files located on the server, and for packet signature enforcement bypass. Note that the remotely exploitable crashes occur when using winbindd and Spotlight, and the Spotlight service also causes the absolute path disclosure. The packet signature enforcement vulnerability also causes intermittent connection problems with Windows systems running the July 2023 security updates. Update to Samba-4.18.5, especially if you are on a network with Windows systems that connect to your Samba server. 11.3-060
11.3 008 Samba Date: 2023-03-30 Severity: High
In Samba-4.18.1, three security vulnerabilities were fixed. Note that they only affect Samba in LDAP/AD DC mode, which is not the book's default configuration. However, the security vulnerabilities are severe enough that if you have LDAP or AD DC enabled, you must take immediate action to protect yourself and assume that BitLocker recovery keys have been compromised. One vulnerability allows for cleartext password resets as well as for unauthorized attribute detection. If you are using LDAP/AD DC functionality in Samba, you must update immediately. 11.3-008
Screen
11.3 079 Screen Date: 2023-08-17 Severity: Medium
In Screen-4.9.1, a security vulnerability was fixed that could allow for local users to send a privileged SIGHUP signal to any PID on the system, which could cause a denial of service or disruption of the target process. If you are on a multi-user system and use Screen, you should upgrade to Screen-4.9.1 or later. 11.3-079
Seamonkey
11.3 072 Seamonkey Date: 2023-08-07 Severity: High
In Seamonkey-2.53.17, several security patches up to Firefox and Thunderbird 102.11.0esr were applied to Seamonkey. This includes fixes for remote code execution, arbitrary code execution, denial of service, invalid GPG key verification, browser spoofing attacks, and for unauthorized downloads of files. Update to Seamonkey-2.53.17 immediately. 11.3-072
11.3 014 Seamonkey Date: 2023-04-07 Severity: High
In Seamonkey-2.53.16, three versions worth of Firefox and Thunderbird security vulnerabilities were resolved. This includes fixes for issues that could cause remotely exploitable crashes, remote code execution, invalid JavaScript execution, arbitrary file reads, content security policy bypass, screen hijacking, and content spoofing. Update to Seamonkey-2.53.16. 11.3-014
TeXLive and install-tl-unx
11.3 024 Texlive (source and binary) Revised: 2023-05-24 Severity: High
All users of the luatex programs with versions of TeXLive from 2017 to 2023 are advised to update to v1.17.0 because of a potential privilege escalation vulnerability when processing an untrusted tex file or when running on a multi-user system. For users who installed the v2023 binary, use tlmgr. For those who built from source, reinstall with the texlive-20230313-source-security_fix-1.patch and (if using ConTeXt) apply the sed to support luatex-v1.17.0 in mtxrun.lua.
For TeXLive before 2023 no new versions are available, so only use those old versions if you need to recreate output from known-good old tex files on single-user systems. 11.3-024
Thunderbird
11.3 084 Thunderbird Date: 2023-08-30 Severity: High
In Thunderbird-115.2.0, twelve security vulnerabilities were fixed that could allow for potentially exploitable crashes, spoofing attacks, out of memory exceptions, leakage of sensitive information, for the browsing context to not be cleared, and for remote code execution. Most of these vulnerabilities are only applicable to HTML mail. Update to Thunderbird-115.2.0. 11.3-084
11.3 081 Thunderbird Date: 2023-08-23 Severity: High
In Thunderbird-115.1.1, several security vulnerabilities were fixed that could allow for file extension spoofing using the Text Direction Override Character, cross-origin restriction bypasses, remote code execution, remotely exploitable crashes, bypass of permissions requests, and for notifications to be obscured. Update to Thunderbird-115.1.1. 11.3-081
11.3 042 Thunderbird Date: 2023-06-17 Severity: High
In Thunderbird-102.12.0, several security vulnerabilities were fixed that could allow for crashes, browser outputs to be obscured by popups, memory corruption, spoofing, unauthorized certificate exceptions, and remote code execution. Most of these vulnerabilities are only exploitable via HTML mail. Update to Thunderbird-102.12.0. 11.3-042
11.3 018 Thunderbird Date: 2023-04-13 Severity: High
In Thunderbird-102.10.0, several security vulnerabilities were fixed that could allow for remote code execution, denial of service, spoofing, encrypted emails accepting revoked certificates, and more. Update to Thunderbird-102.10.0. 11.3-018
11.3 010 Thunderbird Date: 2023-03-30 Severity: High
In Thunderbird-102.9.1, a security vulnerability was fixed that could allow for a remotely exploitable denial of service when using the Matrix chat protocol. Update to Thunderbird-102.9.1 if you use that protocol. 11.3-010
11.3 006 Thunderbird Date: 2023-03-26 Severity: High
In Thunderbird-102.9.0, five security vulnerabilities which can mostly be exploited via HTML mail were resolved. These can allow for spoofing, potentially exploitable crashes, and potentially remote code execution. Update to Thunderbird-102.9.0. 11.3-006
WebKitGTK+
11.3 073 WebKitGTK+ Date: 2023-08-07 Severity: Critical
In WebKitGTK+-2.41.6 (with a patch developed by the BLFS team applied), several security vulnerabilities were fixed that could allow for remote code execution, sensitive information disclosure, and bypasses of the Same Origin Policy. Rebuild WebKitGTK+-2.41.6 with the patch applied (or update to WebKitGTK+-2.40.5 if you are still on the 2.40.x series) immediately. 11.3-073
11.3 061 WebKitGTK+ Date: 2023-07-21 Severity: Critical
In WebKitGTK+-2.41.6 with a patch applied, a critical security vulnerability was fixed which could lead to remote code execution. This vulnerability is known to be under active exploitation, and it's recommended that you update to WebKitGTK+-2.41.6 with the patch (or WebKitGTK+-2.40.4) immediately. 11.3-061
11.3 036 WebKitGTK+ Date: 2023-06-05 Severity: Critical
In WebKitGTK+-2.40.2, two security vulnerabilities which could lead to remote code execution and information disclosure were fixed. They are both known to be actively exploited, and require no user interaction. If you have WebKitGTK+ installed, it is critical that you update to WebKitGTK+-2.40.2 or later immediately. 11.3-036
11.3 022 WebKitGTK+ Date: 2023-04-23 Severity: Critical
In WebKitGTK+-2.40.1, six security vulnerabilities were fixed, including one which is known to be actively exploited through crafted advertisements or other web content. If you have WebKitGTK+ installed, it is critical that you update this package to protect yourself and your system. Update to WebKitGTK+-2.40.1 immediately, and note the instruction recommendations in the advisory. 11.3-022
Wireshark
11.3 057 Wireshark Date: 2023-07-19 Severity: Medium
In Wireshark-4.0.7, two security vulnerabilities were fixed that could allow for denial of service, either from a malformed packet trace file or from a malformed packet injected onto the wire. These vulnerabilities cause a crash or cause Wireshark to go into an infinite loop. Update to Wireshark-4.0.7 to fix these issues. 11.3-057
11.3 030 Wireshark Date: 2023-04-13 Severity: Medium
In Wireshark-4.0.6, nine security vulnerabilities were fixed that could allow for denial of service, either from a malformed packet trace file or from a malformed packet injected onto the wire. These vulnerabilities cause a crash or cause Wireshark to go into an infinite loop. Update to Wireshark-4.0.6 to fix these issues. 11.3-030
11.3 021 Wireshark Date: 2023-04-13 Severity: Medium
In Wireshark-4.0.5, three security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These vulnerabilities can occur when Wireshark is run on a network with GQUIC, RPCoRDMA, or LISP packets. Update to Wireshark-4.0.5 if you are on such a network. 11.3-021
xorg-server
11.3 009 xorg-server Date: 2023-03-30 Severity: High
In xorg-server-21.1.8, a security vulnerability was fixed that could allow for remote code execution for SSH X forwarding sessions and for local privilege escalation on systems where the X server is running privileged. Update to xorg-server-21.1.8. 11.3-009
xwayland
11.3 012 xwayland Date: 2023-04-02 Severity: High
In xwayland-23.1.1, a security vulnerability was fixed that could allow for remote code execution for SSH X forwarding sessions and for local privilege escalation on systems where the X server is running privileged. Update to xwayland-23.1.1. 11.3-012