BLFS Security Advisories for BLFS 12.1 and the current development books.

BLFS-12.1 was released on 2024-03-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.

The links at the end of each item point to more details which have links to the development books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

Apache HTTPD

12.1 023 Apache HTTPD Date: 2024-04-08 Severity: High

In httpd-2.4.59, three security vulnerabilities were fixed that could allow for denial-of-service and HTTP Response Splitting. One of these vulnerabilities is the "HTTP/2 CONTINUATION attack", and allows for remotely exploitable memory exhaustion. Update to httpd-2.4.59 immediately to protect yourself against the "HTTP/2 CONTINUATION" attack. 12.1-023

c-ares

12.1 002 c-ares Date: 2024-03-02 Severity: Medium

In c-ares-1.27.0, a security vulnerability was fixed that could allow for a crash when reading a malformed /etc/resolv.conf, /etc/nsswitch.conf, or HOSTALIASES files. Update to c-ares-1.27.0. 12.1-002

cURL

12.1 015 cURL Date: 2024-03-27 Severity: Medium

In cURL-8.7.1, a security vulnerability was fixed that could allow for a crash due to leaked memory after an aborted HTTP/2 server push. Update to cURL-8.7.1. 12.1-015

Emacs

12.1 014 Emacs Date: 2024-03-26 Severity: High

In Emacs-29.3, four security vulnerabilities were fixed that could allow for arbitrary Lisp code execution, arbitrary code execution via displaying a LaTeX preview for email attachments, and for untrusted content to be displayed in Org mode and when processing emails. If you use Emacs for displaying email or use the Org functionality for document editing, formatting, or organizing, you should update to Emacs-29.3 immediately. 12.1-014

Firefox

12.1 032 Firefox Date: 2024-04-17 Severity: High

In Firefox-115.10.0esr, eight security vulnerabilities were fixed that could allow for arbitrary code execution, remotely exploitable denial of service conditions (using HTTP/2 CONTINUATION frames), remotely exploitable crashes, and clickjacking. Some of these vulnerabilities occur when using the JIT compiler, but one of the vulnerabilities is 32-bit specific and allows for an Integer Overflow when processing a crafted OpenType font. Updating Firefox is recommended due to the HTTP/2 CONTINUATION attack. Update to Firefox-115.10.0esr. 12.1-032

12.1 013 Firefox Date: 2024-03-22 Severity: Critical

In Firefox-115.9.1, one critical vulnerability revealed at this week's Pwn2Own was fixed. Update to firefox-115.9.1. 12.1-013

12.1 008 Firefox Date: 2024-03-19 Severity: High

In Firefox-115.9.0, eight vulnerabilities applicable to Linux x86 were fixed. Update to firefox-115.9.0. 12.1-008

FontForge

12.1 028 FontForge Date: 2024-04-15 Severity: Medium

In FontForge-20230101, two security vulnerabilities were discovered that could allow for Command Injection via malicious filenames and malicious archives. The vulnerabilities were resolved by modifying the code to use the g_spawn_sync/async() functions instead of system(), so that commands are no longer executed through a shell. Rebuild FontForge with the patch using the instructions in the book. 12.1-028

ghostscript

12.1 006 ghostscript Date: 2024-03-09 Severity: High

In ghostscript-10.03.0, a security vulnerability was fixed that could allow for arbitrary code execution in the shipped fork of the tesseract library used for OCR. 12.1-006

giflib

12.1 001 giflib Date: 2024-03-02 Severity: High

In giflib-5.2.2, two security vulnerabilities were fixed that could allow a local attacker to obtain sensitive information, or cause a crash. These vulnerabilities exist in the DumpScreen2RGB() function in the gif2rgb utility. Update to giflib-5.2.2 if you use the gif2rgb utility. 12.1-001

gnutls

12.1 012 gnutls Date: 2024-03-23 Severity: Medium

In gnutls-3.8.4, two security vulnerabilities were fixed. One fixes a bug where certtool crashed when verifying a certificate chain with more than 16 certificates, and the other fixes a side-channel in deterministic ECDSA. Update to gnutls-3.8.4. 12.1-012

Intel microcode

12.0 043 Intel Microcode Date: 2024-03-20 Severity: Medium

Intel microcode for some processors has been updated to fix two hardware vulnerabilities which may allow a denial of service via remote access, or an information disclosure via local access. Read 12.1-017 for the list of affected processors and how to update the microcode and the kernel to mitigate the vulnerabilities.

12.0 043 Intel Microcode Date: 2024-03-20 Severity: Medium

Intel microcode for some processors has been updated to provide a mitigation for a hardware vulnerability known as RFDS, or Register File Data Sampling, which may allow an information disclosure if the attacker can run code locally. Read 12.1-009 for the list of affected processors and how to update the microcode and the kernel to mitigate the vulnerability.

libarchive

12.1 025 libarchive Date: 2024-04-10 Severity: Medium

In libarchive-3.7.3, a possible security vulnerability was fixed that could allow for command injection via terminal escape sequences when decompressing or viewing an archive. Update to libarchive-3.7.3. 12.1-025

nghttp2

12.1 022 nghttp2 Date: 2024-04-08 Severity: Medium

In nghttp2-1.61.0, a security vulnerability was fixed that could allow for a denial-of-service (excessive CPU usage and OOM crash) because nghttp2 continues reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. Update to nghttp2-1.61.0 or later, especially if you host a server. 12.1-022

Node.js

12.1 034 Node.js Date: 2024-04-20 Severity: Low

In Node.js-20.12.2, a vulnerability was fixed where command injection could be performed; so far this is only known to affect Windows hosts. Regardless, updating is advised. 12.1-034

12.1 019 Node.js Date: 2024-04-07 Severity: High

In Node.js-20.12.1, two security vulnerabilities were fixed that could allow for a server crash or bad HTTP requests through obfuscation of the content length. Update to Node.js-20.12.1 or later. 12.1-019

OpenJPEG

12.1 003 OpenJPEG Date: 2024-03-02 Severity: High

In OpenJPEG-2.5.2, a security vulnerability was fixed that could allow for arbitrary code execution with the permissions of the application which uses OpenJPEG. Update to OpenJPEG-2.5.2. 12.1-003

PHP

12.1 030 PHP Date: 2024-04-17 Severity: High

In PHP-8.3.6, three security vulnerabilities were fixed that could allow for insecure cookies to be set and thus a bypass of __Host/__Secure cookies, for an attacker to trivially compromise a victim's account if a password starts with a null byte, and for an infinite loop when using the mb_encode_mimeheader function with certain crafted inputs. If you use PHP to run a website that accepts passwords, you should update immediately. Update to PHP-8.3.6. 12.1-030

QtWebEngine

12.1 024 QtWebEngine-5.15-20240403 Date: 2024-04-09 Severity: Critical

In the QtWebEngine-5.15-20240403 snapshot, 16 vulnerabilities, of which 2 were rated Critical by NVD, have been fixed. The development books have moved on to Qt6 and the build instructions have changed slightly. Either update to current Qt6, or follow the instructions at 12.1-024.

12.1 026 QtWebEngine-6.6.3 Date: 2024-04-11 Severity: Critical

The QtWebEngine-6 releases do not provide any summary of bug fixes. The 6.6.3 and 6.7.0 releases each contain a similar set of fixes to security bugs, some of which are rated as Critical. In the future, update to the latest version once it is in BLFS. 12.1-026

Ruby

12.1 035 Ruby Date: 2024-04-24 Severity: High

In Ruby-3.3.1, three security vulnerabilities were fixed that could allow for arbitrary memory address reading and remote code execution. The arbitrary memory reading vulnerabilities occur in StringIO and also in the Regex search functionality. The RCE vulnerability occurs in RDoc. Update to Ruby-3.3.1. 12.1-035

Samba

12.1 018 Samba Date: 2024-04-07 Severity: High

In Samba-4.20.0, a security vulnerability was fixed that could allow for privilege escalation through altering certificates. Update to Samba-4.20.0. 12.1-018

Seamonkey

12.1 027 Seamonkey Date: 2024-04-15 Severity: High

In Seamonkey-2.53.18.2, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, content spoofing, cookie injection, arbitrary code execution, timing attacks, and content security policy bypasses. These are the same vulnerabilities fixed in Firefox and Thunderbird 115.8.0 and 115.9.0. Update to Seamonkey-2.53.18.2. 12.1-027

12.1 005 Seamonkey Date: 2024-03-07 Severity: High

In Seamonkey-2.53.18.1, several security vulnerabilities were fixed that could allow for remote code execution, exploitable crashes, sandbox escapes, S/MIME signatures being accepted in circumstances where they are not valid, undefined behavior, spoofed messages to be accepted when processing PGP/MIME payloads, HSTS policy bypasses, privilege escalation, phishing, permissions request bypassing, and a crash when listing printers on a system. These vulnerabilities are all identical to those fixed in Firefox/Thunderbird 115.6 and 115.7.0esr. Update to Seamonkey-2.53.18.1. 12.1-005

SpiderMonkey

12.1 031 SpiderMonkey Date: 2024-04-17 Severity: High

In SpiderMonkey/mozjs-115.10.0, three security vulnerabilities were fixed in the JIT compiler which could allow GetBoundName to return the wrong object, cause crashes after a mis-optimized switch statement, and cause incorrect JITting of arguments leading to crashes during garbage collection. This could allow for unexpected crashes in some applications. Update to SpiderMonkey/mozjs-115.10.0. 12.1-031

Thunderbird

12.1 033 Thunderbird Date: 2024-04-17 Severity: High

In Thunderbird-115.10.0, eight security vulnerabilities were fixed that could allow for arbitrary code execution, remotely exploitable denial of service conditions (using HTTP/2 CONTINUATION frames), remotely exploitable crashes, and clickjacking. Some of these vulnerabilities occur when using the JIT compiler, but one of the vulnerabilities is 32-bit specific and allows for an Integer Overflow when processing a crafted OpenType font. Updating Thunderbird is recommended due to the HTTP/2 CONTINUATION attack, since some HTML mails may use this protocol. Update to Thunderbird-115.10.0. 12.1-032

12.1 011 Thunderbird Date: 2024-03-20 Severity: High

In Thunderbird-115.9.0, nine security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable crashes, clickjacking (allowing a user to accidentally grant permissions), RSA decryption timing attacks, content security bypasses, and arbitrary code execution. Update to Thunderbird-115.9.0. 12.1-011

12.1 004 Thunderbird Date: 2024-03-06 Severity: High

In Thunderbird-115.8.1, a security vulnerability was fixed that could allow for leaking an encrypted email subject to another conversation. When this issue occurs, a user might accidentally leak the confidential subject to a third party. Additional steps are required if this subject mixing problem has occurred. Update to Thunderbird-115.8.1 or later and follow the instructions in the security advisory. 12.1-004

Unbound

12.1 007 Unbound Date: 2024-03-15 Severity: High

In Unbound-1.19.3, a security vulnerability was fixed that could allow an attacker to cause a denial of service (DoS) by exploiting a code path that can lead to an infinite loop, due to faulty code in the feature that removes EDE records. This vulnerability has been assigned 12.1-007

Wireshark

12.1 016 Wireshark Date: 2024-03-30 Severity: Medium

In Wireshark 4.2.0 to 4.2.3 and 4.0.0 to 4.0.13, a T.38 dissector crash allows denial of service via packet injection or a crafted capture file. Update to Wireshark-4.2.3. 12.1-016

Xorg-Server

12.1 020 Xorg-Server Updated: 2024-04-12 Severity: High

In Xorg-Server-21.1.12, four security vulnerabilities were fixed that could allow for memory leakage, exploitable crashes (segmentation faults), and arbitrary code execution. On systems where SSH X Forwarding is enabled, this can lead to remote code execution. Update to xorg-server-21.1.13. If you have TigerVNC installed, rebuild it against xorg-server-21.1.13 as well. 12.1-020

Xwayland

12.1 021 Xwayland Updated: 2024-04-12 Severity: High

In Xwayland-23.2.5, three security vulnerabilities were fixed that could allow for memory leakage, exploitable crashes (segmentation faults), and arbitrary code execution. Update to Xwayland-23.2.6. 12.1-021