BLFS Security Advisories for BLFS 12.2 and the current development books.

BLFS-12.2 was released on 2024-09-01

This page is in alphabetical order of packages; if a package has multiple advisories, the newer ones come first.

The links at the end of each item point to more details which have links to the development books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

apr

12.2 002 apr Date: 2024-09-04 Severity: Medium

In apr-1.7.5, a security vulnerability was fixed that allows local users to have read access to named shared memory segments, potentially revealing sensitive application data. This occurs due to lax permissions being set by the apr library at runtime. If you are using an application which uses apr (e.g. subversion, serf, or Apache HTTPD) that also utilizes sensitive data, it is highly recommended that you update apr as soon as possible. Update to apr-1.7.5. 12.2-002

Firefox

12.2 004 Firefox Date: 2024-09-06 Severity: Critical

In Firefox-128.2.0esr, seven security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, and for remotely exploitable type confusion vulnerabilities. Update to Firefox-128.2.0esr. 12.2-004

libarchive

12.2 009 libarchive Date: 2024-09-17 Severity: High

In libarchive-3.7.5, two security vulnerabilities were fixed that could allow for remote code execution when processing crafted RAR4 archives. For at least one of these issues, a proof of concept exploit has been made public. Both of the vulnerabilities are classified as heap buffer overflows. Update to libarchive-3.7.5. 12.2-009

libpcap

12.2 001 libpcap Date: 2024-09-04 Severity: Medium

In libpcap-1.10.5, a security vulnerability was fixed that could allow for a denial of service condition (application crash) when an application uses the pcap_findalldevs_ex() function. Note that the required functionality is not enabled by default. Update to libpcap-1.10.5 if you have remote packet capturing support enabled. 12.2-001

Python3

12.2 008 Python3 (LFS and BLFS) Date: 2024-09-17 Severity: High

In Python-3.12.6, three security vulnerabilities were fixed that could allow for denial of service conditions (crashes and excessive resource usage). These issues occur in the HTTP functionality as well as handling of TAR and ZIP archives in Python. Update to Python-3.12.6. 12.2-008

Ruby

12.2 003 Ruby Date: 2024-09-06 Severity: High

In Ruby-3.3.5, four security vulnerabilities were fixed that could allow for a denial of service (application crash) when processing crafted XML files with the REXML gem, which is built into Ruby. If you process untrusted XML using Ruby, it's highly recommended to update to Ruby-3.3.5 immediately. 12.2-003

Thunderbird

12.2 005 Thunderbird Date: 2024-09-06 Severity: Critical

In Thunderbird-128.2.0esr, eight security vulnerabilities were fixed that could allow for remote code execution, spoofing attacks, memory corruption, unexpected opening of external applications, internal event interfaces being exposed to web content unexpectedly, remotely exploitable type confusion vulnerabilities, and remotely exploitable crashes. Update to Thunderbird-128.2.0esr. 12.2-005