BLFS-11.1 was released on 2022-03-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
In httpd-2.4.54, eight security vulnerabilities were fixed that could allow for authentication bypass, request smuggling, denial of service, and information disclosure, all depending on what configuration the server is using. Note that mod_proxy, mod_proxy_ajp, mod_sed, mod_lua, and the standard Apache HTTP server are affected. Update to httpd-2.4.54 or later. 11.1-061
In httpd-2.4.53, four security vulnerabilities were fixed. One of the security vulnerabilities can cause a crash, the others can allow HTTP Request Smuggling, an integer overflow leading to Out Of Bounds Write on 32-bit systems, and overwriting heap memory with attacker provided data. Update to httpd-2.4.53 or later. 11.1-013
In BIND-9.18.12, a security vulnerability was fixed that could cause BIND to crash in some circumstances. Update to BIND-9.18.3 or later if you are using the DNS server component. 11.1-042
In BIND-9.18.1, four security vulnerabilities were fixed that could allow for remote attackers to cause BIND to crash and for DNS cache poisoning. Update to BIND-9.18.1 or later if you are using the DNS server component. 11.1-015
In cifs-utils-6.15, two security vulnerabilities were fixed that could allow for privilege escalation and information disclosure (credential leakage). Update to cifs-utils-6.15 immediately. 11.1-049
In CUPS-2.4.2, a security vulnerability was fixed that could allow for trivial local privilege escalation due to a logic issue. Update to CUPS-2.4.2 or later. 11.1-057
In cURL-7.84.0, four security vulnerabilities were fixed that could allow for denial of service, improper message verification, and files to have different permissions than intended when downloaded. To fix them, update to cURL-7.84.0 or later. 11.1-070
In cURL-7.83.1, six security vulnerabilities were fixed. Five of them are medium. The remaining one does not affect the configuration of BLFS and is rated low. To fix them, update to cURL-7.83.1 or later. 11.1-039
Two security vulnerabilities were fixed in cyrus-sasl-2.1.28 that could allow for remote unauthenticated attackers to steal passwords or cause a remote denial of service. Update to cyrus-sasl-2.1.28 or later if you use it for anything other than a build dependency. 11.1-002
A security vulnerability was discovered in Dovecot-2.3.19.1 that could result in privilege escalation when a system administrator has misconfigured multiple identical password databases. Rebuild Dovecot with the security patch. 11.1-077
In Epiphany-42.2, a security vulnerability was fixed that could allow for remote code execution when visiting web pages with overly long titles. The root cause is a client buffer overflow which occurs when processing the title. Update to Epiphany-42.2 or later. 11.1-046
In Exo-4.16.4, a security vulnerability was fixed that could allow for remote code execution due to Exo processing remote .desktop files in addition to local .desktop files. Update to Exo-4.16.4 immediately if you use XFCE. 11.1-063
In Firefox-102.2.0, five security vulnerabilities were fixed that could allow for remote code execution, browser spoofing, and other impacts. Update to firefox-102.2.0esr. 11.1-103
In firefox 102.1.0 several vulnerabilities were fixed, of which one was rated high. Update to firefox-102.1.0esr. 11.1-083
In firefox 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one other (SA 11.1-067) sounds as if it is high. Update to firefox-102.0esr or later for the new ESR series. As a short-term fix (to avoid updating dependencies which were adequate for the 91ESR series), update to firefox-91.11.0 or later while you prepare the updated dependencies. 11.1-068
In firefox 91.10.0 several vulnerabilities were fixed, of which five were rated high and one rated medium. Update to firefox-91.10.0 or later. 11.1-054
In firefox 91.9.1 two critical JavaScript vulnerabilities were fixed. Update to firefox-91.9.1 or later. 11.1-043
In firefox 91.9.0 six CVE issues, five rated High, were fixed. Update to firefox-91.9.0 or later. 11.1-036
In firefox 91.8.0 eight CVE issues, three rated High, were fixed. Update to firefox-91.8.0 or later. 11.1-019
In firefox 91.6.1 two CVE issues rated Critical were fixed (attacks in the wild). Shortly afterwards, firefox-91.7.0 was released with five more CVE issues fixed. Update to firefox-91.7.0 or later. 11.1-006
Two security vulnerabilities were fixed in FLAC-1.3.4 that could allow for remote information disclosure when playing crafted FLAC files. Update to FLAC-1.3.4 or later. 11.1-003
In git-2.37.1, a security vulnerability was fixed that could lead to privilege escalation due to an incomplete fix for CVE-2022-24765. This vulnerability allows users to be tricked into running commands as 'root' when navigating through repositories in a multi-user system. Update to git-2.37.1 or later if you're using Git on a multi-user system. 11.1-073
In git-2.35.3, a security vulnerability was fixed that could allow for a configuration mixup, including command execution, on multi-user systems due to insufficient validation when processing directory names in Git. Update to git-2.35.3 or later if you're using Git on a multi-user system. 11.1-029
In GnuPG-2.3.7, a security vulnerability was fixed that could allow for signature forgery and denial of service (crashes in applications which use GPGME, as well as Evolution and Mutt). Update to GnuPG-2.3.7. 11.1-078
In GnuTLS-3.7.7, a security vulnerability was fixed that could allow for remotely-exploitable crashes when verifying PKCS#7 certificates. Update to GnuTLS-3.6.6 or later. 11.1-091
In gstreamer-1.20.3 (as well as the plugins), seven vulnerabilities were fixed that could allow for denial of service and arbitrary code execution when processing AVI, MKV, MP4, and Matroska video files. Update to gstreamer-1.20.3 (and the plugins). 11.1-064
Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability. Ensure x2APIC is enabled, or update to intel-microcode-20220809 or later. 11.1-101
Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability. Update to microcode-20220510 or later. 11.1-038
In OpenJDK-18.0.2, 17.0.4.1 (LTS), and 11.0.16.1 (LTS), three security vulnerabilities were fixed that could allow for remote code execution, class file overwrites, and unauthorized access (create/delete/modify/read) of data. If you use the Java binaries provided by BLFS, update to the Java-18.0.2 (or later) binaries. 11.1-095
In openjdk-18.0.1, 17.0.3 (LTS), and 11.0.15 (LTS), several vulnerabilities were fixed that could allow for remote unauthenticated access to, creation, deletion, or modification of files/data. If you use the Java binaries provided by BLFS, update to the java-18.0.1 (or later) binaries. 11.1-034
In the JavaScript code of firefox-91.11.0 and 102.0 there is a fix for attackers setting undesired attributes on a JavaScript object, leading to privileged code execution. Update to JS91-11.0 or later. 11.1-067
In libarchive-3.6.1, several security vulnerabilities were fixed that could allow for application crashes or arbitrary code execution. These vulnerabilities exist in the RAR, ISO, 7zip, and ZIP readers, as well as in the API for the library itself. Update to libarchive-3.6.1 or later. 11.1-026
In libinput-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution when attaching devices to a system. This vulnerability has existed since libinput-1.10.0, released in February of 2018. The primary attack method would be via /dev/uinput or Bluetooth devices. Update to libinput-1.20.1 or later. 11.1-033.
In libsndfile-1.1.0, several security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service. Note that these vulnerabilities were found by oss-fuzz and were not assigned CVEs, but upstream has stated that they are security fixes. Update to libsndfile-1.1.0 or later. 11.1-022
In libtiff-4.4.0, two security vulnerabilities were fixed in the 'tiffcp' and 'tiffinfo' tools that could allow for application crashes and memory corruption. Update to libtiff-4.4.0 if you use those tools. 11.1-058
In libwebp-1.2.3 (which has been replaced with 1.2.4), a security vulnerability was fixed that could allow for denial of service (memory leaks and segmentation faults) when processing JPEG images to convert them to WEBP images. Update to libwebp-1.2.4 or later. 11.1-087
In libxml2-2.10.0, a security vulnerability was fixed that could allow for denial-of-service conditions (application crashes) when processing forged input data. The primary application affected is lxml. Several other vulnerabilities were fixed as well, which were not given CVEs. Update to libxml2-2.10.0 or later. 11.1-098
In libxml2-2.9.14, a security vulnerability was fixed that could allow for out-of-bounds writes when processing crafted XML files that are multiple gigabytes in size. Update to libxml2-2.9.14 or later. 11.1-045
In logrotate-3.20.1, a security vulnerability was fixed that could allow an unprivileged user to block rotation of the files. Update to logrotate-3.20.1 or later. 11.1-052
In MariaDB-10.6.9, five security vulnerabilities were fixed that could allow for remote code execution and remotely-exploitable crashes when processing database queries and committing data to disk. Update to MariaDB-10.6.9. 11.1-097
In MariaDB-10.6.8, 24 security vulnerabilities were fixed that could allow for unauthorized creation/deletion/modification of database records, remote code execution, and denial of service. Update to MariaDB-10.6.8. 11.1-050
In mutt before mutt-2.2.3, a buffer overflow in the uudecoder allows reading past the end of the input line. To fix this, update to mutt-2.2.3 or later. 11.1-032
In node.js-16.16.0, several security vulnerabilities were fixed that could allow for HTTP Request Smuggling, DNS rebinding, and modification of system defaults by local attackers. Update to Node.js-16.16.0 or later. 11.1-074
In node.js-16.14.2 the same vulnerability that was fixed in 11.1-012 has been fixed. Although BLFS links to shared OpenSSL, Node builds using a copy of the OpenSSL headers (1.1.1n in this version) with some changes and additions (in particular, 'quic' protocol support). It is uncertain if using the shared system OpenSSL library without upgrading Node.js would be an adequate remedy. Therefore update to Node-v16.14.2 or later. 11.1-014
In NSS-3.68.4, 3.78.1 and 3.79 two bugs with restricted access were fixed. One of these has now been confirmed as a high severity vulnerability. Update to nss-3.79 or later. 11.1-055
In ntfs-3g-2022.5.17, several security vulnerabilities were fixed that could allow for kernel-level code execution when processing NTFS metadata during mount time, occurring due to buffer overflows. Update to ntfs-3g-2022.5.17 immediately if you have this package installed. 11.1-060
In OpenJDK-18.0.2, 17.0.4.1 (LTS), and 11.0.16.1 (LTS), three security vulnerabilities were fixed that could allow for remote code execution, class file overwrites, and unauthorized access (create/delete/modify/read) of data. If you use the most recent version of OpenJDK, update to OpenJDK-18.0.2 or later. You may also update to OpenJDK-17.0.4.1 or OpenJDK-11.0.16.1 if you prefer the LTS versions. 11.1-095
In openjdk-18.0.1, 17.0.3 (LTS), and 11.0.15 (LTS), several vulnerabilities were fixed that could allow for remote unauthenticated access to, creation, deletion, or modification of files/data. If you use the most recent version of OpenJDK, update to openjdk-18.0.1 or later. You may also update to openjdk-17.0.3 or openjdk-11.0.15 if you prefer the LTS versions. 11.1-034
In OpenJPEG-2.5.0, a security vulnerability was fixed that allows for remote attackers to cause application crashes when OpenJPEG utilities are run in directories with 1048576 files. Update to OpenJPEG-2.5.0 if you use OpenJPEG utilities in directories with large amounts of files. 11.1-047
In PHP-8.1.8, a security vulnerability was fixed that could allow for a heap buffer overflow when trying to determine the file type of a given file. Update to PHP-8.1.8 if you are processing untrusted files. 11.1-075
In PHP-8.1.7, two security vulnerabilities were fixed that could allow for remote code execution when using the mysqlnd and pgsql modules in PHP. Update to PHP-8.1.7 immediately if you are using either of these modules. 11.1-062
Pidgin developers have removed the _xmppconnect TXT record support in version 2.4.19, because it is intrinsically insecure (unless using DNSSEC). If you need the service provided by those records, there are other ways to achieve this. To be sure not to use those records, update to pidgin-2.4.19 or later. 11.1-035
A security vulnerability was identified in polkit-0.120 that can allow for a denial of service due to resource exhaustion. However, polkitd will be automatically restarted the next time user authentication is required, so the impact is low. Rebuild polkit-0.120 with the security_fixes-1 patch or update to a newer version once available. 11.1-004
In PostgreSQL-14.3, a security vulnerability was fixed that allows for users with permissions to create objects in a database to run commands as a superuser the next time that an autovacuum operation takes place, or when some commands are executed. Update to PostgreSQL-14.3 immediately if you use PostgreSQL's server functionality. 11.1-048
In PostgreSQL-14.5, a security vulnerability was fixed that allows arbitrary code execution through the use of extension scripts. Update to PostgreSQL-14.5 immediately if you or your users make use of extension scripts. 11.1-086
In Python-3.10.6, two security vulnerabilities were fixed that could allow for open redirection in the HTTP server, and for a use-after-free when using the memoryview function. Update to Python-3.10.6 or later. 11.1-092
An out-of-bounds write has been fixed in (commercial) Qt 5.15.6, and the fix has been backported to the repository maintained by the KDE developers, so it is included in the patch provided for Qt-5.15.5 in the BLFS book. Update to Qt-5.15.5 or to a later version. 11.1-065
Another batch of CVEs from Chromium have been fixed in QtWebEngine-5.15.9, and some of these have been actively exploited. Update to QtWebengine-5.15.9 or to a later version. 11.1-020
In rsync-3.2.5, a security vulnerability was fixed that could allow for malicious rsync servers to overwrite arbitrary files and directories on client systems. Update to rsync-3.2.5 or later, especially if you are using rsync's client. 11.1-093
In Ruby-3.1.2, two security vulnerabilities were fixed that could allow for a denial-of-service (application crash) or for invalid memory reads. Update to Ruby-3.1.2 or later if you are using code with regular expressions or that converts a string object to a float object. 11.1-030
In Samba-4.16.4, several security vulnerabilities were fixed that could allow for password change restriction bypasses, password change forgery, crashes, and information leaks when using Active Directory or the SMB1 protocol. None of these are enabled by default in BLFS, but if you use them, you should update to Samba-4.16.4 immediately. 11.1-089
Several security vulnerabilities were fixed in Seamonkey-2.35.13 that were fixed in Firefox-91.10.0 and Firefox-91.11.0 (as well as the relevant Thunderbird vulnerabilities). There are a variety of impacts. Update to Seamonkey-2.53.13 or later. 11.1-076.
A security vulnerability was discovered in Seamonkey-2.53.12 which could lead to remote code execution in a privileged context when processing crafted JavaScript code, identical to CVE-2022-1802 in Firefox. Rebuild Seamonkey-2.53.12 with the patch immediately. 11.1-051
In Seamonkey-2.53.12, all security vulnerabilities from Firefox/Thunderbird 91.9.0 were fixed. These vulnerabilities can have various impacts, but most important are remotely-exploitable crashes and browser spoofing problems. Update to Seamonkey-2.53.12 or later. 11.1-040
In Seamonkey-2.53.11.1, all security vulnerabilities from Firefox/Thunderbird 91.7.0 were fixed. These vulnerabilities can have various impacts, but most important are remotely-exploitable crashes and browser spoofing problems. Update to Seamonkey-2.53.11.1 or later. 11.1-023
Seamonkey is also vulnerable to one of the actively exploited vulnerabilities from Firefox and Thunderbird. The BLFS Editors have created a patch which resolves the vulnerability. Rebuild Seamonkey with the patch or upgrade to a later version. 11.1-008
In Seamonkey-2.53.11, all security vulnerabilities from Firefox-91.5-91.6 and Thunderbird-91.6.1 were fixed. This includes a fix for a vulnerability where a remote attacker can take over your system via a crafted email, along with other vulnerabilities which have various impacts. Update to seamonkey-2.53.11 or later. 11.1-005
In Shadow-1.12.2, two security vulnerabilities were fixed that could allow a symlink attack while a shadow utility is being run by an administrator and is operating on a directory writable by the attacker. Update to shadow-1.12.2, or take care when you run the shadow utilities as root. 11.1-100
In Speex-1.2.1, two security vulnerabilities were fixed that could allow for denial of service conditions as well as stack overflows when using the 'speexenc' and 'speexdec' programs to do operations on crafted WAV files. Update to Speex-1.2.1 or later. 11.1-072
In sqlite-3.39.2, a security vulnerability was fixed that could allow for denial of service when a C API is passed a string argument with billions of bytes contained in it (such as an overly large SQL query). Update to sqlite-3.39.2 or later. 11.1-088
In Subversion-1.14.2, two security vulnerabilities were fixed that could allow for a remotely exploitable denial of service and for arbitrary paths to be read. Update to subversion-1.14.2 or later, especially if mod_dav_svn is in use within your configuration. 11.1-025
In Thunderbird-102.2.0, several security vulnerabilities were fixed that could allow for remote code execution, browser window spoofing, and other impacts. Update to Thunderbird-102.2.0 or later. 11.1-104
In thunderbird 102.1.0 several vulnerabilities were fixed, of which one was rated high. Update to Thunderbird-102.1.0 or later. 11.1-084
In thunderbird 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one of the others (SA 11.1-067) sounds as if it is high. Update to Thunderbird-102.0 or later, or, as a short-term fix to avoid building the updated dependencies (particularly newer rustc, cbindgen, icu) on older systems, update to Thunderbird-91.11.0 and plan to update to 102.0 or later. 11.1-069
In thunderbird 91.10.0 several vulnerabilities were fixed, of which six were rated high and one medium. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts. Update to Thunderbird-91.10.0 or later. 11.1-056
In thunderbird 91.9.1 two critical JavaScript vulnerabilities were fixed. It appears these vulnerabilities cannot be exploited via email, but JavaScript is enabled by default (perhaps only for RSS feeds) unless you have disabled it in the Config settings. Update to Thunderbird-91.9.1 or later. 11.1-044
In Thunderbird-91.9.0, several security vulnerabilities were fixed. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts. Update to Thunderbird-91.9.0 or later. 11.1-041
In Thunderbird-91.8.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, browser window spoofing, remote code execution, and PGP keys to stay active when revoked. Update to Thunderbird-91.8.0 or later. 11.1-021
In Thunderbird-91.7.0, several security vulnerabilities were fixed that could allow for remotely exploitable crashes, sandbox escapes, unauthorized add-on modification, browser window spoofing, and for unauthorized access to temporary downloaded files in /tmp. Update to Thunderbird-91.7.0 or later. 11.1-016
In Thunderbird-91.6.2, two security vulnerabilities which are being actively abused in the wild to conduct attacks were fixed. Update to Thunderbird-91.6.2 or later. 11.1-007
In tumbler-4.16.1, a security vulnerability was fixed that could allow for server-side request forgery and arbitrary code execution when indexing crafted files using the gstreamer plugin. Update to tumbler-4.16.1 or later. 11.1-096.
Unbound versions up to and including 1.16.1 are vulnerable to several ghost domain names attacks. To fix them update to unbound-1.16.2 or later. 11.1-085
In unrar-6.1.7, a path traversal vulnerability was fixed that could allow for malicious archives to place files anywhere on the system. Update to unrar-6.1.7 or later. 11.1-094
11 vulnerabilities causing heap-based buffer overflow, use after free, NULL pointer dereference, or uncontrolled recursion and leading to crashes have been fixed in vim-8.2.5014. To fix them update to vim-8.2.5014 or later. 11.1-053
Three vulnerabilities causing heap-based buffer overflow or use after free and leading to crashes have been fixed in vim-8.2.4814. To fix them update to vim-8.2.4814 or later. 11.1-037
One vulnerability causing a heap-based buffer overflow and crashes has been fixed in vim-8.2.4567. To fix it update to vim-8.2.4567 or later. 11.1-010
Four vulnerabilities which cause crashes under certain circumstances have been fixed in vim-8.2.4489. To fix them update to vim-8.2.4489 or later. 11.1-001
In WebKitGTK+-2.36.7, a critical 0day security vulnerability was fixed that can allow for trivial remote code execution, and it is under active exploitation. Update to WebKitGTK+-2.36.7 or later immediately. 11.1-105.
In WebKitGTK+-2.36.5 (and subsequently fixed in 2.36.6), two security vulnerabilities were fixed that could allow for remote code execution and UI spoofing when processing malicious web content. Update to WebKitGTK+-2.36.6 or later. 11.1-090.
In WebKitGTK+-2.36.4, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content, and for undesirable behavior (crashing video calls). Update to WebKitGTK+-2.36.4 or later. 11.1-071.
In WebKitGTK+-2.36.3, five security vulnerabilities were fixed that could allow for remote code execution when processing crafted web content. Update to WebKitGTK+-2.36.3 or later. 11.1-059.
In WebKitGTK+-2.36.0, three security vulnerabilities were fixed that could allow for remote code execution. Update to WebKitGTK+-2.36.0 or later. 11.1-024.
Two security vulnerabilities were fixed in xorg-server-21.1.4 that could allow for local privilege escalation and remote code execution due to improper input validation. Update to xorg-server-21.1.4 or later as soon as possible. 11.1-079.
Two security vulnerabilities were fixed in Xwayland-22.1.3 that could allow for local privilege escalation due to improper input validation. Update to Xwayland-22.1.3 or later as soon as possible. 11.1-080.