BLFS-11.3 was released on 2023-03-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
In httpd-2.4.56, two security vulnerabilities were fixed that could allow for HTTP Request Smuggling when mod_proxy and mod_rewrite are enabled in combination with one another, or when mod_proxy_uwsgi is enabled. Update to httpd-2.4.56 if you use either of those configurations. 11.3-002
In c-ares-1.19.1, three security vulnerabilities were fixed, one of them rated as high. 11.3-026
In cURL-8.1.0, several security vulnerabilities were fixed that could allow for IDN wildcard matches, unexpected application behavior, race conditions, and for information leakage when verifying sha256 fingerprints in the SSH functions of cURL. Update to cURL-8.1.0. 11.3-031
In cURL-8.0.1, six security vulnerabilities were fixed that could allow for authentication bypass, arbitrary file writes, content filter bypasses, command injection, and remotely exploitable crashes. Update to cURL-8.0.1 if you use SFTP/SSH/TELNET/GSS/FTP with cURL or if you use HTTP sites which redirect to HTTPS. 11.3-007
In Exiv2-0.28.0, several security vulnerabilities were fixed that could allow for arbitrary code execution and denial-of-service when processing image metadata. Update to exiv2-0.28.0 or later. 11.3-035
In Firefox-102.11.0esr, six security vulnerabilities applicable to Linux systems were fixed, four of them rated as High by upstream. 11.3-026
In Firefox-102.10.0esr, seven security vulnerabilities applicable to Linux systems were fixed, four of them rated as High by upstream, as well as a fix in the shipped version of libwebp (see SA 11.3-016). 11.3-017
In Firefox-102.9.0esr, five security vulnerabilities applicable to Linux systems were fixed, two of them rated as High by upstream. 11.3-005
In Git-2.40.1, three security issues were fixed. They allowed writing outside the working tree when applying a specially crafted patch, malicious placement of crafted messages under certain circumstances, and arbitrary configuration injection. Update to git-2.40.1. 11.3-023
In ghostscript-10.01.1, a critical security vulnerability was fixed that allows for trivial arbitrary code execution when processing crafted PostScript files. It is known as "Shell in the Ghost", and is known to be actively exploited with a public proof of concept available. Update to ghostscript-10.01.1 immediately. 11.3-019
In the JavaScript code of firefox-102.11.0 there are various changes, including what appears to be the fix for a type-checking bug reported against Firefox; see CVE-2023-32211 in 11.3-025.
In the JavaScript code of firefox-102.10.0 there is a fix for a potentially exploitable invalid free. 11.3-016
In the JavaScript code of firefox-102.9.0 there is a fix for a potentially exploitable crash when invalidating JIT code. 11.3-004
The update to firefox-102.10.0 makes public a double-free vulnerability in libwebp which the Mozilla developers say could lead to memory corruption and a potentially exploitable crash. In the absence of a new libwebp release, apply the patch from upstream. 11.3-015
In libxml2-2.10.4, three security vulnerabilities were fixed that could cause crashes due to null pointer dereferences and improper resource management. Update to libxml2-2.10.4. 11.3-020
In PostgreSQL-15.3, two security vulnerabilities were fixed that could allow for arbitrary code execution as root for some users, and for incorrect security policies to be applied to users. Update to PostgreSQL-15.3. 11.3-034
In QtWebEngine-5.15.14, fixes for several recent Chromium security vulnerabilities were backported to the branch used for 5.15. One of these is rated as Critical and 11 others are rated as High. Qt-5.15 reaches End of Life on 2023-05-26, and it is unclear whether any further vulnerability fixes will be available after that date. Update to QtWebEngine-5.15.14. 11.3-027
In QtWebEngine-5.15.13, fixes for several recent Chromium security vulnerabilities rated as High were backported to the branch used for 5.15. Update to 5.15.13. 11.3-003
In Requests-2.31.0, a security vulnerability was fixed, rated as moderate. Update to Requests-2.31.0. 11.3-029
In Ruby-3.2.2, two security vulnerabilities were fixed that could allow for denial of service when using the URI and Time gems. Update to ruby-3.2.2 or use the workaround described in the consolidated advisory. 11.3-013
In Samba-4.18.1, three security vulnerabilities were fixed. Note that they only affect Samba in LDAP/AD DC mode, which is not the book's default configuration. However, the vulnerabilities are severe enough that if you have LDAP or AD DC enabled, you must take immediate action to protect yourself and assume that BitLocker recovery keys have been compromised. Another vulnerability allows for cleartext password resets as well as for unauthorized detection of attribute values. If you are using LDAP/AD DC functionality in Samba, you must update immediately. 11.3-008
In Seamonkey-2.53.16, three versions worth of Firefox and Thunderbird security vulnerabilities were resolved. This includes fixes for issues that could cause remotely exploitable crashes, remote code execution, invalid JavaScript execution, arbitrary file reads, content security policy bypass, screen hijacking, and content spoofing. Update to Seamonkey-2.53.16. 11.3-014
All users of the luatex programs with versions of TeX Live from 2017 to 2023 are advised to update to luatex-v1.17.0 because of a potential privilege escalation vulnerability when processing an untrusted tex file or on a multiuser system. For users who installed the 2023 binary, use tlmgr. For those who built from source, reinstall with the texlive-20230313-source-security_fix-1.patch and (if using ConTeXt) apply the sed to support luatex-v1.17.0 in mtxrun.lua.
For TeX Live releases before 2023 no new versions are available, so only use those old versions if you need to recreate output from known-good old tex files on single-user systems. 11.3-024
In Thunderbird-102.10.0, several security vulnerabilities were fixed that could allow for remote code execution, denial of service, spoofing, encrypted emails accepting revoked certificates, and more. Update to Thunderbird-102.10.0. 11.3-018
In Thunderbird-102.9.1, a security vulnerability was fixed that could allow for a remotely exploitable denial of service when using the Matrix chat protocol. Update to Thunderbird-102.9.1 if you use that protocol. 11.3-010
In Thunderbird-102.9.0, five security vulnerabilities which can mostly be exploited via HTML mail were resolved. These can allow for spoofing, potentially exploitable crashes, and potentially remote code execution. Update to Thunderbird-102.9.0. 11.3-006
In WebKitGTK+-2.40.2, two security vulnerabilities which could lead to remote code execution and information disclosure were fixed. They are both known to be actively exploited, and require no user interaction. If you have WebKitGTK+ installed, it is critical that you update to WebKitGTK+-2.40.2 or later immediately. 11.3-036
In WebKitGTK+-2.40.1, six security vulnerabilities were fixed, including one which is known to be actively exploited through crafted advertisements or other web content. If you have WebKitGTK+ installed, it is critical that you update this package to protect yourself and your system. Update to WebKitGTK+-2.40.1 immediately, and note the instruction recommendations in the advisory. 11.3-022
In Wireshark-4.0.6, nine security vulnerabilities were fixed that could allow for denial of service, either by opening a malformed capture file or by injecting a malformed packet onto the wire. These vulnerabilities cause a crash or cause Wireshark to go into an infinite loop. Update to Wireshark-4.0.6 to fix these issues. 11.3-030
In Wireshark-4.0.5, three security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These vulnerabilities can occur when Wireshark is run on a network with GQUIC, RPCoRDMA, or LISP packets. Update to Wireshark-4.0.5 if you are on such a network. 11.3-021
In xorg-server-21.1.8, a security vulnerability was fixed that could allow for remote code execution for SSH X forwarding sessions and for local privilege escalation on systems where the X server is running privileged. Update to xorg-server-21.1.8. 11.3-009
In xwayland-23.1.1, a security vulnerability was fixed that could allow for remote code execution for SSH X forwarding sessions and for local privilege escalation on systems where the X server is running privileged. Update to xwayland-23.1.1. 11.3-012