BLFS Security Advisories for BLFS 12.4 and the current development books.
BLFS-12.4 was released on 2025-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
CUPS
12.4 006 CUPS Date: 2025-09-30 Severity: High
In CUPS-2.4.14, two security vulnerabilities were fixed that can allow for a remotely exploitable authentication bypass and denial of service. The authentication bypass vulnerability occurs on systems where the AuthType is set to anything other than Basic, and the denial of service vulnerability occurs on systems that listen for IPP printers through cups-browsed or CUPS itself. Users who have cups-browsed installed, or who have modified the AuthType configuration items, are recommended to update as soon as possible. Update to CUPS-2.4.14. 12.4-006
cURL
12.4 008 cURL Date: 2025-09-30 Severity: Low
In cURL-8.16.0, two security vulnerabilities were fixed that could allow for a predictable mask pattern to occur when using WebSockets (which can allow for a malicious server to induce traffic between machines which can be interpreted by an involved proxy as legitimate traffic), and for sites to overwrite the contents of a secure cookie. Update to cURL-8.16.0. 12.4-008
Exiv2
12.4 010 Exiv2 Date: 2025-09-30 Severity: Low
In Exiv2-0.28.7, two security vulnerabilities were fixed that could allow for a denial of service (application crash and quadratic resource consumption) when processing EPS files and parsing ICC profiles in JPEG images. Update to Exiv2-0.28.7 if you work with untrusted EPS files or JPEG images. 12.4-010
fetchmail
12.4 017 fetchmail Date: 2025-10-10 Severity: Medium
In fetchmail-6.5.6, a security vulnerability was fixed that could cause a denial of service (application crash) when authenticating using the SMTP client. Note that for this vulnerability to be exploitable, a user must have the esmtpname and esmtppassword options configured, and the plugout and mda options inactive. This particular configuration is rather uncommon, but if you have fetchmail installed with this configuration and are experiencing crashes, update to fetchmail-6.5.6 or later. 12.4-017
Firefox
12.4 001 Firefox Date: 2025-09-19 Severity: High
In Firefox-140.3.0esr, 7 security vulnerabilities have been fixed that could allow for sandbox escapes, same-origin policy bypasses, exploitation of incorrect boundary conditions, integer overflows, networking information disclosure, and memory safety bugs. Update to Firefox-140.3.0esr. 12.4-001
ffmpeg
12.4 014 ffmpeg Date: 2025-10-10 Severity: High
In ffmpeg-7.1.2, five security vulnerabilities were fixed that could allow for remote code execution and denial of service. One of these vulnerabilities is known to be exploited in the wild. These vulnerabilities occur when encoding AAC files, processing MPEG-DASH manifests, and when decoding OpenEXR files. These issues all occur due to heap buffer overflows. Note that ffmpeg is used in several contexts, including in web browsers and media players. Update to ffmpeg-7.1.2. 12.4-014
gegl
12.4 015 gegl Date: 2025-10-10 Severity: High
In gegl-0.4.64, a security vulnerability was fixed that could allow for remote code execution when processing HDR files. Note that this vulnerability is only exploitable via GIMP, which has also seen a security update recently. You should update gegl, and then update GIMP. If you are opening untrusted HDR files, you should update to gegl-0.4.64 immediately. 12.4-015
GIMP
12.4 016 GIMP Date: 2025-10-10 Severity: High
In GIMP-3.0.6, six security vulnerabilities were fixed that could allow for remote code execution when processing DCM, WBMP, FF, XWD, and ILBM files. If you are working with DCM, WBMP, FF, XWD, ILBM, or HDR files, you should update to gegl-0.4.64 and GIMP-3.0.6 immediately. 12.4-016
libaom
12.4 007 libaom Date: 2025-09-30 Severity: High
In libaom-3.13.1, a security vulnerability was fixed that could allow for remote code execution when playing a crafted AV1 file. The vulnerability is primarily known to be exploited in a web browser context, such as in QtWebEngine (with its embedded copy of Chromium). Update to libaom-3.13.1. 12.4-007
OpenJPEG
12.4 009 OpenJPEG Date: 2025-09-30 Severity: Critical
In OpenJPEG-2.5.4, a security vulnerability was fixed that could allow for remote code execution when processing a crafted JPEG2000 file. The issue occurs due to an unbounded out-of-bounds write. Update to OpenJPEG-2.5.4. 12.4-009
OpenSSH
12.4 018 OpenSSH Date: 2025-10-10 Severity: Low
In OpenSSH-10.1p1, a security vulnerability was fixed that could allow for remote code execution in some configurations. Only users who have modified the default configuration in BLFS and set ProxyCommand are vulnerable to the issue, and the issue occurs because OpenSSH allowed control characters in usernames that originate from untrusted sources. If you haven't modified the default BLFS configuration, there is no need to upgrade. If you have modified the configuration and set the ProxyCommand option though, update to OpenSSH-10.1p1. 12.4-018
PCRE2
12.4 004 PCRE2 Date: 2025-09-29 Severity: Medium
In PCRE2-10.46, a security vulnerability was fixed that can allow for information disclosure and a denial-of-service (application crash) when processing a crafted regular expression. This occurs when using the *ACCEPT and *scs: pattern features together, and upstream has noted that the issue can be used to escalate the severity of other security vulnerabilities in a system. Update to PCRE2-10.46, keeping in mind the note in the advisory about using the BLFS instructions since this package has been moved to LFS. 12.4-005
Ruby
12.4 019 Ruby Date: 2025-10-10 Severity: High
In Ruby-3.4.7, a security vulnerability was fixed that could allow for credential leakage to occur when using the URI gem. This occurs when using the + operator to combine URIs. If you are using Subversion with the Ruby bindings, or using the URI gem, update to Ruby-3.4.7. There is no reason to upgrade otherwise. 12.4-019
QtWebEngine
12.4 013 QtWebEngine Date: 2025-10-02 Severity: Critical
In QtWebEngine-6.9.3, fifteen security vulnerabilities were fixed that could allow for remote code execution, information leakage, and content security policy bypasses. At least three of these vulnerabilities are known to be under active exploitation, and users are advised to update QtWebEngine immediately, even if it is only used as a build dependency. Update to QtWebEngine-6.9.3. 12.4-013
SpiderMonkey
12.4 002 SpiderMonkey Date: 2025-09-19 Severity: Medium
In SpiderMonkey from Firefox-140.3.0esr, 1 security vulnerability has been fixed that could allow for exploitation of incorrect boundary conditions. Update to SpiderMonkey from Firefox-140.3.0esr. 12.4-002
Thunderbird
12.4 003 Thunderbird Date: 2025-09-19 Severity: High
In Thunderbird-140.3.0esr, 7 security vulnerabilities have been fixed that could allow for sandbox escapes, same-origin policy bypasses, exploitation of incorrect boundary conditions, integer overflows, networking information disclosure, and memory safety bugs. Update to Thunderbird-140.3.0esr. 12.4-003
Wireshark
12.4 011 Wireshark Date: 2025-09-30 Severity: Low
In Wireshark-4.4.9, a security vulnerability was fixed that could allow for a denial of service (application crash) when processing a crafted SSH packet. This can occur both during live packet captures and when reading a previously saved PCAP file. Update to Wireshark-4.4.9 if you use Wireshark to dissect SSH packets. 12.4-011