BLFS Security Advisories for BLFS 11.2 and the current development books.
BLFS-11.2 was released on 2022-09-01
This page is in alphabetical order of packages; if a package has multiple advisories, the newer ones come first.
The links at the end of each item point to fuller details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
BIND
11.2 012 BIND Date: 2022-09-24 Severity: High
In BIND-9.18.7, six security vulnerabilities were fixed that could allow for denial of service or arbitrary code execution. Update to BIND-9.18.7 if you are using it for anything other than the client utilities. 11.2-012
cURL
11.2 002 cURL Date: 2022-09-03 Severity: Low
In cURL-7.85.0, a security vulnerability was fixed that could allow for some sites to deny access to other sites when processing control codes in cookies. Update to cURL-7.85.0 or later. 11.2-002
Firefox
11.2 007 Firefox Date: 2022-09-20 Severity: High
In Firefox-102.3.0esr, several security vulnerabilities, three of which were rated as high, were fixed. Update to firefox-102.3.0esr. 11.2-007
Node.js
11.2 010 Node.js Date: 2022-09-24 Severity: Critical
In Node.js-16.17.1, three security vulnerabilities were fixed that could allow for HTTP Request Smuggling and weak randomness in the WebCrypto Cryptography system. Update to Node.js-16.17.1. 11.2-010
Poppler
11.2 001 Poppler Date: 2022-09-03 Severity: Critical
In Poppler-22.09.0, a critical security vulnerability was fixed that allows for trivial arbitrary code execution when processing PDF files. Update to poppler-22.09.0 immediately, but take note of build failures and their solutions described in the consolidated advisory. 11.2-001
Python3
11.2 005 Python3 (LFS and BLFS) Date: 2022-09-14 Severity: High
In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (application crash) due to algorithmic complexity. Update to Python-3.10.7 or later. 11.2-005
QtWebEngine
11.2 006 QtWebEngine Date: 2022-09-19 Severity: Critical
In QtWebEngine-5.15.11, several security vulnerabilities were fixed that could allow for denial-of-service attacks, remote code execution, information disclosure, and arbitrary file creation and deletion. Update to QtWebEngine-5.15.11 immediately. 11.2-006
Thunderbird
11.2 013 Thunderbird Date: 2022-09-25 Severity: High
In Thunderbird-102.3.0, several security vulnerabilities were fixed that could allow for potentially exploitable crashes, session fixation, Content Security Policy bypass and memory safety bugs which may lead to remote code execution. Update to Thunderbird-102.3.0 immediately. 11.2-013
11.2 003 Thunderbird Date: 2022-09-03 Severity: High
In Thunderbird-102.2.1, several security vulnerabilities were fixed that could allow for leakage of sensitive information, unauthorized content access, unexpected network requests, and denial-of-service attacks. Update to Thunderbird-102.2.1 immediately. 11.2-003
Unbound
11.2 011 Unbound Date: 2022-09-24 Severity: High
In Unbound-1.16.3, a security vulnerability was fixed that could allow for a denial of service (excess resource consumption) due to a non-responsive delegation attack. Update to Unbound-1.16.3. 11.2-011
WebKitGTK+
11.2 008 WebKitGTK+ Date: 2022-09-21 Severity: Critical
In WebKitGTK+-2.36.8, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content. A proof of concept exploit exists. Update to WebKitGTK+-2.36.8. 11.2-008
Wireshark
11.2 004 Wireshark Date: 2022-09-14 Severity: Medium
In Wireshark-3.6.8, a security vulnerability was fixed that could allow for a denial of service when capturing packets on a network that uses F5 Ethernet Trailer packets. Update to Wireshark-3.6.8 if you're on such a network. 11.2-004