BLFS Security Advisories for BLFS 13.0 and the current development books.

BLFS-13.0 was released on 2026-03-05

This page is in alphabetical order of packages, and if a package has multiple advisories, the newest comes first.

The links at the end of each item point to more details which have links to the development books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

Apache HTTPD

13.0 079 Apache HTTPD Date: 2026-05-23 Severity: Critical

In httpd-2.4.67, eleven security vulnerabilities were fixed that could allow for trivial remote code execution, denial of service (resource exhaustion and server crashes), memory disclosure, privilege escalation, HTTP response splitting, and authentication bypasses. These vulnerabilities are in a large variety of modules, including HTTP/2 support, mod_md, mod_rewrite, mod_dav_lock, mod_auth_digest, mod_authn_socache, and mod_proxy_ajp. All users who have httpd installed should update immediately due to the remote code execution vulnerability which affects the commonly enabled HTTP/2 support. Update to httpd-2.4.67. 13.0-079

BIND

13.0 002 BIND Date: 2026-03-06 Severity: Low

In BIND-9.20.20, a security vulnerability was fixed in the delv utility that could allow for a remotely exploitable crash in the dns_client_resolve() function triggered by a DNAME response. The issue is due to a use after free, and relies on a user passing a very rare set of options to exploit. The only known impact is a crash, and the issue requires user interaction to exploit, so upstream has rated the vulnerability as Low. This utility is only installed in a full BIND installation, and does NOT affect the BIND Utilities package in BLFS. If you are not experiencing crashes in the 'delv' utility, there is no need to upgrade. Update to BIND-9.20.20. 13.0-002

cups

13.0 052 cups Date: 2026-04-29 Severity: High

In cups-2.4.17, seven security vulnerabilities were fixed that could allow for reliable remote code execution, arbitrary file creation, authorization bypasses, path traversal, and remotely exploitable crashes. In most cases this can be triggered via malicious print jobs, but there is a writeup for the remote code execution vulnerability which demonstrates that the vulnerability is possible on any system which has a shared printer. There is also a writeup for the arbitrary file creation vulnerability which demonstrates placing a file into the /etc/sudoers.d directory to achieve local privilege escalation. All users who have cups installed and enabled should update immediately to protect their systems. Update to cups-2.4.17. 13.0-052

cURL

13.0 087 cURL Date: 2026-05-24 Severity: Medium

In cURL-8.20.0, seven security vulnerabilities were fixed that could allow for cleartext transmission of sensitive information (due to invalid connection reuse), for authentication bypass when using HTTP Negotiate, for SMB connections to download or upload the wrong file, for proxy credentials to be leaked when using a proxy to connect to a second proxy, for cookie leaks, for credentials to be exposed to remote servers when using a .netrc file, and for cross-proxy Digest authentication state leakage. Update to cURL-8.20.0, especially if you use IMAP/POP3/SMTP URL schemes or SMB. 13.0-087

13.0 009 cURL Date: 2026-03-21 Severity: Medium

In cURL-8.19.0, four security vulnerabilities were fixed that could allow for inappropriate HTTP Negotiate connection reuse, token leaks, inappropriate proxy connection reuse with credentials, and use-after-free operations via SMB connection reuse. Update to cURL-8.19.0. 13.0-009

dash

13.0 059 dash Date: 2026-04-30 Severity: Medium

In dash-0.5.13.3, a security vulnerability was fixed that could allow for a denial of service (application crash) due to a floating point exception when doing some arithmetic in shell scripts. The issue occurs when a script divides INTMAX_MIN by -1: the quotient is not representable, which is a signed overflow, and on affected systems the hardware divide raises SIGFPE. Users who use dash with shell scripts that perform arithmetic should upgrade to dash-0.5.13.3 if they experience crashes. 13.0-059
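To make the trap concrete, here is an added example (it is not dash's own code) of how an arithmetic evaluator working on intmax_t can reject the two quotient cases that trap before the hardware divide instruction runs. INTMAX_MIN / -1 is not representable, so C leaves both that division and the matching remainder undefined, and x86 raises SIGFPE for both. The function names and status codes are hypothetical; whether an evaluator reports an error or wraps is a design choice.

```c
/* Added example, not dash's own code: a shell-arithmetic evaluator on
 * intmax_t must reject the quotient cases that trap before executing the
 * hardware divide. INTMAX_MIN / -1 is not representable, so C leaves both
 * the division and the matching remainder undefined, and x86 raises
 * SIGFPE for them. The function and status names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum div_status { DIV_OK = 0, DIV_BY_ZERO = 1, DIV_OVERFLOW = 2 };

/* Quotient with both trapping cases rejected up front. */
enum div_status shell_div(intmax_t a, intmax_t b, intmax_t *out)
{
    if (b == 0)
        return DIV_BY_ZERO;
    if (a == INTMAX_MIN && b == -1)
        return DIV_OVERFLOW;        /* result would be INTMAX_MAX + 1 */
    *out = a / b;
    return DIV_OK;
}

/* Remainder: x % -1 is always 0 mathematically, so answer without
 * touching the divide instruction (INTMAX_MIN % -1 traps too). */
enum div_status shell_mod(intmax_t a, intmax_t b, intmax_t *out)
{
    if (b == 0)
        return DIV_BY_ZERO;
    if (b == -1) {
        *out = 0;
        return DIV_OK;
    }
    *out = a % b;
    return DIV_OK;
}

/* Scalar wrappers for callers that need only the status or the value;
 * the value is 0 whenever the status is not DIV_OK. */
int shell_div_status(intmax_t a, intmax_t b) { intmax_t r = 0; return shell_div(a, b, &r); }
intmax_t shell_div_value(intmax_t a, intmax_t b) { intmax_t r = 0; shell_div(a, b, &r); return r; }
int shell_mod_status(intmax_t a, intmax_t b) { intmax_t r = 0; return shell_mod(a, b, &r); }
intmax_t shell_mod_value(intmax_t a, intmax_t b) { intmax_t r = 0; shell_mod(a, b, &r); return r; }

int main(void)
{
    /* The expression from the advisory: $(( INTMAX_MIN / -1 )). */
    printf("INTMAX_MIN / -1 : status %d\n", shell_div_status(INTMAX_MIN, -1));
    printf("INTMAX_MIN %% -1 : status %d value %jd\n",
           shell_mod_status(INTMAX_MIN, -1), shell_mod_value(INTMAX_MIN, -1));
    printf("7 / -2          : value %jd\n", shell_div_value(7, -2));
    return 0;
}
```

The check has to sit in front of the division operator itself; a handler installed for SIGFPE cannot safely resume the interpreter at that point, which is why the fix belongs in the evaluator rather than in signal handling.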

Exiv2

13.0 004 Exiv2 Date: 2026-03-06 Severity: Low

In Exiv2-0.28.8, three security vulnerabilities were fixed that could allow for a denial of service (application crash) when using the exiv2 command line tool. The library itself is not affected. Users who use the preview component (e.g. passing '-pp' to the exiv2 command line tool) or who process CRW (Canon RAW) files should update, as the issues only affect those use cases. There is no need to update otherwise. Update to Exiv2-0.28.8. 13.0-004

ffmpeg

13.0 085 ffmpeg Date: 2026-05-24 Severity: High

In ffmpeg-8.1.1, a security vulnerability was fixed that could allow for a denial of service (application crash) when processing media files. This can be remotely exploited with no user interaction in web browsers and media player contexts. Update to ffmpeg-8.1.1. 13.0-085

Firefox

13.0 073 Firefox Date: 2026-05-23 Severity: Critical

In Firefox-140.11.0esr, fifty-five security vulnerabilities were fixed that could allow for remote code execution, denial of service (application crashes and resource exhaustion), information disclosure, privilege escalation, UI spoofing, mitigation bypasses, same-origin policy bypasses, and sandbox escapes. All users of Firefox must update immediately to protect their systems, especially since the sandbox escape vulnerabilities significantly amplify the severity of the remote code execution vulnerabilities fixed in this update. Update to Firefox-140.11.0esr. 13.0-073

13.0 027 Firefox Date: 2026-04-01 Severity: High

In Firefox-140.9.0esr, 38 security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, sandbox escapes, denial of service (application crashes and resource exhaustion), undefined behavior, mitigation bypasses, and privilege escalation. All users who have Firefox installed are urged to update immediately, especially because of the sandbox escape vulnerabilities which then amplify the impacts of the other vulnerabilities. Update to Firefox-140.9.0esr. 13.0-027

FreeRDP

13.0 086 FreeRDP Date: 2026-05-24 Severity: High

In FreeRDP-3.26.0, four security vulnerabilities were fixed that could allow for remote code execution and denial of service. These issues can occur when using clipboard redirection, when using RDPGFX, and when using RDPEAR. These vulnerabilities require a user to connect to a malicious RDP server, so most users are not exposed as long as they do not connect to untrusted systems with FreeRDP. Update to FreeRDP-3.26.0. 13.0-086

13.0 051 FreeRDP Date: 2026-04-29 Severity: Medium

In FreeRDP-3.25.0, a security vulnerability was fixed that could allow for arbitrary files to be read or written because of a path traversal issue. This does require users to be connected to a RDP server with drive redirection enabled. Update to FreeRDP-3.25.0. 13.0-051

13.0 031 FreeRDP Date: 2026-04-01 Severity: High

In FreeRDP-3.24.2, 9 security vulnerabilities were fixed that could allow for remote code execution, undefined behavior, and denial of service (application crashes and memory corruption). These vulnerabilities occur in a variety of situations, including when a user connects to a system or interacts with a system after connecting. This can include when receiving audio from the remote system. Users who use FreeRDP Server or connect to untrusted clients should update to FreeRDP-3.24.2 immediately. 13.0-031

13.0 012 FreeRDP Date: 2026-03-21 Severity: Critical

In FreeRDP-3.24.0, eight security vulnerabilities were fixed that could allow for heap buffer overflows, out-of-bounds read and write operations, integer underflows, heap overwrites, unbounded while-loop iterations, and denial of service attacks via divisions by zero. Update immediately to FreeRDP-3.24.0. 13.0-012

13.0 001 FreeRDP Date: 2026-03-06 Severity: High

In FreeRDP-3.23.0, twelve security vulnerabilities were fixed that could allow for remotely exploitable client and server crashes, information disclosure, and remote code execution. This can occur in a large variety of situations, including when using the clipboard redirection feature, connecting to a server, and resizing the window. Users who have FreeRDP installed should consider updating immediately if they connect to untrusted servers or are hosting a publicly-accessible RDP server. Update to FreeRDP-3.23.0. 13.0-001

FreeType

13.0 024 FreeType Date: 2026-04-01 Severity: High

In FreeType-2.14.3, several potential memory safety problems were resolved that could allow for arbitrary code execution (stack overflows) and denial of service (memory leaks and boundary problems). Upstream has been rather vague on the details of these issues, and the BLFS team was only able to find the exact problems by reviewing the commits for the 2.14.3 release. Upstream however recommends that users upgrade immediately to solve these problems, so we are filing an advisory even though there is not much in the way of details. Update to FreeType-2.14.3. 13.0-024

13.0 003 FreeType Date: 2026-03-06 Severity: Medium

In FreeType-2.14.2, a security vulnerability was fixed that could allow for arbitrary code execution, information disclosure, or a denial of service (application crash) when processing the HVAR, VVAR, or MVAR tables in an OpenType variable font. This problem occurs due to an out of bounds read, caused by an integer overflow problem. This update also has several other fixes for other potential security problems, and upstream recommends that all users update to this version of FreeType. Update to FreeType-2.14.2. 13.0-003

Fuse

13.0 014 Fuse Date: 2026-03-21 Severity: High

In Fuse-3.18.2, two security vulnerabilities were fixed that could allow for use-after-free operations, NULL pointer dereferencing, and memory leaks. Update to Fuse-3.18.2. 13.0-014

giflib

13.0 010 giflib Date: 2026-03-21 Severity: High

In giflib-6.1.2, three assigned security vulnerabilities, among many unassigned AI-audited vulnerabilities, were fixed that could allow for double-free operations, denial of service attacks via memory leaks, heap buffer overflow exploitation, path traversal, out-of-bounds write operations, and integer and buffer overflows. Update to giflib-6.1.2. 13.0-010

GIMP

13.0 050 GIMP Date: 2026-04-16 Severity: High

In GIMP-3.2.2, twelve security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, information disclosure, and denial of service (application crashes). These occur due to integer overflows and heap buffer overflows. The PCX, PSD, ICO, JP2, PSP, XPM, FITS, TIM, ICNS, PVR, Seattle Filmworks, and GIF image parsers are affected by these vulnerabilities. All users who work with these image types should update GIMP to 3.2.2 immediately, especially if you are working with untrusted image files. Update to GIMP-3.2.2. 13.0-050

glib

13.0 078 glib Date: 2026-05-23 Severity: High

In glib-2.88.1, nine security vulnerabilities were fixed that could allow for remote code execution, denial of service (application crashes), and path traversal leading to arbitrary file reads. These issues occur in a variety of different functions including GMarkup, GVariant, GDateTime, and GDBus. Update to glib-2.88.1. 13.0-078

13.0 033 glib Date: 2026-04-03 Severity: High

In glib-2.86.5, five security vulnerabilities were fixed that could allow for information disclosure or denial of service (application crashes). These vulnerabilities all occur due to small out-of-bounds reads and buffer over-reads in a variety of crucial functions. Update to glib-2.86.5. 13.0-033

GnuPG

13.0 093 GnuPG Date: 2026-05-26 Severity: Medium

In GnuPG-2.5.20, several security vulnerabilities were fixed that could allow for a denial of service (application crash) when processing crafted certificates, utilizing SC-HSM SmartCards, processing key signatures, and using the 'gpgsm' utility. The only known impact of these problems is a crash. Update to GnuPG-2.5.20 if you experience crashes using the 'gpg' and the 'gpgsm' utilities, or while utilizing SmartCards. 13.0-093

GnuTLS

13.0 076 GnuTLS Date: 2026-05-23 Severity: Critical

In GnuTLS-3.8.13, thirteen vulnerabilities were fixed that could allow for remote code execution, information disclosure, denial of service (undefined behavior and application crashes), authentication bypass, domain names being accepted that should have been rejected, certificate name constraint bypasses, misuse of certificates, acceptance of revoked certificates, and private key disclosure. All users who have GnuTLS installed should update to 3.8.13 immediately. 13.0-076

gstreamer

13.0 091 gstreamer Date: 2026-05-26 Severity: High

In gstreamer, gst-plugins-bad, and gst-plugins-good 1.28.3, six security vulnerabilities were fixed that could allow for arbitrary code execution, data corruption, denial of service (application crashes), and information disclosure of sensitive memory contents. These vulnerabilities occur in the H.266/VVC parser, the MXF demuxer, the MOV/MP4 demuxer, the MPEG PS PES header parser, and the core GStreamer libraries themselves. Because the gstreamer suite is used in a variety of contexts (including audio/video editors, media players, and web browsers), and because one of the arbitrary code execution and data corruption vulnerabilities is in the core of gstreamer itself, all users who have the suite installed should update as soon as possible. Update the gstreamer stack to 1.28.3. 13.0-091

13.0 036 gstreamer Date: 2026-04-08 Severity: High

In gst-plugins-base, gst-plugins-bad, and gst-plugins-good 1.28.2, eleven security vulnerabilities were fixed that could allow for information disclosure, denial of service (memory exhaustion and application crashes), and arbitrary code execution. These occur in a variety of functions, including the SRT/WebVTT parser, the Matroska demuxer, the WAV parser when decoding CUE files, the FLV demuxer, the mDVDsub subtitle parser, the MOV/MP4 demuxer, the H.266/VVC parser, the JPEG 2000 decimator, the AV1 LEB128 parser, and the H.264 video parser. Because of the variety of circumstances where gstreamer is used (including web browsers and media players), all users who have it installed are advised to update the stack to 1.28.2 immediately. 13.0-036

lcms2

13.0 080 lcms2 Date: 2026-05-23 Severity: High

In lcms-2.19, a security vulnerability was fixed that could allow for a crash or potentially information disclosure when processing a crafted image file to retrieve a color profile. The vulnerability is an integer overflow in the CubeSize() function: the overflow check was performed after the multiplication rather than before it, so a wrapped product passed the check. There is a 992-byte PDF file available to the public that is able to trigger a crash in poppler, OpenJDK, Okular, Evince, GIMP, cups-filters, LibreOffice, and Tumbler (from XFCE). Users should update to this version, especially if they start experiencing unexplained crashes in these programs, or if they explicitly disable ASLR on their systems. Update to lcms2-2.19. 13.0-080
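The ordering error described above is easy to reproduce. The following added example (it is not lcms2's code; the table geometry, the function names and the 64 MiB cap are hypothetical) computes the byte size of a multi-dimensional lookup table two ways: with the cap applied after the multiplications, where a wrapped product slips under it, and with a check in front of every multiplication.

```c
/* Added example, not lcms2's code: sizing an N-dimensional lookup table.
 * The geometry (grid points per axis, axes, output channels, bytes per
 * value) and the 64 MiB cap are hypothetical. Unsigned arithmetic wraps
 * silently in C, so a check that runs after the multiplications only
 * ever sees the wrapped value. */
#include <stdint.h>
#include <stdio.h>

#define MAX_TABLE_BYTES (64u * 1024u * 1024u)

/* Flawed ordering: multiply everything, then compare. Returns 0 when
 * the size is rejected. */
uint32_t table_size_unsafe(uint32_t grid, uint32_t dims,
                           uint32_t channels, uint32_t bytes_per)
{
    uint32_t n = bytes_per * channels;
    for (uint32_t i = 0; i < dims; i++)
        n *= grid;                  /* may wrap modulo 2^32 */
    if (n > MAX_TABLE_BYTES)        /* too late: n is already wrapped */
        return 0;
    return n;                       /* a too-small buffer gets allocated */
}

/* Portable check-before-multiply: a * b fits in 32 bits iff
 * b <= UINT32_MAX / a (for a != 0). Returns 0 if it would wrap. */
int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Fixed ordering: every product is checked before it can wrap, and the
 * cap is applied to a value that is known to be exact. */
uint32_t table_size_safe(uint32_t grid, uint32_t dims,
                         uint32_t channels, uint32_t bytes_per)
{
    uint32_t n;
    if (!mul_u32_checked(bytes_per, channels, &n))
        return 0;
    for (uint32_t i = 0; i < dims; i++) {
        if (!mul_u32_checked(n, grid, &n))
            return 0;
    }
    if (n > MAX_TABLE_BYTES)
        return 0;
    return n;
}

int main(void)
{
    /* 1025^3 grid points x 4 channels x 1 byte = 4,307,562,500 bytes,
     * which wraps to 12,595,204 and sails under the cap in the unsafe
     * version; the safe version rejects it (returns 0). */
    printf("unsafe: %u\n", table_size_unsafe(1025, 3, 4, 1));
    printf("safe:   %u\n", table_size_safe(1025, 3, 4, 1));
    return 0;
}
```

The same pattern applies to signed sizes, with the added twist that a signed multiplication that overflows is undefined behaviour rather than a silent wrap, so the compiler may delete a post-hoc check entirely; checking before the multiplication (or using a compiler overflow builtin) is the only ordering that works in both cases.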

libarchive

13.0 046 libarchive Date: 2026-04-15 Severity: High

In libarchive-3.8.7, seven security vulnerabilities were fixed that could allow for denial of service (application crashes and memory exhaustion) as well as arbitrary code execution. These vulnerabilities occur in the CAB, CPIO, and ISO9660 formats, as well as in the 'untar' contrib script (which is not installed by default and is sample code). If you use libarchive to process ISO9660 formats (e.g. ISOs), CAB files, or for processing CPIO formatted files, you should consider updating. There isn't much reason for users who don't process those formats to update. Update to libarchive-3.8.7. 13.0-046

libde265

13.0 011 libde265 Date: 2026-03-21 Severity: High

In libde265-1.0.18, two security vulnerabilities were fixed that could allow for denial of service attacks and out-of-bounds heap write operations. Update to libde265-1.0.18. 13.0-011

libexif

13.0 044 libexif Date: 2026-04-15 Severity: High

In libexif-0.6.26, three security vulnerabilities were fixed that could allow for arbitrary code execution, denial of service (application crashes), and information disclosure. Update to libexif-0.6.26 especially if you are processing untrusted images or EXIF metadata regularly. 13.0-044

libgcrypt

13.0 056 libgcrypt Date: 2026-04-29 Severity: High

In libgcrypt-1.12.2, two security vulnerabilities were fixed that could allow for a denial of service when using the Dilithium signing algorithm or when using ECDH encryption (including NIST, Brainpool, X448, or X25519 curves). The denial of service impact is memory corruption and subsequent application crashes. There is also a possible remote code execution impact but the possibility of this is extremely minimal because of modern hardening in glibc. Update to libgcrypt-1.12.2. 13.0-056

libgpg-error

13.0 088 libgpg-error Date: 2026-05-24 Severity: High

In libgpg-error-1.61, two security vulnerabilities were fixed that could allow for a denial of service (application crash) and possibly arbitrary code execution. These issues occur in the es_printf() and vfnameconcat() functions. Update to libgpg-error-1.61. 13.0-088

libinput

13.0 034 libinput Date: 2026-04-06 Severity: High

In libinput-1.31.1, two security vulnerabilities were fixed that could allow for a sandbox escape and information disclosure. Both of these issues occur in libinput's plugins subsystem. Update to libinput-1.31.1. 13.0-034

libpng

13.0 094 libpng Date: 2026-05-26 Severity: Medium

In libpng-1.6.58's libpng-1.6.58-apng patch, a security vulnerability was fixed that could allow for chunk smuggling in the push-mode APNG parser. This can allow crafted APNG images to cause a denial of service (application crash). Note that this cannot cause code execution because the decompressed output of the affected APNG images is written into a pre-allocated row buffer. However, in BLFS, libpng's APNG support is heavily utilized by Firefox, Thunderbird, and Seamonkey. Users of those packages should apply this update to their systems. Update to libpng-1.6.58. 13.0-094

13.0 047 libpng Date: 2026-04-15 Severity: Medium

In libpng-1.6.57, a security vulnerability was fixed that could allow for a denial of service (application crash) or possibly heap information disclosure. This can occur with valid PNG files conforming to the PNG specification, as any image that contains an affected chunk can trigger the vulnerability. However, it is rated as Medium because only applications that call the png_set_PLTE, png_set_tRNS, and png_set_hIST functions are affected, and only when the pointer they pass refers to the same info structure that is being updated (aliased input). Most users should still consider upgrading, though, because this issue occurs with valid PNG files. Update to libpng-1.6.57. 13.0-047

13.0 016 libpng Date: 2026-03-26 Severity: High

In libpng-1.6.56, two security vulnerabilities were fixed that could allow for remote code execution and information disclosure. The first vulnerability is in the png_set_PLTE and png_set_tRNS functions, where a 100% valid PNG file can trigger a use-after-free which can leak sensitive heap contents, write attacker-influenced information to freed heap memory, and on systems which use glibc (like LFS systems), cause trivial remote code execution when loading the PNG file in contexts such as a web browser. The other vulnerability is an out-of-bounds read/write that only occurs on ARM/AArch64 systems which use the Neon optimizations. All users who have libpng installed are urged to update immediately. 13.0-016

libraw

13.0 045 libraw Date: 2026-04-15 Severity: Critical

In libraw-0.22.1, eight security vulnerabilities were fixed that could allow for remote code execution, arbitrary code execution, and denial of service (application crash and memory exhaustion). These vulnerabilities are mostly classified as heap buffer overflows and integer overflows, and they occur in a large variety of different functions and contexts. Any user that processes untrusted RAW images should update to this version immediately to protect their system. Update to libraw-0.22.1. 13.0-045

libwww-perl

13.0 092 libwww-perl Date: 2026-05-26 Severity: Medium

In libwww-perl-6.83, a security vulnerability was fixed that could allow for Authorization and Proxy-Authorization headers to be leaked to an attacker-controlled host on cross-origin redirects. Update to libwww-perl-6.83. 13.0-092

libxml2

13.0 057 libxml2 Date: 2026-04-29 Severity: High

In libxml2-2.15.3, five security vulnerabilities were fixed that could allow for type confusion and denial of service (application crashes). The denial of service vulnerabilities occur due to use-after-free issues and double frees. The vulnerabilities are in the parser itself as well as entity support, the c14n support, and the Python bindings. Three additional issues were fixed that could allow for memory leaks, but were not classified as security vulnerabilities. Update to libxml2-2.15.3. 13.0-057

13.0 005 libxml2 Date: 2026-03-06 Severity: Medium

In libxml2-2.15.2, five security vulnerabilities were fixed that could allow for a denial of service (resource exhaustion and application crashes) when using the xmllint utility in some rare conditions, when an application calls the xmlCatalogXMLResolveURI function when an XML catalog contains a URI entry that references itself, when processing XML catalogs with repeated nextCatalog elements pointing to the same downstream catalog, when parsing XSL nodes, and when using the RelaxNG parser to include external schemas. Update to libxml2-2.15.2. 13.0-005

libXpm

13.0 060 libXpm Date: 2026-04-30 Severity: Medium

In libXpm-3.5.19, a security vulnerability was fixed that could allow for information disclosure and denial of service (application crashes) when reading a crafted XPM file. Update to libXpm-3.5.19. 13.0-060

lxml (Python Module)

13.0 095 lxml (Python Module) Date: 2026-05-26 Severity: High

In lxml-6.1.1, a security vulnerability was fixed that could be used for URL bypass attacks in embedded SVG, MathML, and other HTML5 content. The issue occurred because the set of known link attributes in 'lxml.html.defs.link_attrs' was missing 'xlink:href', which allowed unauthorized files to be loaded. Update to lxml-6.1.1. 13.0-095

13.0 058 lxml (Python Module) Date: 2026-04-30 Severity: High

In lxml-6.1.0, a security vulnerability was fixed that could allow for untrusted XML input to read local files on the system. This was because of an XML External Entity Injection issue in the iterparse() function and the ETCompatXMLParser parser. This affects the default configuration of lxml, and an application must initialize it with the resolve_entities option explicitly set to False or 'internal' to work around the issue. Users who regularly process untrusted XML input are advised to upgrade immediately. Update to lxml-6.1.0. 13.0-058

MIT Kerberos V5

13.0 081 MIT Kerberos V5 Date: 2026-05-24 Severity: Medium

In krb5-1.22.2, two security vulnerabilities were discovered that could allow for remotely exploitable denial of service (Kerberos server crash). These issues are caused by a null pointer dereference and a read overrun when the krb5-kdc daemon receives crafted input during authentication. This can allow unauthenticated remote attackers to crash the daemon. Memory disclosure does not appear to be possible. The client libraries and programs are not affected. Apply the security fixes patch if you are using the server. 13.0-081

nfs-utils

13.0 007 nfs-utils Date: 2026-03-09 Severity: Medium

In nfs-utils-2.8.6, a security vulnerability was fixed that could allow for a NFSv3 client to escalate privileges assigned to it in the /etc/exports file at mount time. It allows a client to access any subdirectory or subtree of an exported directory regardless of file permissions or other attributes that would normally be expected to apply to the client. This primarily affects servers running NFS, but all users should update due to other bugfixes in this package. Update to nfs-utils-2.8.6. 13.0-007

nghttp2

13.0 013 nghttp2 Date: 2026-03-21 Severity: High

In nghttp2-1.68.1, a security vulnerability was fixed that could allow for a denial of service via an assertion failure. Update to nghttp2-1.68.1. 13.0-013

Node.js

13.0 030 Node.js Date: 2026-04-01 Severity: High

In Node.js-24.14.1, 8 security vulnerabilities were fixed that could allow for permission bypasses, remotely exploitable denial of service (resource exhaustion and application crashes), and potential MAC forgery. These can occur in a variety of situations, including when processing HTTP requests, parsing URLs, performing cryptography operations, and accessing files on the system. Note that the potential MAC forgery vulnerability occurs due to a timing side-channel problem. Update to Node.js-24.14.1. 13.0-030

ntfs-3g

13.0 054 ntfs-3g Date: 2026-04-29 Severity: High

In ntfs-3g-2026.2.25, a security vulnerability was fixed that could allow for arbitrary code execution, possible privilege escalation, and denial of service (application crashes and possibly a kernel panic) by opening a maliciously crafted NTFS image or filesystem. Update to ntfs-3g-2026.2.25. 13.0-054

OpenSSH

13.0 032 OpenSSH Date: 2026-04-03 Severity: High

In OpenSSH-10.3p1, five security vulnerabilities were fixed that could allow for inappropriate matching of the authorized_keys file in some rare circumstances, for downloads from SCP to be installed SUID/SGID in some situations, for unexpected command execution to occur via shell metacharacters in a username, for OpenSSH to use unintended ECDSA algorithms, and for OpenSSH to omit connection multiplexing confirmation for proxy-mode multiplexing sessions. Most of these vulnerabilities rely on non-standard configurations or specific actions to take place. If you have modified the default BLFS configuration for OpenSSH, review the consolidated advisory to ensure that you are not affected. If you are affected, update to OpenSSH-10.3p1. There is no reason to upgrade if you are not affected. 13.0-032

PHP

13.0 090 PHP Date: 2026-05-26 Severity: Critical

In PHP-8.5.6, eleven security vulnerabilities were fixed that could allow for denial of service (application crashes, infinite loops, and excessive resource consumption), cross site scripting, remotely exploitable information disclosure, SQL injection, remote code execution, and for numeric truncation (leading to incorrect information being returned from a PHP program). These vulnerabilities occur in a variety of different areas in PHP itself, including the standard library, URI, SOAP, PDO_Firebird, MBString, FPM, and DOM. All users who have PHP installed are urged to update to 8.5.6 immediately, especially if they are running it on a web server. 13.0-090

Postfix

13.0 084 Postfix Date: 2026-05-24 Severity: High

In Postfix-3.11.2, a security vulnerability was fixed that could allow for a remotely exploitable denial of service (daemon crash). The issue is a buffer over-read, which can occur when Postfix receives an enhanced status code that is not followed by any other text (e.g. "5.7.2" with nothing after the three-number code). Update to Postfix-3.11.2. 13.0-084
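As an added example that is not Postfix's code, the following parser extracts an enhanced status code (the RFC 3463 "class.subject.detail" form) from an SMTP reply line using only bounded accesses, so a reply that ends immediately after the code, the shape described above, is handled rather than scanned past. The struct and function names are hypothetical and the sample reply lines are constructed.

```c
/* Added example, not Postfix's code: extract an enhanced status code
 * ("class.subject.detail", RFC 3463) from an SMTP reply line with every
 * read bounded by the buffer length, including a reply that ends right
 * after the code. Struct and function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct dsn_reply {
    char code[10];          /* up to "X.YYY.ZZZ" plus NUL */
    const char *text;       /* points into the line; "" when absent */
    size_t text_len;        /* length without trailing CRLF */
};

/* Returns 1 when 'line' starts with a 3-digit reply code, a space and a
 * well-formed enhanced code; 0 otherwise. Never reads beyond 'len'. */
int parse_dsn(const char *line, size_t len, struct dsn_reply *out)
{
    size_t i = 0, k = 0;

    if (len < 4)
        return 0;
    for (; i < 3; i++)
        if (line[i] < '0' || line[i] > '9')
            return 0;
    if (line[i++] != ' ')
        return 0;

    /* class is exactly one digit; subject and detail are 1 to 3 digits */
    for (int part = 0; part < 3; part++) {
        size_t digits = 0, maxd = (part == 0) ? 1 : 3;
        while (i < len && digits < maxd && line[i] >= '0' && line[i] <= '9') {
            out->code[k++] = line[i++];
            digits++;
        }
        if (digits == 0)
            return 0;
        if (part < 2) {
            if (i >= len || line[i] != '.')
                return 0;
            out->code[k++] = line[i++];
        }
    }
    out->code[k] = '\0';                 /* k is at most 9 here */

    /* What follows the code: nothing, CRLF, or a space and free text.
     * A parser that assumes "a space is always next" reads past 'len'
     * in the first two cases. */
    out->text = "";
    out->text_len = 0;
    if (i == len || line[i] == '\r' || line[i] == '\n')
        return 1;
    if (line[i] != ' ')
        return 0;
    i++;
    out->text = line + i;
    out->text_len = len - i;
    while (out->text_len > 0 &&
           (out->text[out->text_len - 1] == '\r' || out->text[out->text_len - 1] == '\n'))
        out->text_len--;
    return 1;
}

/* Scalar helpers for callers (and tests) that need a single fact. */
int dsn_is_valid(const char *line)
{
    struct dsn_reply r;
    return parse_dsn(line, strlen(line), &r);
}
long dsn_text_length(const char *line)     /* -1 when the line is malformed */
{
    struct dsn_reply r;
    return parse_dsn(line, strlen(line), &r) ? (long)r.text_len : -1L;
}
int dsn_code_is(const char *line, const char *expect)
{
    struct dsn_reply r;
    return parse_dsn(line, strlen(line), &r) && strcmp(r.code, expect) == 0;
}

int main(void)
{
    /* Constructed sample replies; the last one is the shape from the advisory. */
    const char *samples[] = {
        "550 5.7.2 Mailbox full\r\n",
        "250 2.0.0 Ok\r\n",
        "550 5.7.2\r\n",
    };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        struct dsn_reply r;
        if (parse_dsn(samples[s], strlen(samples[s]), &r))
            printf("sample %zu: code=%s text=\"%.*s\"\n", s, r.code, (int)r.text_len, r.text);
        else
            printf("sample %zu: malformed\n", s);
    }
    return 0;
}
```

The parser takes an explicit length rather than relying on a NUL terminator because network reply buffers are often not NUL-terminated; every index test is against 'len' before the byte is read, which is the property the fixed Postfix release restores for this input shape.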

ProFTPD

13.0 075 ProFTPD Date: 2026-05-23 Severity: High

In ProFTPD-1.3.9a, a security vulnerability was fixed which could allow for unauthenticated remote code execution, privilege escalation, and authentication bypasses in some circumstances. The issue is in the mod_sql module, where a logic error in the is_escaped_text() function will let a crafted username execute SQL commands when logging is enabled. The default configuration in BLFS is not affected by this vulnerability as it doesn't use mod_sql for retrieving credentials from an SQL database, and it also doesn't enable logging to an SQL database either. If you have changed the default BLFS configuration to enable SQL support though, you need to update ProFTPD as soon as possible. Update to ProFTPD-1.3.9a. 13.0-075

pytest

13.0 035 pytest Date: 2026-04-08 Severity: Medium

In pytest-9.0.3, a security vulnerability was fixed that could allow for a denial of service (application crash) or possibly privilege escalation. This is due to an unsafe use of temporary directories, where previous versions allowed all users to write to the /tmp/pytest-of-${USER} directory. Note that this would only be exploitable locally per upstream, and can only be exploited while a test suite is running. Update to pytest-9.0.3. 13.0-035

Python

13.0 070 Python (LFS and BLFS) Date: 2026-05-22 Severity: Critical

In Python-3.14.5, three security vulnerabilities were fixed that could allow for XML hash flooding, FTP connection redirection and port scanning via FTP, and for the 'pip' command to install incorrect files based off the name of an archive. Update to Python-3.14.5 with the security fixes patch. Note that you must also update to Expat-2.8.0 or later to fully resolve the XML hash flooding vulnerability. 13.0-070

13.0 038 Python (LFS and BLFS) Date: 2026-04-15 Severity: Critical

In Python-3.14.4 (and 3.13.13), four security vulnerabilities were fixed. After release, an additional four were resolved. These vulnerabilities can allow for a variety of impacts, including denial of service (application crashes), allowing data to be accepted by the base64 module that should have been processed differently, input validation bypasses when working with cookies in http.cookies.Morsel (allowing injection of control characters into cookies), legacy *.pyc files being incorrectly handled (leading to unintended behavior at runtime for various programs), arbitrary code execution when processing LZMA, BZ2, or GZIP compressed files in Python, CR/LF bytes not being rejected in HTTP client proxy tunnel headers, commands being injected into the underlying shell when a Python script opens a web browser, and memory corruption when using the remote debugging feature in Python 3.14 and later. Update to Python-3.14.4 with the security fixes patch. BLFS 12.4 users can safely use 3.13.13 with the patch but will need to skip a missing file during the patch process. 13.0-038

13.0 022 Python (LFS and BLFS) Date: 2026-04-01 Severity: High

In Python-3.14.3, three security vulnerabilities were found that could allow for a denial of service (application crash), for control characters to be allowed inside of HTTP cookies, and for Python to accidentally pass unexpected options to web browsers. Rebuild Python with the security fixes patch. BLFS 12.4 users can safely use the patch against Python 3.13 with the note that a new test failure will occur due to the test depending on newer testing API from Python 3.14. 13.0-022

QtWebEngine

13.0 026 QtWebEngine Updated: 2026-04-03 Severity: Critical

In QtWebEngine-6.11.0, 47 security vulnerabilities were fixed that could allow for remote code execution, object corruption, sensitive information disclosure, cross-origin data exfiltration, sandbox escapes, for malicious extensions to inject scripts or HTML into privileged pages, for same-origin policy bypasses, and for navigation restriction bypasses. Two of these vulnerabilities are known to be actively exploited by a threat actor, and it is thus recommended that you update to Qt6 and QtWebEngine 6.11.0 immediately. 13.0-026

LXQt users will need to update to lxqt-panel-2.3.3 and lxqt-config-2.3.2 to fix compatibility problems with Qt6-6.11.0 which cause problems with loading icons from icon themes.

Updated on 2026-04-03 to include information about LXQt icon theme issues.

requests

13.0 017 requests Date: 2026-03-26 Severity: Medium

In requests-2.33.0, a security vulnerability was fixed that could allow for a local attacker with write access to /tmp to pre-create a malicious file that would be loaded in place of a legitimate file. This only affects the requests.utils.extract_zipped_paths() utility function, and not the standard usage of the requests library. Only applications which use this function directly are impacted, and none in BLFS at the moment use it. However, if you have third party modules installed which may use requests, you should update to requests-2.33.0 when it is convenient to do so. 13.0-017

rsync

13.0 083 rsync Date: 2026-05-24 Severity: High

In rsync-3.4.3, six security vulnerabilities were fixed that could allow for local privilege escalation, remotely exploitable file overwrites, hostname/ACL bypasses, remotely exploitable information disclosure (leaking process memory contents including passwords, heap and library pointers, and environment variables), and remotely exploitable denial of service (daemon crashes). The default BLFS configuration is affected by three of these vulnerabilities, while the other three are only exploitable when a user has RSYNC_PROXY set or when the server is running with "daemon chroot = no". The vulnerabilities that the default configuration is affected by include the remotely exploitable information disclosure and the two denial of service issues. Update to rsync-3.4.3 immediately, especially if you are running the rsyncd daemon. 13.0-083

13.0 053 rsync Date: 2026-04-29 Severity: High

In rsync-3.4.1, a security vulnerability was discovered which could allow for a remotely exploitable crash and information disclosure when an rsync client connects to a malicious server. Only users who pass the -X option to rsync are affected, and this option is not passed by default. If you do use the -X option though, you should apply the security patch in BLFS to fix this vulnerability immediately. 13.0-053

Ruby

13.0 061 Ruby Date: 2026-04-30 Severity: High

In Ruby-4.0.3, a security vulnerability was fixed that could allow for arbitrary code execution when an application calls the Marshal.load function while the activesupport and ERB support is loaded. This vulnerability is in the ERB gem bundled with Ruby. While users can update the gem on its own, the BLFS team recommends updating Ruby instead since it is a guaranteed way to ensure that a fixed version is present. Update to Ruby-4.0.3. 13.0-061

rustc

13.0 055 rustc Date: 2026-04-29 Severity: Medium

In rustc-1.94.1, two security vulnerabilities were fixed in the 'tar' crate bundled with Cargo that could allow for a crafted tarball to modify the permissions of arbitrary directories outside the extraction root and for tarballs to be generated as a different size in some circumstances. After this update was put into BLFS, another update was put in to allow for OpenSSL-4.x compatibility which also fixed several vulnerabilities that affect the 'rust-openssl' crate regardless of which OpenSSL version is in use. Because BLFS 13.0 shipped with OpenSSL-3.6.x, three issues were fixed in this update to the rust-openssl crate that can cause arbitrary code execution and denial of service (application crashes) when working with certificates. Users who have rust installed are urged to update to rustc-1.94.1. Updating to 1.95.0 may require changes to other packages to ensure that they build correctly. Update to rustc-1.94.1. 13.0-055

Spidermonkey

13.0 072 Spidermonkey Date: 2026-05-23 Severity: High

In Spidermonkey from Firefox-140.11.0esr, four security vulnerabilities were fixed that could allow for remote code execution, information disclosure, and denial of service. These issues occur due to incorrect boundary access, invalid pointers, and use-after-free vulnerabilities. The issues are in the core JavaScript engine as well as the WebAssembly and JIT components. Update to Spidermonkey-140.11.0. 13.0-072

13.0 028 Spidermonkey Date: 2026-04-01 Severity: High

In Spidermonkey from Firefox-140.9.0esr, four security vulnerabilities were fixed that could result in arbitrary code execution, denial of service, or unexpected behavior. These issues are a result of JIT miscompilation, use-after-free problems, usage of uninitialized memory, and incorrect boundary conditions. Update to Spidermonkey-140.9.0. 13.0-028

systemd

13.0 008 systemd (LFS and BLFS) Date: 2026-03-21 Severity: Medium

In systemd-259.5, a security vulnerability was fixed that could allow for local privilege escalation. The vulnerability is in systemd-machined and can be triggered by a regular user logged into a graphical environment, who can escalate to the root user through an IPC call. Update to systemd-259.5. 13.0-008

Text::CSV_XS

13.0 082 Text::CSV_XS Date: 2026-05-24 Severity: High

In Text::CSV_XS-1.62, a security vulnerability was fixed that could allow for type confusion or denial of service (application crashes). This can show up in crafted CSV input passed to this Perl module, and occurs due to a use-after-free when registered callbacks extend the Perl argument stack. This Perl module is only used by Biber in BLFS, so users who have that package installed and who process untrusted input will want to update. Users who have written Perl code that utilizes this module will also want to update if they use the Parse, print, getline, or getline_all methods in their code. Update to Text::CSV_XS-1.62. 13.0-082

Thunderbird

13.0 074 Thunderbird Date: 2026-05-23 Severity: Critical

In Thunderbird-140.11.0esr, fifty-five security vulnerabilities were fixed that could allow for remote code execution, denial of service (application crashes and resource exhaustion), information disclosure, privilege escalation, UI spoofing, mitigation bypasses, same-origin policy bypasses, and sandbox escapes. All users of Thunderbird must update immediately to protect their systems, especially since the sandbox escape vulnerabilities significantly amplify the severity of the remote code execution vulnerabilities fixed in this update. Update to Thunderbird-140.11.0esr. 13.0-074

13.0 029 Thunderbird Date: 2026-04-01 Severity: High

In Thunderbird-140.9.0esr, 40 security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, sandbox escapes, denial of service (application crashes and resource exhaustion), undefined behavior, mitigation bypasses, UI spoofing, sensitive data disclosure, and privilege escalation. All users who have Thunderbird installed are urged to update immediately, especially because of the sandbox escape vulnerabilities which then amplify the impacts of the other vulnerabilities. Note that two issues here are also Thunderbird specific, notably a UI spoofing vulnerability and sensitive data disclosure when connecting to a malicious IMAP server. Update to Thunderbird-140.9.0esr. 13.0-029

urllib3

13.0 089 urllib3 Date: 2026-05-24 Severity: High

In urllib3-2.7.0, two security vulnerabilities were fixed that could allow for sensitive headers to be forwarded across origins, and for denial of service (significant CPU usage and massive memory consumption). The sensitive header forwarding vulnerability occurs if a program calls the ProxyManager.connection_from_url() function and allows cross-origin redirects. The denial of service vulnerability occurs because of a decompression bomb exploitable in the streaming API. Note that users will also want to be on at least brotli-1.2.0 to prevent additional impacts from this vulnerability. Update to urllib3-2.7.0. 13.0-089

vim

13.0 071 vim (LFS and BLFS) Date: 2026-05-22 Severity: Medium

In vim-9.2.0481, four security vulnerabilities were fixed that could allow for a denial of service (application crash), for OS Command Injection, and for vimscript code injection. Users who use vimscript, perform spell checking, use the ':find' command, or who view arbitrary tar files using vim are advised to update. Update to vim-9.2.0481. 13.0-071

13.0 063 vim (LFS and BLFS) Date: 2026-04-30 Severity: Medium

In vim-9.2.0421, two security vulnerabilities were fixed that could allow for OS command injection when processing tag files and when using sftp:// and file:// URLs to access a file. All users who use sftp:// or file:// URLs to access a file or who use tag navigation should update immediately due to the risk of arbitrary command execution. Update to vim-9.2.0421. 13.0-063

13.0 037 vim (LFS and BLFS) Date: 2026-04-15 Severity: High

In vim-9.2.0340, two security vulnerabilities were fixed that could allow for operating system command injection (resulting from a sandbox escape in the modeline functionality), and for path traversal issues when modifying the contents of Zip archives to cause vim to overwrite files on the underlying system rather than the intended contents of the Zip archive. All users are urged to update to vim-9.2.0340 immediately due to the risk of arbitrary command execution. 13.0-037

13.0 025 vim (LFS and BLFS) Date: 2026-04-01 Severity: Critical

In vim-9.2.0272, a security vulnerability was fixed that could allow for arbitrary OS Command Injection when loading a crafted file. Note that the file just needs to be loaded by vim; a user does not need to edit it or perform any special commands for the vulnerability to trigger. All users should update to vim-9.2.0272 immediately, especially if they are regularly viewing source code or other files from untrusted or external sources. 13.0-025

WebKitGTK

13.0 015 WebKitGTK Updated: 2026-03-26 Severity: Critical

In WebKitGTK-2.52.0, eight security vulnerabilities were fixed that could allow for use-after-free operations, internal application state disclosure, remote and local denial of service attacks, and user tracking. Update to WebKitGTK-2.52.0. 13.0-015

Wireshark

13.0 077 Wireshark Date: 2026-05-23 Severity: High

In Wireshark-4.6.5, thirty-nine security vulnerabilities were fixed that could allow for denial of service and potentially remote code execution when picking up crafted packets on a network, when using the sharkd utility, and when importing profiles from other systems. These specifically impact the HTTP, SMB2, GSM RP, WebSocket, RPKI-Router, MBIM, OpenFlow v5, OpenFlow v6, GNW, MySQL, IEEE 802.11, RTSP, ASN.1 PER, TLS, iLBC, DCP-ETSI, SANE, Kismet, USB HID, DLMS/COSEM, ZigBee, BEEP, SDP, AMR-NB, RDP, SBC, K12 RF5, AFP, ICMPv6, FC-SWILS, BT-DHT, and Monero packet and protocol dissectors. All users who have Wireshark installed should update to Wireshark-4.6.5 since several of these protocols are commonly used on networks. 13.0-077

13.0 006 Wireshark Date: 2026-03-08 Severity: Medium

In Wireshark-4.6.4, three security vulnerabilities were fixed that could allow for a denial of service (memory exhaustion and remotely exploitable crash) when dissecting USB HID packets, RF4CE Profile packets, or NTS-KE packets. Users who are using Wireshark but are not operating a network with NTS-KE or RF4CE Profile packets, or who are not using the USB HID dissector, do not need to upgrade. However, if you are on a network where those packet types are in use, or are using Wireshark to dissect USB HID traffic, you should update Wireshark if you are experiencing crashes. Update to Wireshark-4.6.4. 13.0-006

x265

13.0 062 x265 Date: 2026-05-22 Severity: Medium

In x265-4.2, three security vulnerabilities were fixed that could allow for a denial of service (excessive memory consumption) when utilizing the x265 command line tool, as well as when saving and loading analysis of a file, and when computing the SEI buffer. Very limited details are available on the issues and the commit upstream contains all of the fixes consolidated into one large commit. All users who use x265 to analyze H.265 files or who use the x265 command line tool should update to x265-4.2. 13.0-062

Updated on 2026-05-22 to document the need to rebuild packages due to a SONAME bump.

xdg-dbus-proxy

13.0 042 xdg-dbus-proxy Date: 2026-04-15 Severity: High

In xdg-dbus-proxy-0.1.7, a security vulnerability was fixed that could allow for D-Bus clients to intercept messages that they should not have access to. It was fixed by adjusting the policy parser to be able to handle settings with quotation marks and other cases. In BLFS, the only known package to use xdg-dbus-proxy is WebKitGTK. Update to xdg-dbus-proxy-0.1.7. 13.0-042

xdg-desktop-portal

13.0 043 xdg-desktop-portal Date: 2026-04-15 Severity: Medium

In xdg-desktop-portal-1.20.4, a security vulnerability was fixed that could allow for an application which uses the Trash portal to delete any arbitrary file on the host that it has permission to access. This is identical to the recent Flatpak security vulnerability relating to this, but affects any program that uses the Trash portal - not just in a Flatpak context. In BLFS, this primarily includes file managers and some web browsers, but could affect other programs as well depending on whether they routinely create or delete files. Update to xdg-desktop-portal-1.20.4. 13.0-043

Xorg-Server

13.0 048 Xorg-Server Date: 2026-04-15 Severity: High

In Xorg-Server-21.1.22, five security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service (Xorg crashes). These vulnerabilities occur in the XKB and XSYNC extensions. The first vulnerability is an integer underflow in the XkbSetCompatMap() function in the XKB extension, while the second is an out of bounds read in the CheckSetGeom() function (also in the XKB extension). The next vulnerability occurs in the XSYNC extension's miSyncTriggerFence() function, and is classified as a use after free. The next issue is an out of bounds read in the CheckModifierMap() function in the XKB extension, and the final issue is a buffer overflow in the CheckKeyTypes() function in the XKB extension. Update to Xorg-Server-21.1.22, and rebuild TigerVNC against 21.1.22 if it is installed. 13.0-048

Xwayland

13.0 049 Xwayland Updated: 2026-04-29 Severity: High

In Xwayland-24.1.10, five security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service (Xorg crashes). These vulnerabilities occur in the XKB and XSYNC extensions. The first vulnerability is an integer underflow in the XkbSetCompatMap() function in the XKB extension, while the second is an out of bounds read in the CheckSetGeom() function (also in the XKB extension). The next vulnerability occurs in the XSYNC extension's miSyncTriggerFence() function, and is classified as a use after free. The next issue is an out of bounds read in the CheckModifierMap() function in the XKB extension, and the final issue is a buffer overflow in the CheckKeyTypes() function in the XKB extension. Update to Xwayland-24.1.11. 13.0-049

Updated on 2026-04-29 to tell users to use Xwayland-24.1.11. Xwayland-24.1.10 has several major regressions that caused unexpected crashes and other problems, and 24.1.11 was released to fix these.