BLFS-13.0 was released on 2026-03-05
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
In BIND-9.20.20, a security vulnerability was fixed in the delv utility that could allow for a remotely exploitable crash in the dns_client_resolve() function triggered by a DNAME response. The issue is due to a use after free, and relies on a user passing a very rare set of options to exploit. The only known impact is a crash, and the issue requires user interaction to exploit, so upstream has rated the vulnerability as Low. This utility is only installed in a full BIND installation, and does NOT affect the BIND Utilities package in BLFS. If you are not experiencing crashes in the 'delv' utility, there is no need to upgrade. Update to BIND-9.20.20. 13.0-002
In cURL-8.19.0, four security vulnerabilities were fixed that could allow for inappropriate HTTP Negotiation connection reuse, token leaks, inappropriate proxy connection reuse with credentials, and use-after-free operations via SMB connection reuse. Update to cURL-8.19.0. 13.0-009
In Exiv2-0.28.8, three security vulnerabilities were fixed that could allow for a denial of service (application crash) when using the exiv2 command line tool. The library itself is not affected. Users that are using the preview component (e.g. passing '-pp' to the exiv2 command line tool) or who are processing CRW videos should update, as the issues only affect those use cases. There is no need to update otherwise. Update to Exiv2-0.28.8. 13.0-004
In Firefox-140.9.0esr, 38 security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, sandbox escapes, denial of service (application crashes and resource exhaustion), undefined behavior, mitigation bypasses, and privilege escalation. All users who have Firefox installed are urged to update immediately, especially because of the sandbox escape vulnerabilities which then amplify the impacts of the other vulnerabilities. Update to Firefox-140.9.0esr. 13.0-027
In FreeRDP-3.24.2, 9 security vulnerabilities were fixed that could allow for remote code execution, undefined behavior, and denial of service (application crashes and memory corruption). These vulnerabilities occur in a variety of situations, including when a user connects to a system or interacts with a system after connecting. This can include when receiving audio from the remote system. Users who use FreeRDP Server or connect to untrusted clients should update to FreeRDP-3.24.2 immediately. 13.0-031
In FreeRDP-3.24.0, eight security vulnerabilities were fixed that could allow for heap buffer overflows, out-of-bounds read and write operations, integer underflows, heap overwrites, gigantic while-loop iterations, and denial of service attacks via divisions by zero. Update immediately to FreeRDP-3.24.0. 13.0-012
In FreeRDP-3.23.0, twelve security vulnerabilities were fixed that could allow for remotely exploitable client and server crashes, information disclosure, and remote code execution. This can occur in a large variety of situations, including when using the clipboard redirection feature, connecting to a server, and resizing the window. Users who have FreeRDP installed should consider updating immediately if they connect to untrusted servers or are hosting a publicly-accessible RDP server. Update to FreeRDP-3.23.0. 13.0-001
In FreeType-2.14.3, several potential memory safety problems were resolved that could allow for arbitrary code execution (stack overflows) and denial of service (memory leaks and boundary problems). Upstream has been rather vague on the details of these issues, and the BLFS team was only able to find the exact problems by reviewing the commits for the 2.14.3 release. Upstream, however, recommends that users upgrade immediately to solve these problems, so we are filing an advisory even though there is not much in the way of details. Update to FreeType-2.14.3. 13.0-024
In FreeType-2.14.2, a security vulnerability was fixed that could allow for arbitrary code execution, information disclosure, or a denial of service (application crash) when processing the HVAR, VVAR, or MVAR tables in an OpenType variable font. This problem occurs due to an out of bounds read, caused by an integer overflow problem. This update also has several other fixes for other potential security problems, and upstream recommends that all users update to this version of FreeType. Update to FreeType-2.14.2. 13.0-003
In Fuse-3.18.2, two security vulnerabilities were fixed that could allow for use-after-free operations, NULL pointer dereferencing, and memory leaks. Update to Fuse-3.18.2. 13.0-014
In giflib-6.1.2, three assigned security vulnerabilities, among many unassigned AI-audited vulnerabilities, were fixed that could allow for double-free operations, denial of service attacks via memory leaks, heap buffer overflow exploitation, path traversing, out-of-bounds write operations, and integer and buffer overflows. Update to giflib-6.1.2. 13.0-010
In libde265-1.0.18, two security vulnerabilities were fixed that could allow for denial of service attacks and out-of-bounds heap write operations. Update to libde265-1.0.18. 13.0-011
In libpng-1.6.56, two security vulnerabilities were fixed that could allow for remote code execution and information disclosure. The first vulnerability is in the png_set_PLTE and png_set_tRNS functions, where a 100% valid PNG file can trigger a use-after-free which can leak sensitive heap contents, write attacker-influenced information to freed heap memory, and on systems which use glibc (like LFS systems), cause trivial remote code execution when loading the PNG file in contexts such as a web browser. The other vulnerability is an out-of-bounds read/write that only occurs on ARM/AArch64 systems which use the Neon optimizations. All users who have libpng installed are urged to update immediately. 13.0-016
In libxml2-2.15.2, five security vulnerabilities were fixed that could allow for a denial of service (resource exhaustion and application crashes) when using the xmllint utility in some rare conditions, when an application calls the xmlCatalogXMLResolveURI function when an XML catalog contains a URI entry that references itself, when processing XML catalogs with repeated nextCatalog elements pointing to the same downstream catalog, when parsing XSL nodes, and when using the RelaxNG parser to include external schemas. Update to libxml2-2.15.2. 13.0-005
In nfs-utils-2.8.6, a security vulnerability was fixed that could allow for an NFSv3 client to escalate privileges assigned to it in the /etc/exports file at mount time. It allows a client to access any subdirectory or subtree of an exported directory regardless of file permissions or other attributes that would normally be expected to apply to the client. This primarily affects servers running NFS, but all users should update due to other bugfixes in this package. Update to nfs-utils-2.8.6. 13.0-007
In nghttp2-1.68.1, a security vulnerability was fixed that could allow for a denial of service via an assertion failure. Update to nghttp2-1.68.1. 13.0-013
In Node.js-24.14.1, 8 security vulnerabilities were fixed that could allow for permission bypasses, remotely exploitable denial of service (resource exhaustion and application crashes), and potential MAC forgery. These can occur in a variety of situations, including when processing HTTP requests, parsing URLs, performing cryptography operations, and accessing files on the system. Note that the potential MAC forgery vulnerability occurs due to a timing side-channel problem. Update to Node.js-24.14.1. 13.0-030
In Python-3.14.3, three security vulnerabilities were found that could allow for a denial of service (application crash), for control characters to be allowed inside of HTTP cookies, and for Python to accidentally pass unexpected options to web browsers. Rebuild Python with the security fixes patch. BLFS 12.4 users can safely use the patch against Python 3.13 with the note that a new test failure will occur due to the test depending on newer testing API from Python 3.14. 13.0-022
In QtWebEngine-6.11.0, 47 security vulnerabilities were fixed that could allow for remote code execution, object corruption, sensitive information disclosure, cross-origin data exfiltration, sandbox escapes, for malicious extensions to inject scripts or HTML into privileged pages, for same-origin policy bypasses, and for navigation restriction bypasses. Two of these vulnerabilities are known to be actively exploited by a threat actor, and it is thus recommended that you update to Qt6 and QtWebEngine 6.11.0 immediately. 13.0-026
In requests-2.33.0, a security vulnerability was fixed that could allow for a local attacker with write access to /tmp to pre-create a malicious file that would be loaded in place of a legitimate file. This only affects the requests.utils.extract_zipped_paths() utility function, and not the standard usage of the requests library. Only applications which use this function directly are impacted, and none in BLFS at the moment use it. However, if you have third party modules installed which may use requests, you should update to requests-2.33.0 when it is convenient to do so. 13.0-017
In Spidermonkey from Firefox-140.9.0esr, four security vulnerabilities were fixed that could result in arbitrary code execution, denial of service, or unexpected behavior. These issues are a result of JIT miscompilation, use-after-free problems, usage of uninitialized memory, and incorrect boundary conditions. Update to Spidermonkey-140.9.0. 13.0-028
In systemd-259.5, a security vulnerability was fixed that could allow for local privilege escalation. This vulnerability was found in systemd-machined, which can be triggered by a regular user logged into a graphical environment who can escalate to the root user through an IPC call. Update to systemd-259.5. 13.0-008
In Thunderbird-140.9.0esr, 40 security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, sandbox escapes, denial of service (application crashes and resource exhaustion), undefined behavior, mitigation bypasses, UI spoofing, sensitive data disclosure, and privilege escalation. All users who have Thunderbird installed are urged to update immediately, especially because of the sandbox escape vulnerabilities which then amplify the impacts of the other vulnerabilities. Note that two issues here are also Thunderbird specific, notably a UI spoofing vulnerability and sensitive data disclosure when connecting to a malicious IMAP server. Update to Thunderbird-140.9.0esr. 13.0-029
In vim-9.2.0272, a security vulnerability was fixed that could allow for arbitrary OS Command Injection when loading a crafted file. Note that the file just needs to be loaded by VIM; a user does not need to edit it or perform any special commands for the vulnerability to trigger. All users should update to vim-9.2.0272 immediately, especially if they are regularly viewing source code or other files from untrusted or external sources. 13.0-025
In WebKitGTK-2.52.0, eight security vulnerabilities were fixed that could allow for use-after-free operations, internal application state disclosure, remote and local denial of service attacks, and user tracking. Update to WebKitGTK-2.52.0. 13.0-015
In Wireshark-4.6.4, three security vulnerabilities were fixed that could allow for a denial of service (memory exhaustion and remotely exploitable crash) when dissecting USB HID packets, RF4CE Profile packets, or NTS-KE packets. Users who are using Wireshark but are not operating a network with NTS-KE or RF4CE Profile packets, or who are not using the USB HID dissector, do not need to upgrade. However, if you are on a network where those packet types are in use, or are using Wireshark to dissect USB HID traffic, you should update Wireshark if you are experiencing crashes. Update to Wireshark-4.6.4. 13.0-006