LFS Security Advisories for LFS 13.0.
LFS-13.0 was released on 2026-03-05
This page is in alphabetical order of packages, and if a package has multiple advisories the latest one comes first.
The links at the end of each item point to additional details which have links to the development books.
Glibc
Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.
13.0 021 glibc (LFS) Date: 2026-04-01 Severity: High
In glibc-2.43, two security vulnerabilities were discovered that could allow applications to treat invalid DNS responses as valid. Both issues are violations of the DNS specification, and they were resolved by counting the number of records expected and by validating hostnames in DNS records. Users should rebuild glibc with the sed in the development book. Note that rebuilding glibc should be done with extreme caution, and the instructions for updating glibc on that page should be followed strictly to prevent a broken system. 13.0-021
Expat
13.0 019 Expat (LFS) Date: 2026-04-01 Severity: Medium
In Expat-2.7.5, three security vulnerabilities were fixed that could allow a denial of service (crashes and resource exhaustion) when processing crafted XML files. Because Expat is used in a variety of contexts on an LFS system, including some web browsers, users are advised to update Expat. Update to Expat-2.7.5. 13.0-019
Perl
13.0 023 Perl (LFS) Date: 2026-04-01 Severity: Critical
In Perl-5.42.2, a security vulnerability was fixed by updating the bundled Compress::Raw::Zlib module, which could otherwise be used to exploit several of the zlib vulnerabilities from SA-12.4-099; the update also brings numerous other internal improvements to that module that fix issues with newer versions of zlib. Users are advised to update immediately, as CISA has rated this vulnerability as Critical. Update to Perl-5.42.2. 13.0-023
Python
13.0 022 Python (LFS and BLFS) Date: 2026-04-01 Severity: High
In Python-3.14.3, three security vulnerabilities were found that could allow a denial of service (application crash), allow control characters inside HTTP cookies, and cause Python to accidentally pass unexpected options to web browsers. Rebuild Python with the security fixes patch. 13.0-022
systemd
13.0 008 systemd (LFS and BLFS) Date: 2026-03-21 Severity: Medium
In systemd-259.5, a security vulnerability was fixed that could allow local privilege escalation. The vulnerability is in systemd-machined and can be triggered by a regular user logged into a graphical environment, who can escalate to the root user through an IPC call. Update to systemd-259.5. 13.0-008
vim
13.0 025 vim (LFS and BLFS) Date: 2026-04-01 Severity: Critical
In vim-9.2.0272, a security vulnerability was fixed that could allow arbitrary OS command injection when a crafted file is loaded. Note that the file only needs to be loaded by vim; the user does not need to edit it or run any special commands for the vulnerability to trigger. All users should update to vim-9.2.0272 immediately, especially if they regularly view source code or other files from untrusted or external sources. 13.0-025
XML-Parser
13.0 020 XML-Parser (LFS) Date: 2026-04-01 Severity: Critical
In XML-Parser-2.54, two security vulnerabilities were fixed that could allow remote code execution or a denial of service (application crashes) when processing crafted XML documents. Both of these vulnerabilities are known to be exploited in the wild. Update to XML-Parser-2.54 immediately. 13.0-020
xz
13.0 018 xz (LFS) Date: 2026-04-01 Severity: Critical
In xz-5.8.3, a security vulnerability was fixed that could allow a buffer overflow in the lzma_index_append() function, which in rare circumstances could lead to arbitrary code execution. Upstream has noted that it is very unlikely that the bug can be triggered in any real-world application, but the vulnerability has been marked as Critical nonetheless. The vulnerability occurs when lzma_index_decoder() is used to decode an Index that contains no Records: the resulting lzma_index is left in a state where a subsequent lzma_index_append() does not allocate enough memory, and the buffer overflow follows. However, there is typically no reason to append Records to a decoded lzma_index. Update to xz-5.8.3. 13.0-018
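Because LFS has no package manager to report which advisories a host still needs, the following audit script is added here as an example; it is not part of the LFS advisory page or the LFS project. The fixed versions come from the advisories above (13.0-019, 13.0-023, 13.0-020, 13.0-018 and 13.0-008); the commands used to read each installed version, and the output formats they parse, are assumptions about the tools rather than anything the page states. The glibc, Python and vim advisories are deliberately left out of the automatic check, since the first two are rebuilds that leave the version string unchanged.

```shell
#!/bin/sh
# Added example (not from the LFS advisory page): compare installed package
# versions on an LFS 13.0 host against the fixed versions in the advisories.

# version_lt A B: true when version A sorts strictly before version B.
# Uses GNU sort -V so that 9.2.0100 < 9.2.0272 and 2.7.5 > 2.7.10 are
# compared numerically per component rather than as plain strings.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_advisory ID PACKAGE INSTALLED FIXED: print a one-line verdict and
# return 1 only when the installed version is older than the fixed one.
# An empty INSTALLED string means the probe failed (tool absent); that is
# reported but does not count as a failure.
check_advisory() {
    if [ -z "$3" ]; then
        printf '%s %-12s installed version unknown (probe failed)\n' "$1" "$2"
        return 0
    fi
    if version_lt "$3" "$4"; then
        printf '%s %-12s %s < %s  UPDATE NEEDED\n' "$1" "$2" "$3" "$4"
        return 1
    fi
    printf '%s %-12s %s >= %s ok\n' "$1" "$2" "$3" "$4"
}

# Version probes. Output formats below are assumptions about each tool;
# each probe prints nothing if the tool is not installed.
installed_expat()     { pkg-config --modversion expat 2>/dev/null; }
installed_perl()      { perl -MConfig -e 'print $Config{version}' 2>/dev/null; }
installed_xmlparser() { perl -MXML::Parser -e 'print $XML::Parser::VERSION' 2>/dev/null; }
# assumed first line: "xz (XZ Utils) 5.8.3"
installed_xz()        { xz --version 2>/dev/null | sed -n '1s/.* //p'; }
# assumed first line: "systemd 259 (259.5)"
installed_systemd()   { systemctl --version 2>/dev/null | sed -n '1s/.*(\(.*\)).*/\1/p'; }

# audit_lfs_13_0: run every version-detectable advisory; return 1 if any
# package still needs updating.
audit_lfs_13_0() {
    rc=0
    check_advisory 13.0-019 Expat      "$(installed_expat)"     2.7.5  || rc=1
    check_advisory 13.0-023 Perl       "$(installed_perl)"      5.42.2 || rc=1
    check_advisory 13.0-020 XML-Parser "$(installed_xmlparser)" 2.54   || rc=1
    check_advisory 13.0-018 xz         "$(installed_xz)"        5.8.3  || rc=1
    check_advisory 13.0-008 systemd    "$(installed_systemd)"   259.5  || rc=1
    # 13.0-021 (glibc) and 13.0-022 (Python) are rebuilds with a sed or a
    # patch, so the version string does not change; 13.0-025 (vim) reports
    # a patch range rather than 9.2.0272 directly. Verify those by hand.
    return $rc
}
```

Source the file and run `audit_lfs_13_0`; a non-zero exit status means at least one of the version-detectable packages is still below the advisory's fixed version.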