LFS Security Advisories for LFS 12.3 and the current development books.
LFS-12.3 was released on 2025-03-05
- There are currently no known security vulnerabilities for LFS-12.3.
This page is in alphabetical order of packages, and if a package has multiple advisories, the newer ones come first.
The links at the end of each item point to fuller details which have links to the development books.
Expat
12.3 006 Expat (LFS) Date: 2025-05-20 Severity: High
In Expat-2.7.1, a security vulnerability was fixed that could result in a crash from chaining a large number of entities. The crash is caused by a stack overflow, and it was resolved by fixing the usage of recursion for general entities in character data, general entities in attribute data, and parameter entities. Update to Expat-2.7.1 as soon as possible. 12.3-006
Perl
12.3 017 Perl (LFS) Date: 2025-05-20 Severity: High
In Perl-5.40.2, a security vulnerability was fixed that could allow for a denial of service or arbitrary code execution when transliterating non-ASCII bytes. The vulnerability is caused by a heap buffer overflow, and a subsequent out-of-bounds write. Update to Perl-5.40.2. 12.3-017
Python
12.3 018 Python (LFS and BLFS) Date: 2025-05-20 Severity: Medium
In Python-3.13.3, two security vulnerabilities were fixed that could allow for email header spoofing and a denial-of-service (unbounded memory usage). In addition, another vulnerability was resolved after this release of Python that can cause a crash when using the unicode_escape encoding or an error handler when decoding bytes using the bytes.decode() function. Update to Python-3.13.3 and apply the patch for the bytes.decode() vulnerability. 12.3-018
xz
12.3 019 xz (LFS) Date: 2025-05-20 Severity: High
In xz-5.8.1, a security vulnerability was fixed that could allow invalid input to cause a denial of service or potentially arbitrary code execution when decompressing an XZ file. Update to xz-5.8.1. 12.3-019