LFS Security Advisories for LFS 12.3 and the current development books.
LFS-12.3 was released on 2025-03-05
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to fuller details which have links to the development books.
coreutils
12.3 043 coreutils (LFS) Date: 2025-06-02 Severity: Medium
In coreutils-9.6, a security vulnerability was discovered that could allow for a denial of service (application crash) or leakage of sensitive data when using the 'sort' utility. The vulnerability is a heap buffer under-read. Update to coreutils-9.7 with the patch. 12.3-043
Expat
12.3 006 Expat (LFS) Date: 2025-05-20 Severity: High
In Expat-2.7.1, a security vulnerability was fixed that could result in a crash from chaining a large number of entities. The crash is caused by a stack overflow, and it was resolved by fixing the usage of recursion for general entities in character data, general entities in attribute data, and parameter entities. Update to Expat-2.7.1 as soon as possible. 12.3-006
Perl
12.3 042 Perl (LFS) Date: 2025-06-02 Severity: Medium
In Perl-5.40.2, a security vulnerability was discovered that could allow for a race condition where file operations may target unintended paths. The vulnerability is known to cause arbitrary code execution as well as loading files from unexpected locations. Rebuild Perl-5.40.2 with the patch. 12.3-042
12.3 017 Perl (LFS) Date: 2025-05-20 Severity: High
In Perl-5.40.2, a security vulnerability was fixed that could allow for a denial of service or arbitrary code execution when transliterating non-ASCII bytes. The vulnerability is caused by a heap buffer overflow and a subsequent out-of-bounds write. Update to Perl-5.40.2. 12.3-017
Python
12.3 047 Python (LFS and BLFS) Date: 2025-06-04 Severity: Critical
In Python-3.13.4, five security vulnerabilities were fixed that could allow for a denial of service when processing long IPv6 addresses, and for tarfile extraction filters to be bypassed using crafted symlinks and hard links. The extraction filter bypasses allow attackers to write arbitrary files onto a user's filesystem when decompressing a tar file using the 'tarfile' Python module. Update to Python-3.13.4. 12.3-047
12.3 018 Python (LFS and BLFS) Date: 2025-05-20 Severity: Medium
In Python-3.13.3, two security vulnerabilities were fixed that could allow for email header spoofing and a denial of service (unbounded memory usage). In addition, another vulnerability was resolved after this release of Python that can cause a crash when using the unicode_escape encoding or an error handler when decoding bytes with the bytes.decode() function. Update to Python-3.13.3 and apply the patch for the bytes.decode() vulnerability. 12.3-018
systemd
12.3 044 systemd (LFS and BLFS) Date: 2025-06-02 Severity: Medium
In systemd-257.6, a security vulnerability was fixed that allows an attacker to force a SUID process to crash and then replace the program with a non-SUID binary in order to access the original privileged process's coredump. This allows the attacker to read extremely sensitive data, such as the contents of /etc/shadow. Update to systemd-257.6. 12.3-044
xz
12.3 019 xz (LFS) Date: 2025-05-20 Severity: High
In xz-5.8.1, a security vulnerability was fixed in which invalid input, when decompressing an XZ file, could cause a denial of service or potentially arbitrary code execution. Update to xz-5.8.1. 12.3-019