BLFS Security Advisories for BLFS 11.2 and the current development books.
BLFS-11.2 was released on 2022-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
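Before the per-package list, an added example (not part of the BLFS advisories or the BLFS book) of turning the minimum fixed versions quoted in the entries below into a check that can be run on a BLFS system. It assumes a Linux system with GNU coreutils (for `sort -V`) and pkg-config; the `.pc` names in the table are the editor's assumptions about what each package installs, the minimums are copied from the entries on this page, and only packages that install a `.pc` file are covered. The check is deliberately version-only: it cannot tell whether an older version has been patched in place, as this page advises for libtiff-4.4.0 and systemd, so treat `VULNERABLE` as "read the advisory", not as a confirmed finding.

```shell
#!/bin/sh
# Added example, not BLFS tooling: gate installed library versions against the
# minimum fixed versions quoted in the BLFS 11.2 advisories on this page.
# Assumes GNU sort (for -V) and pkg-config.

# Constructed table: <pkg-config name> <package as named on this page> <minimum>
# The minimums are the fixed versions from the advisories; the .pc names are
# assumptions about what each package installs.
MINIMUM_VERSIONS='
apr-1       Apr        1.7.2
apr-util-1  Apr-Util   1.6.3
dbus-1      dbus       1.14.4
gnutls      GnuTLS     3.8.0
glib-2.0    glib       2.74.4
ksba        Libksba    1.6.3
libcurl     cURL       7.88.1
libtiff-4   libtiff    4.5.0
libxml-2.0  libxml2    2.10.3
nss         NSS        3.88.1
pixman-1    Pixman     0.42.2
'

# version_ge A B: succeed when A is at or above B in version ordering.
# GNU sort -V copes with dotted numbers and suffixes such as 1.9.12p2 or 102.8.0esr.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_version NAME INSTALLED MINIMUM: print one verdict line; return 0 when
# INSTALLED >= MINIMUM, 1 otherwise.
check_version() {
    if version_ge "$2" "$3"; then
        printf 'OK          %-10s %-12s (>= %s)\n' "$1" "$2" "$3"
        return 0
    fi
    printf 'VULNERABLE  %-10s %-12s (needs >= %s)\n' "$1" "$2" "$3"
    return 1
}

# audit_versions: read "<name> <installed> <minimum>" lines from stdin and
# return the number of entries below their minimum (0 means nothing found).
audit_versions() {
    below=0
    while read -r name installed minimum; do
        [ -n "$name" ] || continue
        check_version "$name" "$installed" "$minimum" || below=$((below + 1))
    done
    return "$below"
}

# scan_installed: look each library up with pkg-config, then audit. Libraries
# without a .pc file are reported on stderr and skipped rather than failed.
scan_installed() {
    if ! command -v pkg-config >/dev/null 2>&1; then
        echo 'pkg-config not found; nothing scanned' >&2
        return 0
    fi
    printf '%s\n' "$MINIMUM_VERSIONS" | while read -r pc name minimum; do
        [ -n "$pc" ] || continue
        if installed=$(pkg-config --modversion "$pc" 2>/dev/null); then
            printf '%s %s %s\n' "$name" "$installed" "$minimum"
        else
            printf 'skipped %s: no %s.pc found\n' "$name" "$pc" >&2
        fi
    done | audit_versions
}

# Live scan only when asked for, so the functions can also be sourced:
#   sh blfs-advisory-check.sh --scan
if [ "${1-}" = "--scan" ]; then
    scan_installed
    exit $?
fi
```

Run with `--scan` on the system being audited; the exit status is the number of libraries found below their advisory minimum, which makes the script usable from cron or a post-upgrade hook. Packages that do not install a `.pc` file (Samba, Sudo, OpenSSH, Firefox and the like) need a per-tool version probe and are not in the table.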
Apache HTTPD
11.2 072 Apache HTTPD Date: 2023-01-19 Severity: High
In httpd-2.4.55, three security vulnerabilities were fixed in the mod_proxy, mod_proxy_ajp, and mod_dav modules that could allow for HTTP Response Splitting, Request Smuggling, and remotely exploitable crashes. Update to httpd-2.4.55 if you are using those modules. 11.2-072
Apr
11.2 077 Apr Date: 2023-02-02 Severity: Medium
In apr-1.7.2, three security vulnerabilities were fixed regarding out-of-bounds writes. Update to apr-1.7.2. 11.2-077
Apr-Util
11.2 076 Apr-Util Date: 2023-02-02 Severity: Medium
In apr-util-1.6.3, a security vulnerability was fixed that allowed an attacker to write beyond bounds of a buffer. Update to apr-util-1.6.3. 11.2-076
BIND
11.2 012 BIND Date: 2022-09-24 Severity: High
In BIND-9.18.7, six security vulnerabilities were fixed that could allow for denial of service or arbitrary code execution. Update to BIND-9.18.7 if you are using it for anything other than the client utilities. 11.2-012
cURL
11.2 099 cURL Date: 2023-02-21 Severity: Medium
In cURL-7.88.1, three security vulnerabilities were fixed that could allow for HSTS bypasses and denial of service. Update to cURL-7.88.1 or later. 11.2-099
11.2 063 cURL Date: 2022-12-30 Severity: Low
In cURL-7.87.0, two security vulnerabilities were fixed that could allow for an HSTS bypass when using IDN, and for secure tunnel failure when using SMB and TELNET protocols with cURL and stunnel. Update to cURL-7.87.0 or later. 11.2-063
11.2 027 cURL Date: 2022-10-28 Severity: Medium
In cURL-7.86.0, three security vulnerabilities were fixed that could allow for denial-of-service (application crashes), PUT confusion, and for HSTS bypasses. Update to cURL-7.86.0 or later. 11.2-027
11.2 002 cURL Date: 2022-09-03 Severity: Low
In cURL-7.85.0, a security vulnerability was fixed that could allow for some sites to deny access to other sites when processing control codes in cookies. Update to cURL-7.85.0 or later. 11.2-002
dbus
11.2 018 dbus (LFS and BLFS) Date: 2022-10-28 Severity: Medium
In dbus-1.14.4, three security vulnerabilities were fixed that could allow for unprivileged attackers to cause denial-of-service conditions (system dbus-daemon crashes, as well as crashes of any programs which use the libdbus library). Update to dbus-1.14.4 or later. 11.2-018
DHCP
11.2 019 DHCP Date: 2022-10-28 Severity: High
In DHCP-4.4.3-P1, two security vulnerabilities were fixed that could allow for a denial-of-service and memory leak in the DHCPD server. Update to DHCP-4.4.3-P1 if you are using the DHCPD server. 11.2-019
Epiphany
11.2 102 Epiphany Date: 2023-02-22 Severity: High
In Epiphany-43.1, a security vulnerability was fixed that could allow for password exfiltration through autofill when in a sandboxed environment. Update to Epiphany-43.1 immediately if you use its password manager. 11.2-102
Firefox
11.2 093 Firefox Date: 2023-02-14 Severity: High
In Firefox-102.8.0esr, eleven security vulnerabilities applicable to Linux systems were fixed, eight of them rated as High by upstream. Update to Firefox-102.8.0esr. 11.2-093
11.2 067 Firefox Date: 2023-01-17 Severity: High
In Firefox-102.7.0esr, seven security vulnerabilities were fixed, three of them rated as High by upstream. 11.2-067
11.2 052 Firefox Revised: 2023-01-17 Severity: Critical
In Firefox-102.6.0esr, six security vulnerabilities were fixed, four of them rated as High by upstream. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. 11.2-052
11.2 043 Firefox Date: 2022-10-18 Severity: High
In Firefox-102.5.0esr, twelve security vulnerabilities were fixed, seven of them rated as High by upstream. 11.2-043
11.2 015 Firefox Date: 2022-10-18 Severity: High
In Firefox-102.4.0esr, four security vulnerabilities were fixed, two of them rated as High by upstream. Details at 11.2-015
11.2 007 Firefox Date: 2022-09-20 Severity: High
In Firefox-102.3.0esr several security vulnerabilities, of which three were rated as high, were fixed. Update to firefox-102.3.0esr. 11.2-007
glib
11.2 062 glib Date: 2022-12-30 Severity: High
In glib-2.74.4, several security vulnerabilities were fixed in the GVariant normalization code and GDBusMenuModel. Update to glib-2.74.4. 11.2-062
git
11.2 095 git Date: 2023-02-16 Severity: Medium
In git-2.39.2, two security vulnerabilities were fixed that could allow for data exfiltration and path traversal/arbitrary file overwrites when using repositories with symbolic links. Update to git-2.39.2, especially if you are using a repository from an untrusted source with submodules. 11.2-095
11.2 071 git Date: 2023-01-19 Severity: Critical
In git-2.39.1, two security vulnerabilities were fixed that could allow for remote code execution on git clients and servers when using repositories with a .gitattributes file, or when running the 'git log' and 'git archive' commands. Update to git-2.39.1 immediately. 11.2-071
11.2 024 git Date: 2022-10-28 Severity: High
In git-2.38.1, two security vulnerabilities were fixed that could allow for remote code execution on servers which have 'git' installed, and for leakage of sensitive information on systems where untrusted repositories are cloned when symbolic links exist within the repository. Update to git-2.38.1 immediately, especially if you run a git server. 11.2-024
GnuTLS
11.2 089 GnuTLS Date: 2023-02-14 Severity: Medium
In GnuTLS-3.8.0, a security vulnerability which allowed a remote attacker to perform a man-in-the-middle attack was fixed. Update to GnuTLS-3.8.0. 11.2-089
HTTP::Daemon (perl module)
11.2 103 HTTP-Daemon Date: 2023-02-23 Severity: Medium
In HTTP-Daemon-6.15 a vulnerability was fixed which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. Update to HTTP-Daemon-6.15. 11.2-103
ImageMagick
11.2 090 ImageMagick Date: 2023-02-14 Severity: High
BLFS updated to ImageMagick-7.1.0-61 from 7.1.0-46. Belatedly, two CVEs have been raised against 7.1.0-49 (each with the same one-line fix in 7.1.0-52). These were for a Denial of Service and possible information disclosure on png files. The relevant code in 7.1.0-49 was identical in 7.1.0-46. Update to ImageMagick-7.1.0-61 or later. 11.2-090
Intel microcode
11.2 094 Intel Microcode Date: 2023-02-15 Severity: High
Intel microcode for some processors has been updated to fix two information disclosure vulnerabilities exploitable by local privileged users, and one privilege escalation vulnerability exploitable via adjacent network address. Read 11.2-094 for the list of affected processors and how to update the microcode to fix the vulnerabilities.
jasper
11.2 034 jasper Date: 2022-11-08 Severity: High
In jasper-4.0.0, two security vulnerabilities were fixed that could allow for a denial of service when processing crafted JPEG2000 images. Update to jasper-4.0.0 if you use gegl (GIMP), Qt5 (KDE Applications such as Gwenview and Okular), or ImageMagick. 11.2-034
Java (OpenJDK)
11.2 101 OpenJDK Date: 2023-02-22 Severity: Medium
In OpenJDK-19.0.2, two security vulnerabilities were fixed that could allow an unauthenticated attacker with network access to compromise a Java VM. Update to OpenJDK-19.0.2 immediately. 11.2-101
11.2 028 OpenJDK Date: 2022-10-31 Severity: Medium
In OpenJDK-19.0.1, five security vulnerabilities were fixed that could allow an unauthenticated attacker with network access through Kerberos, HTTP, or (more difficult) other protocols, to compromise a Java VM. Update to OpenJDK-19.0.1 immediately. 11.2-028
JS-102
11.2 092 JS-102 Date: 2023-02-14 Severity: High
In the Javascript code of firefox-102.8.0 there is a fix for a Use After Free, which could cause a potentially exploitable crash. 11.2-092
11.2 042 JS-102 Date: 2022-11-16 Severity: High
In the Javascript code of firefox-102.5.0 there is a fix for a Use After Free of a Javascript Realm, which could cause a potentially exploitable crash. 11.2-042
krb5
11.2 044 krb5 Date: 2022-11-17 Severity: Medium
In krb5-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service on 32-bit systems. Update to krb5-1.20.1 if you are using a 32-bit system, especially if you are using one in a server role. 11.2-044
Libksba
11.2 059 Libksba Date: 2022-12-21 Severity: High
In libksba-1.6.3 another severe bug in parsing ASN.1 structures was fixed. 11.2-059
11.2 014 Libksba Date: 2022-10-17 Severity: High
In libksba-1.6.2 a severe bug in parsing ASN.1 structures was fixed. 11.2-014
libtiff
11.2 064 libtiff Date: 2022-12-30 Severity: High
In libtiff-4.5.0, ten security vulnerabilities in the libtiff library and the 'tiffcrop' utility were fixed that could allow for arbitrary code execution and denial of service. Update to libtiff-4.5.0. 11.2-064
11.2 026 libtiff Date: 2022-10-28 Severity: Medium
In libtiff-4.4.0, five security vulnerabilities exist which can cause crashes when using the 'tiffcrop' and 'tiffsplit' utilities provided by that package. The BLFS team has created a patch to fix these issues. Rebuild libtiff with the patch. 11.2-026
libxml2
11.2 020 libxml2 Date: 2022-10-28 Severity: High
In libxml2-2.10.3, two security vulnerabilities were fixed that could allow for denial-of-service conditions or arbitrary code execution depending on the context in which an XML document is loaded. Update to libxml2-2.10.3. 11.2-020
Node.js
11.2 097 node.js Date: 2023-02-17 Severity: High
In node.js-18.14.1, five security vulnerabilities were fixed. One of these is rated as High. Update to Node.js-v18.14.1 (or v16.19.1 if you intend to stay with v16 and will be monitoring that for future updates). 11.2-097
11.2 035 Node.js Date: 2022-11-09 Severity: Medium
In Node.js-18.12.1, three security vulnerabilities were fixed. Only one applies to the version (16.18.0) which is in the stable book. It allows an attacker to perform DNS rebinding and execute arbitrary code. Update to Node.js-18.12.1. 11.2-035
11.2 010 Node.js Date: 2022-09-24 Severity: Critical
In Node.js-16.17.1, three security vulnerabilities were fixed that could allow for HTTP Request Smuggling and weak randomness in the WebCrypto Cryptography system. Update to Node.js-16.17.1. 11.2-010
NSS
11.2 091 NSS Updated: 2023-02-14 Severity: High
In NSS-3.88.1, 3.79.4 and 3.87.1 a bug was fixed where an attacker could construct a PKCS #12 certificate bundle in such a way that it could allow for arbitrary memory writes. Update to nss-3.88.1 or later. 11.2-091
ntfs-3g
11.2 038 ntfs-3g Date: 2022-11-09 Severity: High
In ntfs-3g-2022.10.3, a security vulnerability was fixed that could allow for arbitrary code execution at the kernel level. Update to ntfs-3g-2022.10.3. 11.2-038
OpenSSH
11.2 017 OpenSSH Date: 2022-10-28 Severity: Moderate
In OpenSSH-9.1p1, three potential security vulnerabilities were fixed in the ssh-keyscan, ssh-keysign, and ssh-keygen utilities. Update to OpenSSH-9.1p1 if you begin to experience crashes when using these utilities. 11.2-017
PHP
11.2 096 PHP Date: 2023-02-16 Severity: Critical
In PHP-8.2.3, three security vulnerabilities were fixed that could allow for denial of service or authentication bypass. If you are using the password_verify() function in an application, it is imperative that you update to PHP-8.2.3 immediately, since with some hashes it will always return true. 11.2-096
11.2 073 PHP Date: 2023-01-19 Severity: Medium
In PHP-8.2.1, a security vulnerability was fixed in PDO_SQLite which could allow for the module to return an unquoted string. Update to PHP-8.2.1 if you use the PDO_SQLite module. 11.2-073
11.2 039 PHP Date: 2022-11-10 Severity: Critical
In PHP-8.1.12, two security vulnerabilities were fixed that could allow for arbitrary code execution, remotely-exploitable crashes, and for memory contents to be read. These only impact users who use the GD or Hash modules in a program. Update to PHP-8.1.12 immediately if you use either of those two modules. 11.2-039
11.2 023 PHP Date: 2022-10-28 Severity: Medium
In PHP-8.1.11, two security vulnerabilities were fixed that could allow for cookie spoofing, and for denial-of-service when using the 'phar' command (due to an infinite loop). Update to PHP-8.1.11 if you use an application which uses cookies, or if you use the 'phar' command. 11.2-023
Pixman
11.2 037 Pixman Date: 2022-11-09 Severity: High
In Pixman-0.42.2, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service when certain pixmaps are processed, depending on the context of the application. Update to pixman-0.42.2 or later. 11.2-037
Poppler
11.2 001 Poppler Date: 2022-09-03 Severity: Critical
In Poppler-22.09.0, a critical security vulnerability was fixed that allows for trivial arbitrary code execution when processing PDF files. Update to poppler-22.09.0 immediately, but take note of build failures and their solutions described in the consolidated advisory. 11.2-001
PostgreSQL
11.2 085 PostgreSQL Date: 2023-02-12 Severity: Low
In PostgreSQL-15.2, a security vulnerability was fixed that could allow for leakage of confidential information in special circumstances when using Kerberos encryption. Update to PostgreSQL-15.2 if you are using PostgreSQL with Kerberos. 11.2-085
Python3
11.2 060 Python3 (LFS and BLFS) Date: 2022-12-26 Severity: High or Critical
In Python-3.11.1 five vulnerabilities were fixed, with one rated as High. Because updating from an old Python3 series to a new one requires rebuilding all the modules, if you are remaining on Python-3.10 you should update to Python-3.10.9 which includes a Critical fix as well as an additional fix rated as High and already fixed in 3.11.0. Update to 3.11.1 or later, or 3.10.9 or later as appropriate. 11.2-060
11.2 021 Python3 (LFS and BLFS) Date: 2022-10-28 Severity: High
In Python-3.10.8, three security vulnerabilities were fixed that could allow for integer overflows, shell code injection, and unsafe text injection when some modules are used. Update to Python-3.10.8 or later. 11.2-021
11.2 005 Python3 (LFS and BLFS) Date: 2022-09-14 Severity: High
In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (application crash) due to algorithmic complexity. Update to Python-3.10.7 or later. 11.2-005
QtWebEngine
11.2 065 QtWebEngine Date: 2023-01-07 Severity: Critical
In QtWebEngine-5.15.12, many Chromium security vulnerabilities were fixed, including two rated as Critical that allow a remote attacker who has compromised the renderer process to escape the sandbox, as well as many rated High allowing a remote attacker to potentially exploit heap corruption. Most of these are via a crafted HTML page, two are via a crafted PDF file, and a few require the user to install a malicious extension (which might not apply to users of qtwebengine). Update to QtWebEngine-5.15.12 or later. 11.2-065
11.2 006 QtWebEngine Date: 2022-09-19 Severity: Critical
In QtWebEngine-5.15.11, several security vulnerabilities were fixed that could allow for denial-of-service attacks, remote code execution, information disclosure, and arbitrary file creation and deletion. Update to QtWebEngine-5.15.11 immediately. 11.2-006
Ruby
11.2 050 Ruby Date: 2022-12-08 Severity: High
In Ruby-3.1.3, a security vulnerability was fixed that could allow for HTTP response splitting in applications which use the 'CGI' gem. Update to Ruby-3.1.3. 11.2-050
Rust
11.2 066 Rust Date: 2023-01-15 Severity: Medium
In all versions of Rust before 1.66.1, Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. This can allow an attacker to perform man-in-the-middle attacks when SSH is used. Update to Rust-1.66.1 or later. 11.2-066
rxvt-unicode
11.2 069 rxvt-unicode Date: 2023-01-19 Severity: Critical
In rxvt-unicode-9.31, a critical security vulnerability was fixed that could allow for remote code execution in some cases when using the Perl background extension. Update to rxvt-unicode-9.31 immediately. 11.2-069
Samba
11.2 086 Samba Date: 2023-02-12 Severity: High
In Samba-4.17.5, an improvement to a security fix for the Netlogon RPC Elevation of Privilege vulnerability was made. Update to Samba-4.17.5 immediately. 11.2-086
11.2 057 Samba Date: 2022-12-15 Severity: High
In Samba-4.17.4, four security vulnerabilities were fixed that could allow for privilege escalation. These are identical to vulnerabilities disclosed in Microsoft Windows on November 8th, 2022. Update to Samba-4.17.4 immediately. 11.2-057
11.2 045 Samba Date: 2022-11-17 Severity: Medium
In Samba-4.17.3, a security vulnerability was fixed that could allow for arbitrary code execution or denial of service on 32-bit systems. Update to Samba-4.17.3 immediately if you are using Samba in a server capacity on a 32-bit system. 11.2-045
11.2 025 Samba Date: 2022-10-28 Severity: Medium
In Samba-4.17.2, three security vulnerabilities were fixed that could allow for bad passwords to be accepted in some circumstances, as well as for attackers to escape an exported share using symbolic links, and for a crash when using GSSAPI. Update to Samba-4.17.2. 11.2-025
Seamonkey
11.2 088 Seamonkey Date: 2023-02-13 Severity: Critical
In Seamonkey-2.53.15, several security vulnerabilities that were fixed in Firefox and Thunderbird's 102.x series were fixed. These could allow for remote code execution, email spoofing, content security bypasses, UI spoofing, DNS redirection, remotely exploitable crashes, and keystroke leakage. Update to Seamonkey-2.53.15 immediately. 11.2-088
Sudo
11.2 074 Sudo Date: 2023-01-20 Severity: High
In Sudo-1.9.12p2, a flaw in sudo’s -e option (aka sudoedit) was fixed that could allow a malicious user with sudoedit privileges to edit arbitrary files. Update to Sudo-1.9.12p2 or later. 11.2-074
11.2 033 Sudo Date: 2022-11-08 Severity: High
In Sudo-1.9.12p1, a security vulnerability was fixed that could allow for arbitrary code execution, privilege escalation, or denial of service. Update to Sudo-1.9.12p1 or later. 11.2-033
sysstat
11.2 040 sysstat Date: 2022-11-14 Severity: High
In sysstat-12.6.1, a security vulnerability was fixed that could allow for remote code execution on 32-bit systems. You should update to sysstat-12.6.1 immediately if you are using a 32-bit system. 11.2-040
systemd
11.2 061 systemd (LFS and BLFS) Date: 2022-12-28 Severity: High
In systemd-241 and higher, a security vulnerability was discovered that could allow for a local information leak and privilege escalation due to systemd-coredump not respecting a kernel option (fs.suid_dumpable). Rebuild systemd with the patch. 11.2-061
Thunderbird
11.2 098 Thunderbird Date: 2023-02-21 Severity: High
In Thunderbird-102.8.0, several security vulnerabilities were fixed that could allow for content security policy bypasses, crashes, UI lockups, remote code execution, execution of code without a user's knowledge, and screen hijack. Update to Thunderbird-102.8.0. 11.2-098
11.2 087 Thunderbird Date: 2023-02-13 Severity: High
In Thunderbird-102.7.2, several security vulnerabilities were fixed that could allow for content security policy bypasses, remote code execution, notification bypasses, website spoofing attacks, and invalid signature verification of S/MIME email messages. Update to Thunderbird-102.7.2. 11.2-087
11.2 053 Thunderbird Revised: 2023-01-17 Severity: Critical
In Thunderbird-102.6.0, six security vulnerabilities were fixed, four of them rated as High by upstream. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. 11.2-053
11.2 048 Thunderbird Date: 2022-12-02 Severity: Moderate
In Thunderbird-102.5.1, a security vulnerability was fixed that could trigger downloading remote content, even if remote content is blocked. Update to Thunderbird-102.5.1 immediately. 11.2-048
11.2 046 Thunderbird Date: 2022-11-20 Severity: High
In Thunderbird-102.5.0, several security vulnerabilities were fixed that could allow for disclosure of information, spoofing attacks, exploitable crashes, removal of cookie protection, and denial-of-service conditions. Update to Thunderbird-102.5.0 immediately. 11.2-046
11.2 022 Thunderbird Date: 2022-10-28 Severity: High
In Thunderbird-102.4.0, several security vulnerabilities were fixed that could allow for arbitrary code execution, impersonation attacks, device verification attacks, and denial-of-service conditions. Update to Thunderbird-102.4.0 immediately, especially if you use the Matrix chat protocol. 11.2-022
11.2 013 Thunderbird Date: 2022-09-25 Severity: High
In Thunderbird-102.3.0, several security vulnerabilities were fixed that could allow for potentially exploitable crashes, session fixation, Content Security Policy bypass and memory safety bugs which may lead to remote code execution. Update to Thunderbird-102.3.0 immediately. 11.2-013
11.2 003 Thunderbird Date: 2022-09-03 Severity: High
In Thunderbird-102.2.1, several security vulnerabilities were fixed that could allow for leakage of sensitive information, unauthorized content access, unexpected network requests, and denial-of-service attacks. Update to Thunderbird-102.2.1 immediately. 11.2-003
Unbound
11.2 011 Unbound Date: 2022-09-24 Severity: High
In Unbound-1.16.3, a security vulnerability was fixed that could allow for a denial of service (excess resource consumption) due to a non-responsive delegation attack. Update to Unbound-1.16.3. 11.2-011
WebKitGTK+
11.2 100 WebKitGTK+ Date: 2023-02-21 Severity: Critical
In WebKitGTK+-2.38.5, a critical security vulnerability was fixed that could allow for remote code execution. The vulnerability is under active exploitation. Update to WebKitGTK+-2.38.5 immediately, but note the special instructions in the advisory. 11.2-100
11.2 080 WebKitGTK+ Date: 2023-02-07 Severity: Critical
In WebKitGTK+-2.38.4, three security vulnerabilities were fixed that could allow for remote code execution. Update to WebKitGTK+-2.38.4 immediately, but note the special instructions in the advisory. 11.2-080
11.2 068 WebKitGTK+ Date: 2023-01-19 Severity: High
In WebKitGTK+-2.38.3, several security vulnerabilities were fixed that could allow for remote code execution, denial of service, and sensitive information disclosure. Update to WebKitGTK+-2.38.3 immediately, but note the special instructions in the advisory. 11.2-068
11.2 056 WebKitGTK+ Date: 2022-12-15 Severity: Critical
In WebKitGTK+-2.38.2, five security vulnerabilities were fixed that could allow for remote code execution, arbitrary code execution, UI spoofing, application state disclosure, and disclosure of sensitive user information. Update to WebKitGTK+-2.38.2 immediately, but note the special instructions in the advisory. 11.2-056
11.2 008 WebKitGTK+ Date: 2022-09-21 Severity: Critical
In WebKitGTK+-2.36.8, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content. A proof of concept exploit exists. Update to WebKitGTK+-2.36.8. 11.2-008
Wireshark
11.2 079 Wireshark Date: 2023-02-07 Severity: High
In Wireshark-4.0.3, several security vulnerabilities were fixed that could allow for denial of service (excessive resource consumption, crashes, and memory leaks) when capturing (or reading packets) from a network which has EAP, NFS, GNW, iSCSI, TIPC, NCP, RTPS, or BPv6 packets traveling across it. Update to Wireshark-4.0.3 if you are on such a network. 11.2-079
11.2 051 Wireshark Date: 2022-12-08 Severity: Medium
In Wireshark-4.0.2, two security vulnerabilities were fixed that could allow for a denial-of-service (excessive resource consumption) when capturing (or reading packets) from a network which uses Kafka, BPv6, or OpenFlow packets. Update to Wireshark-4.0.2 if you are on such a network. 11.2-051
11.2 004 Wireshark Date: 2022-09-14 Severity: Medium
In Wireshark-3.6.8, a security vulnerability was fixed that could allow for a denial-of-service when capturing packets on a network that uses F5 Ethernet Trailer packets. Update to Wireshark-3.6.8 if you're on such a network. 11.2-004
xfce4-settings
11.2 041 xfce4-settings Date: 2022-11-14 Severity: High
In xfce4-settings-4.16.5, a security vulnerability was fixed that could allow for argument injection when processing MIME types. Update to xfce4-settings-4.16.5 or later. 11.2-041
Xorg-server
11.2 078 xorg-server Date: 2023-02-07 Severity: High
In xorg-server-21.1.7, a vulnerability was fixed that could lead to local privilege elevation on systems where the X server is running privileged, or remote code execution for ssh X forwarding sessions. Update to xorg-server-21.1.7. 11.2-078
11.2 058 xorg-server Date: 2022-12-20 Severity: Medium
In xorg-server-21.1.6, two vulnerabilities were fixed that could allow for privilege escalation or remote code execution. 11.2-058
11.2 054 xorg-server Date: 2022-12-15 Severity: High
In xorg-server-21.1.5, six vulnerabilities were fixed that could allow for privilege escalation or remote code execution. 11.2-054
xwayland
11.2 084 xwayland Date: 2023-02-09 Severity: High
In xwayland-22.1.8, a vulnerability was fixed that could lead to local privilege elevation on systems where xwayland is running privileged, or remote code execution for ssh X forwarding sessions. Update to xwayland-22.1.8. 11.2-084
11.2 055 xwayland Date: 2022-12-15 Severity: High
In xwayland-22.1.6, six vulnerabilities were fixed that could allow for privilege escalation or remote code execution. 11.2-055