BLFS Security Advisories for 13.0

BLFS Security Advisories for BLFS 13.0 and the current development books.

BLFS-13.0 was released on 2026-03-05

This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.

The links at the end of each item point to more details which have links to the development books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

BIND

13.0 002 BIND Date: 2026-03-06 Severity: Low

In BIND-9.20.20, a security vulnerability was fixed in the delv utility that could allow for a remotely exploitable crash in the dns_client_resolve() function triggered by a DNAME response. The issue is due to a use after free, and relies on a user passing a very rare set of options to exploit. The only known impact is a crash, and the issue requires user interaction to exploit, so upstream has rated the vulnerability as Low. This utility is only installed in a full BIND installation, and does NOT affect the BIND Utilities package in BLFS. If you are not experiencing crashes in the 'delv' utility, there is no need to upgrade. Update to BIND-9.20.20. 13.0-002

Exiv2

13.0 004 Exiv2 Date: 2026-03-06 Severity: Low

In Exiv2-0.28.8, three security vulnerabilities were fixed that could allow for a denial of service (application crash) when using the exiv2 command line tool. The library itself is not affected. Users that are using the preview component (e.g. passing '-pp' to the exiv2 command line tool) or who are processing CRW videos should update, as the issues only affect those use cases. There is no need to update otherwise. Update to Exiv2-0.28.8. 13.0-004

FreeRDP

13.0 001 FreeRDP Date: 2026-03-06 Severity: High

In FreeRDP-3.23.0, twelve security vulnerabilities were fixed that could allow for remotely exploitable client and server crashes, information disclosure, and remote code execution. This can occur in a large variety of situations, including when using the clipboard redirection feature, connecting to a server, and resizing the window. Users who have FreeRDP installed should consider updating immediately if they connect to untrusted servers or are hosting a publicly-accessible RDP server. Update to FreeRDP-3.23.0. 13.0-001

FreeType

13.0 003 FreeType2 Date: 2026-03-06 Severity: Medium

In FreeType-2.14.2, a security vulnerability was fixed that could allow for arbitrary code execution, information disclosure, or a denial of service (application crash) when processing the HVAR, VVAR, or MVAR tables in an OpenType variable font. This problem occurs due to an out of bounds read, caused by an integer overflow problem. This update also has several other fixes for other potential security problems, and upstream recommends that all users update to this version of FreeType. Update to FreeType-2.14.2. 13.0-003

libxml2

13.0 005 libxml2 Date: 2026-03-06 Severity: Medium

In libxml2-2.15.2, five security vulnerabilities were fixed that could allow for a denial of service (resource exhaustion and application crashes) when using the xmllint utility in some rare conditions, when an application calls the xmlCatalogXMLResolveURI function when an XML catalog contains a URI entry that references itself, when processing XML catalogs with repeated nextCatalog elements pointing to the same downstream catalog, when parsing XSL nodes, and when using the RelaxNG parser to include external schemas. Update to libxml2-2.15.2. 13.0-005

nfs-utils

13.0 007 nfs-utils Date: 2026-03-09 Severity: Medium

In nfs-utils-2.8.6, a security vulnerability was fixed that could allow for a NFSv3 client to escalate privileges assigned to it in the /etc/exports file at mount time. It allows a client to access any subdirectory or subtree of an exported directory regardless of file permissions or other attributes that would normally be expected to apply to the client. This primarily affects servers running NFS, but all users should update due to other bugfixes in this package. Update to nfs-utils-2.8.6. 13.0-007

Wireshark

13.0 006 Wireshark Date: 2026-03-08 Severity: Medium

In Wireshark-4.6.4, three security vulnerabilities were fixed that could allow for a denial of service (memory exhaustion and remotely exploitable crash) when dissecting USB HID packets, RF4CE Profile packets, or NTS-KE packets. Users who are using Wireshark but are not operating a network with NTS-KE or RF4CE Profile packets, or who are not using the USB HID dissector, do not need to upgrade. However, if you are on a network where those packet types are in use, or are using Wireshark to dissect USB HID traffic, you should update Wireshark if you are experiencing crashes. Update to Wireshark-4.6.4. 13.0-006