Lector de Feeds

Publication date: 21 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-32661 Description FreeRDP rdp_write_logon_info_v1 NULL access. (CVE-2024-32661) References

• https://bugs.mageia.org/show_bug.cgi?id=34086
• https://ubuntu.com/security/notices/USN-7341-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32661

SRPMS 9/core

• freerdp-2.11.7-1.1.mga9

Publication date: 21 Mar 2025
Type: bugfix
Affected Mageia releases : 9
Description An incorrect path caused gforthmi to fail to operate by default on x86_64 and aarch64. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=34109

SRPMS 9/core

• gforth-0.7.3-10.1.mga9

‎xsltproc: Fix link again

← Older revision Revision as of 17:21, 20 March 2025 (2 intermediate revisions by the same user not shown)Line 69: Line 69:  https://bugs.mageia.org/show_bug.cgi?id=20760 https://bugs.mageia.org/show_bug.cgi?id=20760    −xsltproc can be tested by following the instructions [http://www.w3schools.com/xsl/xsl_transformation.asp here] and creating cdcatalog.xml and cdcatalog.xsl as below:+xsltproc can be tested by following the instructions [https://www.w3schools.com/xml/ref_xsl_el_transform.asp here] and creating cdcatalog.xml and cdcatalog.xsl as below:       Line 87: Line 87:       −There is an extended version you can [http://www.w3schools.com/xsl/cdcatalog.xml download from here] - right click & save link as.+There is an extended version you can [https://www.w3schools.com/xml/cdcatalog.xml download from here] - right click & save link as.    −The xsl stylesheet should be saved as cdcatalog.xsl as below. [http://www.w3schools.com/xsl/cdcatalog.xsl direct download here].  +The xsl stylesheet should be saved as cdcatalog.xsl as below. [https://www.w3schools.com/xml/cdcatalog.xsl direct download here].         Line 144: Line 144:     </pre> </pre> −  −      == python-libxslt == == python-libxslt == Katnatek

‎xsltproc: Other link update

← Older revision Revision as of 16:59, 20 March 2025 (One intermediate revision by the same user not shown)Line 69: Line 69:  https://bugs.mageia.org/show_bug.cgi?id=20760 https://bugs.mageia.org/show_bug.cgi?id=20760    −xsltproc can be tested by following the instructions [http://www.w3schools.com/xsl/xsl_transformation.asp here] and creating cdcatalog.xml and cdcatalog.xsl as below:+xsltproc can be tested by following the instructions [https://www.w3schools.com/xml/ref_xsl_el_transform.asp here] and creating cdcatalog.xml and cdcatalog.xsl as below:       Line 89: Line 89:  There is an extended version you can [http://www.w3schools.com/xsl/cdcatalog.xml download from here] - right click & save link as. There is an extended version you can [http://www.w3schools.com/xsl/cdcatalog.xml download from here] - right click & save link as.    −The xsl stylesheet should be saved as cdcatalog.xsl as below. [http://www.w3schools.com/xsl/cdcatalog.xsl direct download here].  +The xsl stylesheet should be saved as cdcatalog.xsl as below. [https://www.w3schools.com/xml/cdcatalog.xsl direct download here].         Line 144: Line 144:     </pre> </pre> −  −      == python-libxslt == == python-libxslt == Katnatek

Publication date: 19 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-29768 Description Vim vulnerable to potential data loss with zip.vim and special crafted zip files. (CVE-2025-29768) References

• https://bugs.mageia.org/show_bug.cgi?id=34097
• https://www.openwall.com/lists/oss-security/2025/03/12/4
• https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29768

SRPMS 9/core

• vim-9.1.1202-1.mga9

Publication date: 19 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-28366 Description The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. References

• https://bugs.mageia.org/show_bug.cgi?id=34116
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366

SRPMS 9/core

• mosquitto-2.0.21-1.mga9

Publication date: 19 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2004-56337 , CVE-2025-24813 Description Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can. (CVE-2004-56337) Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue (CVE-2025-24813). References

• https://bugs.mageia.org/show_bug.cgi?id=34112
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/WQRQ6JSFISH4LSDOH7IDJHNYPKMGUF5X/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-56337
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813

SRPMS 9/core

• tomcat-9.0.102-1.mga9

Publication date: 19 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1920 , CVE-2025-2135 , CVE-2025-2136 , CVE-2025-2137 Description High CVE-2025-1920: Type Confusion in V8. High CVE-2025-2135: Type Confusion in V8. High CVE-2025-24201: Out of bounds write in GPU on Mac. Medium CVE-2025-2136: Use after free in Inspector. Medium CVE-2025-2137: Out of bounds read in V8. References

• https://bugs.mageia.org/show_bug.cgi?id=34099
• https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1920
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2135
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2136
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2137

SRPMS 9/tainted

• chromium-browser-stable-134.0.6998.88-1.mga9.tainted

← Older revision Revision as of 18:05, 19 March 2025 Line 71: Line 71:  Overview: Overview:    −# Developer builds a package SRPM containing all application source code as well as any unpackaged dependency source code needed by the application (i.e. vendoring it), including a SBOM for those dependencies+# Developer builds a package SRPM containing all application source code as well as any unpackaged dependency source code needed by the application (i.e. vendoring it), including a SBOM (Software Bill of Materials) for those dependencies  # The build system uses only locally-available source to build (as always) and adds a reference to the main source(s) to the SBOM, for completeness # The build system uses only locally-available source to build (as always) and adds a reference to the main source(s) to the SBOM, for completeness  # For interpreted languages, the build system puts any vendored code into a filesystem location specific to the application in the final RPM # For interpreted languages, the build system puts any vendored code into a filesystem location specific to the application in the final RPM Barjac

To do a good job, we need good tools. Some of our servers are old, no longer powerful enough and have limited disk resources to meet the needs of developers. RPM manufacturing takes a long time and this is detrimental to the efficiency of maintaining and evolving the distribution. In short, the machines are well depreciated.

This is why our infrastructure is first getting a makeover. Better adapted to new technologies, it will allow our developers to work faster and more efficiently.

So where is this new infrastructure?

 We received 5 new servers:

– 2 new nodes for building packages: HPE ProLiant DL 360 Gen10 – 2xXeon 6126 (12C/2.6GHz) –

256GB RAM – 2xSSD 3.8TB HW Raid 1 – 2x10Gb/s NICs

– 2 servers to replace sucuk and duvel: HPE ProLiant DL 380 Gen10 – 2 Xeon 6126 (12C/2.6GHz) –

256GB RAM – 2xSSD 3.8TB HW Raid 1 – 10xHDD 12TB HW Raid 5 – 2x10Gb/s NICs

– 1 server for deployment and backup: HPE ProLiant DL80 Gen9 – 2xXeon  E5-2603v4

(6C/1.7GHz) – 256GB RAM – 6xHDD 6TB (donated, with some renewed parts)

– 1 Arista 7120T switch 20xRJ-45 10Gb/s 4xSFP+ 10Gb/s for interconnecting the machines

One of the ideas is to use the latest server to deploy quickly and as automatically as possible the construction nodes and other machines. The method is ready for x86_64 nodes and is being finalized for ARM nodes. The preparation of the servers takes time because the teams anticipate the future and future developments.

Once the preparation part of our servers is finished, the integration part into the Data Center will remain.

We are therefore taking our time to do things well in order to perpetuate the future and future versions of Mageia.

In the meantime, the future version 10 of Mageia continues to bubble in its cauldron! But we are not ready yet to plan a release date for the moment.

Feel free to come and strengthen our teams.