Lector de Feeds

Publication date: 18 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1080 Description Macro URL arbitrary script execution. (CVE-2025-1080) References

• https://bugs.mageia.org/show_bug.cgi?id=34068
• https://lists.debian.org/debian-security-announce/2025/msg00035.html
• https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1080

SRPMS 9/core

• libreoffice-24.2.7.2-1.1.mga9

Add example commit, more details

← Older revision Revision as of 18:36, 17 March 2025 Line 2: Line 2:     * take a checkout of puppet configuration * take a checkout of puppet configuration −* go to modules/buildsystem/templates+* go to ''modules/buildsystem/templates'' −* edit submit-todo.conf+* edit ''submit-todo.conf''    −in checks/version/cauldron ( yaml hierarchy )+in ''checks/version/cauldron'' ( yaml hierarchy )     * change mode from   * change mode from   Line 13: Line 13:     * commit and push * commit and push −* connect on valstar and apply puppet manifest+   +The change will come into effect on the next Puppet run (up to 45 minutes). Here is [https://gitweb.mageia.org/infrastructure/puppet/commit/?id=7827863672e52cfdf43d20a7d776cc1ba6ec313a an example] of such a commit.  +   +A Release Freeze is done similarly, but with  +   + mode: freeze     == How to add someone to the list of users able to upload == == How to add someone to the list of users able to upload ==    −* connect on ldap.mageia.org with sysadmin account+* add the user to the group ''mga-release_managers'' using the [[SOP Adding user to group]] procedure −* add the user to the group "mga-release_managers"      [[Category:Sysadmin]] [[Category:Sysadmin]] Danf

Publication date: 17 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-25724 Description list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale. (CVE-2025-25724 References

• https://bugs.mageia.org/show_bug.cgi?id=34102
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2VPBSF65DTMKEEGFEJY6QEGJSZY7TSKV/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25724

SRPMS 9/core

• libarchive-3.6.2-5.4.mga9

Publication date: 17 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-13176 Description Timing side-channel in ECDSA signature computation. (CVE-2024-13176) References

• https://bugs.mageia.org/show_bug.cgi?id=34106
• https://openssl-library.org/news/secadv/20250120.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176

SRPMS 9/core

• quictls-3.0.15-1.2.mga9

Publication date: 17 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1219 , CVE-2025-1736 , CVE-2025-1861 , CVE-2025-1734 , CVE-2025-1217 Description Bugs and security with streams have been fixed. References

• https://bugs.mageia.org/show_bug.cgi?id=34091
• https://www.php.net/ChangeLog-8.php#8.2.28
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1219
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1217
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1734
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1861
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1736
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1219
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1736
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1861
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1734
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1217

SRPMS 9/core

• php-8.2.28-1.mga9

Publication date: 17 Mar 2025
Type: bugfix
Affected Mageia releases : 9
Description A Python console inside a document does not work. References

• https://bugs.mageia.org/show_bug.cgi?id=34104

SRPMS 9/core

• texmacs-2.1.2-1.1.mga9

Publication date: 17 Mar 2025
Type: bugfix
Affected Mageia releases : 9
Description Haproxy has two major, a few medium and a few minor bugs fixed in the last upstream version 2.8.14 of branch 2.8. Fixed major bug list: - quic: reject too large CRYPTO frames - quic: fix wrong packet building due to already acked frames Fixed medium bug list: - checks: make sure to always apply offsets to now_ms in expiration - debug: don't set the STUCK flag from debug_handler() - debug: on panic, make the target thread automatically allocate its buf - event_hdl: fix uninitialized value in async mode when no data is provided - h3: Increase max number of headers when sending headers - h3: Properly limit the number of headers received - http-ana: Don't release too early the L7 buffer - http-ana: Reset request flag about data sent to perform a L7 retry - mailers: make sure to always apply offsets to now_ms in expiration - mux-h1: Fix how timeouts are applied on H1 connections - mux-h1/mux-h2: Reject upgrades with payload on H2 side only - mux-h1: Properly close H1C if an error is reported before sending data - mux-h2: Check the number of headers in HEADERS frame after decoding - mux-h2: Don't send RST_STREAM frame for streams with no ID - mux-h2: Increase max number of headers when encoding HEADERS frames - pattern: prevent uninitialized reads in pat_match_{str,beg} - pools/memprofile: always clean stale pool info on pool_destroy() - queue: always dequeue the backend when redistributing the last server - queue: Make process_srv_queue return the number of streams - queue: make sure never to queue when there's no more served conns - queues: Do not use pendconn_grab_from_px(). - queues: Make sure we call process_srv_queue() when leaving - quic: handle retransmit for standalone FIN STREAM - quic: prevent crash due to CRYPTO parsing error - quic: support wait-for-handshake - resolvers: Insert a non-executed resulution in front of the wait list - sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set - stconn: Don't forward shut for SC in connecting state - stconn: Only consider I/O timers to update stream's expiration date - stconn: Really report blocked send if sends are blocked by an error - stktable: fix missing lock on some table converters - stream: make stream_shutdown() async-safe References

• https://bugs.mageia.org/show_bug.cgi?id=34105
• https://www.haproxy.org/download/2.8/src/CHANGELOG

SRPMS 9/core

• haproxy-2.8.14-1.mga9

Removed sparkleshare

← Older revision Revision as of 14:29, 17 March 2025 Line 618: Line 618:     The category contains the following packages, alphabetically: The category contains the following packages, alphabetically: −*+* sparkleshare     <!-- More? --> <!-- More? --> Papoteur