Lector de Feeds

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2020-7677 , CVE-2021-43138 , CVE-2022-3517 , CVE-2024-37890 , CVE-2024-48949 , CVE-2022-37599 , CVE-2023-26136 , CVE-2023-46234 , CVE-2024-12905 , CVE-2024-4067 , CVE-2025-48387 Description CVE-2024-37890 yarnpkg: denial of service when handling a request with many HTTP headers. CVE-2024-48949 yarnpkg: Missing Validation in Elliptic's EDDSA Signature Verification. CVE-2024-12905 yarnpkg: link following and path traversal via maliciously crafted tar file And other vulnerabilities in the yarn's bundled nodejs components are fixed too, see the references. References

• https://bugs.mageia.org/show_bug.cgi?id=33674
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UGLXZO6VIHGIITQTEUY5Q5YCAP2A4ZP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEDIJM7VQF4Q2L2KKQ6KJ2WZNR7AXYQD/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7677
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43138
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37890
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48949
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37599
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46234
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12905
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48387

SRPMS 9/core

• yarnpkg-1.22.22-0.10.9.2.1.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48432 Description Potential log injection via unescaped request path. (CVE-2025-48432) References

• https://bugs.mageia.org/show_bug.cgi?id=34348
• https://www.openwall.com/lists/oss-security/2025/06/04/5
• https://www.openwall.com/lists/oss-security/2025/06/10/2
• https://ubuntu.com/security/notices/USN-7555-1
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVFOPDCA45B4XTMYRHQUSJ7JCA56453W/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432

SRPMS 9/core

• python-django-4.1.13-1.5.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47947 , CVE-2025-48866 Description ModSecurity Has Possible DoS Vulnerability. (CVE-2025-47947) ModSecurity has possible DoS vulnerability in sanitiseArg action. (CVE-2025-48866) References

• https://bugs.mageia.org/show_bug.cgi?id=34362
• https://lists.debian.org/debian-security-announce/2025/msg00104.html
• https://ubuntu.com/security/notices/USN-7567-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47947
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48866

SRPMS 9/core

• apache-mod_security-2.9.7-1.1.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48988 , CVE-2025-49125 Description FileUpload large number of parts with headers DoS. (CVE-2025-48988) Security constraint bypass for pre/post-resources. (CVE-2025-49125) References

• https://bugs.mageia.org/show_bug.cgi?id=34376
• https://www.openwall.com/lists/oss-security/2025/06/16/1
• https://www.openwall.com/lists/oss-security/2025/06/16/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125

SRPMS 9/core

• tomcat-9.0.106-1.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-20260 Description Fixed a possible buffer overflow write bug in the PDF file parser that could cause a denial-of-service (DoS) condition or enable remote code execution. (CVE-2025-20260) References

• https://bugs.mageia.org/show_bug.cgi?id=34387
• https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20260

SRPMS 9/core

• clamav-1.0.9-1.mga9

Publication date: 25 Jun 2025
Type: bugfix
Affected Mageia releases : 9
Description i586 packages that depend on nodejs to build have issues building: the build never ends or it fails at some point after lots of time. This update fixes the reported issue, but since this release, i586 will require CPUs with SSE2 support. References

• https://bugs.mageia.org/show_bug.cgi?id=34384

SRPMS 9/core

• nodejs-22.16.0-4.mga9

Mageia_Release_Countdown

← Older revision Revision as of 00:53, 25 June 2025 Line 12: Line 12:     [[Sysadmin New Release]] [[Sysadmin New Release]]  +[[Mageia Release Countdown]]     [[Category:Sysadmin]] [[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:53, 25 June 2025 Line 1: Line 1:  [[Category:Documentation]] [[Category:Documentation]]  [[Category:Mirrors]] [[Category:Mirrors]]  +[[Category:Sysadmin]]     {{Multi_language_banner|[[Spiegelserver Liste-de|Deutsch]] ; [[Mirror_List|English]] ; [[Liste des miroirs-fr|français]] ; [[Spiegelserverlijst-nl|Nederlands]] ; [[Yansı Listesi|Turkisk]] ; [[Listas de espelhos-pt-BR|português brasileiro]] ;}} {{Multi_language_banner|[[Spiegelserver Liste-de|Deutsch]] ; [[Mirror_List|English]] ; [[Liste des miroirs-fr|français]] ; [[Spiegelserverlijst-nl|Nederlands]] ; [[Yansı Listesi|Turkisk]] ; [[Listas de espelhos-pt-BR|português brasileiro]] ;}} Danf

typos

← Older revision Revision as of 00:51, 25 June 2025 Line 6: Line 6:  However there's a trick for rebuilding the first packages in order to bootstrap the new perl. However there's a trick for rebuilding the first packages in order to bootstrap the new perl.    −In order to minimize cauldron disrupting, we'll usually rebuild the packages into core/updates_testing.+In order to minimize cauldron disruption, we'll usually rebuild the packages into core/updates_testing. −Once we've enough rebuild pkgs, they'll be moved into core/release and then any remaining pkg will be fixed.+Once we've enough rebuilt pkgs, they'll be moved into core/release and then any remaining pkgs will be fixed.     == Pass 0 for urpmi: Filesys-Df, Locale-gettext, URPM & XML-LibXML == == Pass 0 for urpmi: Filesys-Df, Locale-gettext, URPM & XML-LibXML ==    −Bootstrapping is tricky, there's a script for that at [https://gitweb.mageia.org/software/build-system/iurt/tree/rebuild_perl_iurt rebuild_perl_iurt] that needs to be run for each architecture :+Bootstrapping is tricky; there's a script for that at [https://gitweb.mageia.org/software/build-system/iurt/tree/rebuild_perl_iurt rebuild_perl_iurt] that needs to be run for each architecture :  <pre> <pre>  perl (not really needed as iurt/rebuild_perl_iurt will build it though it could catch a build error not seen locally) perl (not really needed as iurt/rebuild_perl_iurt will build it though it could catch a build error not seen locally) Line 38: Line 38:  </pre> </pre>    −== Pass 1 : pkgs just depending on base perl, that will enable to rebuild perl pkgs further in the dep tree ==+== Pass 1 : pkgs just depending on base perl, that will enable rebuilding perl pkgs further in the dep tree ==  This list was generated by using "urpmf --requires libperl.so" then sorted by deps : This list was generated by using "urpmf --requires libperl.so" then sorted by deps :    Line 110: Line 110:  </pre> </pre>    −=== Really less urgent: ===+=== Much less urgent: ===  <pre> <pre>  apache-mod_perl apache-mod_perl Line 472: Line 472:  </pre> </pre>    −=== 6b: the other who would only be caught while running perl modules depending on them: ===+=== 6b: the others who would only be caught while running perl modules depending on them: ===  <pre> <pre>  libguestfs libguestfs Line 599: Line 599:  *** either using drakx-in-chroot (See [[Drakx-installer tips and tricks]] for details) *** either using drakx-in-chroot (See [[Drakx-installer tips and tricks]] for details)    −One should just try a cople steps before aborting.+One should just try a couple steps before aborting. −If there's an error after a cople step, everything is OK.+If there's no error after a couple steps, everything is OK.     If there's an error, usually we need to include a missing perl module now needed by some of the modules used by drakx. If there's an error, usually we need to include a missing perl module now needed by some of the modules used by drakx. Line 609: Line 609:  == For references : deps for base packages == == For references : deps for base packages ==    −Those importants needs the following perl pkgs to be rebuild in order to be installable (not listing noarch perl modules from Core/Release)+Those important ones need the following perl pkgs to be rebuilt in order to be installable (not listing noarch perl modules from Core/Release)     perl-URPM needs (for building & running) perl-URPM needs (for building & running) Danf

Category:Sysadmin

← Older revision Revision as of 00:48, 25 June 2025 Line 14: Line 14:     providing the build ID you just found. providing the build ID you just found.  +  +[[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:47, 25 June 2025 Line 37: Line 37:  </pre> </pre>  where XXX is the string after ''userPassword::''. Ensure that what is displayed is different from what you sent it to, or else the password has not yet been changed. where XXX is the string after ''userPassword::''. Ensure that what is displayed is different from what you sent it to, or else the password has not yet been changed.  +  +[[Category:Sysadmin]] Danf

See also

← Older revision Revision as of 00:45, 25 June 2025 Line 8: Line 8:     Documentation for the full rebuild process is TBD. Documentation for the full rebuild process is TBD.  +  +== See Also ==  +  +[[Sysadmin New Release]]     [[Category:Sysadmin]] [[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:44, 25 June 2025 Line 24: Line 24:  </pre> </pre>  The previous maintainer's ID will be displayed when done. If the package name is invalid, an error message will be displayed and no reassignment will take place. The previous maintainer's ID will be displayed when done. If the package name is invalid, an error message will be displayed and no reassignment will take place.  +  +  +[[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:44, 25 June 2025 Line 18: Line 18:  ./secondary_submit /distrib/bootstrap/distrib/cauldron/SRPMS/core/release/{foo}.src.rpm cauldron {arch} core/release {user who should get the email in case of failure} ./secondary_submit /distrib/bootstrap/distrib/cauldron/SRPMS/core/release/{foo}.src.rpm cauldron {arch} core/release {user who should get the email in case of failure}  </pre> </pre>  +  +[[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:44, 25 June 2025 Line 42: Line 42:     TBD TBD  +  +[[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:43, 25 June 2025 Line 40: Line 40:  EOF EOF  </pre> </pre>  +  +[[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:43, 25 June 2025 Line 39: Line 39:     If the user no longer has access to the old address and is unable to change it, then these changes will need to be done by a sysadmin in a manner TBD. If the user no longer has access to the old address and is unable to change it, then these changes will need to be done by a sysadmin in a manner TBD.  +  +[[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:43, 25 June 2025 Line 16: Line 16:  For packagers, use ''mga-users'' as the primary group. For packagers, use ''mga-users'' as the primary group.  For other users, ''TBD'' (but ''mga-users'' is probably fine). For other users, ''TBD'' (but ''mga-users'' is probably fine).  +  +[[Category:Sysadmin]] Danf

Publication date: 24 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-29018 Description External DNS requests from 'internal' networks could lead to data exfiltration - CVE-2024-29018 We can't determine if docker 24.0.5 is affected but as it is no longer supported we are releasing version 25.0.7, as it is supported and free of the CVE. References

• https://bugs.mageia.org/show_bug.cgi?id=33870
• External DNS requests from 'internal' networks could lead to data
• https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
• https://github.com/moby/moby/releases/tag/v25.0.7
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29018

SRPMS 9/core

• docker-25.0.7-1.mga9

Publication date: 24 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-6019 Description A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system. References

• https://bugs.mageia.org/show_bug.cgi?id=34380
• https://www.openwall.com/lists/oss-security/2025/06/17/4
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6019

SRPMS 9/core

• udisks2-2.10.1-1.1.mga9
• libblockdev-3.3.1-1.mga9