Lector de Feeds

Publication date: 18 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8176 , CVE-2025-59375 Description Improper restriction of xml entity expansion depth in libexpat. (CVE-2024-8176) This is an extension of the fix published in MGASA-2025-0109 that was determined by upstream to be incomplete. Libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. (CVE-2025-59375) References

• https://bugs.mageia.org/show_bug.cgi?id=34640
• https://bugs.mageia.org/show_bug.cgi?id=34111
• https://www.openwall.com/lists/oss-security/2025/09/24/11
• https://advisories.mageia.org/MGASA-2025-0109.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8176
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375

SRPMS 9/core

• expat-2.7.3-1.mga9

Publication date: 17 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8671 Description It was discovered that a denial of service attack can be performed on cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the server to consume unnecessary resources processing requests for which the response will not be delivered (CVE-2025-8671). References

• https://bugs.mageia.org/show_bug.cgi?id=34587
• https://www.openwall.com/lists/oss-security/2025/08/13/6
• https://www.openwall.com/lists/oss-security/2025/08/16/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8671

SRPMS 9/core

• varnish-7.7.3-1.mga9
• lighttpd-1.4.80-1.3.mga9