Feed Reader

MGASA-2025-0063 - Updated ofono packages fix security vulnerabilities

Mageia Security - 13 February, 2025 - 20:09
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-2794, CVE-2023-4232, CVE-2023-4233, CVE-2023-4234, CVE-2023-4235

Description
SMS decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver() function. (CVE-2023-2794)
SMS decoder stack-based buffer overflow remote code execution vulnerability within the decode_status_report() function. (CVE-2023-4232)
SMS decoder stack-based buffer overflow remote code execution vulnerability within the sms_decode_address_field(). (CVE-2023-4233)
SMS decoder stack-based buffer overflow remote code execution vulnerability within the decode_submit_report() function. (CVE-2023-4234)
SMS decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver_report() function. (CVE-2023-4235)

References

SRPMS
9/core
  • ofono-2.1-1.1.mga9

MGASA-2025-0062 - Updated perl-Net-OAuth, perl-Crypt-URandom & perl-Module-Build packages fix security vulnerability

Mageia Security - 13 February, 2025 - 20:09
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-22376

Description
In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. (CVE-2025-22376)

References

SRPMS
9/core
  • perl-Net-OAuth-0.300.0-1.mga9
  • perl-Crypt-URandom-0.370.0-1.mga9
  • perl-Module-Build-0.423.400-1.mga9

MGASA-2025-0061 - Updated ark packages fix security vulnerability

Mageia Security - 13 February, 2025 - 20:09
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-57966

Description
A security issue exists in Ark where a maliciously crafted archive containing file paths beginning with "/" allows files to be extracted to locations outside the intended directory.

References

SRPMS
9/core
  • ark-23.04.3-1.1.mga9

Security Updates

Wiki Mageia - 13 February, 2025 - 09:21

Releasing the update: Mention advisories.mageia.org

← Older revision Revision as of 08:21, 13 February 2025 Line 399: Line 399:  Once the update candidate has been validated (i.e., approved) by the QA Team, a member of the Once the update candidate has been validated (i.e., approved) by the QA Team, a member of the  Sysadmin Team [[#42|[42]]] will see that the updated packages get pushed to the mirrors and that the advisory is Sysadmin Team [[#42|[42]]] will see that the updated packages get pushed to the mirrors and that the advisory is −posted to the website and e-mailed to the updates-announce mailing list [[#43|[43]]] . Every Linux distribution has+posted to https://advisories.mageia.org/ and e-mailed to the updates-announce mailing list [[#43|[43]]] . Every Linux distribution has −a similar mailing list for update announcements. Varying amounts of automation and manual work are+a similar mailing list for update announcements. The advisories will also be picked eventually up by aggregators like https://osv.dev/. −involved in this last stage of the process for different Linux distributions.+Varying amounts of automation and manual work are involved in this last stage of the process for each separate Linux distributions.     == Other considerations == == Other considerations == Danf
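Review bot: Two of the added sentences have wording slips that should be fixed before this revision stands. "The advisories will also be picked eventually up by aggregators" has the adverb splitting the verb and should read "will eventually also be picked up by aggregators", and "for each separate Linux distributions" mixes singular and plural, so either "for each Linux distribution" or the previous "for different Linux distributions" is needed. It would also help to format https://advisories.mageia.org/ and https://osv.dev/ the same way as the other references on the page (the surrounding text uses numbered [[#42|[42]]] style links) rather than as bare URLs.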
Categories: Mageia Wiki

MGASA-2025-0060 - Updated python-tornado packages fix security vulnerability

Mageia Security - 12 February, 2025 - 22:31
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-52804

Description
Tornado has an HTTP cookie parsing DoS vulnerability. (CVE-2024-52804)

References

SRPMS
9/core
  • python-tornado-6.3.2-1.1.mga9

MGASA-2025-0059 - Updated php-tcpdf packages fix security vulnerabilities

Mageia Security - 12 February, 2025 - 22:31
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56519, CVE-2024-56521, CVE-2024-56522, CVE-2024-56527

Description
An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. (CVE-2024-56519)
An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely. (CVE-2024-56521)
An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes. (CVE-2024-56522)
An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message. (CVE-2024-56527)

References

SRPMS
9/core
  • php-tcpdf-6.5.0-1.3.mga9

SOP Adding user to group

Wiki Mageia - 12 February, 2025 - 20:55

See also: Link to LDAP_Groups

← Older revision Revision as of 19:55, 12 February 2025 (One intermediate revision by the same user not shown)Line 37: Line 37:        [root@duvel ~]# ldapmodify -H ldaps://ldap.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -f removeowner.ldif    [root@duvel ~]# ldapmodify -H ldaps://ldap.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -f removeowner.ldif  +  += See also =  +* [https://people.mageia.org/g/ Active groups]  +* [[LDAP Groups]] needed for different roles     [[Category:Sysadmin]] [[Category:Sysadmin]] Danf
Categories: Mageia Wiki

Sysadmin Tasks

Wiki Mageia - 12 February, 2025 - 20:43

Access/Identity: Bugzilla admins

← Older revision Revision as of 19:43, 12 February 2025 Line 23: Line 23:  * [[SOP Sysadmin access revocation]] * [[SOP Sysadmin access revocation]]  * [[SOP Adding groups]] * [[SOP Adding groups]] −* Blocking users in Bugzilla due to spammy behaviour+* Blocking users in Bugzilla due to spammy behaviour ''(this is currently done by Bugzilla admins, not Sysadmins)''  * Unlock user account * Unlock user account  * [[SOP robot credentials renewal]] * [[SOP robot credentials renewal]] Danf
Categories: Mageia Wiki

MGASA-2025-0058 - Updated subversion packages fix security vulnerability

Mageia Security - 12 February, 2025 - 19:29
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-46901

Description
Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. (CVE-2024-46901)

References

SRPMS
9/core
  • subversion-1.14.2-2.1.mga9

MGASA-2025-0057 - Updated ffmpeg packages fix security vulnerability

Mageia Security - 12 February, 2025 - 19:29
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-49528

Description
A buffer overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via af_dialoguenhance.c:261:5 in the de_stereo component. (CVE-2023-49528)

References

SRPMS
9/core
  • ffmpeg-5.1.6-1.1.mga9
9/tainted
  • ffmpeg-5.1.6-1.1.mga9.tainted

MGASA-2025-0056 - Updated python-setuptools packages fix security vulnerability

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-6345

Description
Remote Code Execution in pypa/setuptools. (CVE-2024-6345)

References

SRPMS
9/core
  • python-setuptools-65.5.0-3.1.mga9

MGASA-2025-0055 - Updated python-pip packages fix security vulnerability

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-5752

Description
Mercurial configuration injectable in repo revision when installing via pip. (CVE-2023-5752)

References

SRPMS
9/core
  • python-pip-23.0.1-1.1.mga9

MGASA-2025-0054 - Updated python-twisted packages fix security vulnerabilities

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-46137, CVE-2024-41671, CVE-2024-41810

Description
Twisted.web has disordered HTTP pipeline response. (CVE-2023-46137)
Twisted.web has disordered HTTP pipeline response. (CVE-2024-41671)
HTML injection in HTTP redirect body. (CVE-2024-41810)

References

SRPMS
9/core
  • python-twisted-22.10.0-2.1.mga9

MGASA-2025-0053 - Updated python-waitress packages fix security vulnerabilities

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-49768, CVE-2024-49769

Description
Waitress has a request processing race condition in HTTP pipelining with an invalid first request. (CVE-2024-49768)
Waitress has a denial of service leading to high CPU usage/resource exhaustion. (CVE-2024-49769)

References

SRPMS
9/core
  • python-waitress-2.1.2-1.1.mga9

MGASA-2025-0052 - Updated python-ansible-core packages fix security vulnerabilities

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-8775, CVE-2024-9902, CVE-2024-11079

Description
Exposure of sensitive information in Ansible vault files due to improper logging. (CVE-2024-8775)
Ansible-core user may read/write unauthorized content. (CVE-2024-9902)
Unsafe tagging bypass via hostvars object in ansible-core. (CVE-2024-11079)

References

SRPMS
9/core
  • python-ansible-core-2.14.18-1.mga9

MGASA-2025-0051 - Updated nginx packages fix security vulnerability

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-23419

Description
TLS Session Resumption Vulnerability. (CVE-2025-23419)

References

SRPMS
9/core
  • nginx-1.26.3-1.mga9

MGASA-2025-0050 - Updated python-jinja2 packages fix security vulnerability

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56326

Description
Jinja has a sandbox breakout through an indirect reference to a format method. (CVE-2024-56326)

References

SRPMS
9/core
  • python-jinja2-3.1.5-1.mga9

MGASA-2025-0049 - Updated calibre packages fix security vulnerabilities

Mageia Security - 12 February, 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-46303, CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009

Description
link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root. (CVE-2023-46303)
Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read. (CVE-2024-6781)
Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution. (CVE-2024-6782)
Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting. (CVE-2024-7008)
Unsanitized user input in Calibre <= 7.15.0 allows users with permissions to perform full-text searches to achieve SQL injection on the SQLite database. (CVE-2024-7009)

References

SRPMS
9/core
  • calibre-6.17.0-1.1.mga9