Feed Reader
MGASA-2025-0195 - Updated nss & firefox packages fix security vulnerabilities
Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-5262, CVE-2025-5263, CVE-2025-5264, CVE-2025-5266, CVE-2025-5267, CVE-2025-5268, CVE-2025-5269
Description
- CVE-2025-5283: A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash.
- CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks.
- CVE-2025-5264: Due to insufficient escaping of the newline character in the "Copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
- CVE-2025-5266: Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks.
- CVE-2025-5267: A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page.
- CVE-2025-5268: Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- CVE-2025-5269: Memory safety bug present in Firefox ESR 128.10 and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.
We can't ship this update to the armv7hl architecture; we are investigating the issue and will try to update firefox for armv7hl as soon as possible.
References
- https://bugs.mageia.org/show_bug.cgi?id=34337
- https://www.mozilla.org/en-US/firefox/128.11.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_112.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5262
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5263
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5264
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5266
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5267
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5268
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5269
- firefox-128.11.0-1.1.mga9
- firefox-l10n-128.11.0-1.mga9
- nss-3.112.0-1.mga9
Categories: Security Updates
MGASA-2025-0194 - Updated yarnpkg packages fix security vulnerabilities
Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2020-7677, CVE-2021-43138, CVE-2022-3517, CVE-2024-37890, CVE-2024-48949, CVE-2022-37599, CVE-2023-26136, CVE-2023-46234, CVE-2024-12905, CVE-2024-4067, CVE-2025-48387
Description
- CVE-2024-37890 yarnpkg: denial of service when handling a request with many HTTP headers.
- CVE-2024-48949 yarnpkg: Missing Validation in Elliptic's EDDSA Signature Verification.
- CVE-2024-12905 yarnpkg: link following and path traversal via maliciously crafted tar file.
Other vulnerabilities in yarn's bundled nodejs components are fixed too; see the references.
References
- https://bugs.mageia.org/show_bug.cgi?id=33674
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UGLXZO6VIHGIITQTEUY5Q5YCAP2A4ZP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEDIJM7VQF4Q2L2KKQ6KJ2WZNR7AXYQD/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7677
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43138
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37890
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48949
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37599
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46234
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12905
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48387
- yarnpkg-1.22.22-0.10.9.2.1.mga9
Categories: Security Updates
MGASA-2025-0193 - Updated python-django packages fix security vulnerability
Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48432
Description
- Potential log injection via unescaped request path. (CVE-2025-48432)
References
- https://bugs.mageia.org/show_bug.cgi?id=34348
- https://www.openwall.com/lists/oss-security/2025/06/04/5
- https://www.openwall.com/lists/oss-security/2025/06/10/2
- https://ubuntu.com/security/notices/USN-7555-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVFOPDCA45B4XTMYRHQUSJ7JCA56453W/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
- python-django-4.1.13-1.5.mga9
Categories: Security Updates
MGASA-2025-0192 - Updated apache-mod_security packages fix security vulnerabilities
Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47947, CVE-2025-48866
Description
- ModSecurity has a possible DoS vulnerability. (CVE-2025-47947)
- ModSecurity has a possible DoS vulnerability in the sanitiseArg action. (CVE-2025-48866)
References
- https://bugs.mageia.org/show_bug.cgi?id=34362
- https://lists.debian.org/debian-security-announce/2025/msg00104.html
- https://ubuntu.com/security/notices/USN-7567-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48866
- apache-mod_security-2.9.7-1.1.mga9
Categories: Security Updates
MGASA-2025-0191 - Updated tomcat packages fix security vulnerabilities
Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48988, CVE-2025-49125
Description
- FileUpload: large number of parts with headers DoS. (CVE-2025-48988)
- Security constraint bypass for pre/post-resources. (CVE-2025-49125)
References
- https://bugs.mageia.org/show_bug.cgi?id=34376
- https://www.openwall.com/lists/oss-security/2025/06/16/1
- https://www.openwall.com/lists/oss-security/2025/06/16/2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125
- tomcat-9.0.106-1.mga9
Categories: Security Updates
MGASA-2025-0190 - Updated clamav packages fix security vulnerability
Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-20260
Description
- Fixed a possible buffer overflow write bug in the PDF file parser that could cause a denial-of-service (DoS) condition or enable remote code execution. (CVE-2025-20260)
References
- https://bugs.mageia.org/show_bug.cgi?id=34387
- https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20260
- clamav-1.0.9-1.mga9
Categories: Security Updates
MGAA-2025-0063 - Updated nodejs packages fix bug
Publication date: 25 Jun 2025
Type: bugfix
Affected Mageia releases : 9
Description
i586 packages that depend on nodejs to build have issues building: the build never ends, or it fails at some point after a long time. This update fixes the reported issue, but as of this release, i586 will require CPUs with SSE2 support.
References
SRPMS 9/core
- nodejs-22.16.0-4.mga9
Categories: Security Updates
SOP Mass rebuild
Mageia_Release_Countdown
← Older revision | Revision as of 00:53, 25 June 2025 (Danf)
Line 12:
 [[Sysadmin New Release]]
+[[Mageia Release Countdown]]
 [[Category:Sysadmin]]
Categories: Mageia Wiki
