Feed Reader
MGASA-2025-0065 - Updated golang packages fix security vulnerability
Publication date: 14 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-22866
Description: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec. (CVE-2025-22866)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34009
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3TLTJ366QWWXT5LOMCQMCAWW4WSJRVJG/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22866
- golang-1.22.12-1.mga9
Categories: Security Updates
MGASA-2025-0064 - Updated postgresql15 & postgresql13 packages fix security vulnerability
Publication date: 14 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-1094
Description: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation. (CVE-2025-1094)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34018
- https://www.postgresql.org/about/news/postgresql-173-167-1511-1416-and-1319-released-3015/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1094
- postgresql15-15.11-1.mga9
- postgresql13-13.19-1.mga9
Categories: Security Updates
MGAA-2025-0014 - Updated ffmulticonverter packages fix bug
Publication date: 14 Feb 2025
Type: bugfix
Affected Mageia releases: 9
Description: Issues with the conversions and the progress bar have been reported. This update fixes the issues and removes python3-sip as a requirement, as it is no longer needed.
References:
SRPMS 9/core:
- ffmulticonverter-1.8.0-10.1.mga9
Categories: Security Updates
Becoming a Mageia Packager
Apprenticeship in progress
← Older revision Revision as of 09:56, 14 February 2025 Line 224: Line 224: | pol4n || neoclust || [https://ml.mageia.org/l/arc/dev/2022-03/msg00117.html 2022-03-11] || {{yes|Done}} || {{yes|Done}} || {{yes|Done}} || {{yes|Done}} || rpcbind/sitecopy/spamassassin/ssdeep/sslsplit || {{yes|Done}} || {{yes|Done}} || tap<br>woff2<br>shairplay<br>ntpsec<br>clusterscripts<br>nagios-plugins<br>xymons<br>zathuras<br>rizins<br>vnstat || 2022-08-18 | pol4n || neoclust || [https://ml.mageia.org/l/arc/dev/2022-03/msg00117.html 2022-03-11] || {{yes|Done}} || {{yes|Done}} || {{yes|Done}} || {{yes|Done}} || rpcbind/sitecopy/spamassassin/ssdeep/sslsplit || {{yes|Done}} || {{yes|Done}} || tap<br>woff2<br>shairplay<br>ntpsec<br>clusterscripts<br>nagios-plugins<br>xymons<br>zathuras<br>rizins<br>vnstat || 2022-08-18 |- |- −| joselp || papoteur,mokraemer || {{yes|Done}} || || {{yes|Done}} || || || || || || || +| joselp || papoteur,mokraemer || {{yes|Done}} || || {{yes|Done}} || || || || || photomontage || || |- |- | zekemx || kekepower || {{yes|Done}} || || || || || 1. conky || || || || | zekemx || kekepower || {{yes|Done}} || || || || || 1. conky || || || || Papoteur
Categories: Mageia Wiki
MGASA-2025-0063 - Updated ofono packages fix security vulnerabilities
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-2794, CVE-2023-4232, CVE-2023-4233, CVE-2023-4234, CVE-2023-4235
Description:
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver() function. (CVE-2023-2794)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_status_report() function. (CVE-2023-4232)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the sms_decode_address_field(). (CVE-2023-4233)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_submit_report() function. (CVE-2023-4234)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver_report() function. (CVE-2023-4235)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33841
- https://ubuntu.com/security/notices/USN-7141-1
- https://ubuntu.com/security/notices/USN-7151-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2794
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4232
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4233
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4234
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4235
- ofono-2.1-1.1.mga9
Categories: Security Updates
MGASA-2025-0062 - Updated perl-Net-OAuth, perl-Crypt-URandom & perl-Module-Build packages fix security vulnerability
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-22376
Description: In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. (CVE-2025-22376)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33923
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLAEBHWU2NBVEDHXVVKYY4Y2XLNJX2VX/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22376
- perl-Net-OAuth-0.300.0-1.mga9
- perl-Crypt-URandom-0.370.0-1.mga9
- perl-Module-Build-0.423.400-1.mga9
Categories: Security Updates
MGASA-2025-0061 - Updated ark packages fix security vulnerability
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-57966
Description: A security issue exists in Ark where a maliciously crafted archive containing file paths beginning with "/" allows files to be extracted to locations outside the intended directory.
References:
- https://bugs.mageia.org/show_bug.cgi?id=34013
- https://kde.org/info/security/advisory-20250207-1.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57966
- ark-23.04.3-1.1.mga9
Categories: Security Updates
Security Updates
Releasing the update: Mention advisories.mageia.org
← Older revision Revision as of 08:21, 13 February 2025 Line 399: Line 399: Once the update candidate has been validated (i.e., approved) by the QA Team, a member of the Once the update candidate has been validated (i.e., approved) by the QA Team, a member of the Sysadmin Team [[#42|[42]]] will see that the updated packages get pushed to the mirrors and that the advisory is Sysadmin Team [[#42|[42]]] will see that the updated packages get pushed to the mirrors and that the advisory is −posted to the website and e-mailed to the updates-announce mailing list [[#43|[43]]] . Every Linux distribution has+posted to https://advisories.mageia.org/ and e-mailed to the updates-announce mailing list [[#43|[43]]] . Every Linux distribution has −a similar mailing list for update announcements. Varying amounts of automation and manual work are+a similar mailing list for update announcements. The advisories will also be picked eventually up by aggregators like https://osv.dev/. −involved in this last stage of the process for different Linux distributions.+Varying amounts of automation and manual work are involved in this last stage of the process for each separate Linux distributions. == Other considerations == == Other considerations == Danf
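Review bot: two of the added sentences have wording problems. "The advisories will also be picked eventually up by aggregators" has the adverb splitting the phrasal verb; suggest "will eventually also be picked up by aggregators". "for each separate Linux distributions" mixes singular and plural; suggest "for each Linux distribution", or keep the earlier "for different Linux distributions".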
Categories: Mageia Wiki
MGASA-2025-0060 - Updated python-tornado packages fix security vulnerability
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-52804
Description: Tornado has an HTTP cookie parsing DoS vulnerability. (CVE-2024-52804)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33816
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KECEA6QVDQMKX34TWO73YYIDDQZZ476N/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804
- python-tornado-6.3.2-1.1.mga9
Categories: Security Updates
MGASA-2025-0059 - Updated php-tcpdf packages fix security vulnerabilities
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56519, CVE-2024-56521, CVE-2024-56522, CVE-2024-56527
Description:
An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. (CVE-2024-56519)
An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely. (CVE-2024-56521)
An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes. (CVE-2024-56522)
An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message. (CVE-2024-56527)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33898
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZX3ABLKKEVGN4M4BBUJFPBNWW5SHP7J3/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56519
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56521
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56522
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56527
- php-tcpdf-6.5.0-1.3.mga9
Categories: Security Updates
SOP Adding user to group
See also: Link to LDAP_Groups
← Older revision Revision as of 19:55, 12 February 2025 (One intermediate revision by the same user not shown)Line 37: Line 37: [root@duvel ~]# ldapmodify -H ldaps://ldap.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -f removeowner.ldif [root@duvel ~]# ldapmodify -H ldaps://ldap.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -f removeowner.ldif + += See also = +* [https://people.mageia.org/g/ Active groups] +* [[LDAP Groups]] needed for different roles [[Category:Sysadmin]] [[Category:Sysadmin]] Danf
Categories: Mageia Wiki
Sysadmin Tasks
Access/Identity: Bugzilla admins
← Older revision Revision as of 19:43, 12 February 2025 Line 23: Line 23: * [[SOP Sysadmin access revocation]] * [[SOP Sysadmin access revocation]] * [[SOP Adding groups]] * [[SOP Adding groups]] −* Blocking users in Bugzilla due to spammy behaviour+* Blocking users in Bugzilla due to spammy behaviour ''(this is currently done by Bugzilla admins, not Sysadmins)'' * Unlock user account * Unlock user account * [[SOP robot credentials renewal]] * [[SOP robot credentials renewal]] Danf
Categories: Mageia Wiki
MGASA-2025-0058 - Updated subversion packages fix security vulnerability
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-46901
Description: Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. (CVE-2024-46901)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33838
- https://www.openwall.com/lists/oss-security/2024/12/09/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46901
- subversion-1.14.2-2.1.mga9
Categories: Security Updates
