Lector de Feeds

Publication date: 12 Apr 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-32364 , CVE-2025-32365 Description A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN. (CVE-2025-32364) Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check. (CVE-2025-32365) References

• https://bugs.mageia.org/show_bug.cgi?id=34182
• https://ubuntu.com/security/notices/USN-7426-1
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/7MHRTVNCUQHLCEUDCYX24NK4ID3BMFG5/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32364
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32365

SRPMS 9/core

• poppler-23.02.0-1.5.mga9

Publication date: 12 Apr 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-30258 Description In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS". (CVE-2025-30258) References

• https://bugs.mageia.org/show_bug.cgi?id=34165
• https://ubuntu.com/security/notices/USN-7412-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30258

SRPMS 9/core

• gnupg2-2.3.8-1.3.mga9

Publication date: 12 Apr 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-27795 Description ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits. (CVE-2025-27795) References

• https://bugs.mageia.org/show_bug.cgi?id=34163
• https://lwn.net/Articles/1016352/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27795

SRPMS 9/core

• graphicsmagick-1.3.40-1.1.mga9

9/tainted

• graphicsmagick-1.3.40-1.1.mga9.tainted

Publication date: 12 Apr 2025
Type: bugfix
Affected Mageia releases : 9
Description Writer crashes in some circumstances when trying to edit or insert a TOC. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=34174
• https://bugs.documentfoundation.org/show_bug.cgi?id=163325

SRPMS 9/core

• libreoffice-24.2.7.2-1.2.mga9

Publication date: 10 Apr 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-31115 Description XZ has a heap-use-after-free bug in threaded .xz decoder. (CVE-2025-31115) References

• https://bugs.mageia.org/show_bug.cgi?id=34164
• https://www.openwall.com/lists/oss-security/2025/04/03/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31115

SRPMS 9/core

• xz-5.4.3-1.1.mga9

Publication date: 10 Apr 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-40635 Description containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. References

• https://bugs.mageia.org/show_bug.cgi?id=34145
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IAMUEOAZJQQS6MSFKLEO72TDYAONTTXF/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635

SRPMS 9/core

• docker-containerd-1.7.27-1.mga9

Publication date: 10 Apr 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-31160 Description atop through 2.11.0 allows local users to cause a denial of service (e.g., assertion failure and application exit) or possibly have unspecified other impact by running certain types of unprivileged processes while a different user runs atop. (CVE-2025-31160) References

• https://bugs.mageia.org/show_bug.cgi?id=34139
• https://www.openwall.com/lists/oss-security/2025/03/26/2
• https://www.openwall.com/lists/oss-security/2025/03/26/3
• https://rachelbythebay.com/w/2025/03/26/atop/
• https://news.ycombinator.com/item?id=43485980
• https://news.ycombinator.com/item?id=43477057
• https://www.openwall.com/lists/oss-security/2025/03/29/1
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3K7T3QBXEP6TWTVJEMB47AVS2B2R5O5V/
• https://lists.debian.org/debian-security-announce/2025/msg00054.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31160

SRPMS 9/core

• atop-2.8.1-1.1.mga9

Publication date: 10 Apr 2025
Type: bugfix
Affected Mageia releases : 9
Description arte.tv has changed the URL of the videos and qarte is unable to retrieve the lists and the videos. Version 5.9.0 fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=34159
• https://bugs.launchpad.net/qarte/+bug/2102036

SRPMS 9/core

• qarte-5.9.0-1.mga9