Lector de Feeds

Publication date: 18 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1080 Description Macro URL arbitrary script execution. (CVE-2025-1080) References

• https://bugs.mageia.org/show_bug.cgi?id=34068
• https://lists.debian.org/debian-security-announce/2025/msg00035.html
• https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1080

SRPMS 9/core

• libreoffice-24.2.7.2-1.1.mga9

Add example commit, more details

← Older revision Revision as of 18:36, 17 March 2025 Line 2: Line 2:     * take a checkout of puppet configuration * take a checkout of puppet configuration −* go to modules/buildsystem/templates+* go to ''modules/buildsystem/templates'' −* edit submit-todo.conf+* edit ''submit-todo.conf''    −in checks/version/cauldron ( yaml hierarchy )+in ''checks/version/cauldron'' ( yaml hierarchy )     * change mode from   * change mode from   Line 13: Line 13:     * commit and push * commit and push −* connect on valstar and apply puppet manifest+   +The change will come into effect on the next Puppet run (up to 45 minutes). Here is [https://gitweb.mageia.org/infrastructure/puppet/commit/?id=7827863672e52cfdf43d20a7d776cc1ba6ec313a an example] of such a commit.  +   +A Release Freeze is done similarly, but with  +   + mode: freeze     == How to add someone to the list of users able to upload == == How to add someone to the list of users able to upload ==    −* connect on ldap.mageia.org with sysadmin account+* add the user to the group ''mga-release_managers'' using the [[SOP Adding user to group]] procedure −* add the user to the group "mga-release_managers"      [[Category:Sysadmin]] [[Category:Sysadmin]] Danf

Publication date: 17 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-25724 Description list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale. (CVE-2025-25724 References

• https://bugs.mageia.org/show_bug.cgi?id=34102
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2VPBSF65DTMKEEGFEJY6QEGJSZY7TSKV/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25724

SRPMS 9/core

• libarchive-3.6.2-5.4.mga9

Publication date: 17 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-13176 Description Timing side-channel in ECDSA signature computation. (CVE-2024-13176) References

• https://bugs.mageia.org/show_bug.cgi?id=34106
• https://openssl-library.org/news/secadv/20250120.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176

SRPMS 9/core

• quictls-3.0.15-1.2.mga9

Publication date: 17 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1219 , CVE-2025-1736 , CVE-2025-1861 , CVE-2025-1734 , CVE-2025-1217 Description Bugs and security with streams have been fixed. References

• https://bugs.mageia.org/show_bug.cgi?id=34091
• https://www.php.net/ChangeLog-8.php#8.2.28
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1219
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1217
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1734
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1861
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1736
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1219
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1736
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1861
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1734
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1217

SRPMS 9/core

• php-8.2.28-1.mga9

Publication date: 17 Mar 2025
Type: bugfix
Affected Mageia releases : 9
Description A Python console inside a document does not work. References

• https://bugs.mageia.org/show_bug.cgi?id=34104

SRPMS 9/core

• texmacs-2.1.2-1.1.mga9

Publication date: 17 Mar 2025
Type: bugfix
Affected Mageia releases : 9
Description Haproxy has two major, a few medium and a few minor bugs fixed in the last upstream version 2.8.14 of branch 2.8. Fixed major bug list: - quic: reject too large CRYPTO frames - quic: fix wrong packet building due to already acked frames Fixed medium bug list: - checks: make sure to always apply offsets to now_ms in expiration - debug: don't set the STUCK flag from debug_handler() - debug: on panic, make the target thread automatically allocate its buf - event_hdl: fix uninitialized value in async mode when no data is provided - h3: Increase max number of headers when sending headers - h3: Properly limit the number of headers received - http-ana: Don't release too early the L7 buffer - http-ana: Reset request flag about data sent to perform a L7 retry - mailers: make sure to always apply offsets to now_ms in expiration - mux-h1: Fix how timeouts are applied on H1 connections - mux-h1/mux-h2: Reject upgrades with payload on H2 side only - mux-h1: Properly close H1C if an error is reported before sending data - mux-h2: Check the number of headers in HEADERS frame after decoding - mux-h2: Don't send RST_STREAM frame for streams with no ID - mux-h2: Increase max number of headers when encoding HEADERS frames - pattern: prevent uninitialized reads in pat_match_{str,beg} - pools/memprofile: always clean stale pool info on pool_destroy() - queue: always dequeue the backend when redistributing the last server - queue: Make process_srv_queue return the number of streams - queue: make sure never to queue when there's no more served conns - queues: Do not use pendconn_grab_from_px(). - queues: Make sure we call process_srv_queue() when leaving - quic: handle retransmit for standalone FIN STREAM - quic: prevent crash due to CRYPTO parsing error - quic: support wait-for-handshake - resolvers: Insert a non-executed resulution in front of the wait list - sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set - stconn: Don't forward shut for SC in connecting state - stconn: Only consider I/O timers to update stream's expiration date - stconn: Really report blocked send if sends are blocked by an error - stktable: fix missing lock on some table converters - stream: make stream_shutdown() async-safe References

• https://bugs.mageia.org/show_bug.cgi?id=34105
• https://www.haproxy.org/download/2.8/src/CHANGELOG

SRPMS 9/core

• haproxy-2.8.14-1.mga9

Removed sparkleshare

← Older revision Revision as of 14:29, 17 March 2025 Line 618: Line 618:     The category contains the following packages, alphabetically: The category contains the following packages, alphabetically: −*+* sparkleshare     <!-- More? --> <!-- More? --> Papoteur

Publication date: 16 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-27363 Description An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files which may result in arbitrary code execution. References

• https://bugs.mageia.org/show_bug.cgi?id=34095
• https://www.openwall.com/lists/oss-security/2025/03/13/1
• https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27363

SRPMS 9/core

• freetype2-2.13.0-1.2.mga9

9/tainted

• freetype2-2.13.0-1.2.mga9.tainted

Publication date: 16 Mar 2025
Type: bugfix
Affected Mageia releases : 9
Description xfce4-weather-plugin only shows "no data" due to an API access mismatch. References

• https://bugs.mageia.org/show_bug.cgi?id=34094

SRPMS 9/core

• xfce4-weather-plugin-0.11.3-1.mga9