Feed Reader

Vendored dependencies

Mageia Wiki - 15 February 2025 - 20:42

Go: Proposed workflow

← Older revision | Revision as of 19:42, 15 February 2025 (edit by Danf), line 99:

Unchanged context:
The [https://vuln.go.dev/ Go Vulnerability Database] can be used on an ongoing basis to find security issues in Go packages from the SBOMs of those packages.

Removed:
''details TBD''

Added:
A possible workflow:

# After the RPM %install step, run the following:
#: <pre>syft scan --output spdx-tag-value="%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}.spdx" dir:%{buildroot}</pre>
#: ''syft'' scans the installed binaries and generates a SBOM including the Go dependencies embedded therein (including Go's stdlib version). The resulting SBOM file can be stored in a permanent location for later scans.
# Periodically, scan all the SBOM files to see if any of them show dependencies that have reported vulnerabilities by running on each file:
#: <pre>grype --output json sbom:"%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}.spdx"</pre>
# If any new vulnerabilities are found, open a bug so the package can be rebuilt.

Unchanged context:
== See Also ==
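The periodic rescan step of the proposed workflow, as an added example (not code from the Mageia wiki): it builds the syft and grype command lines exactly as given above, reduces grype's JSON report to (package, version, vulnerability id, severity) tuples, and keeps only the ids that do not already have a bug filed. The sample report and the vulnerability ids in it are constructed; the set of already-reported ids is assumed to come from the bug tracker.

```python
import json
import subprocess

# Command lines from the proposed workflow. rpmbuild expands %{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}
# and %{buildroot} before the spec runs them, so the caller passes the expanded values here.
def syft_command(nvra: str, buildroot: str) -> list[str]:
    return ["syft", "scan", "--output", f"spdx-tag-value={nvra}.spdx", f"dir:{buildroot}"]

def grype_command(sbom_path: str) -> list[str]:
    return ["grype", "--output", "json", f"sbom:{sbom_path}"]

def scan_sbom(sbom_path: str) -> str:
    """Run grype on one stored SBOM and return its JSON report (needs grype installed)."""
    proc = subprocess.run(grype_command(sbom_path), check=True, capture_output=True, text=True)
    return proc.stdout

def findings_from_grype_json(report: str) -> list[tuple[str, str, str, str]]:
    """Reduce grype's JSON report (top-level "matches" array) to sorted, de-duplicated
    (package, version, vulnerability id, severity) tuples."""
    doc = json.loads(report)
    found = set()
    for match in doc.get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        found.add((artifact.get("name", "?"), artifact.get("version", "?"),
                   vuln.get("id", "?"), vuln.get("severity", "Unknown")))
    return sorted(found)

def new_findings(findings, already_reported: set[str]) -> list[tuple[str, str, str, str]]:
    """Only vulnerabilities without an open bug need a new bug, so filter by id."""
    return [f for f in findings if f[2] not in already_reported]

# Constructed sample of a grype JSON report, trimmed to the fields used above;
# the vulnerability ids are placeholders, not real entries.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "GO-0000-0001", "severity": "High"},
     "artifact": {"name": "example.org/somelib", "version": "v1.2.3"}},
    {"vulnerability": {"id": "GO-0000-0002", "severity": "Medium"},
     "artifact": {"name": "stdlib", "version": "go1.22.0"}},
]})

if __name__ == "__main__":
    # Assumed: ids already tracked in bugzilla; in practice query the tracker for them.
    already_filed = {"GO-0000-0001"}
    for pkg, ver, vid, sev in new_findings(findings_from_grype_json(SAMPLE_REPORT), already_filed):
        print(f"open bug: {pkg} {ver} affected by {vid} ({sev}) -> rebuild needed")
```

To run it against real SBOMs, replace SAMPLE_REPORT with scan_sbom(path) for each stored .spdx file.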
Categories: Mageia Wiki

MGASA-2025-0067 - Updated ffmpeg packages fix security vulnerabilities

Mageia Security - 14 February 2025 - 23:55
Publication date: 14 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-49502, CVE-2024-31578
Description
A buffer overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component. (CVE-2023-49502)
FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function. (CVE-2024-31578)
References
SRPMS
9/core
  • ffmpeg-5.1.6-1.2.mga9
9/tainted
  • ffmpeg-5.1.6-1.2.mga9.tainted

MGASA-2025-0066 - Updated python-zipp packages fix security vulnerability

Mageia Security - 14 February 2025 - 23:55
Publication date: 14 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-5569
Description
Denial of Service via crafted zip file in jaraco/zipp. (CVE-2024-5569)
References
SRPMS
9/core
  • python-zipp-3.8.1-3.1.mga9

MGAA-2025-0015 - Updated texstudio packages fix bugs

Mageia Security - 14 February 2025 - 23:55
Publication date: 14 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description
The application crashed and the package needed additional requirements to make it work well once installed. This update fixes the issues.
References
SRPMS
9/core
  • texstudio-4.5.1-2.1.mga9

MGASA-2025-0065 - Updated golang packages fix security vulnerability

Mageia Security - 14 February 2025 - 21:36
Publication date: 14 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-22866
Description
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec. (CVE-2025-22866)
References
SRPMS
9/core
  • golang-1.22.12-1.mga9

MGASA-2025-0064 - Updated postgresql15 & postgresql13 packages fix security vulnerability

Mageia Security - 14 February 2025 - 21:36
Publication date: 14 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1094
Description
PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation. (CVE-2025-1094)
References
SRPMS
9/core
  • postgresql15-15.11-1.mga9
  • postgresql13-13.19-1.mga9

MGAA-2025-0014 - Updated ffmulticonverter packages fix bug

Mageia Security - 14 February 2025 - 21:36
Publication date: 14 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description
Issues with the conversions and the progress bar have been reported. This update fixes the issues and removes python3-sip as a requirement, as it is no longer needed.
References
SRPMS
9/core
  • ffmulticonverter-1.8.0-10.1.mga9

Becoming a Mageia Packager

Mageia Wiki - 14 February 2025 - 10:56

Apprenticeship in progress

← Older revision | Revision as of 09:56, 14 February 2025 (edit by Papoteur), line 224:

Unchanged context:
| pol4n || neoclust || [https://ml.mageia.org/l/arc/dev/2022-03/msg00117.html 2022-03-11] || {{yes|Done}} || {{yes|Done}} || {{yes|Done}} || {{yes|Done}} || rpcbind/sitecopy/spamassassin/ssdeep/sslsplit || {{yes|Done}} || {{yes|Done}} || tap<br>woff2<br>shairplay<br>ntpsec<br>clusterscripts<br>nagios-plugins<br>xymons<br>zathuras<br>rizins<br>vnstat || 2022-08-18
|-

Removed:
| joselp || papoteur,mokraemer || {{yes|Done}} ||  || {{yes|Done}} ||  ||  ||  ||  || ||  ||

Added:
| joselp || papoteur,mokraemer || {{yes|Done}} ||  || {{yes|Done}} ||  ||  ||  ||  || photomontage ||  ||

Unchanged context:
|-
| zekemx || kekepower || {{yes|Done}} ||  || ||  ||  || 1. conky ||  ||  ||  ||
Categories: Mageia Wiki

MGASA-2025-0063 - Updated ofono packages fix security vulnerabilities

Mageia Security - 13 February 2025 - 20:09
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-2794, CVE-2023-4232, CVE-2023-4233, CVE-2023-4234, CVE-2023-4235
Description
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver() function. (CVE-2023-2794)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_status_report() function. (CVE-2023-4232)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the sms_decode_address_field() function. (CVE-2023-4233)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_submit_report() function. (CVE-2023-4234)
Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver_report() function. (CVE-2023-4235)
References
SRPMS
9/core
  • ofono-2.1-1.1.mga9

MGASA-2025-0062 - Updated perl-Net-OAuth, perl-Crypt-URandom & perl-Module-Build packages fix security vulnerability

Mageia Security - 13 February 2025 - 20:09
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-22376
Description
In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. (CVE-2025-22376)
References
SRPMS
9/core
  • perl-Net-OAuth-0.300.0-1.mga9
  • perl-Crypt-URandom-0.370.0-1.mga9
  • perl-Module-Build-0.423.400-1.mga9

MGASA-2025-0061 - Updated ark packages fix security vulnerability

Mageia Security - 13 February 2025 - 20:09
Publication date: 13 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-57966
Description
A security issue exists in Ark where a maliciously crafted archive containing file paths beginning with "/" allows files to be extracted to locations outside the intended directory. (CVE-2024-57966)
References
SRPMS
9/core
  • ark-23.04.3-1.1.mga9

Security Updates

Mageia Wiki - 13 February 2025 - 09:21

Releasing the update: Mention advisories.mageia.org

← Older revision | Revision as of 08:21, 13 February 2025 (edit by Danf), line 399:

Unchanged context:
Once the update candidate has been validated (i.e., approved) by the QA Team, a member of the
Sysadmin Team [[#42|[42]]] will see that the updated packages get pushed to the mirrors and that the advisory is

Removed:
posted to the website and e-mailed to the updates-announce mailing list [[#43|[43]]] . Every Linux distribution has
a similar mailing list for update announcements. Varying amounts of automation and manual work are
involved in this last stage of the process for different Linux distributions.

Added:
posted to https://advisories.mageia.org/ and e-mailed to the updates-announce mailing list [[#43|[43]]] . Every Linux distribution has
a similar mailing list for update announcements. The advisories will also be picked eventually up by aggregators like https://osv.dev/.
Varying amounts of automation and manual work are involved in this last stage of the process for each separate Linux distributions.

Unchanged context:
== Other considerations ==
Categories: Mageia Wiki