Feed Reader

MGASA-2025-0060 - Updated python-tornado packages fix security vulnerability

Mageia Security - 12 February 2025 - 22:31
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-52804
Description: Tornado has an HTTP cookie parsing DoS vulnerability. (CVE-2024-52804)
References
SRPMS 9/core
  • python-tornado-6.3.2-1.1.mga9

MGASA-2025-0059 - Updated php-tcpdf packages fix security vulnerabilities

Mageia Security - 12 February 2025 - 22:31
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56519, CVE-2024-56521, CVE-2024-56522, CVE-2024-56527
Description:
An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. (CVE-2024-56519)
An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely. (CVE-2024-56521)
An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes. (CVE-2024-56522)
An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message. (CVE-2024-56527)
References
SRPMS 9/core
  • php-tcpdf-6.5.0-1.3.mga9

SOP Adding user to group

Mageia Wiki - 12 February 2025 - 20:55

See also: Link to LDAP_Groups

← Older revision Revision as of 19:55, 12 February 2025 (One intermediate revision by the same user not shown)Line 37: Line 37:        [root@duvel ~]# ldapmodify -H ldaps://ldap.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -f removeowner.ldif    [root@duvel ~]# ldapmodify -H ldaps://ldap.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -f removeowner.ldif  +  += See also =  +* [https://people.mageia.org/g/ Active groups]  +* [[LDAP Groups]] needed for different roles     [[Category:Sysadmin]] [[Category:Sysadmin]] Danf
Categories: Mageia Wiki

Sysadmin Tasks

Mageia Wiki - 12 February 2025 - 20:43

Access/Identity: Bugzilla admins

← Older revision Revision as of 19:43, 12 February 2025 Line 23: Line 23:  * [[SOP Sysadmin access revocation]] * [[SOP Sysadmin access revocation]]  * [[SOP Adding groups]] * [[SOP Adding groups]] −* Blocking users in Bugzilla due to spammy behaviour+* Blocking users in Bugzilla due to spammy behaviour ''(this is currently done by Bugzilla admins, not Sysadmins)''  * Unlock user account * Unlock user account  * [[SOP robot credentials renewal]] * [[SOP robot credentials renewal]] Danf
Categories: Mageia Wiki

MGASA-2025-0058 - Updated subversion packages fix security vulnerability

Mageia Security - 12 February 2025 - 19:29
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-46901
Description: Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. (CVE-2024-46901)
References
SRPMS 9/core
  • subversion-1.14.2-2.1.mga9

MGASA-2025-0057 - Updated ffmpeg packages fix security vulnerability

Mageia Security - 12 February 2025 - 19:29
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-49528
Description: A buffer overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via af_dialoguenhance.c:261:5 in the de_stereo component. (CVE-2023-49528)
References
SRPMS 9/core
  • ffmpeg-5.1.6-1.1.mga9
9/tainted
  • ffmpeg-5.1.6-1.1.mga9.tainted

MGASA-2025-0056 - Updated python-setuptools packages fix security vulnerability

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-6345
Description: Remote Code Execution in pypa/setuptools. (CVE-2024-6345)
References
SRPMS 9/core
  • python-setuptools-65.5.0-3.1.mga9

MGASA-2025-0055 - Updated python-pip packages fix security vulnerability

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-5752
Description: Mercurial configuration injectable in repo revision when installing via pip. (CVE-2023-5752)
References
SRPMS 9/core
  • python-pip-23.0.1-1.1.mga9

MGASA-2025-0054 - Updated python-twisted packages fix security vulnerabilities

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-46137, CVE-2024-41671, CVE-2024-41810
Description:
Twisted.web has disordered HTTP pipeline response. (CVE-2023-46137)
Twisted.web has disordered HTTP pipeline response. (CVE-2024-41671)
HTML injection in HTTP redirect body. (CVE-2024-41810)
References
SRPMS 9/core
  • python-twisted-22.10.0-2.1.mga9

MGASA-2025-0053 - Updated python-waitress packages fix security vulnerabilities

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-49768, CVE-2024-49769
Description:
Waitress has a request processing race condition in HTTP pipelining with an invalid first request. (CVE-2024-49768)
Waitress has a denial of service leading to high CPU usage/resource exhaustion. (CVE-2024-49769)
References
SRPMS 9/core
  • python-waitress-2.1.2-1.1.mga9

MGASA-2025-0052 - Updated python-ansible-core packages fix security vulnerabilities

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-8775, CVE-2024-9902, CVE-2024-11079
Description:
Exposure of sensitive information in Ansible vault files due to improper logging. (CVE-2024-8775)
Ansible-core user may read/write unauthorized content. (CVE-2024-9902)
Unsafe tagging bypass via hostvars object in ansible-core. (CVE-2024-11079)
References
SRPMS 9/core
  • python-ansible-core-2.14.18-1.mga9

MGASA-2025-0051 - Updated nginx packages fix security vulnerability

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-23419
Description: TLS Session Resumption Vulnerability. (CVE-2025-23419)
References
SRPMS 9/core
  • nginx-1.26.3-1.mga9

MGASA-2025-0050 - Updated python-jinja2 packages fix security vulnerability

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56326
Description: Jinja has a sandbox breakout through an indirect reference to a format method. (CVE-2024-56326)
References
SRPMS 9/core
  • python-jinja2-3.1.5-1.mga9

MGASA-2025-0049 - Updated calibre packages fix security vulnerabilities

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-46303, CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009
Description:
link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root. (CVE-2023-46303)
Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read. (CVE-2024-6781)
Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution. (CVE-2024-6782)
Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting. (CVE-2024-7008)
Unsanitized user input in Calibre <= 7.15.0 allows users with permission to perform full-text searches to achieve SQL injection on the SQLite database. (CVE-2024-7009)
References
SRPMS 9/core
  • calibre-6.17.0-1.1.mga9

MGAA-2025-0013 - Updated xapps, xviewer packages fix bug

Mageia Security - 12 February 2025 - 07:37
Publication date: 12 Feb 2025
Type: bugfix
Affected Mageia releases: 9
Description: A missing Requires produces an xviewer crash. This update fixes the issue.
References
SRPMS 9/core
  • xapps-2.6.1-1.1.mga9
  • xviewer-3.2.11-1.1.mga9

SOP Certificate update

Mageia Wiki - 11 February 2025 - 07:44

Wild card certificate: duvel

← Older revision Revision as of 06:44, 11 February 2025 Line 32: Line 32:  = Wild card certificate = = Wild card certificate =    −* Generate a CSR file. This creates a new certificate that we will ask Gandi to sign.+== Create ==  +* Generate a CSR file. This creates a new public certificate that we will ask Gandi to sign.     <pre> <pre> Line 47: Line 48:  Then, choose the ''SSL CERTIFICATES'' sidebar, then click on the *.mageia.org certificate. After some minutes/hours, the ''Validation instructions'' section will provide a CNAME record to add to DNS. Add it similar to [https://gitweb.mageia.org/infrastructure/puppet/commit/?id=231e095d4d4dc099589ad27c43e4e9244f78095c this commit]. Wait some minutes/hour (the time it takes for the DNS to get updated). You can follow the process along on the Gandi certificate page. Then, choose the ''SSL CERTIFICATES'' sidebar, then click on the *.mageia.org certificate. After some minutes/hours, the ''Validation instructions'' section will provide a CNAME record to add to DNS. Add it similar to [https://gitweb.mageia.org/infrastructure/puppet/commit/?id=231e095d4d4dc099589ad27c43e4e9244f78095c this commit]. Wait some minutes/hour (the time it takes for the DNS to get updated). You can follow the process along on the Gandi certificate page.    −When it's ready, download the new certificate as well as the Intermediate certificate (in case it changed from the last year). Backup the current certificate files by copying them into a directory based on the year they were requested, in case a reversion is needed. Add the main    on neru and sucuk in '''/etc/ssl/wildcard.mageia.org.crt'''. Store the intermediate certificate in /etc/ssl/ and make sure there's a link to it from '''/etc/ssl/wildcard.mageia.org.pem'''. 
Finally, copy the new key file to '''/etc/ssl/wildcard.mageia.org.key''' (making sure it has mode 0700).+== Install ==  +When it's ready, download the new certificate as well as the Intermediate certificate (in case it changed from the last year). Backup the current certificate files by copying them into a directory based on the year they were requested, in case a reversion is needed (if they weren't already copied there last year). Copy the signed cert to neru, sucuk and duvel in '''/etc/ssl/wildcard.mageia.org.crt'''. Store the intermediate certificate in /etc/ssl/ and make sure there's a link to it from '''/etc/ssl/wildcard.mageia.org.pem'''. Finally, copy the new private key file to '''/etc/ssl/wildcard.mageia.org.key''' (making sure it has mode 0700).    −Finally, restart Apache on neru with '''systemctl reload apache'''. Test the new certificate by running '''curl -vI https://blog.mageia.org/''' and look for the new expiration year and for any certificate errors. If it works, do the same on sucuk, using '''curl -vI https://www.mageia.org/''' as the test.+== Test == − +Finally, restart Apache on each of the three servers with '''systemctl reload apache'''. Test the new certificate by running '''curl -vI https://blog.mageia.org/''' as well as '''gitweb.mageia.org''' and '''advisories.mageia.org''' (to check all three servers, although you should check them one at a time as you install the certs) and look for the new expiration year and for any certificate errors. −''TODO: add update instructions for duvel''      Revert the DNS record added previously, remembering to increment the SOA serial (don't use '''git revert'''). Revert the DNS record added previously, remembering to increment the SOA serial (don't use '''git revert'''). Danf
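Review bot: the added Install paragraph keeps "(making sure it has mode 0700)" for the private key, but wildcard.mageia.org.key is a regular file, so the execute bit serves no purpose; 0600 (owner read/write only) is the usual mode for a TLS private key, and the sentence should also state the expected owner so the check is unambiguous. In the new Test section, "restart Apache on each of the three servers with '''systemctl reload apache'''" mixes restart and reload; since the command given is a reload, say "reload Apache" so the reader does not run a full restart by mistake.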
Categories: Mageia Wiki

SOP Certificate update

Mageia Wiki - 11 February 2025 - 07:44

Wild card certificate: duvel

← Older revision Revision as of 06:44, 11 February 2025 (One intermediate revision by the same user not shown)Line 32: Line 32:  = Wild card certificate = = Wild card certificate =    −* Regenerate a csr file.+== Create ==  +* Generate a CSR file. This creates a new public certificate that we will ask Gandi to sign.     <pre> <pre> −openssl req -nodes -newkey rsa:2048 -sha256 -keyout /etc/ssl/wildcard.mageia.org.key -out /etc/ssl/wildcard.mageia.org.csr -utf8  +openssl req -nodes -newkey rsa:2048 -sha256 -keyout wildcard.mageia.org.key -out wildcard.mageia.org.csr -utf8    </pre> </pre> −Use FR as country, Paris as city, Mageia.Org as Organization Name, and (most importantly) *.mageia.org as Common Name (although, it's not clear if Gandi actually keeps all that data or replaces it). Then go on [https://admin.gandi.net/?locale=en Gandi website] → SSL Certificates → *.mageia.org and click on ''Renew''.+Use FR as country, Paris as city, Mageia.Org as Organization Name, and (most importantly) *.mageia.org as Common Name (although, it's not clear if Gandi actually keeps all that data or replaces it); leave the other fields blank. Then go on [https://admin.gandi.net/?locale=en Gandi website] → SSL Certificates → *.mageia.org and click on ''Renew''.    −Choose ''Standard'' and ''Full domain'' then click on ''Next''+Choose ''DigiCert'', ''Standard'' and ''Full domain'' then click on ''Next''    −On the window paste the content of the csr file.+In the text box paste the content of the csr file.     Check if we have enough of a credit balance at Gandi to pay for it. If not and expiration is imminent, use a credit card. When the certificate is renewed, choose DNS method for the validation. Check if we have enough of a credit balance at Gandi to pay for it. If not and expiration is imminent, use a credit card. When the certificate is renewed, choose DNS method for the validation.    
−Then, go on the certificate, I will provide a DNS record to add in our DNS server.+Then, choose the ''SSL CERTIFICATES'' sidebar, then click on the *.mageia.org certificate. After some minutes/hours, the ''Validation instructions'' section will provide a CNAME record to add to DNS. Add it similar to [https://gitweb.mageia.org/infrastructure/puppet/commit/?id=231e095d4d4dc099589ad27c43e4e9244f78095c this commit]. Wait some minutes/hour (the time it takes for the DNS to get updated). You can follow the process along on the Gandi certificate page.    −Follow this commit:+== Install ==  +When it's ready, download the new certificate as well as the Intermediate certificate (in case it changed from the last year). Backup the current certificate files by copying them into a directory based on the year they were requested, in case a reversion is needed (if they weren't already copied there last year). Copy the signed cert to neru, sucuk and duvel in '''/etc/ssl/wildcard.mageia.org.crt'''. Store the intermediate certificate in /etc/ssl/ and make sure there's a link to it from '''/etc/ssl/wildcard.mageia.org.pem'''. Finally, copy the new private key file to '''/etc/ssl/wildcard.mageia.org.key''' (making sure it has mode 0700).    −https://gitweb.mageia.org/infrastructure/puppet/commit/?id=231e095d4d4dc099589ad27c43e4e9244f78095c+== Test ==  +Finally, restart Apache on each of the three servers with '''systemctl reload apache'''. Test the new certificate by running '''curl -vI https://blog.mageia.org/''' as well as '''gitweb.mageia.org''' and '''advisories.mageia.org''' (to check all three servers, although you should check them one at a time as you install the certs) and look for the new expiration year and for any certificate errors.    −Wait some minutes/hour (the time it takes for the DNS to get updated). You can follow the process along on the Gandi page.+Revert the DNS record added previously, remembering to increment the SOA serial (don't use '''git revert'''). 
−   −When it's ready, download the new certificate as well as the Intermediate certificate (in case it changed from the last year). Backup the current certificate files by copying them into a directory based on the year they were requested, in case a reversion is needed. Add the main certificate on neru and sucuk in '''/etc/ssl/wildcard.mageia.org.crt'''. Store the intermediate certificate in /etc/ssl/ and make sure there's a link to it from '''/etc/ssl/wildcard.mageia.org.pem'''. Finally, copy the new key file to '''/etc/ssl/wildcard.mageia.org.key''' (making sure it has mode 0700).  −   −Finally, restart Apache on neru with '''systemctl reload apache'''. Test the new certificate by running '''curl -vI https://blog.mageia.org/''' and look for the new expiration year and for any certificate errors. If it works, do the same on sucuk, using '''curl -vI https://www.mageia.org/''' as the test.  −   −Revert the DNS record added previously, remembering to increment the serial (don't use '''git revert''').         [[Category:Sysadmin]] [[Category:Sysadmin]] Danf
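Review bot: the new Create bullet says "Generate a CSR file. This creates a new public certificate that we will ask Gandi to sign", but the openssl req line below it produces a private key plus a certificate signing request, not a certificate; "This creates a new private key and a signing request that we will ask Gandi to sign" matches what the command does. The same change also drops the /etc/ssl/ prefix from -keyout and -out, so the key now lands in whatever directory the command is run from, unencrypted because of -nodes; the text should say where to run it and that the file must be moved into /etc/ssl with the stated mode (and not left in a home or temporary directory) before the Install step.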
Categories: Mageia Wiki

MGASA-2025-0048 - Updated thunderbird packages fix security vulnerabilities

Mageia Security - 9 February 2025 - 01:19
Publication date: 09 Feb 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-11704, CVE-2025-1009, CVE-2025-1010, CVE-2025-1011, CVE-2025-1012, CVE-2025-1013, CVE-2025-1014, CVE-2025-1015, CVE-2025-0510, CVE-2025-1016, CVE-2025-1017
Description:
Use-after-free in XSLT. (CVE-2025-1009)
Use-after-free in Custom Highlight. (CVE-2025-1010)
A bug in WebAssembly code generation could result in a crash. (CVE-2025-1011)
Use-after-free during concurrent delazification. (CVE-2025-1012)
Potential double-free vulnerability in PKCS#7 decryption handling. (CVE-2024-11704)
Potential opening of private browsing tabs in normal browsing windows. (CVE-2025-1013)
Certificate length was not properly checked. (CVE-2025-1014)
Unsanitized address book fields. (CVE-2025-1015)
Address of e-mail sender can be spoofed by malicious email. (CVE-2025-0510)
Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7. (CVE-2025-1016)
Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. (CVE-2025-1017)
References
SRPMS 9/core
  • thunderbird-128.7.0-1.mga9
  • thunderbird-l10n-128.7.0-1.mga9