Lector de Feeds

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-5262 , CVE-2025-5263 , CVE-2025-5264 , CVE-2025-5266 , CVE-2025-5267 , CVE-2025-5268 , CVE-2025-5269 Description CVE-2025-5283: A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. CVE-2025-5264: Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. CVE-2025-5266: Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. CVE-2025-5267: A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. CVE-2025-5268: Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. CVE-2025-5269: Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. We can't ship this update to armv7hl architecture, we are investigating the issue and will try to update firefox for armv7hl as soon as posible. References

• https://bugs.mageia.org/show_bug.cgi?id=34337
• https://www.mozilla.org/en-US/firefox/128.11.0/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
• https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_112.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5262
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5263
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5264
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5266
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5267
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5268
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5269

SRPMS 9/core

• firefox-128.11.0-1.1.mga9
• firefox-l10n-128.11.0-1.mga9
• nss-3.112.0-1.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2020-7677 , CVE-2021-43138 , CVE-2022-3517 , CVE-2024-37890 , CVE-2024-48949 , CVE-2022-37599 , CVE-2023-26136 , CVE-2023-46234 , CVE-2024-12905 , CVE-2024-4067 , CVE-2025-48387 Description CVE-2024-37890 yarnpkg: denial of service when handling a request with many HTTP headers. CVE-2024-48949 yarnpkg: Missing Validation in Elliptic's EDDSA Signature Verification. CVE-2024-12905 yarnpkg: link following and path traversal via maliciously crafted tar file And other vulnerabilities in the yarn's bundled nodejs components are fixed too, see the references. References

• https://bugs.mageia.org/show_bug.cgi?id=33674
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UGLXZO6VIHGIITQTEUY5Q5YCAP2A4ZP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEDIJM7VQF4Q2L2KKQ6KJ2WZNR7AXYQD/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7677
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43138
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37890
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48949
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37599
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46234
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12905
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48387

SRPMS 9/core

• yarnpkg-1.22.22-0.10.9.2.1.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48432 Description Potential log injection via unescaped request path. (CVE-2025-48432) References

• https://bugs.mageia.org/show_bug.cgi?id=34348
• https://www.openwall.com/lists/oss-security/2025/06/04/5
• https://www.openwall.com/lists/oss-security/2025/06/10/2
• https://ubuntu.com/security/notices/USN-7555-1
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVFOPDCA45B4XTMYRHQUSJ7JCA56453W/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432

SRPMS 9/core

• python-django-4.1.13-1.5.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47947 , CVE-2025-48866 Description ModSecurity Has Possible DoS Vulnerability. (CVE-2025-47947) ModSecurity has possible DoS vulnerability in sanitiseArg action. (CVE-2025-48866) References

• https://bugs.mageia.org/show_bug.cgi?id=34362
• https://lists.debian.org/debian-security-announce/2025/msg00104.html
• https://ubuntu.com/security/notices/USN-7567-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47947
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48866

SRPMS 9/core

• apache-mod_security-2.9.7-1.1.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48988 , CVE-2025-49125 Description FileUpload large number of parts with headers DoS. (CVE-2025-48988) Security constraint bypass for pre/post-resources. (CVE-2025-49125) References

• https://bugs.mageia.org/show_bug.cgi?id=34376
• https://www.openwall.com/lists/oss-security/2025/06/16/1
• https://www.openwall.com/lists/oss-security/2025/06/16/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125

SRPMS 9/core

• tomcat-9.0.106-1.mga9

Publication date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-20260 Description Fixed a possible buffer overflow write bug in the PDF file parser that could cause a denial-of-service (DoS) condition or enable remote code execution. (CVE-2025-20260) References

• https://bugs.mageia.org/show_bug.cgi?id=34387
• https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20260

SRPMS 9/core

• clamav-1.0.9-1.mga9

Publication date: 25 Jun 2025
Type: bugfix
Affected Mageia releases : 9
Description i586 packages that depend on nodejs to build have issues building: the build never ends or it fails at some point after lots of time. This update fixes the reported issue, but since this release, i586 will require CPUs with SSE2 support. References

• https://bugs.mageia.org/show_bug.cgi?id=34384

SRPMS 9/core

• nodejs-22.16.0-4.mga9

Mageia_Release_Countdown

← Older revision Revision as of 00:53, 25 June 2025 Line 12: Line 12:     [[Sysadmin New Release]] [[Sysadmin New Release]]  +[[Mageia Release Countdown]]     [[Category:Sysadmin]] [[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:53, 25 June 2025 Line 1: Line 1:  [[Category:Documentation]] [[Category:Documentation]]  [[Category:Mirrors]] [[Category:Mirrors]]  +[[Category:Sysadmin]]     {{Multi_language_banner|[[Spiegelserver Liste-de|Deutsch]] ; [[Mirror_List|English]] ; [[Liste des miroirs-fr|français]] ; [[Spiegelserverlijst-nl|Nederlands]] ; [[Yansı Listesi|Turkisk]] ; [[Listas de espelhos-pt-BR|português brasileiro]] ;}} {{Multi_language_banner|[[Spiegelserver Liste-de|Deutsch]] ; [[Mirror_List|English]] ; [[Liste des miroirs-fr|français]] ; [[Spiegelserverlijst-nl|Nederlands]] ; [[Yansı Listesi|Turkisk]] ; [[Listas de espelhos-pt-BR|português brasileiro]] ;}} Danf

typos

← Older revision Revision as of 00:51, 25 June 2025 Line 6: Line 6:  However there's a trick for rebuilding the first packages in order to bootstrap the new perl. However there's a trick for rebuilding the first packages in order to bootstrap the new perl.    −In order to minimize cauldron disrupting, we'll usually rebuild the packages into core/updates_testing.+In order to minimize cauldron disruption, we'll usually rebuild the packages into core/updates_testing. −Once we've enough rebuild pkgs, they'll be moved into core/release and then any remaining pkg will be fixed.+Once we've enough rebuilt pkgs, they'll be moved into core/release and then any remaining pkgs will be fixed.     == Pass 0 for urpmi: Filesys-Df, Locale-gettext, URPM & XML-LibXML == == Pass 0 for urpmi: Filesys-Df, Locale-gettext, URPM & XML-LibXML ==    −Bootstrapping is tricky, there's a script for that at [https://gitweb.mageia.org/software/build-system/iurt/tree/rebuild_perl_iurt rebuild_perl_iurt] that needs to be run for each architecture :+Bootstrapping is tricky; there's a script for that at [https://gitweb.mageia.org/software/build-system/iurt/tree/rebuild_perl_iurt rebuild_perl_iurt] that needs to be run for each architecture :  <pre> <pre>  perl (not really needed as iurt/rebuild_perl_iurt will build it though it could catch a build error not seen locally) perl (not really needed as iurt/rebuild_perl_iurt will build it though it could catch a build error not seen locally) Line 38: Line 38:  </pre> </pre>    −== Pass 1 : pkgs just depending on base perl, that will enable to rebuild perl pkgs further in the dep tree ==+== Pass 1 : pkgs just depending on base perl, that will enable rebuilding perl pkgs further in the dep tree ==  This list was generated by using "urpmf --requires libperl.so" then sorted by deps : This list was generated by using "urpmf --requires libperl.so" then sorted by deps :    Line 110: Line 110:  </pre> </pre>    −=== Really less urgent: ===+=== Much less urgent: ===  <pre> <pre>  apache-mod_perl apache-mod_perl Line 472: Line 472:  </pre> </pre>    −=== 6b: the other who would only be caught while running perl modules depending on them: ===+=== 6b: the others who would only be caught while running perl modules depending on them: ===  <pre> <pre>  libguestfs libguestfs Line 599: Line 599:  *** either using drakx-in-chroot (See [[Drakx-installer tips and tricks]] for details) *** either using drakx-in-chroot (See [[Drakx-installer tips and tricks]] for details)    −One should just try a cople steps before aborting.+One should just try a couple steps before aborting. −If there's an error after a cople step, everything is OK.+If there's no error after a couple steps, everything is OK.     If there's an error, usually we need to include a missing perl module now needed by some of the modules used by drakx. If there's an error, usually we need to include a missing perl module now needed by some of the modules used by drakx. Line 609: Line 609:  == For references : deps for base packages == == For references : deps for base packages ==    −Those importants needs the following perl pkgs to be rebuild in order to be installable (not listing noarch perl modules from Core/Release)+Those important ones need the following perl pkgs to be rebuilt in order to be installable (not listing noarch perl modules from Core/Release)     perl-URPM needs (for building & running) perl-URPM needs (for building & running) Danf

Category:Sysadmin

← Older revision Revision as of 00:48, 25 June 2025 Line 14: Line 14:     providing the build ID you just found. providing the build ID you just found.  +  +[[Category:Sysadmin]] Danf

Category:Sysadmin

← Older revision Revision as of 00:47, 25 June 2025 Line 37: Line 37:  </pre> </pre>  where XXX is the string after ''userPassword::''. Ensure that what is displayed is different from what you sent it to, or else the password has not yet been changed. where XXX is the string after ''userPassword::''. Ensure that what is displayed is different from what you sent it to, or else the password has not yet been changed.  +  +[[Category:Sysadmin]] Danf

See also

← Older revision Revision as of 00:45, 25 June 2025 Line 8: Line 8:     Documentation for the full rebuild process is TBD. Documentation for the full rebuild process is TBD.  +  +== See Also ==  +  +[[Sysadmin New Release]]     [[Category:Sysadmin]] [[Category:Sysadmin]] Danf