Lector de Feeds

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40929 Description Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. (CVE-2025-40929) References

• https://bugs.mageia.org/show_bug.cgi?id=34627
• https://www.openwall.com/lists/oss-security/2025/09/08/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40929

SRPMS 9/core

• perl-Cpanel-JSON-XS-4.350.0-1.1.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40928 Description JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. (CVE-2025-40928) References

• https://bugs.mageia.org/show_bug.cgi?id=34628
• https://www.openwall.com/lists/oss-security/2025/09/08/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40928

SRPMS 9/core

• perl-JSON-XS-4.30.0-5.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47287 Description Tornado vulnerable to excessive logging caused by malformed multipart form data. (CVE-2025-47287) References

• https://bugs.mageia.org/show_bug.cgi?id=34343
• https://ubuntu.com/security/notices/USN-7547-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287

SRPMS 9/core

• python-tornado-6.3.2-1.2.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-50181 Description Urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation. (CVE-2025-50181) References

• https://bugs.mageia.org/show_bug.cgi?id=34401
• https://ubuntu.com/security/notices/USN-7599-1
• https://ubuntu.com/security/notices/USN-7599-2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50181

SRPMS 9/core

• python-urllib3-1.26.20-1.1.mga9
• python-pip-23.0.1-1.2.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0938 , CVE-2025-1795 , CVE-2024-9287 , CVE-2025-4516 , CVE-2024-12718 , CVE-2025-4138 , CVE-2025-4330 , CVE-2025-4435 , CVE-2025-4517 , CVE-2025-8194 Description URL parser allowed square brackets in domain names. (CVE-2025-0938) Mishandling of comma during folding and unicode-encoding of email headers. (CVE-2025-1795) Virtual environment (venv) activation scripts don't quote paths. (CVE-2024-9287) Use-after-free in "unicode_escape" decoder with error handler. (CVE-2025-4516) Bypass extraction filter to modify file metadata outside extraction directory. (CVE-2024-12718) Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory. (CVE-2025-4138) Extraction filter bypass for linking outside extraction directory. (CVE-2025-4330) Tarfile extracts filtered members when errorlevel=0. (CVE-2025-4435) Arbitrary writes via tarfile realpath overflow. (CVE-2025-4517) Tarfile infinite loop during parsing with negative member offset. (CVE-2025-8194) References

• https://bugs.mageia.org/show_bug.cgi?id=34285
• https://bugs.mageia.org/show_bug.cgi?id=34007
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FRAYUVWW2DYX7RTRPVFLFADRHABRVQN/
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NNC4GZYGFZ76A7NUZ5BG2CMGVR32LXCG/
• https://ubuntu.com/security/notices/USN-7488-1
• https://www.openwall.com/lists/oss-security/2025/05/16/4
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUW6UXZQE7B4PPK3PK3NZAWP5PVOU5L3/
• https://www.openwall.com/lists/oss-security/2025/06/24/1
• https://www.openwall.com/lists/oss-security/2025/07/28/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0938
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1795
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9287
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4516
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12718
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4138
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4330
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4435
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4517
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8194

SRPMS 9/core

• python3-3.10.18-1.4.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1860 Description Data::Entropy for Perl uses insecure rand() function for cryptographic functions. (CVE-2025-1860) References

• https://bugs.mageia.org/show_bug.cgi?id=34212
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/77JMVPALVOSZWBL54FOO42D3RMLW2DLP/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1860

SRPMS 9/core

• perl-Data-Entropy-0.7.0-10.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2011-10007 Description File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name. (CVE-2011-10007) References

• https://bugs.mageia.org/show_bug.cgi?id=34352
• https://www.openwall.com/lists/oss-security/2025/06/05/4
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IU76LFGXLXKYPWUGOA3WJD5MKZXGVV6/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-10007

SRPMS 9/core

• perl-File-Find-Rule-0.340.0-5.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40907 Description FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. (CVE-2025-40907) References

• https://bugs.mageia.org/show_bug.cgi?id=34355
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVJG5HEXJS2X62ZHSO26DXTMOVBYTU4V/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40907

SRPMS 9/core

• perl-FCGI-0.820.0-3.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-31484 , CVE-2023-31486 Description CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. (CVE-2023-31484) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. (CVE-2023-31486) References

• https://bugs.mageia.org/show_bug.cgi?id=31852
• https://www.openwall.com/lists/oss-security/2023/04/29/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31486

SRPMS 9/core

• perl-CPAN-2.340.0-1.1.mga9
• perl-HTTP-Tiny-0.82.0-1.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40908 Description YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified. (CVE-2025-40908) References

• https://bugs.mageia.org/show_bug.cgi?id=34448
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HKC72252CNE2PZENAI7UN24YB5X2Z5EK/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40908

SRPMS 9/core

• perl-YAML-LibYAML-0.860.0-1.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-31484 , CVE-2024-56406 , CVE-2025-40909 Description CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. (CVE-2023-31484) Perl is vulnerable to a heap buffer overflow when transliterating non-ASCII bytes. (CVE-2024-56406) Perl threads have a working directory race condition where file operations may target unintended paths. (CVE-2025-40909) References

• https://bugs.mageia.org/show_bug.cgi?id=34209
• https://bugs.mageia.org/show_bug.cgi?id=31852
• https://www.openwall.com/lists/oss-security/2023/04/29/1
• https://ubuntu.com/security/notices/USN-6112-1
• https://openwall.com/lists/oss-security/2025/04/13/3
• https://lists.debian.org/debian-security-announce/2025/msg00064.html
• https://ubuntu.com/security/notices/USN-7434-1
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USJDDXS5I35D7CEPDILLJIEUAZOXW7YF/
• https://www.openwall.com/lists/oss-security/2025/05/22/2
• https://www.openwall.com/lists/oss-security/2025/05/23/1
• https://openwall.com/lists/oss-security/2025/05/30/4
• https://www.openwall.com/lists/oss-security/2025/06/02/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56406
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40909

SRPMS 9/core

• perl-5.36.0-1.2.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-11411 Description Several multi-vendor cache poisoning vulnerabilities have been discovered in caching resolvers for non-DNSSEC protected data. Unbound is vulnerable for some of these cases that could lead to domain hijacking (CVE-2025-11411). References

• https://bugs.mageia.org/show_bug.cgi?id=34700
• https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11411

SRPMS 9/core

• unbound-1.24.1-1.mga9