Lector de Feeds
MGASA-2025-0240 - Updated expat packages fix security vulnerabilities
Publication date: 18 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8176 , CVE-2025-59375 Description Improper restriction of xml entity expansion depth in libexpat. (CVE-2024-8176) This is an extension of the fix published in MGASA-2025-0109 that was determined by upstream to be incomplete. Libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. (CVE-2025-59375) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8176 , CVE-2025-59375 Description Improper restriction of xml entity expansion depth in libexpat. (CVE-2024-8176) This is an extension of the fix published in MGASA-2025-0109 that was determined by upstream to be incomplete. Libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. (CVE-2025-59375) References
- https://bugs.mageia.org/show_bug.cgi?id=34640
- https://bugs.mageia.org/show_bug.cgi?id=34111
- https://www.openwall.com/lists/oss-security/2025/09/24/11
- https://advisories.mageia.org/MGASA-2025-0109.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8176
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375
- expat-2.7.3-1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0239 - Updated varnish & lighttpd packages fix security vulnerability
Publication date: 17 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8671 Description It was discovered that a denial of service attack can be performed on cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the server to consume unnecessary resources processing requests for which the response will not be delivered (CVE-2025-8671). References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8671 Description It was discovered that a denial of service attack can be performed on cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the server to consume unnecessary resources processing requests for which the response will not be delivered (CVE-2025-8671). References
- https://bugs.mageia.org/show_bug.cgi?id=34587
- https://www.openwall.com/lists/oss-security/2025/08/13/6
- https://www.openwall.com/lists/oss-security/2025/08/16/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8671
- varnish-7.7.3-1.mga9
- lighttpd-1.4.80-1.3.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0238 - Updated fetchmail package fixes security vulnerability
Publication date: 14 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-61962 Description It was discovered that fetchmail's SMTP client, when configured to authenticate, is susceptible to a protocol violation where, when a trusted but malicious or malfunctioning SMTP server responds to an authentication request with a "334" code but without a following blank on the line, it will attempt to start reading from memory address 0x1 to parse the server's SASL challenge. This event will usually cause a crash of fetchmail (CVE-2025-61962). References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-61962 Description It was discovered that fetchmail's SMTP client, when configured to authenticate, is susceptible to a protocol violation where, when a trusted but malicious or malfunctioning SMTP server responds to an authentication request with a "334" code but without a following blank on the line, it will attempt to start reading from memory address 0x1 to parse the server's SASL challenge. This event will usually cause a crash of fetchmail (CVE-2025-61962). References
- https://bugs.mageia.org/show_bug.cgi?id=34644
- https://www.openwall.com/lists/oss-security/2025/10/03/2
- https://www.openwall.com/lists/oss-security/2025/10/04/3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61962
- fetchmail-6.5.6-1.mga9
Categorías: Actualizaciones de Seguridad
