MGASA-2025-0244 - Updated openssl packages fix a security vulnerability
Publication date: 22 Oct 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-9230
Description: Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34643
- https://www.openwall.com/lists/oss-security/2025/09/30/5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230
- openssl-3.0.18-1.mga9
Categories: Security Updates
MGASA-2025-0243 - Updated python-django packages fix a security vulnerability
Publication date: 22 Oct 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-59681, CVE-2025-59682
Description:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). (CVE-2025-59681)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. (CVE-2025-59682)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34645
- https://www.openwall.com/lists/oss-security/2025/10/01/3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
- python-django-4.1.13-1.7.mga9
Categories: Security Updates
MGASA-2025-0242 - Updated haproxy packages fix security vulnerability & bugs
Publication date: 22 Oct 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-11230
Description: HAProxy has a critical, a major, a few medium and a few minor bugs fixed in the last upstream version 2.8.16 of branch 2.8.
Fixed critical bug list:
- mjson: fix possible DoS when parsing numbers
Fixed major bug list:
- listeners: transfer connection accounting when switching listeners
Fixed medium bugs list:
- check: Requeue healthchecks on I/O events to handle check timeout
- check: Set SOCKERR by default when a connection error is reported
- checks: fix ALPN inheritance from server
- dns: Reset reconnect tempo when connection is finally established
- fd: Use the provided tgid in fd_insert() to get tgroup_info
- h1: Allow reception if we have early data
- h1/h2/h3: reject forbidden chars in the Host header field
- h2/h3: reject some forbidden chars in :authority before reassembly
- hlua: Add function to change the body length of an HTTP Message
- hlua: Forbid any L6/L7 sample fetch functions from lua services
- hlua: Report to SC when data were consumed on a lua socket
- hlua: Report to SC when output data are blocked on a lua socket
- http-client: Ask for more room when request data cannot be xferred
- http-client: Don't wake http-client applet if nothing was xferred
- http-client: Drain the request if an early response is received
- http-client: Notify applet has more data to deliver until the EOM
- http-client: Properly inc input data when HTX blocks are xferred
- http-client: Test HTX_FL_EOM flag before committing the HTX buffer
- httpclient: Throw an error if an lua httpclient instance is reused
- mux-h2: Properly handle connection error during preface sending
- server: Duplicate healthcheck's alpn inherited from default server
- ssl: ca-file directory mode must read every certificates of a file
- ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
- ssl: create the mux immediately on early data
- ssl: Fix 0rtt to the server
- ssl: fix build with AWS-LC
- threads: Disable the workaround to load libgcc_s on macOS
References:
- https://bugs.mageia.org/show_bug.cgi?id=34673
- https://www.haproxy.org/download/2.8/src/CHANGELOG
- https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11230
- haproxy-2.8.16-1.mga9
Categories: Security Updates
MGASA-2025-0241 - Updated quictls packages with two security issues and bug fixes
Publication date: 20 Oct 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-9230, CVE-2025-9232
Description: Two security issues and miscellaneous minor bug fixes.
- Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
- Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34674
- https://openssl-library.org/news/vulnerabilities/#CVE-2025-9230
- https://openssl-library.org/news/vulnerabilities/#CVE-2025-9232
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9232
- quictls-3.0.18-1.mga9
Categories: Security Updates
MGAA-2025-0086 - Updated rust packages fix bug
Publication date: 20 Oct 2025
Type: bugfix
Affected Mageia releases: 9
Description: The current version of rust in mga9 is not new enough to keep building Mozilla's applications. This update fixes the reported issue.
References
SRPMS 9/core
- rust-1.82.0-1.mga9
Categories: Security Updates
MGAA-2025-0085 - Updated phpmyadmin packages fix bug
Publication date: 20 Oct 2025
Type: bugfix
Affected Mageia releases: 9
Description:
- Fixed "Delete" button not asking for confirmation when deleting a row.
- Fix error 500 when simulating a SET statement.
- Fixed PHP 8.4 deprecations in thecodingmachine/safe.
References:
- https://bugs.mageia.org/show_bug.cgi?id=34680
- https://www.phpmyadmin.net/news/2025/10/8/phpmyadmin-523-is-released/
- phpmyadmin-5.2.3-1.mga9
Categories: Security Updates




