Lector de Feeds

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-25186 , CVE-2025-27219 , CVE-2025-27220 , CVE-2025-27221 Description Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186) In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies. (CVE-2025-27219) In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. (CVE-2025-27220) In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. (CVE-2025-27221) References

• https://bugs.mageia.org/show_bug.cgi?id=34179
• https://ubuntu.com/security/notices/USN-7418-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25186
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27219
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27220
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27221

SRPMS 9/core

• ruby-3.1.5-47.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2022-42969 Description The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. (CVE-2022-42969) References

• https://bugs.mageia.org/show_bug.cgi?id=31458
• https://lists.suse.com/pipermail/sle-security-updates/2023-January/013536.html
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ELXQR2N4BOTGP4YQAZGZJDQMETKR6DWY/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42969

SRPMS 9/core

• python-py-1.11.0-2.1.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47273 Description Setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write. (CVE-2025-47273) References

• https://bugs.mageia.org/show_bug.cgi?id=34390
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QJ375SF7FQYZCXBVGMYYQXBL5RK5ORGD/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47273

SRPMS 9/core

• python-setuptools-65.5.0-3.2.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-2467 Description Perl-crypt-openssl-rsa: side-channel attack in pkcs#1 v1.5 padding mode (marvin attack). (CVE-2024-2467) References

• https://bugs.mageia.org/show_bug.cgi?id=34406
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5ZZGII2VWUPCN72PQNW3EQIGG3EPVBL/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2467

SRPMS 9/core

• perl-Crypt-OpenSSL-RSA-0.330.0-1.1.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-1681 , CVE-2024-6221 , CVE-2024-6839 , CVE-2024-6844 , CVE-2024-6866 Description Log Injection Vulnerability in corydolphin/flask-cors. (CVE-2024-1681) Improper Access Control in corydolphin/flask-cors. (CVE-2024-6221) Improper Regex Path Matching in corydolphin/flask-cors. (CVE-2024-6839) Inconsistent CORS Matching Due to Handling of '+' in URL Path in corydolphin/flask-cors. (CVE-2024-6844) Case-Insensitive Path Matching in corydolphin/flask-cors. (CVE-2024-6866) References

• https://bugs.mageia.org/show_bug.cgi?id=34424
• https://ubuntu.com/security/notices/USN-7612-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1681
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6221
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6839
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6844
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6866

SRPMS 9/core

• python-flask-cors-3.0.10-1.1.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40918 Description Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. (CVE-2025-40918) References

• https://bugs.mageia.org/show_bug.cgi?id=34489
• https://www.openwall.com/lists/oss-security/2025/07/16/5
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40918

SRPMS 9/core

• perl-Authen-SASL-2.160.0-13.1.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40929 Description Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. (CVE-2025-40929) References

• https://bugs.mageia.org/show_bug.cgi?id=34627
• https://www.openwall.com/lists/oss-security/2025/09/08/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40929

SRPMS 9/core

• perl-Cpanel-JSON-XS-4.350.0-1.1.mga9

Publication date: 13 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40928 Description JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. (CVE-2025-40928) References

• https://bugs.mageia.org/show_bug.cgi?id=34628
• https://www.openwall.com/lists/oss-security/2025/09/08/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40928

SRPMS 9/core

• perl-JSON-XS-4.30.0-5.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47287 Description Tornado vulnerable to excessive logging caused by malformed multipart form data. (CVE-2025-47287) References

• https://bugs.mageia.org/show_bug.cgi?id=34343
• https://ubuntu.com/security/notices/USN-7547-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287

SRPMS 9/core

• python-tornado-6.3.2-1.2.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-50181 Description Urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation. (CVE-2025-50181) References

• https://bugs.mageia.org/show_bug.cgi?id=34401
• https://ubuntu.com/security/notices/USN-7599-1
• https://ubuntu.com/security/notices/USN-7599-2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50181

SRPMS 9/core

• python-urllib3-1.26.20-1.1.mga9
• python-pip-23.0.1-1.2.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0938 , CVE-2025-1795 , CVE-2024-9287 , CVE-2025-4516 , CVE-2024-12718 , CVE-2025-4138 , CVE-2025-4330 , CVE-2025-4435 , CVE-2025-4517 , CVE-2025-8194 Description URL parser allowed square brackets in domain names. (CVE-2025-0938) Mishandling of comma during folding and unicode-encoding of email headers. (CVE-2025-1795) Virtual environment (venv) activation scripts don't quote paths. (CVE-2024-9287) Use-after-free in "unicode_escape" decoder with error handler. (CVE-2025-4516) Bypass extraction filter to modify file metadata outside extraction directory. (CVE-2024-12718) Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory. (CVE-2025-4138) Extraction filter bypass for linking outside extraction directory. (CVE-2025-4330) Tarfile extracts filtered members when errorlevel=0. (CVE-2025-4435) Arbitrary writes via tarfile realpath overflow. (CVE-2025-4517) Tarfile infinite loop during parsing with negative member offset. (CVE-2025-8194) References

• https://bugs.mageia.org/show_bug.cgi?id=34285
• https://bugs.mageia.org/show_bug.cgi?id=34007
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FRAYUVWW2DYX7RTRPVFLFADRHABRVQN/
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NNC4GZYGFZ76A7NUZ5BG2CMGVR32LXCG/
• https://ubuntu.com/security/notices/USN-7488-1
• https://www.openwall.com/lists/oss-security/2025/05/16/4
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUW6UXZQE7B4PPK3PK3NZAWP5PVOU5L3/
• https://www.openwall.com/lists/oss-security/2025/06/24/1
• https://www.openwall.com/lists/oss-security/2025/07/28/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0938
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1795
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9287
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4516
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12718
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4138
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4330
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4435
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4517
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8194

SRPMS 9/core

• python3-3.10.18-1.4.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1860 Description Data::Entropy for Perl uses insecure rand() function for cryptographic functions. (CVE-2025-1860) References

• https://bugs.mageia.org/show_bug.cgi?id=34212
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/77JMVPALVOSZWBL54FOO42D3RMLW2DLP/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1860

SRPMS 9/core

• perl-Data-Entropy-0.7.0-10.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2011-10007 Description File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name. (CVE-2011-10007) References

• https://bugs.mageia.org/show_bug.cgi?id=34352
• https://www.openwall.com/lists/oss-security/2025/06/05/4
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IU76LFGXLXKYPWUGOA3WJD5MKZXGVV6/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-10007

SRPMS 9/core

• perl-File-Find-Rule-0.340.0-5.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-40907 Description FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. (CVE-2025-40907) References

• https://bugs.mageia.org/show_bug.cgi?id=34355
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVJG5HEXJS2X62ZHSO26DXTMOVBYTU4V/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40907

SRPMS 9/core

• perl-FCGI-0.820.0-3.1.mga9

Publication date: 12 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-31484 , CVE-2023-31486 Description CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. (CVE-2023-31484) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. (CVE-2023-31486) References

• https://bugs.mageia.org/show_bug.cgi?id=31852
• https://www.openwall.com/lists/oss-security/2023/04/29/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31486

SRPMS 9/core

• perl-CPAN-2.340.0-1.1.mga9
• perl-HTTP-Tiny-0.82.0-1.1.mga9