Lector de Feeds
MGASA-2025-0260 - Updated mediawiki packages fix security vulnerabilities
Publication date: 05 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-3469 , CVE-2025-32696 , CVE-2025-32697 , CVE-2025-32698 , CVE-2025-32699 , CVE-2025-32700 , CVE-2025-32072 , CVE-2025-11173 , CVE-2025-11261 , CVE-2025-61635 , CVE-2025-61638 , CVE-2025-61639 , CVE-2025-61640 , CVE-2025-61641 , CVE-2025-61643 , CVE-2025-61646 , CVE-2025-61653 Description i18n XSS vulnerability in HTMLMultiSelectField when sections are used. (CVE-2025-3469) "reupload-own" restriction can be bypassed by reverting file. (CVE-2025-32696) Cascading protection is not preventing file reversions. (CVE-2025-32697) LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions. (CVE-2025-32698) Potential javascript injection attack enabled by Unicode normalization in Action API. (CVE-2025-32699) AbuseFilter log interfaces expose global private and hidden filters when central DB is not available. (CVE-2025-32700) HTML injection in feed output from i18n message. (CVE-2025-32072) OATHAuth extension: Reauthentication for enabling 2FA can be bypassed by submitting a form in Special:OATHManage. (CVE-2025-11173) Stored i18n Cross-site scripting (XSS) vulnerability in mw.language.listToText. (CVE-2025-11261) ConfirmEdit extension: Missing rate limiting in ApiFancyCaptchaReload. (CVE-2025-61635) Parsoid: Validation bypass for `data-` attributes. (CVE-2025-61638) Log entries which are hidden from the creation of the entry may be disclosed to the public recent change entry. (CVE-2025-61639) Stored i18n Cross-site scripting (XSS) vulnerability in Special:RecentChangesLinked. (CVE-2025-61640) DDoS vulnerability in QueryAllPages API in miser mode. The `maxsize` value is now ignored in that mode. (CVE-2025-61641) Suppressed recent changes may be disclosed to the public RCFeeds. (CVE-2025-61643) Public Watchlist/RecentChanges pages may disclose hidden usernames when an individual editor makes consecutive revisions on a single page, and only some are marked as hidden username. (CVE-2025-61646) TextExtracts extension: Information disclosure vulnerability in the extracts API action endpoint due to missing read permission check. (CVE-2025-61653) VisualEditor extension: Stored i18n Cross-site scripting (XSS) vulnerability in `lastModifiedAt` system messages. (CVE-2025-61655) VisualEditor extension: Missing attribute validation for attributes unwrapped from `data-ve-attributes`. (CVE-2025-61656) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-3469 , CVE-2025-32696 , CVE-2025-32697 , CVE-2025-32698 , CVE-2025-32699 , CVE-2025-32700 , CVE-2025-32072 , CVE-2025-11173 , CVE-2025-11261 , CVE-2025-61635 , CVE-2025-61638 , CVE-2025-61639 , CVE-2025-61640 , CVE-2025-61641 , CVE-2025-61643 , CVE-2025-61646 , CVE-2025-61653 Description i18n XSS vulnerability in HTMLMultiSelectField when sections are used. (CVE-2025-3469) "reupload-own" restriction can be bypassed by reverting file. (CVE-2025-32696) Cascading protection is not preventing file reversions. (CVE-2025-32697) LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions. (CVE-2025-32698) Potential javascript injection attack enabled by Unicode normalization in Action API. (CVE-2025-32699) AbuseFilter log interfaces expose global private and hidden filters when central DB is not available. (CVE-2025-32700) HTML injection in feed output from i18n message. (CVE-2025-32072) OATHAuth extension: Reauthentication for enabling 2FA can be bypassed by submitting a form in Special:OATHManage. (CVE-2025-11173) Stored i18n Cross-site scripting (XSS) vulnerability in mw.language.listToText. (CVE-2025-11261) ConfirmEdit extension: Missing rate limiting in ApiFancyCaptchaReload. (CVE-2025-61635) Parsoid: Validation bypass for `data-` attributes. (CVE-2025-61638) Log entries which are hidden from the creation of the entry may be disclosed to the public recent change entry. (CVE-2025-61639) Stored i18n Cross-site scripting (XSS) vulnerability in Special:RecentChangesLinked. (CVE-2025-61640) DDoS vulnerability in QueryAllPages API in miser mode. The `maxsize` value is now ignored in that mode. (CVE-2025-61641) Suppressed recent changes may be disclosed to the public RCFeeds. (CVE-2025-61643) Public Watchlist/RecentChanges pages may disclose hidden usernames when an individual editor makes consecutive revisions on a single page, and only some are marked as hidden username. (CVE-2025-61646) TextExtracts extension: Information disclosure vulnerability in the extracts API action endpoint due to missing read permission check. (CVE-2025-61653) VisualEditor extension: Stored i18n Cross-site scripting (XSS) vulnerability in `lastModifiedAt` system messages. (CVE-2025-61655) VisualEditor extension: Missing attribute validation for attributes unwrapped from `data-ve-attributes`. (CVE-2025-61656) References
- https://bugs.mageia.org/show_bug.cgi?id=34211
- https://lists.debian.org/debian-security-announce/2025/msg00063.html
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/
- https://lists.debian.org/debian-security-announce/2025/msg00121.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00034.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3469
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32696
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32697
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32698
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32699
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32700
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32072
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11173
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11261
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61635
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61638
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61639
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61640
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61641
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61643
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61646
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61653
- mediawiki-1.35.14-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0259 - Updated net-tools packages fix security vulnerability
Publication date: 05 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-46836 Description net-tools Stack-based Buffer Overflow vulnerability. (CVE-2025-46836) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-46836 Description net-tools Stack-based Buffer Overflow vulnerability. (CVE-2025-46836) References
- https://bugs.mageia.org/show_bug.cgi?id=34295
- https://lists.debian.org/debian-security-announce/2025/msg00086.html
- https://ubuntu.com/security/notices/USN-7537-1
- https://ubuntu.com/security/notices/USN-7537-2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46836
- net-tools-2.10-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0258 - Updated microcode packages fix security vulnerability
Publication date: 05 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-36347 Description AMD CPU Microcode Signature Verification Vulnerability. (CVE-2024-36347) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-36347 Description AMD CPU Microcode Signature Verification Vulnerability. (CVE-2024-36347) References
- https://bugs.mageia.org/show_bug.cgi?id=34706
- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36347
- microcode-0.20250812-3.mga9.nonfree
Categorías: Actualizaciones de Seguridad
MGASA-2025-0257 - Updated libavif packages fix security vulnerabilities
Publication date: 04 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48174 , CVE-2025-48175 Description In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. (CVE-2025-48174) In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes. (CVE-2025-48175) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-48174 , CVE-2025-48175 Description In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. (CVE-2025-48174) In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes. (CVE-2025-48175) References
- https://bugs.mageia.org/show_bug.cgi?id=34336
- https://lists.debian.org/debian-security-announce/2025/msg00094.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48174
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48175
- libavif-0.11.1-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0256 - Updated golang packages fix security vulnerabilities
Publication date: 04 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47912 , CVE-2025-58183 , CVE-2025-58185 , CVE-2025-58186 , CVE-2025-58187 , CVE-2025-58188 , CVE-2025-58189 , CVE-2025-61723 , CVE-2025-61724 , CVE-2025-61725 Description Insufficient validation of bracketed IPv6 hostnames in net/url. (CVE-2025-47912) Unbounded allocation when parsing GNU sparse map in archive/tar. (CVE-2025-58183) Parsing DER payload can cause memory exhaustion in encoding/asn1. (CVE-2025-58185) Lack of limit when parsing cookies can cause memory exhaustion in net/http. (CVE-2025-58186) Quadratic complexity when checking name constraints in crypto/x509. (CVE-2025-58187) Panic when validating certificates with DSA public keys in crypto/x509. (CVE-2025-58188) ALPN negotiation error contains attacker controlled information in crypto/tls. (CVE-2025-58189) Quadratic complexity when parsing some invalid inputs in encoding/pem. (CVE-2025-61723) Excessive CPU consumption in Reader.ReadResponse in net/textproto. (CVE-2025-61724) Excessive CPU consumption in ParseAddress in net/mail. (CVE-2025-61725) These packages fix the issues for the compiler only; applications using the functions still need to be rebuilt. References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-47912 , CVE-2025-58183 , CVE-2025-58185 , CVE-2025-58186 , CVE-2025-58187 , CVE-2025-58188 , CVE-2025-58189 , CVE-2025-61723 , CVE-2025-61724 , CVE-2025-61725 Description Insufficient validation of bracketed IPv6 hostnames in net/url. (CVE-2025-47912) Unbounded allocation when parsing GNU sparse map in archive/tar. (CVE-2025-58183) Parsing DER payload can cause memory exhaustion in encoding/asn1. (CVE-2025-58185) Lack of limit when parsing cookies can cause memory exhaustion in net/http. (CVE-2025-58186) Quadratic complexity when checking name constraints in crypto/x509. (CVE-2025-58187) Panic when validating certificates with DSA public keys in crypto/x509. (CVE-2025-58188) ALPN negotiation error contains attacker controlled information in crypto/tls. (CVE-2025-58189) Quadratic complexity when parsing some invalid inputs in encoding/pem. (CVE-2025-61723) Excessive CPU consumption in Reader.ReadResponse in net/textproto. (CVE-2025-61724) Excessive CPU consumption in ParseAddress in net/mail. (CVE-2025-61725) These packages fix the issues for the compiler only; applications using the functions still need to be rebuilt. References
- https://bugs.mageia.org/show_bug.cgi?id=34651
- https://www.openwall.com/lists/oss-security/2025/10/08/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47912
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58183
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58185
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58186
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58187
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58188
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58189
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61723
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61724
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61725
- golang-1.24.9-1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0255 - Updated sope packages fix security vulnerability
Publication date: 31 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-53603 Description It was discovered that sope, the set of Objective-C frameworks powering SOGo, contains a DoS bug which could cause a crash (CVE-2025-53603). References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-53603 Description It was discovered that sope, the set of Objective-C frameworks powering SOGo, contains a DoS bug which could cause a crash (CVE-2025-53603). References
- https://bugs.mageia.org/show_bug.cgi?id=34416
- https://www.openwall.com/lists/oss-security/2025/07/02/3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53603
- sope-5.6.0-2.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0254 - Updated bind packages fix security vulnerabilities
Publication date: 31 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8677 , CVE-2025-40778 , CVE-2025-40780 Description Resource exhaustion via malformed DNSKEY handling (CVE-2025-8677). Cache poisoning attacks with unsolicited RRs (CVE-2025-40778). Cache poisoning due to weak PRNG (CVE-2025-40780). References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8677 , CVE-2025-40778 , CVE-2025-40780 Description Resource exhaustion via malformed DNSKEY handling (CVE-2025-8677). Cache poisoning attacks with unsolicited RRs (CVE-2025-40778). Cache poisoning due to weak PRNG (CVE-2025-40780). References
- https://bugs.mageia.org/show_bug.cgi?id=34696
- https://www.openwall.com/lists/oss-security/2025/10/22/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8677
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40778
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40780
- bind-9.18.39-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0253 - Updated transfig packages fix security vulnerabilities
Publication date: 31 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-46397 , CVE-2025-46398 , CVE-2025-46399 , CVE-2025-46400 Description fig2dev stack-overflow. (CVE-2025-46397) fig2dev stack-overflow via read_objects. (CVE-2025-46398) fig2dev segmentation fault vulnerability. (CVE-2025-46399) fig2dev segmentation fault in read_arcobject. (CVE-2025-46400) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-46397 , CVE-2025-46398 , CVE-2025-46399 , CVE-2025-46400 Description fig2dev stack-overflow. (CVE-2025-46397) fig2dev stack-overflow via read_objects. (CVE-2025-46398) fig2dev segmentation fault vulnerability. (CVE-2025-46399) fig2dev segmentation fault in read_arcobject. (CVE-2025-46400) References
- https://bugs.mageia.org/show_bug.cgi?id=34309
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZDNSWLCQENGSN2O2GVDL64VL52AR7HAU/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46397
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46398
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46399
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46400
- transfig-3.2.9a-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0252 - Updated libtiff packages fix security vulnerabilities
Publication date: 31 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-13978 , CVE-2025-8176 , CVE-2025-8177 , CVE-2025-8534 , CVE-2025-8961 , CVE-2025-9165 , CVE-2025-9900 Description LibTIFF fax2ps tiff2pdf.c t2p_read_tiff_init null pointer dereference. (CVE-2024-13978) LibTIFF tiffmedian.c get_histogram use after free. (CVE-2025-8176) LibTIFF thumbnail.c setrow buffer overflow. (CVE-2025-8177) libtiff tiff2ps tiff2ps.c PS_Lvl2page null pointer dereference. (CVE-2025-8534) LibTIFF tiffcrop tiffcrop.c main memory corruption. (CVE-2025-8961) LibTIFF tiffcmp tiffcmp.c InitCCITTFax3 memory leak. (CVE-2025-9165) Libtiff: libtiff write-what-where. (CVE-2025-9900) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-13978 , CVE-2025-8176 , CVE-2025-8177 , CVE-2025-8534 , CVE-2025-8961 , CVE-2025-9165 , CVE-2025-9900 Description LibTIFF fax2ps tiff2pdf.c t2p_read_tiff_init null pointer dereference. (CVE-2024-13978) LibTIFF tiffmedian.c get_histogram use after free. (CVE-2025-8176) LibTIFF thumbnail.c setrow buffer overflow. (CVE-2025-8177) libtiff tiff2ps tiff2ps.c PS_Lvl2page null pointer dereference. (CVE-2025-8534) LibTIFF tiffcrop tiffcrop.c main memory corruption. (CVE-2025-8961) LibTIFF tiffcmp tiffcmp.c InitCCITTFax3 memory leak. (CVE-2025-9165) Libtiff: libtiff write-what-where. (CVE-2025-9900) References
- https://bugs.mageia.org/show_bug.cgi?id=34704
- https://lists.debian.org/debian-security-announce/2025/msg00189.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13978
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8176
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8177
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8534
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9165
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9900
- libtiff-4.5.1-1.6.mga9
Categorías: Actualizaciones de Seguridad
