Feed Reader
MGASA-2025-0247 - Updated thunderbird packages fix security vulnerabilities
Publication date: 23 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-10527, CVE-2025-10528, CVE-2025-10529, CVE-2025-10532, CVE-2025-10533, CVE-2025-10536, CVE-2025-10537, CVE-2025-11708, CVE-2025-11709, CVE-2025-11710, CVE-2025-11711, CVE-2025-11712, CVE-2025-11713, CVE-2025-11714, CVE-2025-11715
Description
- CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()
- CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures
- CVE-2025-11710: Cross-process information leaked due to malicious IPC messages
- CVE-2025-11711: Some non-writable Object properties could be modified
- CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
- CVE-2025-11713: Potential user-assisted code execution in “Copy as cURL” command
- CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
- CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
And other security fixes; please see the links.
References
- https://bugs.mageia.org/show_bug.cgi?id=34638
- https://www.thunderbird.net/en-US/thunderbird/140.4.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-85/
- https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/140.3.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-78/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10527
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10528
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10529
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10532
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10533
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10536
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10537
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11708
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11709
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11710
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11711
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11712
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11713
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11714
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11715
- thunderbird-140.4.0-1.2.mga9
- thunderbird-l10n-140.4.0-1.mga9
Categories: Security Updates
MGASA-2025-0246 - Updated firefox, nss & rootcerts fix security vulnerabilities
Publication date: 23 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-10527, CVE-2025-10528, CVE-2025-10529, CVE-2025-10532, CVE-2025-10533, CVE-2025-10536, CVE-2025-10537, CVE-2025-11708, CVE-2025-11709, CVE-2025-11710, CVE-2025-11711, CVE-2025-11712, CVE-2025-11713, CVE-2025-11714, CVE-2025-11715
Description
- CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()
- CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures
- CVE-2025-11710: Cross-process information leaked due to malicious IPC messages
- CVE-2025-11711: Some non-writable Object properties could be modified
- CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
- CVE-2025-11713: Potential user-assisted code execution in “Copy as cURL” command
- CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
- CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
And other security fixes; please see the links.
References
- https://bugs.mageia.org/show_bug.cgi?id=34637
- https://www.firefox.com/en-US/firefox/140.4.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_117.html
- https://www.firefox.com/en-US/firefox/140.3.1/releasenotes/
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_116.html
- https://www.firefox.com/en-US/firefox/140.3.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-75/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10527
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10528
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10529
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10532
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10533
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10536
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10537
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11708
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11709
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11710
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11711
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11712
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11713
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11714
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11715
- nss-3.117.0-1.mga9
- rootcerts-20251003.00-1.mga9
- firefox-140.4.0-1.2.mga9
- firefox-l10n-140.4.0-1.mga9
Categories: Security Updates
MGASA-2025-0245 - Updated nginx package fixes security vulnerability
Publication date: 22 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-53859
Description
It was discovered that nginx contains a security issue in the ngx_mail_smtp_module which might allow an attacker to cause a buffer over-read, potentially resulting in a sensitive information leak in an HTTP request to the authentication server (CVE-2025-53859).
References
- https://bugs.mageia.org/show_bug.cgi?id=34585
- https://www.openwall.com/lists/oss-security/2025/08/13/5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53859
- nginx-1.26.3-1.1.mga9
Categories: Security Updates
MGASA-2025-0244 - Updated openssl packages fix a security vulnerability
Publication date: 22 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-9230
Description
Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
References
- https://bugs.mageia.org/show_bug.cgi?id=34643
- https://www.openwall.com/lists/oss-security/2025/09/30/5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230
- openssl-3.0.18-1.mga9
Categories: Security Updates
MGASA-2025-0243 - Updated python-django packages fix a security vulnerability
Publication date: 22 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-59681, CVE-2025-59682
Description
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). (CVE-2025-59681)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. (CVE-2025-59682)
References
- https://bugs.mageia.org/show_bug.cgi?id=34645
- https://www.openwall.com/lists/oss-security/2025/10/01/3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
- python-django-4.1.13-1.7.mga9
Categories: Security Updates
MGASA-2025-0242 - Updated haproxy packages fix security vulnerability & bugs
Publication date: 22 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-11230
Description
HAProxy has a critical, a major, a few medium and a few minor bugs fixed in the last upstream version, 2.8.16, of branch 2.8.
Fixed critical bug list:
- mjson: fix possible DoS when parsing numbers
Fixed major bug list:
- listeners: transfer connection accounting when switching listeners
Fixed medium bugs list:
- check: Requeue healthchecks on I/O events to handle check timeout
- check: Set SOCKERR by default when a connection error is reported
- checks: fix ALPN inheritance from server
- dns: Reset reconnect tempo when connection is finally established
- fd: Use the provided tgid in fd_insert() to get tgroup_info
- h1: Allow reception if we have early data
- h1/h2/h3: reject forbidden chars in the Host header field
- h2/h3: reject some forbidden chars in :authority before reassembly
- hlua: Add function to change the body length of an HTTP Message
- hlua: Forbid any L6/L7 sample fetch functions from lua services
- hlua: Report to SC when data were consumed on a lua socket
- hlua: Report to SC when output data are blocked on a lua socket
- http-client: Ask for more room when request data cannot be xferred
- http-client: Don't wake http-client applet if nothing was xferred
- http-client: Drain the request if an early response is received
- http-client: Notify applet has more data to deliver until the EOM
- http-client: Properly inc input data when HTX blocks are xferred
- http-client: Test HTX_FL_EOM flag before committing the HTX buffer
- httpclient: Throw an error if an lua httpclient instance is reused
- mux-h2: Properly handle connection error during preface sending
- server: Duplicate healthcheck's alpn inherited from default server
- ssl: ca-file directory mode must read every certificates of a file
- ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
- ssl: create the mux immediately on early data
- ssl: Fix 0rtt to the server
- ssl: fix build with AWS-LC
- threads: Disable the workaround to load libgcc_s on macOS
References
- https://bugs.mageia.org/show_bug.cgi?id=34673
- https://www.haproxy.org/download/2.8/src/CHANGELOG
- https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11230
- haproxy-2.8.16-1.mga9
Categories: Security Updates
MGASA-2025-0241 - Updated quictls packages with two security issues and bug fixes
Publication date: 20 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-9230, CVE-2025-9232
Description
Two security issues and miscellaneous minor bug fixes.
- Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
- Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
References
- https://bugs.mageia.org/show_bug.cgi?id=34674
- https://openssl-library.org/news/vulnerabilities/#CVE-2025-9230
- https://openssl-library.org/news/vulnerabilities/#CVE-2025-9232
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9232
- quictls-3.0.18-1.mga9
Categories: Security Updates
MGAA-2025-0086 - Updated rust packages fix bug
Publication date: 20 Oct 2025
Type: bugfix
Affected Mageia releases : 9
Description
The current version of rust in mga9 is not new enough to keep building Mozilla's applications. This update fixes the reported issue.
References
SRPMS 9/core
- rust-1.82.0-1.mga9
Categories: Security Updates
MGAA-2025-0085 - Updated phpmyadmin packages fix bug
Publication date: 20 Oct 2025
Type: bugfix
Affected Mageia releases : 9
Description
- Fixed "Delete" button not asking for confirmation when deleting a row.
- Fix error 500 when simulating a SET statement.
- Fixed PHP 8.4 deprecations in thecodingmachine/safe.
References
- https://bugs.mageia.org/show_bug.cgi?id=34680
- https://www.phpmyadmin.net/news/2025/10/8/phpmyadmin-523-is-released/
- phpmyadmin-5.2.3-1.mga9
Categories: Security Updates




