Feed Reader

Packaging guidelines

Mageia Wiki - 18 November, 2025 - 23:56

[WIP] Non-maintainer updates: Add some clarification, mention nonmaintainer e-mails

← Older revision Revision as of 22:56, 18 November 2025 Line 37: Line 37:  Mageia has a lot of packages and relatively few packagers. We, as a community, always do what we do to make Mageia a better distribution and if/when we step on somebody's toes, we've done it in good faith because we want to make Mageia the best it can be. Mageia has a lot of packages and relatively few packagers. We, as a community, always do what we do to make Mageia a better distribution and if/when we step on somebody's toes, we've done it in good faith because we want to make Mageia the best it can be.    −This development deserves a set of guidelines or policies and here is a Work In Progress list proposed on @dev.+This development deserves a set of guidelines or policies and here is a Work In Progress list first proposed on @dev.    −* Non-maintainer release bumps are fine, no need to ask maintainer, unless it's a substantial change (most of the time those are rebuilds or small fixes)+* Non-maintainer release bumps (i.e. point releases) are fine, no need to ask maintainer, unless it's a substantial change (most of the time those are rebuilds or small fixes)  * Non-maintainer version bumps should be discussed with the registered maintainer (in maintdb), when: * Non-maintainer version bumps should be discussed with the registered maintainer (in maintdb), when:  ** The package is well-established as being maintained by one person or a group of persons (firefox, KDE stack, kernel, etc.) ** The package is well-established as being maintained by one person or a group of persons (firefox, KDE stack, kernel, etc.) −** The maintainer is active, i.e. has been working on packages, MLs or bugzilla during the last couple of months+** The maintainer is active, i.e. 
has been working on packages, MLs or Bugzilla during the last couple of months −** The version bump is substantial: major/minor bump or soname change, non-trivial spec changes like syncing with another distro that was not the maintainer's documented update workflow+** The version bump is substantial: major/minor bump or soname change (if a library), non-trivial spec changes like syncing with another distro that was not the maintainer's documented update workflow −* For security issues, non-maintainer uploads are fine if the maintainer hasn't commented on the bug report yet and a reasonable amount of time has passed. Of course, use common sense, if it's the kernel or glibc, give the maintainer a chance to review your changes.+** The spec file has a prominent comment explicitly requesting that the maintainer be contacted before making changes  +* For security issues, non-maintainer uploads are fine if the maintainer hasn't commented on the bug report yet and a reasonable amount of time has passed. Of course, use common sense; if it's the kernel or glibc, give the maintainer a chance to review your changes.  * In other cases, use empathy and your best judgement. Sending a two lines email to a maintainer to notify of your wish to update a package doesn't cost much. Many times, you'd even get an answer saying that you can go ahead and thanking you for your work, which is always worth taking IMO :) * In other cases, use empathy and your best judgement. Sending a two lines email to a maintainer to notify of your wish to update a package doesn't cost much. Many times, you'd even get an answer saying that you can go ahead and thanking you for your work, which is always worth taking IMO :)  * When doing non-maintainer uploads, be conservative with your changes. Don't drop patches that you don't understand, ask the maintainer, and use the answer to better document the purpose of said patches. 
Don't sync with a new upstream or another distro without asking (unless that package is identified as synced with a given distro, e.g. rust or firefox). * When doing non-maintainer uploads, be conservative with your changes. Don't drop patches that you don't understand, ask the maintainer, and use the answer to better document the purpose of said patches. Don't sync with a new upstream or another distro without asking (unless that package is identified as synced with a given distro, e.g. rust or firefox).  +* Beginning at the end of 2025, a spec file change submitted by a non-maintainer automatically causes a notification e-mail to be sent to the package's registered maintainer     == Package Naming == == Package Naming == Danf
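
Review bot: In the first changed bullet, the added gloss "(i.e. point releases)" can be read as upstream point releases, which change the package version and would then belong under the version-bump bullet that follows, while the same sentence describes release bumps as mostly "rebuilds or small fixes". Suggest wording the parenthetical in terms of the package's release number, or dropping it. The new bullet on spec files carrying a "prominent comment" would also be easier to follow if it said what such a comment should look like and where in the spec file it goes.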
Categories: Mageia Wiki

MGASA-2025-0302 - Updated postgresql15 & postgresql13 packages fix security vulnerabilities

Mageia Security - 18 November, 2025 - 03:47
Publication date: 18 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-12817, CVE-2025-12818

Description
  • PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege. (CVE-2025-12817)
  • PostgreSQL libpq undersizes allocations, via integer wraparound. (CVE-2025-12818)

SRPMS
9/core
  • postgresql15-15.15-1.mga9
  • postgresql13-13.23-1.mga9

MGASA-2025-0301 - Updated apache packages fix security vulnerabilities

Mageia Security - 18 November, 2025 - 03:47
Publication date: 18 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-49630, CVE-2025-23048, CVE-2025-49812, CVE-2025-53020, CVE-2025-54090

Description
  • HTTP response splitting. (CVE-2024-42516)
  • SSRF with mod_headers setting Content-Type header. (CVE-2024-43204)
  • mod_ssl error log variable escaping. (CVE-2024-47252)
  • mod_proxy_http2 denial of service. (CVE-2025-49630)
  • mod_ssl access control bypass with session resumption. (CVE-2025-23048)
  • mod_ssl TLS upgrade attack. (CVE-2025-49812)
  • HTTP/2 DoS by Memory Increase. (CVE-2025-53020)
  • 'RewriteCond expr' always evaluates to true in 2.4.64. (CVE-2025-54090)

You will find the update delay sometimes causes a failure; just restart the service after the update.

SRPMS
9/core
  • apache-2.4.65-1.mga9

MGASA-2025-0300 - Updated firefox packages fix security vulnerabilities

Mageia Security - 17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-13012, CVE-2025-13013, CVE-2025-13014, CVE-2025-13015, CVE-2025-13016, CVE-2025-13017, CVE-2025-13018, CVE-2025-13019, CVE-2025-13020

Description
  • Race condition in the Graphics component. (CVE-2025-13012)
  • Mitigation bypass in the DOM: Core & HTML component. (CVE-2025-13013)
  • Use-after-free in the Audio/Video component. (CVE-2025-13014)
  • Spoofing issue in Firefox. (CVE-2025-13015)
  • Incorrect boundary conditions in the JavaScript: WebAssembly component. (CVE-2025-13016)
  • Same-origin policy bypass in the DOM: Notifications component. (CVE-2025-13017)
  • Mitigation bypass in the DOM: Security component. (CVE-2025-13018)
  • Same-origin policy bypass in the DOM: Workers component. (CVE-2025-13019)
  • Use-after-free in the WebRTC: Audio/Video component. (CVE-2025-13020)

SRPMS
9/core
  • firefox-140.5.0-1.mga9
  • firefox-l10n-140.5.0-1.mga9

MGAA-2025-0100 - Updated gnome-builder, gnucash, kdeplasma-addons, evolution-data-server, kbibtex, geary packages fix bug

Mageia Security - 17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
We are rebuilding packages requiring icu version 72 with icu version 73 to use an icu version with security fixes. These packages are the last set; after these updates there should not be packages that depend on icu version 72 in your system. If you can't run the following command without uninstalling packages in your system, please report (change lib64 to lib on a 32-bit system):

    LC_ALL=C urpme lib64icu72

SRPMS
9/core
  • gnome-builder-44.2-1.1.mga9
  • gnucash-5.3-1.1.mga9
  • kdeplasma-addons-5.27.10-1.1.mga9
  • evolution-data-server-3.48.3-1.1.mga9
  • kbibtex-0.10.0-3.1.mga9
  • geary-43.0-3.1.mga9

MGAA-2025-0099 - Updated packages using updated icu to fix bug

Mageia Security - 17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
We are rebuilding packages requiring icu version 72 with icu version 73 to use an icu version with security fixes. These packages are the third set.

SRPMS
9/core
  • gspell-1.12.1-1.1.mga9
  • libcdr-0.1.7-5.1.mga9
  • 0ad-0.0.26-3.1.mga9
  • c-icap-modules-classify-20180416-15.1.mga9
  • enchant2-2.3.3-2.1.mga9
  • gnustep-base-1.28.0-2.1.mga9
  • gnustep-gui-0.28.0-10.1.mga9
  • konsole-23.04.3-1.1.mga9
  • qtwebengine5-5.15.10-8.1.mga9
  • qtwebengine6-6.4.1-5.1.mga9
  • performous-1.2.0-6.1.mga9
  • plasma-workspace-5.27.10-1.3.mga9
  • R-base-4.3.3-1.1.mga9
  • scribus-1.5.8-11.1.mga9
  • strawberry-1.0.17-1.1.mga9
  • subtitlecomposer-0.7.1-3.1.mga9
  • mpd-0.23.11-4.1.mga9
9/tainted
  • mpd-0.23.11-4.1.mga9.tainted

MGAA-2025-0098 - Updated python-packaging, python-hatchling & yt-dlp packages fix bug

Mageia Security - 17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
It appears there has been a rollout for the WEB client where YouTube has removed the playback links for adaptiveFormats in the player response. This leaves only the SABR streaming URL for playback (which is what YouTube has been using for a while now).

SRPMS
9/core
  • python-packaging-24.2-1.mga9
  • python-hatchling-1.27.0-1.mga9
  • yt-dlp-2025.11.12-1.mga9

MGAA-2025-0097 - Updated virtualbox & kmod-virtualbox packages fix bug

Mageia Security - 17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
The kvm modules are now preloaded at boot and thus conflict with the vbox modules. This version has a fix that unloads the kvm module (rmmod) before starting VirtualBox VMs.

SRPMS
9/core
  • virtualbox-7.1.14-2.mga9
  • kmod-virtualbox-7.1.14-12.mga9