Lector de Feeds

Publication date: 25 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-28690 , CVE-2026-30883 Description GraphicsMagick has a stack write buffer overflow in MNG encoder. (CVE-2026-28690) GraphicsMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder. (CVE-2026-30883) References

• https://bugs.mageia.org/show_bug.cgi?id=35256
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/UHRHM3VZ5CG6TQ5X4EQBR77LTWVJJQVY/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-30883

SRPMS 9/core

• graphicsmagick-1.3.40-1.4.mga9

9/tainted

• graphicsmagick-1.3.40-1.4.mga9.tainted

Publication date: 24 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-48795 Description CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity aka Terrapin Attack References

• https://bugs.mageia.org/show_bug.cgi?id=32676
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795

SRPMS 9/core

• trilead-ssh2-217-8.jenkins293.1.mga9

Publication date: 24 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-25916 , CVE-2026-26079 Description Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us. Fix bug where a password could get changed without providing the old password, reported by flydragon777. Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team. Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral. Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral. Fix fixed position mitigation bypass via use of !important, reported by nullcathedral. Fix XSS issue in a HTML attachment preview, reported by aikido_security. Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/. References

• https://bugs.mageia.org/show_bug.cgi?id=35237
• https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25916
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26079

SRPMS 9/core

• roundcubemail-1.6.14-1.mga9

Publication date: 24 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-43457 , CVE-2026-20608 , CVE-2026-20635 , CVE-2026-20636 , CVE-2026-20644 , CVE-2026-20652 , CVE-2026-20676 Description CVE-2025-43457 Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. CVE-2026-20608 Processing maliciously crafted web content may lead to an unexpected process crash. This issue was addressed through improved state management. CVE-2026-20635 Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. CVE-2026-20636 Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. CVE-2026-20644 Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. CVE-2026-20652 A remote attacker may be able to cause a denial-of-service. The issue was addressed with improved memory handling. CVE-2026-20676 A website may be able to track users through Safari web extensions. This issue was addressed through improved state management. References

• https://bugs.mageia.org/show_bug.cgi?id=35228
• https://webkitgtk.org/2026/03/12/webkitgtk2.50.6-released.html
• https://webkitgtk.org/security/WSA-2026-0001.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-43457
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20608
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20635
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20636
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20644
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20652
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20676

SRPMS 9/core

• webkit2-2.50.6-1.mga9

Publication date: 24 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2006-10002 , CVE-2006-10003 Description XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size causing a heap corruption (double free or corruption) and crashes. (CVE-2006-10002) XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. (CVE-2006-10003) References

• https://bugs.mageia.org/show_bug.cgi?id=35238
• https://www.openwall.com/lists/oss-security/2026/03/19/1
• https://www.openwall.com/lists/oss-security/2026/03/19/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-10002
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-10003

SRPMS 9/core

• perl-XML-Parser-2.460.0-6.1.mga9

Publication date: 24 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-33412 Description Command injection via newline in glob() affects Vim < 9.2.0202. (CVE-2026-33412) References

• https://bugs.mageia.org/show_bug.cgi?id=35239
• https://www.openwall.com/lists/oss-security/2026/03/19/10
• https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33412

SRPMS 9/core

• vim-9.2.209-1.mga9

Publication date: 24 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description Add kwin-x11 subpackage to smooth upgrades to cauldron (and the future Mageia 10). References

• https://bugs.mageia.org/show_bug.cgi?id=34966

SRPMS 9/core

• kwin-5.27.10-1.4.mga9

Publication date: 20 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-32776 , CVE-2026-32777 , CVE-2026-32778 Description libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. (CVE-2026-32776) libexpat before 2.7.5 allows an infinite loop while parsing DTD content. (CVE-2026-32777) libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition. (CVE-2026-32778) References

• https://bugs.mageia.org/show_bug.cgi?id=35227
• https://www.openwall.com/lists/oss-security/2026/03/17/10
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32776
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32777
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32778

SRPMS 9/core

• expat-2.7.5-1.mga9

Tras haber sido aprobadas por el Consejo, las imágenes ISO de la beta 1 de Mageia 10 ya están disponibles para que el público las pruebe. En total, unos 26 GB de imágenes ISO han llegado a la rama ../mageia/iso/10/ de nuestros servidores de réplica.

Se han añadido muchas correcciones y nuevas actualizaciones desde que llegó la alpha 1 de Mageia 10 en Enero.

Tras la congelación de la versión, estos son los cambios más destacados con respecto a Mageia 9:

• Kernel 6.18 (LTS)
• Plasma 6.5
• Gnome 49
• Xfce 4.20
• LibreOffice 26.2
• Firefox ESR 140.8
• Mesa 26.0.2 – que habilita los controladores más recientes para AMD, Intel y nouveau (también están disponibles los controladores propietarios de nVidia)

El plan sigue siendo tener lista la versión oficial de Mageia 10 en abril de 2026.

Los próximos pasos incluyen:

• Publicar una beta 2 que contenga el material gráfico y la documentación actualizados para mga10.
• Aumentar las pruebas, especialmente para las actualizaciones desde mga9.
• Centrarse en corregir los errores que impiden el lanzamiento.

El conjunto de Mageia 10 Beta1 inlcuye una amplia colección de formatos de instalación:

• Imágenes ISO de instalación clásica para instalaciones tradicionales en sistemas de 32 bits (i686) y 64 bits.
• Imágenes Live Desktop con entornos de escritorio populares como Plasma, Gnome y Xfce.

Las imágenes ISO se pueden encontrar aquí o en el directorio ../mageia/iso/10/ de tu servidor espejo favorito.

¡Disfruta de las pruebas _o/!

This is a slightly edited version of a post written by BAud.

Having been approved by the Council, the Mageia 10 beta1 ISOs are now available for public testing.  All together about 26GB of ISOs have landed in the ../mageia/iso/10/ branch of our mirrors.

A lot of fixes and new updates have been added since Mageia 10 alpha1 arrived back in January.

Following version freeze, here are notable changes from Mageia 9:

• kernel 6.18 (LTS)
• Plasma 6.5
• GNOME 49
• Xfce 4.20
• LibreOffice 26.2
• Firefox ESR 140.8
• Mesa 26.0.2 – enabling latest drivers for AMD, Intel and nouveau (nVidia proprietary drivers are available too)

The plan is still to have the official Mageia 10 release ready in April 2026.

Next steps include:

• Publish a beta 2 containing artwork and documentation updated for mga10
• Increase tests, especially for upgrades from mga9
• Concentrate on fixing release blocker bugs

The Mageia 10 Beta1 set includes a comprehensive collection of installation formats:

• Classical Installation ISOs for traditional installs on 32-bit (i686) and 64-bit systems
• Live Desktop Images featuring popular desktops such as Plasma, GNOME, and Xfce

The ISOs can be found here or in the ../mageia/iso/10/ directory of your favourite mirror.

Enjoy your testing _o/!

Publication date: 19 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-25799 Description Division-by-Zero in YUV sampling factor validation leads to crash. (CVE-2026-25799) References

• https://bugs.mageia.org/show_bug.cgi?id=35199
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/A4HXQ3URGVXBE42UAP5YCPCA63KZZPJ3/
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25799

SRPMS 9/core

• graphicsmagick-1.3.40-1.3.mga9
• imagemagick-7.1.1.29-1.2.mga9

9/tainted

• graphicsmagick-1.3.40-1.3.mga9.tainted
• imagemagick-7.1.1.29-1.2.mga9.tainted

Publication date: 19 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-61984 , CVE-2025-61985 Description ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (CVE-2025-61984) ssh in OpenSSH before 10.1 allows the '0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. (CVE-2025-61985) References

• https://bugs.mageia.org/show_bug.cgi?id=35202
• https://ubuntu.com/security/notices/USN-8090-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61984
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61985

SRPMS 9/core

• openssh-9.3p1-2.6.mga9

Publication date: 19 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-4177 Description YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. (CVE-2026-4177) References

• https://bugs.mageia.org/show_bug.cgi?id=35219
• https://www.openwall.com/lists/oss-security/2026/03/16/6
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4177

SRPMS 9/core

• perl-YAML-Syck-1.340.0-4.1.mga9

Publication date: 19 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix some regressions appeared in 18.2 and 15.16. References

• https://bugs.mageia.org/show_bug.cgi?id=35198
• https://www.postgresql.org/about/news/postgresql-183-179-1613-1517-and-1422-released-3246/

SRPMS 9/core

• postgresql15-15.17-1.mga9

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description OpenCPN has seen lots of improvement since version 5.10.2. This update is necessary for the safety of sailors. References

• https://bugs.mageia.org/show_bug.cgi?id=35208

SRPMS 9/core

• opencpn-5.12.4-3.mga9

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description OpenCPN plugins have seen lots of improvement since the versions already present in Mageia 9. They have been updated for Cauldron but sailors can't wait for Mageia 10 being published since these updates are necessary for their safety as early as this spring time. References

• https://bugs.mageia.org/show_bug.cgi?id=35209

SRPMS 9/core

• opencpn-ais-radar-plugin-1.4.20.0-1.mga9
• opencpn-celestial-navigation-plugin-2.4.66.0-1.mga9
• opencpn-climatology-plugin-1.6.35.0-1.mga9
• opencpn-dashboardsk-plugin-0.3.4-1.mga9
• opencpn-iacfleet-plugin-0.33.0-1.mga9
• opencpn-logbookkonni-plugin-1.5.00.0-2.mga9
• opencpn-nsk-plugin-0.2.4.1-1.mga9
• opencpn-objsearch-plugin-0.28.0-1.mga9
• opencpn-polar-plugin-1.2.37.0-1.mga9
• opencpn-radar-plugin-5.6.0~beta-1.mga9
• opencpn-sar-plugin-4.2.2-1.mga9
• opencpn-squiddio-plugin-1.3.99.0-1.mga9
• opencpn-watchdog-plugin-2.5.2.0-1.mga9
• opencpn-weather-routing-plugin-1.15.45.7-1.mga9

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description OpenCPN plugins have seen lots of improvement since the versions already present in Mageia 9. They have been updated for Cauldron but sailors can't wait for Mageia 10 being published since these updates are necessary for their safety as early as this spring time. These two updates concern plugins containing non free binaries necessary to use encrypted paid nautical charts from countries which don't provide them freely ! References

• https://bugs.mageia.org/show_bug.cgi?id=35210

SRPMS 9/nonfree

• opencpn-s63-plugin-1.30.9.1-1.mga9.nonfree
• opencpn-o-charts-plugin-2.1.9-1.mga9.nonfree

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description This update brings the last commits of this C++ library for MARitime NAVigation purposes. It may be needed to build or use programs for maritime navigation References

• https://bugs.mageia.org/show_bug.cgi?id=35211

SRPMS 9/core

• marnav-0.14.0-8.git20230504.mga9

Publication date: 14 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-0847 Description Path Traversal in nltk/nltk. (CVE-2026-0847) References

• https://bugs.mageia.org/show_bug.cgi?id=35188
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/UERV2PU6W5DFFKA4ORZASCPJ2ZDGYTBX/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847

SRPMS 9/core

• python-nltk-3.9.3-1.mga9

Publication date: 14 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-66614 , CVE-2026-24733 , CVE-2026-24734 Description Client certificate verification bypass due to virtual host mapping. (CVE-2025-66614) Security constraint bypass with HTTP/0.9. (CVE-2026-24733) OCSP revocation bypass. (CVE-2026-24734) References

• https://bugs.mageia.org/show_bug.cgi?id=35192
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G27HXAIMRCGPRM6GBYQX7NUKNQS4RLJ4/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66614
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24733
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24734

SRPMS 9/core

• tomcat-9.0.115-1.mga9