Lector de Feeds

MGASA-2026-0152 - Updated bind packages fix security vulnerabilities

Mageia Security - 19 Mayo, 2026 - 18:01
Publication date: 19 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-13878 , CVE-2026-1519 Description It was discovered that bind contained a vulnerability where a Malformed BRID/HHIT record can cause named to terminate unexpectedly (CVE-2025-13878). If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (CVE-2026-1519). References SRPMS 9/core
  • bind-9.18.47-1.mga9

Mageia 10 RC1

Blog de Mageia-ES - 19 Mayo, 2026 - 08:27

Puedes haber notado que Mageia 10 RC1 fue lanzado hace unos días. Contiene las nuevas ilustraciones de Mageia 10, como el fondo de pantalla que se publicó aquí, pero también salvapantallas realmente bonitos.

Aparte de eso, contiene cientos de nuevos paquetes con correcciones de seguridad y otras que han sido añadidas desde 10beta1. Algunos de ellos están listados abajo:

  • firefox-140.10.1
  • gtk+3.0-3.24.52
  • kernel-6.18.26
  • libreoffice-26.2.3.2
  • mesa-26.0.6
  • nss-3.123.1
  • postgresql18-18.3
  • rootcerts-20260412.00
  • samba-4.23.7
  • systemd-258.7
  • thunderbird-140.10.0
  • urpmi-8.136

Las listas completas de paquetes incluidos se encuentran en los archivos .idx de los medios de instalación clásicos o en los archivos .lst de las imágenes iso en vivo.

Sin embargo, nuestros empaquetadores ya han publicado más correcciones de seguridad y otros errores después de que se crearan las ISO 10RC1. A continuación se mencionan algunas de ellas:

  • kernel-6.18.30-2.mga10
  • firefox-140.10.2-1.mga10
  • gtk4.0-4.20.4-1.mga10
  • glib2.0-2.86.5-1.mga10
  • java-*-openjdk
  • mariadb-12.2.2-2.mga10
  • mutter-49.5-1.mga10
  • python3-3.13.13-7.mga10
  • sddm-0.21.0-17.mga10
  • thunderbird-140.10.2-1.mga10

Por favor, prueba una o más ISOs e informa de cualquier problema en nuestro Bugzilla. Ten en cuenta que estamos siendo machacados por bots de IA, por favor ten paciencia si la conexión a Bugzilla es difícil.

No encontramos problemas impactantes al probar estas ISO antes de que fueran lanzadas, realmente necesitamos que las pruebes para detectar problemas que nos perdimos. Algunos de los problemas menos graves que puede encontrar se enumeran en las Erratas de Mageia 10.

¡Esperamos que disfrutes con esta nueva versión de prueba!

Categorías: Blogs Oficiales

Mageia 10 RC1

Blog de Mageia (English) - 19 Mayo, 2026 - 07:25

You may have noticed that Mageia 10 RC1 was released a few days ago. It contains the new Mageia 10 artwork, like the wallpaper that was published here, but also really nice screensavers.

Apart from that, it contains hundreds of newer packages with security and other fixes that have been added since 10beta1. Some of them are listed below:

  • firefox-140.10.1
  • gtk+3.0-3.24.52
  • kernel-6.18.26
  • libreoffice-26.2.3.2
  • mesa-26.0.6
  • nss-3.123.1
  • postgresql18-18.3
  • rootcerts-20260412.00
  • samba-4.23.7
  • systemd-258.7
  • thunderbird-140.10.0
  • urpmi-8.136

The full lists of included packages can be found in the .idx files for the classical installation media or the .lst files for the live iso images.

However, our packagers have already released more security and other bug fixes after the 10RC1 ISOs were built. Just a few of them are mentioned below:

  • kernel-6.18.30-2.mga10
  • firefox-140.10.2-1.mga10
  • gtk4.0-4.20.4-1.mga10
  • glib2.0-2.86.5-1.mga10
  • java-*-openjdk
  • mariadb-12.2.2-2.mga10
  • mutter-49.5-1.mga10
  • python3-3.13.13-7.mga10
  • sddm-0.21.0-17.mga10
  • thunderbird-140.10.2-1.mga10

Please test one or more ISOs and report any issues in our Bugzilla. Note that we are being hammered by AI bots, please be patient if connecting to Bugzilla is difficult.

We did not find shocking problems while testings these ISOs before they were released, we really need you to test them for issues we missed. Some of the less severe issues you might encounter, are listed in the Mageia 10 Errata.

Happy testing!

Categorías: Blogs Oficiales

MGASA-2026-0151 - Updated postgresql15 packages fix security vulnerabilities

Mageia Security - 19 Mayo, 2026 - 03:46
Publication date: 19 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-6472 , CVE-2026-6473 , CVE-2026-6474 , CVE-2026-6475 , CVE-2026-6476 , CVE-2026-6477 , CVE-2026-6478 , CVE-2026-6479 , CVE-2026-6575 , CVE-2026-6637 , CVE-2026-6638 Description PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege. (CVE-2026-6472) PostgreSQL server undersizes allocations, via integer wraparound. (CVE-2026-6473) PostgreSQL timeofday() can disclose portions of server memory. (CVE-2026-6474) PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice. (CVE-2026-6475) PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory. (CVE-2026-6477) PostgreSQL discloses MD5-hashed passwords via covert timing channel. (CVE-2026-6478) PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion. (CVE-2026-6479) PostgreSQL refint allows stack buffer overflow and SQL injection. (CVE-2026-6637) References SRPMS 9/core
  • postgresql15-15.18-1.mga9

MGASA-2026-0150 - Updated perl-libwww-perl & perl-HTTP-Message packages fix security vulnerabilities

Mageia Security - 19 Mayo, 2026 - 03:46
Publication date: 19 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8368 Description LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects References SRPMS 9/core
  • perl-libwww-perl-6.830.0-1.mga9
  • perl-HTTP-Message-7.10.0-1.mga9

MGASA-2026-0149 - Updated perl-WWW-Mechanize-Cached, perl-File-XDG & perl-Path-Tiny packages fix security vulnerabilities

Mageia Security - 18 Mayo, 2026 - 20:12
Publication date: 18 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8612 Description WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. References SRPMS 9/core
  • perl-WWW-Mechanize-Cached-2.0.0-1.mga9
  • perl-Path-Tiny-0.150.0-1.mga9
  • perl-File-XDG-1.30.0-1.mga9

MGASA-2026-0148 - Updated perl-YAML-Syck package fixes security vulnerability

Mageia Security - 18 Mayo, 2026 - 20:12
Publication date: 18 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-5089 Description YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. References SRPMS 9/core
  • perl-YAML-Syck-1.450.0-1.mga9

MGASA-2026-0147 - Updated rclone packages fix security vulnerabilities

Mageia Security - 18 Mayo, 2026 - 20:12
Publication date: 18 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-41179 , CVE-2026-41176 , CVE-2026-32282 , CVE-2026-32289 , CVE-2026-33810 , CVE-2026-27144 , CVE-2026-27143 , CVE-2026-32288 , CVE-2026-32283 , CVE-2026-27140 , CVE-2026-32280 , CVE-2026-32281 , CVE-2026-33186 , CVE-2026-27137 , CVE-2026-27138 , CVE-2026-25679 , CVE-2026-27142 , CVE-2026-1229 , CVE-2026-27141 , CVE-2025-68121 , CVE-2025-61729 , CVE-2025-58181 , CVE-2025-30204 , CVE-2025-22869 , CVE-2025-22870 , CVE-2024-45337 , CVE-2024-45338 , CVE-2024-52522 , CVE-2023-45288 , CVE-2024-35255 , CVE-2023-48795 Description This update bring new features, bugs and vulnerabilities fixed in rclone and golang components used to build it. References SRPMS 9/core
  • rclone-1.73.5-1.1.mga9

MGASA-2026-0146 - Updated haproxy packages fix security vulnerability

Mageia Security - 17 Mayo, 2026 - 00:54
Publication date: 16 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-33555 Description The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. (CVE-2026-33555) References SRPMS 9/core
  • haproxy-2.8.18-1.1.mga9

MGASA-2026-0145 - Updated firefox & thunderbird packages fix security vulnerabilities

Mageia Security - 16 Mayo, 2026 - 18:45
Publication date: 16 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-62813 , CVE-2026-32776 , CVE-2026-32777 , CVE-2026-32778 , CVE-2026-8090 , CVE-2026-8092 , CVE-2026-8094 Description LZ4 compression library issue. (CVE-2025-62813) libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. (CVE-2026-32776) libexpat before 2.7.5 allows an infinite loop while parsing DTD content. (CVE-2026-32777) libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. (CVE-2026-32778) Use-after-free in the DOM: Networking component. (CVE-2026-8090) Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2, Firefox 150.0.2, Thunderbird ESR 140.10.2 and Thunderbird 150.0.2. (CVE-2026-8092) Another issue in the WebRTC component. (CVE-2026-8094) References SRPMS 9/core
  • firefox-140.10.2-1.mga9
  • firefox-l10n-140.10.2-1.mga9
  • thunderbird-140.10.2-1.mga9
  • thunderbird-l10n-140.10.2-1.mga9

MGASA-2026-0144 - Updated dpkg packages fix security vulnerabilities

Mageia Security - 16 Mayo, 2026 - 07:17
Publication date: 16 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-2219 Description It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU). References SRPMS 9/core
  • dpkg-1.22.22-1.mga9

MGASA-2026-0142 - Updated samba packages fix security vulnerabilities

Mageia Security - 16 Mayo, 2026 - 01:52
Publication date: 16 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2018-14628 , CVE-2025-10230 , CVE-2025-9640 Description An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store. (CVE-2018-14628) Command injection in wins server hook script. (CVE-2025-10230) vfs_streams_xattr uninitialized memory write possible. (CVE-2025-9640) References SRPMS 9/core
  • samba-4.17.12-1.2.mga9

MGASA-2026-0141 - Updated libreoffice packages fix security vulnerability

Mageia Security - 15 Mayo, 2026 - 07:17
Publication date: 15 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-4430 Description Heap Buffer Overflow in AgileEngine. (CVE-2026-4430) References SRPMS 9/core
  • libreoffice-24.2.7.2-1.4.mga9

MGASA-2026-0140 - Updated perl-HTTP-Tiny packages fix security vulnerability

Mageia Security - 15 Mayo, 2026 - 07:17
Publication date: 15 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-7010 Description HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. (CVE-2026-7010) References SRPMS 9/core
  • perl-HTTP-Tiny-0.82.0-1.2.mga9

MGASA-2026-0139 - Updated tomcat packages fix security vulnerability

Mageia Security - 15 Mayo, 2026 - 07:17
Publication date: 15 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-41284 , CVE-2026-41293 , CVE-2026-42498 , CVE-2026-43512 , CVE-2026-43513 , CVE-2026-43514 , CVE-2026-43515 Description Unbounded read in WebDAV LOCK and PROPFIND handling. (CVE-2026-41284) HTTP/2 request headers not validated. (CVE-2026-41293) WebSocket authentication header exposure. (CVE-2026-42498) Digest authenticator will authenticate any unknown user. (CVE-2026-43512) LockOutRealm treats user names as case-sensitive. (CVE-2026-43513) AJP secret compared in non-constant time. (CVE-2026-43514) Security constraints not correctly applied. (CVE-2026-43515) References SRPMS 9/core
  • tomcat-9.0.118-1.mga9

MGASA-2026-0138 - Updated awstats packages fix security vulnerability

Mageia Security - 15 Mayo, 2026 - 07:17
Publication date: 15 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-63261 Description AWStats is vulnerable to Command Injection via the open function. (CVE-2025-63261) References SRPMS 9/core
  • awstats-7.9-1.1.mga9

MGASA-2026-0137 - Updated perl-XML-LibXML packages fix security vulnerability

Mageia Security - 14 Mayo, 2026 - 03:43
Publication date: 14 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8177 Description XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. (CVE-2026-8177) References SRPMS 9/core
  • perl-XML-LibXML-2.20.800-3.1.mga9

MGASA-2026-0136 - Updated perl-Net-CIDR-Lite packages fix security vulnerabilities

Mageia Security - 14 Mayo, 2026 - 03:43
Publication date: 14 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-45190 , CVE-2026-45191 Description Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. (CVE-2026-45190) Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. (CVE-2026-45191) References SRPMS 9/core
  • perl-Net-CIDR-Lite-0.240.0-1.mga9

MGASA-2026-0135 - Updated dnsmasq packages fix security vulnerabilities

Mageia Security - 14 Mayo, 2026 - 03:43
Publication date: 14 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-2291 , CVE-2026-4890 , CVE-2026-4891 , CVE-2026-4892 , CVE-2026-4893 , CVE-2026-5172 Description CVE-2026-2291: dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS. CVE-2026-4890: A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. CVE-2026-4891: A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. CVE-2026-4892: A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. CVE-2026-4893: An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information. CVE-2026-5172: A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end. References SRPMS 9/core
  • dnsmasq-2.92rel2-1.mga9
Feed