MGASA-2026-0127 - Updated php packages fix security vulnerabilities

Mageia Security - 13 May, 2026 - 08:00
Publication date: 13 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258
Description:
  • FPM: Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
  • MBString: Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
  • OpenSSL: Fix compatibility issues with OpenSSL 4.0.
  • PDO_Firebird: Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
  • SOAP:
      - Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
      - Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
      - Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
  • Standard:
      - Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
      - Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)
References
SRPMS
9/core
  • php-8.2.31-1.mga9

MGASA-2026-0126 - Updated openvpn packages fix security vulnerabilities

Mageia Security - 10 May, 2026 - 03:43
Publication date: 10 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-35058, CVE-2026-40215
Description:
  • CVE-2026-35058 - fix server ASSERT() on receiving a suitably malformed packet with a valid tls-crypt-v2 key
  • CVE-2026-40215 - fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances
References
SRPMS
9/core
  • openvpn-2.6.20-1.1.mga9

MGASA-2026-0125 - Updated thunderbird packages fix security vulnerabilities

Mageia Security - 9 May, 2026 - 17:24
Publication date: 09 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-6746, CVE-2026-6747, CVE-2026-6748, CVE-2026-6749, CVE-2026-6750, CVE-2026-6751, CVE-2026-6752, CVE-2026-6753, CVE-2026-6754, CVE-2026-6757, CVE-2026-6759, CVE-2026-6761, CVE-2026-6762, CVE-2026-6763, CVE-2026-6764, CVE-2026-6765, CVE-2026-6769
Description:
  • Use-after-free in the DOM: Core & HTML component. (CVE-2026-6746)
  • Use-after-free in the WebRTC component. (CVE-2026-6747)
  • Uninitialized memory in the Audio/Video: Web Codecs component. (CVE-2026-6748)
  • Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. (CVE-2026-6749)
  • Privilege escalation in the Graphics: WebRender component. (CVE-2026-6750)
  • Uninitialized memory in the Audio/Video: Web Codecs component. (CVE-2026-6751)
  • Incorrect boundary conditions in the WebRTC component. (CVE-2026-6752)
  • Incorrect boundary conditions in the WebRTC component. (CVE-2026-6753)
  • Use-after-free in the JavaScript Engine component. (CVE-2026-6754)
  • Invalid pointer in the JavaScript: WebAssembly component. (CVE-2026-6757)
  • Use-after-free in the Widget: Cocoa component. (CVE-2026-6759)
  • Privilege escalation in the Networking component. (CVE-2026-6761)
  • Spoofing issue in the DOM: Core & HTML component. (CVE-2026-6762)
  • Mitigation bypass in the File Handling component. (CVE-2026-6763)
  • Incorrect boundary conditions in the DOM: Device Interfaces component. (CVE-2026-6764)
  • Information disclosure in the Form Autofill component. (CVE-2026-6765)
  • Privilege escalation in the Debugger component. (CVE-2026-6769)
  • Other issue in the Storage: IndexedDB component. (CVE-2026-6770)
  • Mitigation bypass in the DOM: Security component. (CVE-2026-6771)
  • Incorrect boundary conditions in the WebRTC: Networking component. (CVE-2026-6776)
  • Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150. (CVE-2026-6785)
  • Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150. (CVE-2026-6786)
  • Information disclosure due to incorrect boundary conditions in the Audio/Video component. (CVE-2026-7320)
  • Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. (CVE-2026-7321)
  • Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. (CVE-2026-7322)
  • Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. (CVE-2026-7323)
References
SRPMS
9/core
  • thunderbird-140.10.1-1.mga9
  • thunderbird-l10n-140.10.1-1.mga9

MGASA-2026-0124 - Updated rootcerts, nss & firefox packages fix security vulnerabilities

Mageia Security - 9 May, 2026 - 17:24
Publication date: 09 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-6746, CVE-2026-6747, CVE-2026-6748, CVE-2026-6749, CVE-2026-6750, CVE-2026-6751, CVE-2026-6752, CVE-2026-6753, CVE-2026-6754, CVE-2026-6757, CVE-2026-6759, CVE-2026-6761, CVE-2026-6762, CVE-2026-6763, CVE-2026-6764, CVE-2026-6765, CVE-2026-6766
Description:
  • Use-after-free in the DOM: Core & HTML component. (CVE-2026-6746)
  • Use-after-free in the WebRTC component. (CVE-2026-6747)
  • Uninitialized memory in the Audio/Video: Web Codecs component. (CVE-2026-6748)
  • Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. (CVE-2026-6749)
  • Privilege escalation in the Graphics: WebRender component. (CVE-2026-6750)
  • Uninitialized memory in the Audio/Video: Web Codecs component. (CVE-2026-6751)
  • Incorrect boundary conditions in the WebRTC component. (CVE-2026-6752)
  • Incorrect boundary conditions in the WebRTC component. (CVE-2026-6753)
  • Use-after-free in the JavaScript Engine component. (CVE-2026-6754)
  • Invalid pointer in the JavaScript: WebAssembly component. (CVE-2026-6757)
  • Use-after-free in the Widget: Cocoa component. (CVE-2026-6759)
  • Privilege escalation in the Networking component. (CVE-2026-6761)
  • Spoofing issue in the DOM: Core & HTML component. (CVE-2026-6762)
  • Mitigation bypass in the File Handling component. (CVE-2026-6763)
  • Incorrect boundary conditions in the DOM: Device Interfaces component. (CVE-2026-6764)
  • Information disclosure in the Form Autofill component. (CVE-2026-6765)
  • Incorrect boundary conditions in the Libraries component in NSS. (CVE-2026-6766)
  • Other issue in the Libraries component in NSS. (CVE-2026-6767)
  • Privilege escalation in the Debugger component. (CVE-2026-6769)
  • Other issue in the Storage: IndexedDB component. (CVE-2026-6770)
  • Mitigation bypass in the DOM: Security component. (CVE-2026-6771)
  • Incorrect boundary conditions in the Libraries component in NSS. (CVE-2026-6772)
  • Incorrect boundary conditions in the WebRTC: Networking component. (CVE-2026-6776)
  • Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150. (CVE-2026-6785)
  • Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150. (CVE-2026-6786)
  • Information disclosure due to incorrect boundary conditions in the Audio/Video component. (CVE-2026-7320)
  • Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. (CVE-2026-7321)
  • Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. (CVE-2026-7322)
  • Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1. (CVE-2026-7323)
References
SRPMS
9/core
  • rootcerts-20260412.00-1.mga9
  • nss-3.123.1-1.mga9
  • firefox-140.10.1-1.mga9
  • firefox-l10n-140.10.1-1.mga9

MGASA-2026-0122 - Updated krb5-appl packages fix security vulnerability

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-32746
Description: telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. (CVE-2026-32746)
References
SRPMS
9/core
  • krb5-appl-1.0.3-16.1.mga9

MGASA-2026-0121 - Updated nano packages fix security vulnerabilities

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-6842, CVE-2026-6843
Description:
  • Local attacker can inject malicious .desktop launcher due to insecure directory permissions. (CVE-2026-6842)
  • Format string vulnerability leads to denial of service. (CVE-2026-6843)
References
SRPMS
9/core
  • nano-7.2-1.2.mga9

MGASA-2026-0120 - Updated perl-Starlet packages fix security vulnerability

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-40561
Description: Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence. (CVE-2026-40561)
References
SRPMS
9/core
  • perl-Starlet-0.310.0-4.1.mga9

MGASA-2026-0119 - Updated perl-Starman packages fix security vulnerability

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-40560
Description: Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
References
SRPMS
9/core
  • perl-Starman-0.401.800-1.mga9

MGASA-2026-0118 - Updated ntfs-3g packages fix security vulnerability

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-40706
Description: In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs. (CVE-2026-40706)
References
SRPMS
9/core
  • ntfs-3g-2022.10.3-1.2.mga9

MGASA-2026-0117 - Updated graphicsmagick packages fix security vulnerabilities

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-26284, CVE-2026-33535
Description:
  • ImageMagick has a heap overflow in the pcd decoder that leads to an out of bounds read. (CVE-2026-26284)
  • ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction. (CVE-2026-33535)
References
SRPMS
9/core
  • graphicsmagick-1.3.40-1.5.mga9
9/tainted
  • graphicsmagick-1.3.40-1.5.mga9.tainted

MGASA-2026-0116 - Updated opam packages fix security vulnerability

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-41082
Description: In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. (CVE-2026-41082)
References
SRPMS
9/core
  • opam-2.1.3-1.1.mga9

MGASA-2026-0115 - Updated perl-Net-CIDR-Lite packages fix security vulnerabilities

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-40198, CVE-2026-40199
Description:
  • Net::CIDR::Lite versions before 0.23 for Perl do not validate IPv6 group count, which may allow IP ACL bypass. (CVE-2026-40198)
  • Net::CIDR::Lite versions before 0.23 for Perl mishandle IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. (CVE-2026-40199)
References
SRPMS
9/core
  • perl-Net-CIDR-Lite-0.230.0-1.mga9

MGASA-2026-0114 - Updated libtiff packages fix security vulnerability

Mageia Security - 7 May, 2026 - 06:06
Publication date: 07 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-4775
Description: Arbitrary code execution or denial of service via signed integer overflow in tiff file processing. (CVE-2026-4775)
References
SRPMS
9/core
  • libtiff-4.5.1-1.8.mga9