Security Updates

MGASA-2025-0232 - Updated curl packages fix security vulnerability

Mageia Security - 11 September, 2025 - 18:02
Publication date: 11 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-9086
Description: curl is susceptible to an out-of-bounds read in the cookie handler that could either cause a crash or potentially allow a clear-text site to override the contents of a secure cookie. This release also fixes a rare memory leak in HTTP trailers.
References
SRPMS 9/core
  • curl-7.88.1-4.8.mga9

MGAA-2025-0082 - Updated nvidia-current packages fix bugs

Mageia Security - 9 September, 2025 - 22:10
Publication date: 09 Sep 2025
Type: bugfix
Affected Mageia releases: 9
Description: Fixed a regression introduced in 580.65.06 that could cause Vulkan applications to hang on Wayland. Added support for NVIDIA Smooth Motion on GeForce RTX 40 Series GPUs. Fixed a bug that caused /sys/class/drm/.../enabled to always report "disabled" for NVIDIA GPU connectors.
References
SRPMS 9/nonfree
  • nvidia-current-580.82.07-1.mga9.nonfree

MGASA-2025-0231 - Updated udisks2 packages fix a security vulnerability

Mageia Security - 8 September, 2025 - 20:35
Publication date: 08 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-8067
Description: Out-of-bounds read in udisks daemon. (CVE-2025-8067)
References
SRPMS 9/core
  • udisks2-2.10.1-1.2.mga9

MGASA-2025-0230 - Updated postgresql15 & postgresql13 packages fix security vulnerabilities

Mageia Security - 8 September, 2025 - 20:35
Publication date: 08 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-8713, CVE-2025-8714, CVE-2025-8715
Description:
PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table. (CVE-2025-8713)
PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client. (CVE-2025-8714)
PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server. (CVE-2025-8715)
References
SRPMS 9/core
  • postgresql15-15.14-1.mga9
  • postgresql13-13.22-1.mga9

MGASA-2025-0229 - Updated python-django packages fix security vulnerability

Mageia Security - 8 September, 2025 - 20:35
Publication date: 08 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-57833
Description: Potential SQL injection in FilteredRelation column aliases. (CVE-2025-57833)
References
SRPMS 9/core
  • python-django-4.1.13-1.6.mga9

MGAA-2025-0081 - Updated haproxy packages fix some bugs

Mageia Security - 8 September, 2025 - 20:35
Publication date: 08 Sep 2025
Type: bugfix
Affected Mageia releases: 9
Description: HAProxy has a few medium and a few minor bugs fixed in the latest upstream version, 2.8.15, of the 2.8 branch.
Fixed medium bug list:
- backend: do not overwrite srv dst address on reuse (2)
- backend: fix reuse with set-dst/set-dst-port
- clock: make sure now_ms cannot be TICK_ETERNITY
- debug: close a possible race between thread dump and panic()
- fd: mark FD transferred to another process as FD_CLONED
- filters: Handle filters registered on data with no payload callback
- h3: trim whitespaces in header value prior to QPACK encoding
- h3: trim whitespaces when parsing headers value
- hlua/cli: fix cli applet UAF in hlua_applet_wakeup()
- hlua: fix hlua_applet_{http,tcp}_fct() yield regression (lost data)
- http-ana: Report 502 from req analyzer only during rsp forwarding
- htx: wrong count computation in htx_xfer_blks()
- mux-quic: do not attach on already closed stream
- mux-quic: fix crash on RS/SS emission if already close local
- peers: prevent learning expiration too far in futur from unsync node
- sample: fix risk of overflow when replacing multiple regex back-refs
- spoe: Don't wakeup idle applets in loop during stopping
- ssl: chosing correct certificate using RSA-PSS with TLSv1.3
- startup: return to initial cwd only after check_config_validity()
- thread: use pthread_self() not ha_pthread[tid] in set_affinity
References
SRPMS 9/core
  • haproxy-2.8.15-1.mga9

MGASA-2025-0228 - Updated thunderbird packages fix vulnerabilities

Mageia Security - 5 September, 2025 - 19:30
Publication date: 05 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430, CVE-2025-8027, CVE-2025-8028, CVE-2025-8029, CVE-2025-8030, CVE-2025-8031, CVE-2025-8032, CVE-2025-8033, CVE-2025-8034, CVE-2025-8035, CVE-2025-9179, CVE-2025-9180, CVE-2025-9181, CVE-2025-9185
Description:
Use-after-free in FontFaceSet. (CVE-2025-6424)
The WebCompat WebExtension shipped exposed a persistent UUID. (CVE-2025-6425)
Incorrect parsing of URLs could have allowed embedding of youtube.com. (CVE-2025-6429)
Content-Disposition header ignored when a file is included in an embed or object tag. (CVE-2025-6430)
JavaScript engine only wrote partial return value to stack. (CVE-2025-8027)
Large branch table could lead to truncated instruction. (CVE-2025-8028)
Javascript: URLs executed on object and embed tags. (CVE-2025-8029)
Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-8030)
Incorrect URL stripping in CSP reports. (CVE-2025-8031)
XSLT documents could bypass CSP. (CVE-2025-8032)
Incorrect JavaScript state machine for generators. (CVE-2025-8033)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8034)
Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8035)
Sandbox escape due to invalid pointer in the Audio/Video: GMP component. (CVE-2025-9179)
Same-origin policy bypass in the Graphics: Canvas2D component. (CVE-2025-9180)
Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181)
Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. (CVE-2025-9185)
For the armv7hl architecture this package fixes additional vulnerabilities; see the links below:
https://advisories.mageia.org/MGASA-2025-0197.html
https://advisories.mageia.org/MGASA-2025-0168.html
https://advisories.mageia.org/MGASA-2025-0151.html
https://advisories.mageia.org/MGASA-2025-0126.html
https://advisories.mageia.org/MGASA-2025-0093.html
https://advisories.mageia.org/MGASA-2025-0048.html
https://advisories.mageia.org/MGASA-2025-0010.html
https://advisories.mageia.org/MGASA-2024-0395.html
https://advisories.mageia.org/MGASA-2024-0384.html
https://advisories.mageia.org/MGASA-2024-0365.html
https://advisories.mageia.org/MGASA-2024-0350.html
https://advisories.mageia.org/MGASA-2024-0336.html
https://advisories.mageia.org/MGASA-2024-0332.html
References
SRPMS 9/core
  • thunderbird-128.14.0-1.mga9
  • thunderbird-l10n-128.14.0-1.mga9

MGASA-2025-0227 - Updated rootcerts, nspr, nss & firefox packages fix vulnerabilities

Mageia Security - 5 September, 2025 - 19:30
Publication date: 05 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-8027, CVE-2025-8028, CVE-2025-8029, CVE-2025-8030, CVE-2025-8031, CVE-2025-8032, CVE-2025-8033, CVE-2025-8034, CVE-2025-8035, CVE-2025-9179, CVE-2025-9180, CVE-2025-9181, CVE-2025-9185
Description:
JavaScript engine only wrote partial return value to stack. (CVE-2025-8027)
Large branch table could lead to truncated instruction. (CVE-2025-8028)
Javascript: URLs executed on object and embed tags. (CVE-2025-8029)
Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-8030)
Incorrect URL stripping in CSP reports. (CVE-2025-8031)
XSLT documents could bypass CSP. (CVE-2025-8032)
Incorrect JavaScript state machine for generators. (CVE-2025-8033)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8034)
Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8035)
Sandbox escape due to invalid pointer in the Audio/Video: GMP component. (CVE-2025-9179)
Same-origin policy bypass in the Graphics: Canvas2D component. (CVE-2025-9180)
Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181)
Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. (CVE-2025-9185)
References
SRPMS 9/core
  • firefox-128.14.0-1.4.mga9
  • firefox-l10n-128.14.0-1.mga9
  • nss-3.115.1-1.mga9
  • nspr-4.37-1.mga9
  • rootcerts-20250808.00-1.mga9

MGASA-2025-0226 - Updated vim packages fix vulnerabilities

Mageia Security - 2 September, 2025 - 16:16
Publication date: 02 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-53905, CVE-2025-53906
Description:
Path traversal issue with tar.vim and specially crafted tar archives in Vim < 9.1.1552. (CVE-2025-53905)
Path traversal issue with zip.vim and specially crafted zip archives in Vim < v9.1.1551. (CVE-2025-53906)
References
SRPMS 9/core
  • vim-9.1.1552-1.mga9

MGASA-2025-0225 - Updated gnutls packages fix vulnerabilities

Mageia Security - 2 September, 2025 - 16:16
Publication date: 02 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6395, CVE-2025-32988, CVE-2025-32989, CVE-2025-32990
Description:
Null pointer dereference in _gnutls_figure_common_ciphersuite(). (CVE-2025-6395)
Vulnerability in gnutls othername SAN export. (CVE-2025-32988)
Vulnerability in gnutls SCT extension parsing. (CVE-2025-32989)
Vulnerability in gnutls certtool template parsing. (CVE-2025-32990)
References
SRPMS 9/core
  • gnutls-3.8.4-1.2.mga9

MGASA-2025-0224 - Updated aide packages fix vulnerabilities

Mageia Security - 2 September, 2025 - 16:16
Publication date: 02 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-54389, CVE-2025-54409
Description:
Improper output neutralization (potential AIDE detection bypass). (CVE-2025-54389)
Null pointer dereference after reading incorrectly encoded xattr attributes from database (local DoS). (CVE-2025-54409)
References
SRPMS 9/core
  • aide-0.18.6-1.1.mga9

MGAA-2025-0080 - Updated slurm packages fix bug

Mageia Security - 2 September, 2025 - 16:16
Publication date: 02 Sep 2025
Type: bugfix
Affected Mageia releases: 9
Description: This update fixes a packaging issue that allowed conflicting libraries to be installed.
References
SRPMS 9/core
  • slurm-23.11.11-1.2.mga9

MGASA-2025-0222 - Updated ceph packages fix vulnerability

Mageia Security - 1 September, 2025 - 19:20
Publication date: 01 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-52555
Description: Security regression (CVE-2025-52555) that would have allowed a user to read, write and execute to any directory owned by root as long as they chmod 777 it.
References
SRPMS 9/core
  • ceph-18.2.7-2.mga9

MGASA-2025-0221 - Updated golang packages fix vulnerabilities

Mageia Security - 1 September, 2025 - 19:20
Publication date: 01 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-47906, CVE-2025-47907
Description:
LookPath may return unexpected paths. (CVE-2025-47906)
Incorrect results returned from Rows.Scan. (CVE-2025-47907)
These packages fix the issues for the compiler only; applications using the functions still need to be rebuilt.
References
SRPMS 9/core
  • golang-1.24.6-1.mga9

MGASA-2025-0220 - Updated glibc packages fix vulnerability

Mageia Security - 1 September, 2025 - 19:20
Publication date: 01 Sep 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-8058
Description: Double-free after allocation failure in regcomp. (CVE-2025-8058)
References
SRPMS 9/core
  • glibc-2.36-57.mga9

MGAA-2025-0079 - Updated rocksdb packages fix bug

Mageia Security - 1 September, 2025 - 19:20
Publication date: 01 Sep 2025
Type: bugfix
Affected Mageia releases: 9
Description: This update adds support for LZ4 and other compression formats.
References
SRPMS 9/core
  • rocksdb-7.7.8-1.2.mga9

MGAA-2025-0078 - Updated nvidia-current packages fix bug

Mageia Security - 29 August, 2025 - 07:01
Publication date: 29 Aug 2025
Type: bugfix
Affected Mageia releases: 9
Description: Fixed a bug that could cause Vulkan applications to hang when destroying swapchains after a lost device event. Fixed a bug that could allow atomic commit and other DRM operations to return success status despite having failed due to handling an interrupt. Fixed a bug that could cause GTK 4 applications to crash when using the Vulkan backend on Wayland. Fixed a bug that could intermittently cause llama.cpp to crash on exit when using the Vulkan backend. Other bugs are also fixed; see the references.
References
SRPMS 9/nonfree
  • nvidia-current-580.76.05-2.mga9.nonfree

MGAA-2025-0077 - Updated nvidia-current packages fix bug

Mageia Security - 18 August, 2025 - 19:22
Publication date: 18 Aug 2025
Type: bugfix
Affected Mageia releases: 9
Description: This update brings the latest bug fixes from NVIDIA. Note the additional information they provide.
References
SRPMS 9/nonfree
  • nvidia-current-570.181-1.mga9.nonfree

MGAA-2025-0076 - Updated opencpn-radar-plugin packages fix bug

Mageia Security - 15 August, 2025 - 03:13
Publication date: 15 Aug 2025
Type: bugfix
Affected Mageia releases: 9
Description: Our current version of opencpn-radar-plugin (5.5.0) doesn't work with opencpn itself updated to version 5.10.2. This new version of opencpn-radar-plugin (5.5.4) corrects this problem.
References
SRPMS 9/core
  • opencpn-radar-plugin-5.5.4-3.mga9