Actualizaciones de Seguridad

Publication date: 06 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26618 Description SSH SFTP packet size not verified properly in Erlang OTP. (CVE-2025-26618) References

• https://bugs.mageia.org/show_bug.cgi?id=34067
• https://ubuntu.com/security/notices/USN-7313-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26618

SRPMS 9/core

• erlang-24.3.4.15-1.1.mga9

Publication date: 06 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-35368 Description FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c. (CVE-2024-35368) References

• https://bugs.mageia.org/show_bug.cgi?id=34066
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZB33CK26BY2QPYGREWH7HHWHPSLGY4DI/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35368

SRPMS 9/core

• ffmpeg-5.1.6-1.4.mga9

9/tainted

• ffmpeg-5.1.6-1.4.mga9.tainted

Publication date: 03 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26594 , CVE-2025-26595 , CVE-2025-26596 , CVE-2025-26597 , CVE-2025-26598 , CVE-2025-26599 , CVE-2025-26600 , CVE-2025-26601 Description Use-after-free of the root cursor. (CVE-2025-26594) Buffer overflow in XkbVModMaskText(). (CVE-2025-26595) Heap overflow in XkbWriteKeySyms(). (CVE-2025-26596) Buffer overflow in XkbChangeTypesOfKey(). (CVE-2025-26597) Out-of-bounds write in CreatePointerBarrierClient(). (CVE-2025-26598) Use of uninitialized pointer in compRedirectWindow(). (CVE-2025-26599) Use-after-free in PlayReleasedEvents(). (CVE-2025-26600) Use-after-free in SyncInitTrigger(). (CVE-2025-26601) References

• https://bugs.mageia.org/show_bug.cgi?id=34052
• https://www.openwall.com/lists/oss-security/2025/02/25/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26594
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26595
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26596
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26597
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26598
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26599
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26600
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26601

SRPMS 9/core

• x11-server-21.1.8-7.7.mga9
• x11-server-xwayland-22.1.9-1.7.mga9
• tigervnc-1.13.1-2.7.mga9

Publication date: 02 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0518 , CVE-2025-22919 , CVE-2025-22920 , CVE-2025-22921 , CVE-2025-25473 Description A reachable assertion in FFmpeg git-master commit N-113007-g8d24a28d06 allows attackers to cause a Denial of Service (DoS) via opening a crafted AAC file. (CVE-2025-22919) A heap buffer overflow vulnerability in FFmpeg before commit 4bf784c allows attackers to trigger a memory corruption via supplying a crafted media file in avformat when processing tile grid group streams. This can lead to a Denial of Service (DoS). (CVE-2025-22920) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c. (CVE-2025-22921) FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c. (CVE-2025-25473) References

• https://bugs.mageia.org/show_bug.cgi?id=34054
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G5BFJ3U3RQS5BEVWWNUO24FHCSLCALHX/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0518
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22919
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22920
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22921
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25473

SRPMS 9/core

• ffmpeg-5.1.6-1.3.mga9

9/tainted

• ffmpeg-5.1.6-1.3.mga9.tainted

Publication date: 02 Mar 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-57360 , CVE-2025-0840 Description nm >=2.43 is affected by: Incorrect Access Control. The type of exploitation is: local. The component is: `nm --without-symbol-version` function. (CVE-2024-57360) GNU Binutils objdump.c disassemble_bytes stack-based overflow. (CVE-2025-0840) References

• https://bugs.mageia.org/show_bug.cgi?id=34053
• https://ubuntu.com/security/notices/USN-7306-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57360
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0840

SRPMS 9/core

• binutils-2.40-11.1.mga9

Publication date: 28 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description gnome-boxes can't redirect usb ports to guest systems, this is due missing requiriment on spice-gtk. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=33445

SRPMS 9/core

• gnome-boxes-44.2-1.1.mga9

Publication date: 28 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1378 Description A vulnerability, which was classified as problematic, was found in radare2. Affected is an unknown function in the library /libr/main/rasm2.c of the component rasm2. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. References

• https://bugs.mageia.org/show_bug.cgi?id=34044
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6L3CRKPOLSYHPHW4QETC25D65CTE33EO/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1378

SRPMS 9/core

• radare2-5.8.8-1.5.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1390 Description pam_cap: Fix potential configuration parsing error. (CVE-2025-1390) References

• https://bugs.mageia.org/show_bug.cgi?id=34048
• https://ubuntu.com/security/notices/USN-7287-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1390

SRPMS 9/core

• libcap-2.52-5.1.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-57392 Description A buffer overflow vulnerability in Proftpd commit 4017eff8 allows a remote attacker to execute arbitrary code and can cause a denial of service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port. (CVE-2024-57392) References

• https://bugs.mageia.org/show_bug.cgi?id=34042
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E36XSNXDCOSSYTPKEMAEUAZ6QVQJTSFZ/
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/C3HZA5IS6YXHXDULEZHLHWOVCC3IYNGP/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57392

SRPMS 9/core

• proftpd-1.3.8c-1.1.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26465 Description Machine-in-the-middle attack vulnerability if verifyhostkeydns is enabled. (CVE-2025-26465) References

• https://bugs.mageia.org/show_bug.cgi?id=34036
• https://openwall.com/lists/oss-security/2025/02/18/1
• https://openwall.com/lists/oss-security/2025/02/18/4
• https://lists.debian.org/debian-security-announce/2025/msg00030.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STTU3AYQZPT4FUMERJH7RQ3KH3TMQDUI/
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GGMBNUMHNWAKKPCVKBQBXE7C4WSYOBAY/
• https://ubuntu.com/security/notices/USN-7270-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26465

SRPMS 9/core

• openssh-9.3p1-2.4.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-21687 , CVE-2025-21688 , CVE-2025-21689 , CVE-2025-21690 , CVE-2025-21691 , CVE-2025-21692 , CVE-2025-21699 , CVE-2025-21700 , CVE-2025-21701 Description Upstream kernel version 6.6.79 fixes bugs and vulnerabilities. The kmod-virtualbox and kmod-xtables-addons packages have been updated to work with this new kernel. For information about the vulnerabilities see the links. References

• https://bugs.mageia.org/show_bug.cgi?id=34023
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.75
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.76
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.77
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.78
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.79
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21687
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21688
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21689
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21691
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21692
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21699
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21700
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21701

SRPMS 9/core

• kernel-6.6.79-1.mga9
• kmod-virtualbox-7.0.24-67.mga9
• kmod-xtables-addons-3.24-73.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-21687 , CVE-2025-21688 , CVE-2025-21689 , CVE-2025-21690 , CVE-2025-21691 , CVE-2025-21692 , CVE-2025-21699 , CVE-2025-21700 , CVE-2025-21701 Description Vanilla upstream kernel version 6.6.79 fixes bugs and vulnerabilities. For information about the vulnerabilities see the links. References

• https://bugs.mageia.org/show_bug.cgi?id=34024
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.75
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.76
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.77
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.78
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.79
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21687
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21688
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21689
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21691
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21692
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21699
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21700
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21701

SRPMS 9/core

• kernel-linus-6.6.79-1.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0633 Description A heap-based buffer overflow vulnerability in iniparser_dumpsection_ini() in iniparser allows an attacker to read out-of-bounds memory. (CVE-2025-0633) References

• https://bugs.mageia.org/show_bug.cgi?id=34047
• https://ubuntu.com/security/notices/USN-7286-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0633

SRPMS 9/core

• iniparser-4.1-4.1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-25472 , CVE-2025-25474 , CVE-2025-25475 Description A buffer overflow in DCMTK allows attackers to cause a Denial of Service (DoS) via a crafted DCM file (CVE-2025-25472). DCMTK was discovered to contain a buffer overflow via the component /dcmimgle/diinpxt.h (CVE-2025-25474). A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file (CVE-2025-25475). References

• https://bugs.mageia.org/show_bug.cgi?id=34043
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VEIE5K5WMSCBUU2JDXY5E576NA36I3NC/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25472
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25474
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25475

SRPMS 9/core

• dcmtk-3.6.7-4.4.mga9

Publication date: 25 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description These packages have a bogus requirement on python3-sip; trying to install these packages will cause conflicts if you have applications that require python3-sip6. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=34014

SRPMS 9/core

• autohint-onoff-2.0-1.1.mga9
• enki-22.08.0-1.1.mga9
• pyzo-4.12.0-2.1.mga9
• meteo-qt-3.3-2.1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1244 Description A command injection flaw was found which could allow a remote, unauthenticated attacker to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. References

• https://bugs.mageia.org/show_bug.cgi?id=34045
• https://lwn.net/Articles/1011611/
• https://nvd.nist.gov/vuln/detail/CVE-2025-1244
• https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1244

SRPMS 9/core

• emacs-29.4-1.3.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26603 Description A heap use-after-free was found in str_to_reg() in Vim < 9.1.1115. (CVE-2025-26603) References

• https://bugs.mageia.org/show_bug.cgi?id=34035
• https://openwall.com/lists/oss-security/2025/02/16/1
• https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26603

SRPMS 9/core

• vim-9.1.1122-1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-56171 , CVE-2025-24928 , CVE-2025-27113 Description The updated packages fix security vulnerabilities: Use-after-free in xmlSchemaIDCFillNodeTables. (CVE-2024-56171) Stack-buffer-overflow in xmlSnprintfElements. (CVE-2025-24928) Null-deref in xmlPatMatch. (CVE-2025-27113) References

• https://bugs.mageia.org/show_bug.cgi?id=34037
• https://openwall.com/lists/oss-security/2025/02/18/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113

SRPMS 9/core

• libxml2-2.10.4-1.6.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-24528 Description Overflow when calculating ulog block size. (CVE-2025-24528) References

• https://bugs.mageia.org/show_bug.cgi?id=34040
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLIGTCER7WVUGDD5KJI3RHPHU5VI7UCF/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24528

SRPMS 9/core

• krb5-1.20.1-1.4.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-12243 Description Gnutls impacted by inefficient DER decoding in libtasn1 leading to remote DoS. (CVE-2024-12243) References

• https://bugs.mageia.org/show_bug.cgi?id=34041
• https://ubuntu.com/security/notices/USN-7281-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12243

SRPMS 9/core

• gnutls-3.8.4-1.1.mga9