Mageia Security
MGASA-2026-0191 - Updated libxmp packages fix security vulnerabilities
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-45676, CVE-2023-45677, CVE-2023-45679, CVE-2023-45680, CVE-2023-45681, CVE-2023-45682, CVE-2025-47256
Description:
- CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
- CVE-2023-45680: Null pointer dereference in vorbis_deinit()
- CVE-2023-45681: Out of bounds heap buffer write
- CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
- CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
- CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
- CVE-2025-47256: Stack-based buffer overflow in depack_pha in loaders/prowizard/pha.c via a malformed Pha format tracker module in a .mod file.
References:
- https://bugs.mageia.org/show_bug.cgi?id=33915
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CVZWMTH36ES7RCJEMRANBDTL76QBE75Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKMOFYKVMD2LPU7O33SEH2RGSY2ZE73K/
- https://www.cve.org/CVERecord?id=CVE-2023-45676
- https://www.cve.org/CVERecord?id=CVE-2023-45677
- https://www.cve.org/CVERecord?id=CVE-2023-45679
- https://www.cve.org/CVERecord?id=CVE-2023-45680
- https://www.cve.org/CVERecord?id=CVE-2023-45681
- https://www.cve.org/CVERecord?id=CVE-2023-45682
- https://www.cve.org/CVERecord?id=CVE-2025-47256
- libxmp-4.5.0-2.1.mga9
Categories: Security Updates
MGASA-2026-0190 - Updated golang-x-net packages fix security vulnerability
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45338
Description: CVE-2024-45338: An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
References:
- https://bugs.mageia.org/show_bug.cgi?id=34019
- https://github.com/advisories/GHSA-w32m-9786-jp63
- https://www.cve.org/CVERecord?id=CVE-2024-45338
- golang-x-net-0.7.0-2.1.mga9
MGASA-2026-0189 - Updated libssh packages fix security vulnerabilities
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-4877, CVE-2025-4878, CVE-2025-5318, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, CVE-2025-5987
Description:
- CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions
- CVE-2025-4878: Use of uninitialized variable in privatekey_from_file()
- CVE-2025-5318: Likely read beyond bounds in sftp server handle management
- CVE-2025-5351: Double free in functions exporting keys
- CVE-2025-5372: ssh_kdf() returns a success code on certain failures
- CVE-2025-5449: Likely read beyond bounds in sftp server message decoding
- CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend
References:
- https://bugs.mageia.org/show_bug.cgi?id=34405
- https://www.openwall.com/lists/oss-security/2025/06/27/2
- https://www.cve.org/CVERecord?id=CVE-2025-4877
- https://www.cve.org/CVERecord?id=CVE-2025-4878
- https://www.cve.org/CVERecord?id=CVE-2025-5318
- https://www.cve.org/CVERecord?id=CVE-2025-5351
- https://www.cve.org/CVERecord?id=CVE-2025-5372
- https://www.cve.org/CVERecord?id=CVE-2025-5449
- https://www.cve.org/CVERecord?id=CVE-2025-5987
- libssh-0.10.6-1.1.mga9
MGASA-2026-0188 - Updated jq packages fix security vulnerabilities
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-23337, CVE-2025-48060, CVE-2026-32316, CVE-2026-39979, CVE-2026-33948, CVE-2026-33947, CVE-2026-39956, CVE-2026-40164
Description:
- An integer overflow arises when assigning a value using an index of 2147483647, the signed integer limit. This causes a denial of service. (CVE-2024-23337)
- It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-32316)
- It was discovered that jq did not correctly handle recursion in certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-33947)
- It was discovered that jq did not correctly handle improperly terminated strings. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-33948)
- It was discovered that jq did not correctly handle checking certain variable types. An attacker could possibly use this issue to cause a denial of service or leak sensitive information. (CVE-2026-39956)
- It was discovered that jq did not correctly handle certain string formatting. An attacker could possibly use this issue to leak sensitive information or cause a denial of service. (CVE-2026-39979)
- It was discovered that jq used a fixed seed for hash table operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-40164)
- A heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. (CVE-2025-48060)
- Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as `.` followed by `\x00` and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed. (CVE-2026-41256)
- The ordinary module loader recurses without cycle detection when two otherwise valid modules include each other. (CVE-2026-44777)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34443
- https://www.openwall.com/lists/oss-security/2026/04/15/8
- https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f
- https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p
- https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9
- https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg
- https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28
- https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29
- https://github.com/jqlang/jq/security/advisories/GHSA-gf4g-95wj-4q4r
- https://www.cve.org/CVERecord?id=CVE-2024-23337
- https://www.cve.org/CVERecord?id=CVE-2025-48060
- https://www.cve.org/CVERecord?id=CVE-2026-32316
- https://www.cve.org/CVERecord?id=CVE-2026-39979
- https://www.cve.org/CVERecord?id=CVE-2026-33948
- https://www.cve.org/CVERecord?id=CVE-2026-33947
- https://www.cve.org/CVERecord?id=CVE-2026-39956
- https://www.cve.org/CVERecord?id=CVE-2026-40164
- jq-1.6-3.1.mga9
MGASA-2026-0187 - Updated tor packages fix security issues
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-4444, CVE-2026-44597, CVE-2026-44599, CVE-2026-44600, CVE-2026-44601, CVE-2026-44602, CVE-2026-44603
Description: This update provides fixes for many security issues that upstream has fixed since our current version. Please see the links for details.
References:
- https://bugs.mageia.org/show_bug.cgi?id=35486
- https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.25/ReleaseNotes?ref_type=tags#L5
- https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.9.8/ReleaseNotes?ref_type=tags#L5
- https://www.cve.org/CVERecord?id=CVE-2025-4444
- https://www.cve.org/CVERecord?id=CVE-2026-44597
- https://www.cve.org/CVERecord?id=CVE-2026-44599
- https://www.cve.org/CVERecord?id=CVE-2026-44600
- https://www.cve.org/CVERecord?id=CVE-2026-44601
- https://www.cve.org/CVERecord?id=CVE-2026-44602
- https://www.cve.org/CVERecord?id=CVE-2026-44603
- tor-0.4.9.8-1.mga9
MGASA-2026-0186 - Updated libxpm packages fix security vulnerability
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-4367
Description: libXpm: Out-of-bounds read in xpmNextWord(). (CVE-2026-4367)
References:
- https://bugs.mageia.org/show_bug.cgi?id=35415
- https://www.openwall.com/lists/oss-security/2026/04/21/3
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RVKVREGNUTRNFASWOP3IK7BSE3RXDHLZ/
- https://www.cve.org/CVERecord?id=CVE-2026-4367
- libxpm-3.5.15-1.2.mga9
MGASA-2026-0185 - Updated minetest packages fix security vulnerabilities
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-40959, CVE-2026-40960
Description:
- Mod security sandbox escape. (CVE-2026-40959)
- HTTP API and insecure environment access control bypass. (CVE-2026-40960)
References:
- https://bugs.mageia.org/show_bug.cgi?id=35422
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2K6QTVDXSL7E72EYONNHDCY7I7LTD27B/
- https://lists.debian.org/debian-security-announce/2026/msg00127.html
- https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3
- https://github.com/luanti-org/luanti/security/advisories/GHSA-22c4-238c-m5j4
- https://www.cve.org/CVERecord?id=CVE-2026-40959
- https://www.cve.org/CVERecord?id=CVE-2026-40960
- minetest-5.7.0-1.1.mga9
MGASA-2026-0184 - Updated wireshark packages fix security vulnerabilities
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-11596, CVE-2024-9781, CVE-2025-11626, CVE-2025-13499, CVE-2025-13945, CVE-2025-13946, CVE-2025-1492, CVE-2025-5601, CVE-2025-9817, CVE-2026-0960, CVE-2026-5405, CVE-2026-5653, CVE-2026-6529, CVE-2026-6530, CVE-2026-6867, CVE-2026-6868, CVE-2026-6869, CVE-2026-6870, CVE-2026-7376, CVE-2026-7378, CVE-2026-7379
Description: Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer, which could result in denial of service or the execution of arbitrary code. This update fixes the reported issues.
References:
- https://bugs.mageia.org/show_bug.cgi?id=33641
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/TDSVQBWNGPIXNB6DJ7GN3MKZXQIAMQNM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7XDTIEL5AXYD7FSCLZTDTSH5DDELHHLL/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QKS4A6WNLC3Y3QRK3OCQ4MEHDXODKUI6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D55JJLGZUIFAWMHEC7HM4552HI7FDQJE/
- https://lists.debian.org/debian-security-announce/2026/msg00160.html
- https://www.cve.org/CVERecord?id=CVE-2024-11596
- https://www.cve.org/CVERecord?id=CVE-2024-9781
- https://www.cve.org/CVERecord?id=CVE-2025-11626
- https://www.cve.org/CVERecord?id=CVE-2025-13499
- https://www.cve.org/CVERecord?id=CVE-2025-13945
- https://www.cve.org/CVERecord?id=CVE-2025-13946
- https://www.cve.org/CVERecord?id=CVE-2025-1492
- https://www.cve.org/CVERecord?id=CVE-2025-5601
- https://www.cve.org/CVERecord?id=CVE-2025-9817
- https://www.cve.org/CVERecord?id=CVE-2026-0960
- https://www.cve.org/CVERecord?id=CVE-2026-5405
- https://www.cve.org/CVERecord?id=CVE-2026-5653
- https://www.cve.org/CVERecord?id=CVE-2026-6529
- https://www.cve.org/CVERecord?id=CVE-2026-6530
- https://www.cve.org/CVERecord?id=CVE-2026-6867
- https://www.cve.org/CVERecord?id=CVE-2026-6868
- https://www.cve.org/CVERecord?id=CVE-2026-6869
- https://www.cve.org/CVERecord?id=CVE-2026-6870
- https://www.cve.org/CVERecord?id=CVE-2026-7376
- https://www.cve.org/CVERecord?id=CVE-2026-7378
- https://www.cve.org/CVERecord?id=CVE-2026-7379
- wireshark-4.0.17-1.2.mga9
MGASA-2026-0183 - Updated freeciv packages fix security vulnerabilities
Publication date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-33250
Description: CVE-2026-33250: freeciv crashes with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine.
References:
- https://bugs.mageia.org/show_bug.cgi?id=35257
- https://lists.debian.org/debian-security-announce/2026/msg00082.html
- https://www.cve.org/CVERecord?id=CVE-2026-33250
- freeciv-3.0.7-1.2.mga9
MGASA-2026-0182 - Updated ruby-net-ssh packages fix security vulnerabilities
Publication date: 09 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-48795
Description: This update fixes CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack), for ruby-net-ssh.
References:
- https://bugs.mageia.org/show_bug.cgi?id=32682
- https://github.com/net-ssh/net-ssh/blob/v7.3.0/CHANGES.txt
- https://github.com/net-ssh/net-ssh/compare/v7.0.1...v7.3.0
- https://www.openwall.com/lists/oss-security/2023/12/18/3
- https://www.openwall.com/lists/oss-security/2023/12/19/5
- https://www.openwall.com/lists/oss-security/2023/12/20/3
- https://www.cve.org/CVERecord?id=CVE-2023-48795
- ruby-net-ssh-7.3.0-1.mga9
MGASA-2026-0181 - Updated suricata packages fix security vulnerabilities
Publication date: 09 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45797, CVE-2024-47187, CVE-2024-47188, CVE-2024-47522, CVE-2024-45795, CVE-2024-45796, CVE-2024-55605, CVE-2024-55626, CVE-2024-55627, CVE-2024-55628, CVE-2024-55629, CVE-2025-29916, CVE-2025-29917, CVE-2025-29918
Description: Various security, performance, accuracy, and stability issues have been fixed, plus we have moved to a supported version.
References:
- https://bugs.mageia.org/show_bug.cgi?id=33666
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WUPZOFSY4QOLJUU5AJZ7K6EES56A4KEN/
- https://forum.suricata.io/t/suricata-6-is-now-end-of-life-eol/4790
- https://forum.suricata.io/t/suricata-7-0-10-released/5522
- https://forum.suricata.io/t/suricata-7-0-9-released/5495
- https://forum.suricata.io/t/suricata-7-0-8-released/5137
- https://forum.suricata.io/t/suricata-7-0-7-released/4877
- https://www.cve.org/CVERecord?id=CVE-2024-45797
- https://www.cve.org/CVERecord?id=CVE-2024-47187
- https://www.cve.org/CVERecord?id=CVE-2024-47188
- https://www.cve.org/CVERecord?id=CVE-2024-47522
- https://www.cve.org/CVERecord?id=CVE-2024-45795
- https://www.cve.org/CVERecord?id=CVE-2024-45796
- https://www.cve.org/CVERecord?id=CVE-2024-55605
- https://www.cve.org/CVERecord?id=CVE-2024-55626
- https://www.cve.org/CVERecord?id=CVE-2024-55627
- https://www.cve.org/CVERecord?id=CVE-2024-55628
- https://www.cve.org/CVERecord?id=CVE-2024-55629
- https://www.cve.org/CVERecord?id=CVE-2025-29916
- https://www.cve.org/CVERecord?id=CVE-2025-29917
- https://www.cve.org/CVERecord?id=CVE-2025-29918
- suricata-7.0.10-1.mga9
MGASA-2026-0180 - Updated packagekit packages fix security vulnerability
Publication date: 09 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-41651
Description: PackageKit is vulnerable to a TOCTOU race on transaction flags that leads to arbitrary package installation as root. (CVE-2026-41651)
References:
- https://bugs.mageia.org/show_bug.cgi?id=35428
- https://lists.debian.org/debian-security-announce/2026/msg00136.html
- https://www.openwall.com/lists/oss-security/2026/04/22/6
- https://lists.freedesktop.org/archives/packagekit/2026-April/026513.html
- https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
- https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
- https://www.cve.org/CVERecord?id=CVE-2026-41651
- packagekit-1.2.6-2.1.mga9
MGAA-2026-0034 - Updated unbound packages fix security vulnerabilities
Publication date: 09 Jun 2026
Type: bugfix
Affected Mageia releases : 9
CVE: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42944, CVE-2026-42959, CVE-2026-42960, CVE-2026-44390, CVE-2026-44608
Description: Updated unbound packages fix various security vulnerabilities, including one critical issue (CVE-2026-33278) concerning a possible remote code execution during DNSSEC validation.
References:
- https://bugs.mageia.org/show_bug.cgi?id=35561
- https://nlnetlabs.nl/projects/unbound/security-advisories/
- https://www.openwall.com/lists/oss-security/2026/05/20/5
- https://www.cve.org/CVERecord?id=CVE-2026-32792
- https://www.cve.org/CVERecord?id=CVE-2026-33278
- https://www.cve.org/CVERecord?id=CVE-2026-40622
- https://www.cve.org/CVERecord?id=CVE-2026-41292
- https://www.cve.org/CVERecord?id=CVE-2026-42534
- https://www.cve.org/CVERecord?id=CVE-2026-42923
- https://www.cve.org/CVERecord?id=CVE-2026-42944
- https://www.cve.org/CVERecord?id=CVE-2026-42959
- https://www.cve.org/CVERecord?id=CVE-2026-42960
- https://www.cve.org/CVERecord?id=CVE-2026-44390
- https://www.cve.org/CVERecord?id=CVE-2026-44608
- unbound-1.25.1-1.mga9
MGASA-2026-0179 - Updated golang-x-crypto & golang-x-sys-devel packages fix security vulnerability
Publication date: 07 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-48795
Description: This update fixes a protocol weakness in the golang.org/x/crypto/ssh package that allowed a MITM attacker to compromise the integrity of the secure channel before it was established, allowing them to prevent transmission of a number of messages immediately after the secure channel was established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably, this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features.
References:
- https://bugs.mageia.org/show_bug.cgi?id=32674
- https://www.openwall.com/lists/oss-security/2023/12/18/3
- https://www.openwall.com/lists/oss-security/2023/12/19/5
- https://www.openwall.com/lists/oss-security/2023/12/20/3
- https://www.cve.org/CVERecord?id=CVE-2023-48795
- golang-x-crypto-0.45.0-1.mga9
- golang-x-sys-0.30.0-2.mga9
MGASA-2026-0178 - Updated xdg-dbus-proxy packages fix security vulnerability
Publication date: 07 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-34080
Description: A policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases.
References:
- https://bugs.mageia.org/show_bug.cgi?id=35347
- https://www.openwall.com/lists/oss-security/2026/04/10/15
- https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677
- https://www.cve.org/CVERecord?id=CVE-2026-34080
- xdg-dbus-proxy-0.1.7-1.mga9
MGASA-2026-0177 - Updated kernel-linus packages fix security vulnerabilities
Publication date: 06 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-43491, CVE-2026-43492, CVE-2026-43493, CVE-2026-43495, CVE-2026-43496, CVE-2026-43497, CVE-2026-43499, CVE-2026-43501, CVE-2026-43502, CVE-2026-43503, CVE-2026-46300, CVE-2026-46333
Description: Vanilla upstream kernel version 6.6.141 fixes vulnerabilities. For information about the vulnerabilities see the links.
References:
- https://bugs.mageia.org/show_bug.cgi?id=35590
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.139
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.140
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.141
- https://www.cve.org/CVERecord?id=CVE-2026-43491
- https://www.cve.org/CVERecord?id=CVE-2026-43492
- https://www.cve.org/CVERecord?id=CVE-2026-43493
- https://www.cve.org/CVERecord?id=CVE-2026-43495
- https://www.cve.org/CVERecord?id=CVE-2026-43496
- https://www.cve.org/CVERecord?id=CVE-2026-43497
- https://www.cve.org/CVERecord?id=CVE-2026-43499
- https://www.cve.org/CVERecord?id=CVE-2026-43501
- https://www.cve.org/CVERecord?id=CVE-2026-43502
- https://www.cve.org/CVERecord?id=CVE-2026-43503
- https://www.cve.org/CVERecord?id=CVE-2026-46300
- https://www.cve.org/CVERecord?id=CVE-2026-46333
- kernel-linus-6.6.141-1.mga9
MGASA-2026-0176 - Updated perl-DBIx-Class-EncodedColumn and new perl-Crypt-URandom-Token packages fix security vulnerabilities
Publication date: 06 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-27551, CVE-2025-27552
Description: The updated perl-DBIx-Class-EncodedColumn and new perl-Crypt-URandom-Token packages fix security issues:
- DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting password hashes in Digest.pm (CVE-2025-27551)
- DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting password hashes in Crypt/Eksblowfish/Bcrypt.pm (CVE-2025-27552)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34215
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZO6ZQ5X5UGT2U2IHHPDXAJUDE27HTUX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTXKJZJLOFULT3WQ46ITSLDFTLG4YKJ2/
- https://www.cve.org/CVERecord?id=CVE-2025-27551
- https://www.cve.org/CVERecord?id=CVE-2025-27552
- perl-DBIx-Class-EncodedColumn-0.110.0-1.mga9
- perl-Crypt-URandom-Token-0.005-1.mga9
MGASA-2026-0175 - Updated cockpit packages fix security vulnerabilities
Publication date: 05 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-4802, CVE-2026-4631, CVE-2026-4800
Description:
- CVE-2026-4631: Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
- CVE-2026-4800: lodash vulnerable to Code Injection via `_.template` imports key names
- CVE-2026-4802: A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
References:
- https://bugs.mageia.org/show_bug.cgi?id=35563
- https://www.openwall.com/lists/oss-security/2026/05/20/19
- https://github.com/cockpit-project/cockpit/releases/tag/339
- https://github.com/cockpit-project/cockpit/releases/tag/340
- https://github.com/cockpit-project/cockpit/releases/tag/341
- https://github.com/cockpit-project/cockpit/releases/tag/341.1
- https://github.com/cockpit-project/cockpit/releases/tag/342
- https://github.com/cockpit-project/cockpit/releases/tag/343
- https://github.com/cockpit-project/cockpit/releases/tag/344
- https://github.com/cockpit-project/cockpit/releases/tag/345
- https://github.com/cockpit-project/cockpit/releases/tag/346
- https://github.com/cockpit-project/cockpit/releases/tag/347
- https://github.com/cockpit-project/cockpit/releases/tag/348
- https://github.com/cockpit-project/cockpit/releases/tag/349
- https://github.com/cockpit-project/cockpit/releases/tag/350
- https://github.com/cockpit-project/cockpit/releases/tag/351
- https://github.com/cockpit-project/cockpit/releases/tag/352
- https://github.com/cockpit-project/cockpit/releases/tag/353
- https://github.com/cockpit-project/cockpit/releases/tag/353.1
- https://github.com/cockpit-project/cockpit/releases/tag/354
- https://github.com/cockpit-project/cockpit/releases/tag/355
- https://github.com/cockpit-project/cockpit/releases/tag/356
- https://github.com/cockpit-project/cockpit/releases/tag/356.1
- https://github.com/cockpit-project/cockpit/releases/tag/356.2
- https://github.com/advisories/GHSA-rq49-h582-83m7
- https://github.com/advisories/GHSA-r5fr-rjxr-66jc
- https://github.com/advisories/GHSA-3wjm-5g86-c6p3
- https://www.cve.org/CVERecord?id=CVE-2026-4802
- https://www.cve.org/CVERecord?id=CVE-2026-4631
- https://www.cve.org/CVERecord?id=CVE-2026-4800
- cockpit-356.2-1.mga9
Categories: Security Updates
MGASA-2026-0174 - Updated kernel, kmod-virtualbox & kmod-xtables-addons packages fix security vulnerabilities
Publication date: 05 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-43491, CVE-2026-43492, CVE-2026-43493, CVE-2026-43495, CVE-2026-43496, CVE-2026-43497, CVE-2026-43499, CVE-2026-43501, CVE-2026-43502, CVE-2026-43503, CVE-2026-46300, CVE-2026-46333
Description
Upstream kernel version 6.6.141 fixes vulnerabilities. The kmod-virtualbox & kmod-xtables-addons packages have been updated to work with this new kernel.
References
- https://bugs.mageia.org/show_bug.cgi?id=35579
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.139
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.140
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.141
- https://www.cve.org/CVERecord?id=CVE-2026-43491
- https://www.cve.org/CVERecord?id=CVE-2026-43492
- https://www.cve.org/CVERecord?id=CVE-2026-43493
- https://www.cve.org/CVERecord?id=CVE-2026-43495
- https://www.cve.org/CVERecord?id=CVE-2026-43496
- https://www.cve.org/CVERecord?id=CVE-2026-43497
- https://www.cve.org/CVERecord?id=CVE-2026-43499
- https://www.cve.org/CVERecord?id=CVE-2026-43501
- https://www.cve.org/CVERecord?id=CVE-2026-43502
- https://www.cve.org/CVERecord?id=CVE-2026-43503
- https://www.cve.org/CVERecord?id=CVE-2026-46300
- https://www.cve.org/CVERecord?id=CVE-2026-46333
- kernel-6.6.141-1.mga9
- kmod-virtualbox-7.1.18-20.mga9
- kmod-xtables-addons-3.24-92.mga9
Categories: Security Updates
MGASA-2026-0173 - Updated xmlrpc-c packages fix security vulnerabilities
Publication date: 05 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315, CVE-2022-40674, CVE-2022-43680
Description
This update fixes the vulnerabilities by no longer building with the vulnerable bundled libexpat version.
References
- https://bugs.mageia.org/show_bug.cgi?id=31123
- https://www.cve.org/CVERecord?id=CVE-2022-25236
- https://www.cve.org/CVERecord?id=CVE-2022-25313
- https://www.cve.org/CVERecord?id=CVE-2022-25314
- https://www.cve.org/CVERecord?id=CVE-2022-25315
- https://www.cve.org/CVERecord?id=CVE-2022-40674
- https://www.cve.org/CVERecord?id=CVE-2022-43680
- xmlrpc-c-1.51.08-1.1.mga9
Categories: Security Updates




