Mageia Security

Feed
Mageia Advisories
Updated: 16 hours 58 minutes ago

MGASA-2025-0308 - Updated konsole packages fix security vulnerability

21 November, 2025 - 20:56
Publication date: 21 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-49091

Description
KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers, such as an ssh://, telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where, if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code. (CVE-2025-49091)

SRPMS
9/core
  • konsole-23.04.3-1.2.mga9

MGASA-2025-0307 - Updated redis packages fix security vulnerabilities

21 November, 2025 - 20:56
Publication date: 21 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819

Description
A Lua script may lead to remote code execution. (CVE-2025-49844)
A Lua script may lead to integer overflow and potential RCE. (CVE-2025-46817)
A Lua script can be executed in the context of another user. (CVE-2025-46818)
Lua out-of-bounds read. (CVE-2025-46819)

SRPMS
9/core
  • redis-7.2.12-1.mga9

MGASA-2025-0306 - Updated ffmpeg packages fix security vulnerabilities

21 November, 2025 - 20:56
Publication date: 21 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-50007, CVE-2023-50008, CVE-2023-6602, CVE-2023-6604, CVE-2023-6605, CVE-2024-31582, CVE-2024-35367, CVE-2025-59728, CVE-2025-59731, CVE-2025-59732, CVE-2025-59733, CVE-2025-7700

Description
FFmpeg v.n6.1-3-g466799d4f5 allows an attacker to trigger use of a parameter of negative size in the av_samples_set_silence function in the libavutil/samplefmt.c:260:9 component. (CVE-2023-50007)
FFmpeg v.n6.1-3-g466799d4f5 allows memory consumption when using the colorcorrect filter, in the av_malloc function in libavutil/mem.c:105:9 component. (CVE-2023-50008)
Improper handling of input format in tty demuxer of ffmpeg. (CVE-2023-6602)
HLS xbin demuxer DoS amplification in ffmpeg. (CVE-2023-6604)
DASH playlist SSRF vulnerability in ffmpeg. (CVE-2023-6605)
FFmpeg version n6.1 was discovered to contain a heap buffer overflow vulnerability in the draw_block_rectangle function of libavfilter/vf_codecview.c. This vulnerability allows attackers to cause undefined behavior or a Denial of Service (DoS) via crafted input. (CVE-2024-31582)
FFmpeg n6.1.1 has an out-of-bounds read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer. (CVE-2024-35367)
Heap-buffer-overflow write in FFmpeg MDASH resolve_content_path. (CVE-2025-59728)
Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress. (CVE-2025-59731, CVE-2025-59732, CVE-2025-59733)
Null pointer dereference in ffmpeg ALS decoder (libavcodec/alsdec.c). (CVE-2025-7700)

SRPMS
9/core
  • ffmpeg-5.1.7-1.mga9
9/tainted
  • ffmpeg-5.1.7-1.mga9.tainted

MGASA-2025-0305 - Updated thunderbird packages fix security vulnerabilities

19 November, 2025 - 03:16
Publication date: 19 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-13012, CVE-2025-13013, CVE-2025-13014, CVE-2025-13015, CVE-2025-13016, CVE-2025-13017, CVE-2025-13018, CVE-2025-13019, CVE-2025-13020

Description
Race condition in the Graphics component. (CVE-2025-13012)
Mitigation bypass in the DOM: Core & HTML component. (CVE-2025-13013)
Use-after-free in the Audio/Video component. (CVE-2025-13014)
Spoofing issue in Firefox. (CVE-2025-13015)
Incorrect boundary conditions in the JavaScript: WebAssembly component. (CVE-2025-13016)
Same-origin policy bypass in the DOM: Notifications component. (CVE-2025-13017)
Mitigation bypass in the DOM: Security component. (CVE-2025-13018)
Same-origin policy bypass in the DOM: Workers component. (CVE-2025-13019)
Use-after-free in the WebRTC: Audio/Video component. (CVE-2025-13020)

SRPMS
9/core
  • thunderbird-140.5.0-1.mga9
  • thunderbird-l10n-140.5.0-1.mga9

MGASA-2025-0304 - Updated cups-filters packages fix security vulnerabilities

19 November, 2025 - 03:16
Publication date: 19 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-57812, CVE-2025-64503

Description
CUPS-Filters has a heap-buffer-overflow write in `cfImageLut()`. (CVE-2025-57812)
cups-filters 1.x: out-of-bounds write in pdftoraster. (CVE-2025-64503)

SRPMS
9/core
  • cups-filters-1.28.16-6.2.mga9

MGASA-2025-0303 - Updated flatpak & bubblewrap packages fix security vulnerability

19 November, 2025 - 03:16
Publication date: 19 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-42472

Description
Flatpak may allow access to files outside the sandbox for certain apps. (CVE-2024-42472)

SRPMS
9/core
  • flatpak-1.14.10-1.mga9
  • bubblewrap-0.7.0-1.1.mga9

MGASA-2025-0302 - Updated postgresql15 & postgresql13 packages fix security vulnerabilities

18 November, 2025 - 03:47
Publication date: 18 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-12817, CVE-2025-12818

Description
PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege. (CVE-2025-12817)
PostgreSQL libpq undersizes allocations, via integer wraparound. (CVE-2025-12818)

SRPMS
9/core
  • postgresql15-15.15-1.mga9
  • postgresql13-13.23-1.mga9

MGASA-2025-0301 - Updated apache packages fix security vulnerabilities

18 November, 2025 - 03:47
Publication date: 18 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-49630, CVE-2025-23048, CVE-2025-49812, CVE-2025-53020, CVE-2025-54090

Description
HTTP response splitting. (CVE-2024-42516)
SSRF with mod_headers setting Content-Type header. (CVE-2024-43204)
mod_ssl error log variable escaping. (CVE-2024-47252)
mod_proxy_http2 denial of service. (CVE-2025-49630)
mod_ssl access control bypass with session resumption. (CVE-2025-23048)
mod_ssl TLS upgrade attack. (CVE-2025-49812)
HTTP/2 DoS by Memory Increase. (CVE-2025-53020)
'RewriteCond expr' always evaluates to true in 2.4.64. (CVE-2025-54090)

You will find the update delay sometimes causes a failure; just restart the service after the update.

SRPMS
9/core
  • apache-2.4.65-1.mga9

MGASA-2025-0300 - Updated firefox packages fix security vulnerabilities

17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-13012, CVE-2025-13013, CVE-2025-13014, CVE-2025-13015, CVE-2025-13016, CVE-2025-13017, CVE-2025-13018, CVE-2025-13019, CVE-2025-13020

Description
Race condition in the Graphics component. (CVE-2025-13012)
Mitigation bypass in the DOM: Core & HTML component. (CVE-2025-13013)
Use-after-free in the Audio/Video component. (CVE-2025-13014)
Spoofing issue in Firefox. (CVE-2025-13015)
Incorrect boundary conditions in the JavaScript: WebAssembly component. (CVE-2025-13016)
Same-origin policy bypass in the DOM: Notifications component. (CVE-2025-13017)
Mitigation bypass in the DOM: Security component. (CVE-2025-13018)
Same-origin policy bypass in the DOM: Workers component. (CVE-2025-13019)
Use-after-free in the WebRTC: Audio/Video component. (CVE-2025-13020)

SRPMS
9/core
  • firefox-140.5.0-1.mga9
  • firefox-l10n-140.5.0-1.mga9

MGAA-2025-0100 - Updated gnome-builder, gnucash, kdeplasma-addons, evolution-data-server, kbibtex, geary packages fix bug

17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
We are rebuilding packages requiring icu version 72 with icu version 73 to use an icu version with security fixes. These packages are the last set; after these updates there should not be packages that depend on icu version 72 in your system. If you find you cannot run `LC_ALL=C urpme lib64icu72` (change lib64 to lib on a 32-bit system) without uninstalling packages in your system, please report it.

SRPMS
9/core
  • gnome-builder-44.2-1.1.mga9
  • gnucash-5.3-1.1.mga9
  • kdeplasma-addons-5.27.10-1.1.mga9
  • evolution-data-server-3.48.3-1.1.mga9
  • kbibtex-0.10.0-3.1.mga9
  • geary-43.0-3.1.mga9

MGAA-2025-0099 - Updated packages using updated icu to fix bug

17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
We are rebuilding packages requiring icu version 72 with icu version 73 to use an icu version with security fixes. These packages are the third set.

SRPMS
9/core
  • gspell-1.12.1-1.1.mga9
  • libcdr-0.1.7-5.1.mga9
  • 0ad-0.0.26-3.1.mga9
  • c-icap-modules-classify-20180416-15.1.mga9
  • enchant2-2.3.3-2.1.mga9
  • gnustep-base-1.28.0-2.1.mga9
  • gnustep-gui-0.28.0-10.1.mga9
  • konsole-23.04.3-1.1.mga9
  • qtwebengine5-5.15.10-8.1.mga9
  • qtwebengine6-6.4.1-5.1.mga9
  • performous-1.2.0-6.1.mga9
  • plasma-workspace-5.27.10-1.3.mga9
  • R-base-4.3.3-1.1.mga9
  • scribus-1.5.8-11.1.mga9
  • strawberry-1.0.17-1.1.mga9
  • subtitlecomposer-0.7.1-3.1.mga9
  • mpd-0.23.11-4.1.mga9
9/tainted
  • mpd-0.23.11-4.1.mga9.tainted

MGAA-2025-0098 - Updated python-packaging, python-hatchling & yt-dlp packages fix bug

17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
It appears there has been a rollout for the WEB client where YouTube has removed the playback links for adaptiveFormats in the player response. This leaves only the SABR streaming URL for playback (which is what YouTube has been using for a while now).

SRPMS
9/core
  • python-packaging-24.2-1.mga9
  • python-hatchling-1.27.0-1.mga9
  • yt-dlp-2025.11.12-1.mga9

MGAA-2025-0097 - Updated virtualbox & kmod-virtualbox packages fix bug

17 November, 2025 - 23:14
Publication date: 17 Nov 2025
Type: bugfix
Affected Mageia releases: 9

Description
The kvm modules are now preloaded at boot, and thus conflict with the vbox modules. This version has a fix that runs rmmod on the kvm module before starting VirtualBox VMs.

SRPMS
9/core
  • virtualbox-7.1.14-2.mga9
  • kmod-virtualbox-7.1.14-12.mga9

MGASA-2025-0299 - Updated apache-commons-beanutils packages fix security vulnerability

15 November, 2025 - 20:52
Publication date: 15 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-48734

Description
Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default. (CVE-2025-48734)

SRPMS
9/core
  • apache-commons-beanutils-1.9.4-7.1.mga9

MGASA-2025-0298 - Updated stardict packages fix security vulnerability

15 November, 2025 - 08:11
Publication date: 15 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-55014

Description
The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP. (CVE-2025-55014)

SRPMS
9/core
  • stardict-3.0.6.3-2.1.mga9

MGASA-2025-0296 - Updated apache-commons-fileupload packages fix security vulnerability

15 November, 2025 - 08:11
Publication date: 15 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-48976

Description
Apache Commons FileUpload: FileUpload DoS via part headers. (CVE-2025-48976)

SRPMS
9/core
  • apache-commons-fileupload-1.4-5.1.mga9

MGASA-2025-0295 - Updated botan2 packages fix security vulnerability

15 November, 2025 - 08:11
Publication date: 15 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-50383

Description
Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in ChaCha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386 (only 32-bit processors can be affected). (CVE-2024-50383)

SRPMS
9/core
  • botan2-2.19.5-1.1.mga9

MGASA-2025-0294 - Updated spdlog packages fix security vulnerability

15 November, 2025 - 08:11
Publication date: 15 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6140

Description
Spdlog pattern_formatter-inl.h scoped_padder resource consumption. (CVE-2025-6140)

SRPMS
9/core
  • spdlog-1.11.0-4.1.mga9

MGASA-2025-0293 - Updated apache-commons-lang3 & apache-commons-lang packages fix security vulnerability

15 November, 2025 - 08:11
Publication date: 15 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-48924

Description
Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs. (CVE-2025-48924)

SRPMS
9/core
  • apache-commons-lang3-3.12.0-3.1.mga9
  • apache-commons-lang-2.6-25.1.mga9