Mageia Security
MGAA-2026-0033 - Updated drakxtools packages fix bug
Publication date: 05 Jun 2026
Type: bugfix
Affected Mageia releases: 9
Description: Closing windows of applications launched from Mageia Control Center (aka MCC) should return to the main MCC window; currently that does not happen. This update fixes the reported issue.
References
SRPMS 9/core
- drakxtools-18.66.1-1.mga9
Categories: Security Updates
MGASA-2026-0172 - Updated lxc packages fix security vulnerability
Publication date: 04 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-39402
Description: CVE-2026-39402: lxc lxc-user-nic insufficient ownership validation allows cross-tenant OVS port deletion.
References
- https://bugs.mageia.org/show_bug.cgi?id=35487
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LRWSIWUURCABTGG26SGDYX7OCPQ7FIS7/
- https://github.com/lxc/lxc/security/advisories/GHSA-3m9j-g9gc-vcvq
- https://www.cve.org/CVERecord?id=CVE-2026-39402
- lxc-5.0.3-1.1.mga9
Categories: Security Updates
MGAA-2026-0032 - Updated ceph packages fix bug
Publication date: 04 Jun 2026
Type: bugfix
Affected Mageia releases: 9
Description: Updated ceph packages matching the upstream bug fix release for the "Reef" branch.
References
- https://bugs.mageia.org/show_bug.cgi?id=35570
- https://ceph.io/en/news/blog/2026/v18-2-8-reef-released/
- ceph-18.2.8-1.mga9
Categories: Security Updates
MGASA-2026-0171 - Updated libcaca packages fix security vulnerability
Publication date: 02 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-42046
Description: Heap OOB write in canvas import functions caused by int overflow. (CVE-2026-42046)
References
- https://bugs.mageia.org/show_bug.cgi?id=35600
- https://ubuntu.com/security/notices/USN-8318-1
- https://github.com/cacalabs/libcaca/security/advisories/GHSA-4vvg-vrqv-m56w
- https://github.com/cacalabs/libcaca/issues/86
- https://www.cve.org/CVERecord?id=CVE-2026-42046
- libcaca-0.99-0.beta19.11.1.mga9
Categories: Security Updates
MGASA-2026-0170 - Updated assimp packages fix security vulnerabilities
Publication date: 02 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-2750, CVE-2025-2751, CVE-2025-2757, CVE-2025-3158, CVE-2025-3548, CVE-2025-11277, CVE-2025-70067
Description:
- CVE-2025-2750: A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
- CVE-2025-2757: A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function AI_MD5_PARSE_STRING_IN_QUOTATION of the file code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The manipulation of the argument data leads to heap-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
- CVE-2025-3158: A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. Affected by this issue is the function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
- CVE-2025-3548: A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp up to 5.4.3. This issue affects the function aiString::Set in the library include/assimp/types.h of the component File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
- CVE-2025-11277: A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks.
- CVE-2025-70067: Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation.
References
- https://bugs.mageia.org/show_bug.cgi?id=34439
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYGDCFEL3GZ5PDUZFKEVVISQWAENNBTB/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2LQLM3OX7KPUJNJSKSVDROFQGZRJPVRF/
- https://www.cve.org/CVERecord?id=CVE-2025-2750
- https://www.cve.org/CVERecord?id=CVE-2025-2751
- https://www.cve.org/CVERecord?id=CVE-2025-2757
- https://www.cve.org/CVERecord?id=CVE-2025-3158
- https://www.cve.org/CVERecord?id=CVE-2025-3548
- https://www.cve.org/CVERecord?id=CVE-2025-11277
- https://www.cve.org/CVERecord?id=CVE-2025-70067
- assimp-5.2.5-1.mga9
Categories: Security Updates
MGASA-2026-0169 - Updated sdl2_sound packages fix security vulnerability
Publication date: 02 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-14369
Description: Updated packages fix CVE-2025-14369 in bundled dr_flac.
References
SRPMS 9/core
- sdl2_sound-1.0.4-0.hg653.7.mga9
Categories: Security Updates
MGASA-2026-0168 - Updated tar packages fix security vulnerability
Publication date: 02 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-5704
Description: A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection. This update fixes the reported issue.
References
- https://bugs.mageia.org/show_bug.cgi?id=35350
- https://bugzilla.redhat.com/show_bug.cgi?id=2455360
- https://www.openwall.com/lists/oss-security/2026/04/11/10
- https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00007.html
- https://www.cve.org/CVERecord?id=CVE-2026-5704
- tar-1.35-4.mga9
Categories: Security Updates
MGAA-2026-0031 - Updated java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk & java-latest-openjdk fix security vulnerabilities
Publication date: 02 Jun 2026
Type: bugfix
Affected Mageia releases: 9
CVE: CVE-2026-22007, CVE-2026-22008, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282
Description:
- Enhance crypto algorithm support. (CVE-2026-22007)
- Improved Arena allocations. (CVE-2026-22008)
- Improve Kerberos credentialing. (CVE-2026-22013)
- Enhance Path Factories Redux. (CVE-2026-22016)
- Enhance Zip file reading. (CVE-2026-22018)
- Enhance certificate chain validation. (CVE-2026-22021)
- Updating FreeType 2.14.1. (CVE-2026-23865)
- Enhance key generation. (CVE-2026-34268)
- Enhance TLS connection handling. (CVE-2026-34282)
References
- https://bugs.mageia.org/show_bug.cgi?id=35402
- https://access.redhat.com/errata/RHSA-2026:9682
- https://access.redhat.com/errata/RHSA-2026:9254
- https://access.redhat.com/errata/RHSA-2026:9686
- https://access.redhat.com/errata/RHSA-2026:9690
- https://access.redhat.com/errata/RHSA-2026:9693
- https://www.oracle.com/security-alerts/cpuapr2026.html#AppendixJAVA
- https://www.cve.org/CVERecord?id=CVE-2026-22007
- https://www.cve.org/CVERecord?id=CVE-2026-22008
- https://www.cve.org/CVERecord?id=CVE-2026-22013
- https://www.cve.org/CVERecord?id=CVE-2026-22016
- https://www.cve.org/CVERecord?id=CVE-2026-22018
- https://www.cve.org/CVERecord?id=CVE-2026-22021
- https://www.cve.org/CVERecord?id=CVE-2026-23865
- https://www.cve.org/CVERecord?id=CVE-2026-34268
- https://www.cve.org/CVERecord?id=CVE-2026-34282
- java-1.8.0-openjdk-1.8.0.492.b09-1.mga9
- java-11-openjdk-11.0.31.0.11-1.mga9
- java-17-openjdk-17.0.19.0.10-1.mga9
- java-latest-openjdk-25.0.3.0.9-1.rolling.1.mga9
Categories: Security Updates
MGASA-2026-0167 - Updated vim packages fix security vulnerabilities
Publication date: 30 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-45130, CVE-2026-43961, CVE-2026-46483
Description:
- Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450. (CVE-2026-45130)
- Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename affects Vim < 9.2.0480. (CVE-2026-43961)
- Command Injection in tar.vim affects Vim < 9.2.0479. (CVE-2026-46483)
- Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name affects Vim < 9.2.0495.
- Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex affects Vim < 9.2.0496.
References
- https://bugs.mageia.org/show_bug.cgi?id=35490
- https://www.openwall.com/lists/oss-security/2026/05/07/9
- https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
- https://www.openwall.com/lists/oss-security/2026/05/14/6
- https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
- https://www.openwall.com/lists/oss-security/2026/05/14/7
- https://github.com/vim/vim/security/advisories/GHSA-66hr-7p6x-x5j3
- https://www.openwall.com/lists/oss-security/2026/05/17/3
- https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c
- https://www.openwall.com/lists/oss-security/2026/05/17/4
- https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9
- https://www.cve.org/CVERecord?id=CVE-2026-45130
- https://www.cve.org/CVERecord?id=CVE-2026-43961
- https://www.cve.org/CVERecord?id=CVE-2026-46483
- vim-9.2.498-1.mga9
Categories: Security Updates
MGASA-2026-0166 - Updated perl-Template-Toolkit packages fix security vulnerability
Publication date: 30 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-5090
Description: Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. (CVE-2026-5090)
References
- https://bugs.mageia.org/show_bug.cgi?id=35554
- https://www.openwall.com/lists/oss-security/2026/05/19/40
- https://www.cve.org/CVERecord?id=CVE-2026-5090
- perl-Template-Toolkit-3.101.0-1.1.mga9
Categories: Security Updates
MGASA-2026-0165 - Updated nspr, nss and firefox(-l10n) packages fix security issues
Publication date: 29 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-8388, CVE-2026-8391, CVE-2026-8401, CVE-2026-8946, CVE-2026-8947, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975
Description: The updated packages fix security vulnerabilities:
- Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-8946)
- Incorrect boundary conditions in the JavaScript Engine: JIT component. (CVE-2026-8388)
- Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-8947)
- Other issue in the JavaScript Engine component. (CVE-2026-8391)
- Sandbox escape in the Profile Backup component. (CVE-2026-8401)
- Same-origin policy bypass in the Networking: HTTP component. (CVE-2026-8950)
- Sandbox escape due to use-after-free in the Disability Access APIs component. (CVE-2026-8953)
- Incorrect boundary conditions, integer overflow in the Audio/Video component. (CVE-2026-8954)
- Privilege escalation in the DOM: Workers component. (CVE-2026-8955)
- Integer overflow in the Networking: JAR component. (CVE-2026-8956)
- Privilege escalation in the Enterprise Policies component. (CVE-2026-8957)
- Information disclosure, sandbox escape in the Security: Process Sandboxing component. (CVE-2026-8958)
- Spoofing issue in the Form Autofill component. (CVE-2026-8961)
- Mitigation bypass in the DOM: Security component. (CVE-2026-8962)
- Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. (CVE-2026-8968)
- Privilege escalation in the Security component. (CVE-2026-8970)
- Memory safety bugs fixed in Firefox ESR 140.11 and Firefox 151. (CVE-2026-8974)
- Memory safety bugs fixed in Firefox ESR 115.36, Firefox ESR 140.11 and Firefox 151. (CVE-2026-8975)
References
- https://bugs.mageia.org/show_bug.cgi?id=35555
- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/S3z0rOO1xpg
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_124.html
- https://www.firefox.com/en-US/firefox/140.11.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-48/
- https://www.cve.org/CVERecord?id=CVE-2026-8388
- https://www.cve.org/CVERecord?id=CVE-2026-8391
- https://www.cve.org/CVERecord?id=CVE-2026-8401
- https://www.cve.org/CVERecord?id=CVE-2026-8946
- https://www.cve.org/CVERecord?id=CVE-2026-8947
- https://www.cve.org/CVERecord?id=CVE-2026-8950
- https://www.cve.org/CVERecord?id=CVE-2026-8953
- https://www.cve.org/CVERecord?id=CVE-2026-8954
- https://www.cve.org/CVERecord?id=CVE-2026-8955
- https://www.cve.org/CVERecord?id=CVE-2026-8956
- https://www.cve.org/CVERecord?id=CVE-2026-8957
- https://www.cve.org/CVERecord?id=CVE-2026-8958
- https://www.cve.org/CVERecord?id=CVE-2026-8961
- https://www.cve.org/CVERecord?id=CVE-2026-8962
- https://www.cve.org/CVERecord?id=CVE-2026-8968
- https://www.cve.org/CVERecord?id=CVE-2026-8970
- https://www.cve.org/CVERecord?id=CVE-2026-8974
- https://www.cve.org/CVERecord?id=CVE-2026-8975
- nspr-4.39.0-1.mga9
- nss-3.124.0-1.mga9
- firefox-140.11.0-1.mga9
- firefox-l10n-140.11.0-1.mga9
Categories: Security Updates
MGASA-2026-0164 - Updated thunderbird(-l10n) packages fix security vulnerabilities
Publication date: 29 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-8388, CVE-2026-8391, CVE-2026-8401, CVE-2026-8946, CVE-2026-8947, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975
Description: The updated packages fix security vulnerabilities:
- Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-8946)
- Incorrect boundary conditions in the JavaScript Engine: JIT component. (CVE-2026-8388)
- Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-8947)
- Other issue in the JavaScript Engine component. (CVE-2026-8391)
- Sandbox escape in the Profile Backup component. (CVE-2026-8401)
- Same-origin policy bypass in the Networking: HTTP component. (CVE-2026-8950)
- Sandbox escape due to use-after-free in the Disability Access APIs component. (CVE-2026-8953)
- Incorrect boundary conditions, integer overflow in the Audio/Video component. (CVE-2026-8954)
- Privilege escalation in the DOM: Workers component. (CVE-2026-8955)
- Integer overflow in the Networking: JAR component. (CVE-2026-8956)
- Privilege escalation in the Enterprise Policies component. (CVE-2026-8957)
- Information disclosure, sandbox escape in the Security: Process Sandboxing component. (CVE-2026-8958)
- Spoofing issue in the Form Autofill component. (CVE-2026-8961)
- Mitigation bypass in the DOM: Security component. (CVE-2026-8962)
- Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. (CVE-2026-8968)
- Privilege escalation in the Security component. (CVE-2026-8970)
- Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151. (CVE-2026-8974)
- Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151. (CVE-2026-8975)
References
- https://bugs.mageia.org/show_bug.cgi?id=35560
- https://www.thunderbird.net/en-US/thunderbird/140.11.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-51/
- https://www.cve.org/CVERecord?id=CVE-2026-8388
- https://www.cve.org/CVERecord?id=CVE-2026-8391
- https://www.cve.org/CVERecord?id=CVE-2026-8401
- https://www.cve.org/CVERecord?id=CVE-2026-8946
- https://www.cve.org/CVERecord?id=CVE-2026-8947
- https://www.cve.org/CVERecord?id=CVE-2026-8950
- https://www.cve.org/CVERecord?id=CVE-2026-8953
- https://www.cve.org/CVERecord?id=CVE-2026-8954
- https://www.cve.org/CVERecord?id=CVE-2026-8955
- https://www.cve.org/CVERecord?id=CVE-2026-8956
- https://www.cve.org/CVERecord?id=CVE-2026-8957
- https://www.cve.org/CVERecord?id=CVE-2026-8958
- https://www.cve.org/CVERecord?id=CVE-2026-8961
- https://www.cve.org/CVERecord?id=CVE-2026-8962
- https://www.cve.org/CVERecord?id=CVE-2026-8968
- https://www.cve.org/CVERecord?id=CVE-2026-8970
- https://www.cve.org/CVERecord?id=CVE-2026-8974
- https://www.cve.org/CVERecord?id=CVE-2026-8975
- thunderbird-140.11.0-1.mga9
- thunderbird-l10n-140.11.0-1.mga9
Categories: Security Updates
MGASA-2026-0163 - Updated bind packages fix security vulnerabilities
Publication date: 29 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950
Description: Updated bind package fixes security vulnerabilities:
- BIND 9 server memory exhaustion during GSS-API TKEY negotiation (CVE-2026-3039)
- Amplification vulnerabilities via self-pointed glue records (CVE-2026-3592)
- Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation (CVE-2026-3593)
- Invalid handling of CLASS != IN (CVE-2026-5946)
- SIG(0) validation during query flood may lead to undefined behavior (CVE-2026-5947)
- Unbounded resend loop in BIND 9 resolver (CVE-2026-5950)
References
- https://bugs.mageia.org/show_bug.cgi?id=35557
- https://www.openwall.com/lists/oss-security/2026/05/20/11
- https://www.cve.org/CVERecord?id=CVE-2026-3039
- https://www.cve.org/CVERecord?id=CVE-2026-3592
- https://www.cve.org/CVERecord?id=CVE-2026-3593
- https://www.cve.org/CVERecord?id=CVE-2026-5946
- https://www.cve.org/CVERecord?id=CVE-2026-5947
- https://www.cve.org/CVERecord?id=CVE-2026-5950
- bind-9.18.49-1.mga9
Categories: Security Updates
MGASA-2026-0162 - Updated graphicsmagick packages fix a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-42050
Description: The updated packages fix a security vulnerability: Stack buffer overflow in XTileImage. (CVE-2026-42050)
References
- https://bugs.mageia.org/show_bug.cgi?id=35556
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/O6OYKKQT2LLKS52FQTHRZ7GJJSUXW3YH/
- https://www.cve.org/CVERecord?id=CVE-2026-42050
- graphicsmagick-1.3.40-1.6.mga9
- graphicsmagick-1.3.40-1.6.mga9.tainted
Categories: Security Updates
MGASA-2026-0161 - Updated microcode package fixes security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-35979
Description: The updated package fixes a security vulnerability: A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing microcode updates to mitigate this potential vulnerability. (CVE-2025-35979)
References
- https://bugs.mageia.org/show_bug.cgi?id=35558
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20260512
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01420.html
- https://www.cve.org/CVERecord?id=CVE-2025-35979
- microcode-0.20260512-1.mga9.nonfree
Categories: Security Updates
MGASA-2026-0160 - Updated perl-Catalyst-Plugin-Authentication package fixes a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-5091 Description The updated package fixes a security vulnerability: Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks. (CVE-2026-5091) References
- https://bugs.mageia.org/show_bug.cgi?id=35569
- https://www.openwall.com/lists/oss-security/2026/05/21/19
- https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_025/changes
- https://www.cve.org/CVERecord?id=CVE-2026-5091
- perl-Catalyst-Plugin-Authentication-0.100.230-12.1.mga9
Categories: Security Updates
MGASA-2026-0159 - Updated nginx package fixes a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-9256 Description The updated package fixes a security vulnerability: NGINX ngx_http_rewrite_module vulnerability. (CVE-2026-9256) References
- https://bugs.mageia.org/show_bug.cgi?id=35581
- https://www.openwall.com/lists/oss-security/2026/05/22/14
- https://www.cve.org/CVERecord?id=CVE-2026-9256
- nginx-1.30.2-1.mga9
Categories: Security Updates
MGASA-2026-0158 - Updated perl-IO-Compress package fixes security vulnerabilities
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-15649 , CVE-2026-48959 , CVE-2026-48961 , CVE-2026-48962 Description The updated package fixes security vulnerabilities: IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. (CVE-2025-15649) IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. (CVE-2026-48959) IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. (CVE-2026-48962) References
- https://bugs.mageia.org/show_bug.cgi?id=35593
- https://www.openwall.com/lists/oss-security/2026/05/27/1
- https://www.openwall.com/lists/oss-security/2026/05/27/2
- https://www.openwall.com/lists/oss-security/2026/05/27/3
- https://www.openwall.com/lists/oss-security/2026/05/27/4
- https://www.cve.org/CVERecord?id=CVE-2025-15649
- https://www.cve.org/CVERecord?id=CVE-2026-48959
- https://www.cve.org/CVERecord?id=CVE-2026-48961
- https://www.cve.org/CVERecord?id=CVE-2026-48962
- perl-IO-Compress-2.204.0-1.1.mga9
Categories: Security Updates
MGASA-2026-0157 - Updated perl-HTTP-Daemon package fixes a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8450 Description The updated package fixes a security vulnerability: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). (CVE-2026-8450) References
- https://bugs.mageia.org/show_bug.cgi?id=35594
- https://www.openwall.com/lists/oss-security/2026/05/27/5
- https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes
- https://www.cve.org/CVERecord?id=CVE-2026-8450
- perl-HTTP-Daemon-6.140.0-3.1.mga9
Categories: Security Updates
MGASA-2026-0156 - Updated nginx packages fix security vulnerabilities
Publication date: 26 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-40460 , CVE-2026-40701 , CVE-2026-42926 , CVE-2026-42934 , CVE-2026-42945 , CVE-2026-42946 Description NGINX ngx_quic_module vulnerability. (CVE-2026-40460) NGINX ngx_http_ssl_module vulnerability. (CVE-2026-40701) NGINX ngx_http_proxy_v2_module vulnerability. (CVE-2026-42926) NGINX ngx_http_charset_module vulnerability. (CVE-2026-42934) NGINX ngx_http_rewrite_module vulnerability. (CVE-2026-42945) NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability. (CVE-2026-42946) References
- https://bugs.mageia.org/show_bug.cgi?id=35529
- https://www.openwall.com/lists/oss-security/2026/05/13/7
- https://www.cve.org/CVERecord?id=CVE-2026-40460
- https://www.cve.org/CVERecord?id=CVE-2026-40701
- https://www.cve.org/CVERecord?id=CVE-2026-42926
- https://www.cve.org/CVERecord?id=CVE-2026-42934
- https://www.cve.org/CVERecord?id=CVE-2026-42945
- https://www.cve.org/CVERecord?id=CVE-2026-42946
- nginx-1.30.1-1.mga9
Categories: Security Updates




