Mageia Security
MGASA-2024-0340 - Updated redis packages fix security vulnerabilities
Publication date: 27 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-31227 , CVE-2024-31228 , CVE-2024-31449 Description An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. (CVE-2024-31227) Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. (CVE-2024-31228) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. (CVE-2024-31449) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-31227 , CVE-2024-31228 , CVE-2024-31449 Description An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. (CVE-2024-31227) Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. (CVE-2024-31228) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. (CVE-2024-31449) References
- https://bugs.mageia.org/show_bug.cgi?id=33643
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMP3URK6CE4LGQZ7V2GD23UVMTFM7K46/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31227
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31228
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31449
- redis-7.0.14-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0339 - Updated cpanminus packages fix security vulnerability
Publication date: 27 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45321 Description The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers. (CVE-2024-45321) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45321 Description The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers. (CVE-2024-45321) References
- https://bugs.mageia.org/show_bug.cgi?id=33631
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5W36RUTOUQ2VUGWG2FCEBOWNRYS6RBI/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45321
- cpanminus-1.704.500-2.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0338 - Updated mozjs78 packages fix security vulnerabilities
Publication date: 27 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45490 , CVE-2024-45491 , CVE-2024-45492 Description An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. (CVE-2024-45490) An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45491) An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45492) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45490 , CVE-2024-45491 , CVE-2024-45492 Description An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. (CVE-2024-45490) An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45491) An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45492) References
- https://bugs.mageia.org/show_bug.cgi?id=33630
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NII5WWMANSN5NYNMNOK7LJ2P5FT7TW5X/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45491
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45492
- mozjs78-78.15.0-7.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0337 - Updated libgsf packages fix security vulnerabilities
Publication date: 27 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-36474 , CVE-2024-42415 Description An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. A specially crafted file can result in an integer overflow when processing the directory from the file that allows for an out-of-bounds index to be used when reading and writing to an array. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2024-36474) An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). A specially crafted file can result in an integer overflow that allows for a heap-based buffer overflow when processing the sector allocation table. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2024-42415) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-36474 , CVE-2024-42415 Description An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. A specially crafted file can result in an integer overflow when processing the directory from the file that allows for an out-of-bounds index to be used when reading and writing to an array. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2024-36474) An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). A specially crafted file can result in an integer overflow that allows for a heap-based buffer overflow when processing the sector allocation table. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2024-42415) References
- https://bugs.mageia.org/show_bug.cgi?id=33620
- https://lwn.net/Articles/993121/
- https://ubuntu.com/security/notices/USN-7062-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36474
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42415
- libgsf-1.14.50-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0336 - Updated thunderbird packages fix security vulnerabilities
Publication date: 27 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-9680 Description The updated packages provide Thunderbird 128 for all mandatory arches of Mageia (x86_64, i586 and aarch64) and fix several bugs, including a security vulnerability: References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-9680 Description The updated packages provide Thunderbird 128 for all mandatory arches of Mageia (x86_64, i586 and aarch64) and fix several bugs, including a security vulnerability: References
- https://bugs.mageia.org/show_bug.cgi?id=33633
- https://www.thunderbird.net/en-US/thunderbird/128.3.1esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/
- https://www.thunderbird.net/en-US/thunderbird/128.3.2esr/releasenotes/
- https://bugs.mageia.org/show_bug.cgi?id=33608
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9680
- thunderbird-128.3.2-1.mga9
- thunderbird-l10n-128.3.2-1.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0216 - Updated pipewire packages fix bugs
Publication date: 27 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description This release includes the fixes up to pipewire-1.0.9, that fix a few bugs and some leaks for stability. For the changelog (referring to 1.0.9) see the references. References
Type: bugfix
Affected Mageia releases : 9
Description This release includes the fixes up to pipewire-1.0.9, that fix a few bugs and some leaks for stability. For the changelog (referring to 1.0.9) see the references. References
- https://bugs.mageia.org/show_bug.cgi?id=33673
- https://gitlab.freedesktop.org/pipewire/pipewire/-/releases
- pipewire-0.3.85-6.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0335 - Updated oath-toolkit packages fix security vulnerability
Publication date: 25 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-47191 Description pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. (CVE-2024-47191) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-47191 Description pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. (CVE-2024-47191) References
- https://bugs.mageia.org/show_bug.cgi?id=33619
- https://lists.archlinux.org/archives/list/arch-security@lists.archlinux.org/message/IDKMOOVTHHDXCEEZ2S4VVYLM3N5QBPJA/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47191
- oath-toolkit-2.6.7-1.1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0334 - Updated firefox packages fix security vulnerabilities
Publication date: 24 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-7519 , CVE-2024-7520 , CVE-2024-7521 , CVE-2024-7522 , CVE-2024-7524 , CVE-2024-7525 , CVE-2024-7526 , CVE-2024-7527 , CVE-2024-7528 , CVE-2024-7529 , CVE-2024-8385 , CVE-2024-8381 , CVE-2024-8382 , CVE-2024-8383 , CVE-2024-8384 , CVE-2024-8386 , CVE-2024-8387 , CVE-2024-9680 Description The updated package provides Firefox 128 for all mandatory arches of Mageia (x86_64, i586 and aarch64), fixing several bugs, including security vulnerabilities, for i586 and aarch64: Fullscreen notification dialog can be obscured by document content. (CVE-2024-7518) Out of bounds memory access in graphics shared memory handling. (CVE-2024-7519) Type confusion in WebAssembly. (CVE-2024-7520) Incomplete WebAssembly exception handing. (CVE-2024-7521) Out of bounds read in editor component. (CVE-2024-7522) CSP strict-dynamic bypass using web-compatibility shims. (CVE-2024-7524) Missing permission check when creating a StreamFilter. (CVE-2024-7525) Uninitialized memory used by WebGL. (CVE-2024-7526) Use-after-free in JavaScript garbage collection. (CVE-2024-7527) Use-after-free in IndexedDB. (CVE-2024-7528) Document content could partially obscure security prompts. (CVE-2024-7529) WASM type confusion involving ArrayTypes. (CVE-2024-8385) Type confusion when looking up a property name in a "with" block. (CVE-2024-8381) Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran. (CVE-2024-8382) links in an external application. (CVE-2024-8383: Firefox did not ask before openings news) Garbage collection could mis-color cross-compartment objects in OOM conditions. (CVE-2024-8384) SelectElements could be shown over another site if popups are allowed. (CVE-2024-8386) Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. (CVE-2024-8387) Compromised content process can bypass site isolation. (CVE-2024-9392) Cross-origin access to PDF contents through multipart responses. (CVE-2024-9393) Cross-origin access to JSON contents through multipart responses. (CVE-2024-9394) Clipboard write permission bypass. (CVE-2024-8900) Potential memory corruption may occur when cloning certain objects. (CVE-2024-9396) Potential directory upload bypass via clickjacking. (CVE-2024-9397) External protocol handlers could be enumerated via popups. (CVE-2024-9398) Specially crafted WebTransport requests could lead to denial of service. (CVE-2024-9399) Potential memory corruption during JIT compilation. (CVE-2024-9400) Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. (CVE-2024-9401) Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. (CVE-2024-9402) Use-after-free in Animation timeline. (CVE-2024-9680) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-7519 , CVE-2024-7520 , CVE-2024-7521 , CVE-2024-7522 , CVE-2024-7524 , CVE-2024-7525 , CVE-2024-7526 , CVE-2024-7527 , CVE-2024-7528 , CVE-2024-7529 , CVE-2024-8385 , CVE-2024-8381 , CVE-2024-8382 , CVE-2024-8383 , CVE-2024-8384 , CVE-2024-8386 , CVE-2024-8387 , CVE-2024-9680 Description The updated package provides Firefox 128 for all mandatory arches of Mageia (x86_64, i586 and aarch64), fixing several bugs, including security vulnerabilities, for i586 and aarch64: Fullscreen notification dialog can be obscured by document content. (CVE-2024-7518) Out of bounds memory access in graphics shared memory handling. (CVE-2024-7519) Type confusion in WebAssembly. (CVE-2024-7520) Incomplete WebAssembly exception handing. (CVE-2024-7521) Out of bounds read in editor component. (CVE-2024-7522) CSP strict-dynamic bypass using web-compatibility shims. (CVE-2024-7524) Missing permission check when creating a StreamFilter. (CVE-2024-7525) Uninitialized memory used by WebGL. (CVE-2024-7526) Use-after-free in JavaScript garbage collection. (CVE-2024-7527) Use-after-free in IndexedDB. (CVE-2024-7528) Document content could partially obscure security prompts. (CVE-2024-7529) WASM type confusion involving ArrayTypes. (CVE-2024-8385) Type confusion when looking up a property name in a "with" block. (CVE-2024-8381) Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran. (CVE-2024-8382) links in an external application. (CVE-2024-8383: Firefox did not ask before openings news) Garbage collection could mis-color cross-compartment objects in OOM conditions. (CVE-2024-8384) SelectElements could be shown over another site if popups are allowed. (CVE-2024-8386) Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. (CVE-2024-8387) Compromised content process can bypass site isolation. (CVE-2024-9392) Cross-origin access to PDF contents through multipart responses. (CVE-2024-9393) Cross-origin access to JSON contents through multipart responses. (CVE-2024-9394) Clipboard write permission bypass. (CVE-2024-8900) Potential memory corruption may occur when cloning certain objects. (CVE-2024-9396) Potential directory upload bypass via clickjacking. (CVE-2024-9397) External protocol handlers could be enumerated via popups. (CVE-2024-9398) Specially crafted WebTransport requests could lead to denial of service. (CVE-2024-9399) Potential memory corruption during JIT compilation. (CVE-2024-9400) Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. (CVE-2024-9401) Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. (CVE-2024-9402) Use-after-free in Animation timeline. (CVE-2024-9680) References
- https://bugs.mageia.org/show_bug.cgi?id=33607
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7519
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7520
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7521
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7522
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7524
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7525
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7526
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7527
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7528
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7529
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8385
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8381
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8382
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8383
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8384
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8386
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8387
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9680
- firefox-128.3.1-3.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0215 - Updated freefilesync packages fix missed icons
Publication date: 23 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description After installing FreeFileSync, no icon appears in the Plasma menu for FreeFileSync or RealTimeSync. References SRPMS 9/core
Type: bugfix
Affected Mageia releases : 9
Description After installing FreeFileSync, no icon appears in the Plasma menu for FreeFileSync or RealTimeSync. References SRPMS 9/core
- freefilesync-12.5-1.4.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0214 - Updated llvm17-suite & llvm19-suite packages fix building packages requiring newer llvm
Publication date: 21 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description Monolithic LLVM17 & LLVM19 packages to bring the complete LLVM stack (llvm, clang, lld, compiler-rt, polly) at once. These packages live in custom folders. You need to set env variables and paths accordingly. For instance for llvm19 in x86_64, and to be adjusted to your needs: PATH="/usr/lib64/llvm19/bin:$PATH" LLVM_DIR=/usr/lib64/llvm19/lib/cmake/llvm We are now releasing these packages for all supported architectures. References
Type: bugfix
Affected Mageia releases : 9
Description Monolithic LLVM17 & LLVM19 packages to bring the complete LLVM stack (llvm, clang, lld, compiler-rt, polly) at once. These packages live in custom folders. You need to set env variables and paths accordingly. For instance for llvm19 in x86_64, and to be adjusted to your needs: PATH="/usr/lib64/llvm19/bin:$PATH" LLVM_DIR=/usr/lib64/llvm19/lib/cmake/llvm We are now releasing these packages for all supported architectures. References
- https://bugs.mageia.org/show_bug.cgi?id=33322
- https://github.com/llvm/llvm-project/releases/tag/llvmorg-17.0.6
- https://github.com/llvm/llvm-project/releases/tag/llvmorg-19.1.0
- llvm19-suite-19.1.0-3.mga9
- llvm17-suite-17.0.6-2.7.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0213 - Updated amarok packages fix bugs
Publication date: 21 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description Small UI and compilation fixes Fix saving and restoring playlist queue on quit / restart (BR 338741) Fix system tray icon menu reordering Fix erroneous apparent zero track progresses on track changes, which caused playcount updates and scrobbles to get skipped (BR 337849, BR 406701) Fix 'save playlist' button in playlist controls Sort playlist sorting breadcrumb menu by localized names (BR 277146) Miscellaneous fixes to saving and loading various playlist file formats, resulting also in improved compatibility with other software (including BR 435779, BR 333745) Don't show false reordering visual hints on a sorted playlist (BR 254821) Fix multiple instances of web services appearing in Internet menu after saving plugin config. Show podcast provider actions for non-empty podcast categories, too (BR 371192) Fix threading-related crashes in CoverManager (BR 490147) References
Type: bugfix
Affected Mageia releases : 9
Description Small UI and compilation fixes Fix saving and restoring playlist queue on quit / restart (BR 338741) Fix system tray icon menu reordering Fix erroneous apparent zero track progresses on track changes, which caused playcount updates and scrobbles to get skipped (BR 337849, BR 406701) Fix 'save playlist' button in playlist controls Sort playlist sorting breadcrumb menu by localized names (BR 277146) Miscellaneous fixes to saving and loading various playlist file formats, resulting also in improved compatibility with other software (including BR 435779, BR 333745) Don't show false reordering visual hints on a sorted playlist (BR 254821) Fix multiple instances of web services appearing in Internet menu after saving plugin config. Show podcast provider actions for non-empty podcast categories, too (BR 371192) Fix threading-related crashes in CoverManager (BR 490147) References
- https://bugs.mageia.org/show_bug.cgi?id=33637
- https://blogs.kde.org/2024/08/02/amarok-3.1-tricks-of-the-light-released/
- https://blogs.kde.org/2024/04/29/amarok-3.0-castaway-released/
- amarok-3.1.1-1.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0212 - Updated vlc packages contain a few improvements and some fixes
Publication date: 21 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description Super Resolution scaling with AMD GPU nVidia TrueHDR filter for SDR->HDR generation support for Opus Ambisonic support for HTTP content range (RFC 9110) improvements for MP4 and Opus support new AMD VQ Enhancer filter 3rd party libraries updates fixes for VAAPI, HLS, UPNP modules and reduction of warnings and crashes fix for the crash on macOS with devices with more than 9 channels fix a potential security issue on MMS (heap buffer overflow) References
Type: bugfix
Affected Mageia releases : 9
Description Super Resolution scaling with AMD GPU nVidia TrueHDR filter for SDR->HDR generation support for Opus Ambisonic support for HTTP content range (RFC 9110) improvements for MP4 and Opus support new AMD VQ Enhancer filter 3rd party libraries updates fixes for VAAPI, HLS, UPNP modules and reduction of warnings and crashes fix for the crash on macOS with devices with more than 9 channels fix a potential security issue on MMS (heap buffer overflow) References
- https://bugs.mageia.org/show_bug.cgi?id=33638
- https://code.videolan.org/videolan/vlc/-/raw/3.0.x/NEWS
- https://github.com/videolan/vlc/releases/tag/3.0.21
- vlc-3.0.21-4.mga9.tainted
- vlc-3.0.21-4.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0211 - Updated systemd packages fix bugs
Publication date: 21 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description This update fixes some issues on laptops (or desktops) with suspend/resume or using the powerbutton. Before this patch pressing the power button immediately powered the system off. After this patch, the desktop manager asks again, if it should suspend, power off or reboot. Also events for closing the lid, setting brightness and/or showing the battery status now work again. References SRPMS 9/core
Type: bugfix
Affected Mageia releases : 9
Description This update fixes some issues on laptops (or desktops) with suspend/resume or using the powerbutton. Before this patch pressing the power button immediately powered the system off. After this patch, the desktop manager asks again, if it should suspend, power off or reboot. Also events for closing the lid, setting brightness and/or showing the battery status now work again. References SRPMS 9/core
- systemd-253.24-3.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0333 - Updated unbound packages fix security vulnerabilities
Publication date: 16 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-8508 Description NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic. References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-8508 Description NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic. References
- https://bugs.mageia.org/show_bug.cgi?id=33621
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8508
- unbound-1.21.1-1.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0210 - Updated mesa packages improve stability
Publication date: 14 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description Latest bugfix release for mesa 24.2.x branch, which improves stability. References
Type: bugfix
Affected Mageia releases : 9
Description Latest bugfix release for mesa 24.2.x branch, which improves stability. References
- https://bugs.mageia.org/show_bug.cgi?id=33612
- https://docs.mesa3d.org/relnotes/24.2.4.html
- https://docs.mesa3d.org/relnotes/24.2.0.html#changes
- https://docs.mesa3d.org/relnotes/24.2.1.html#changes
- https://docs.mesa3d.org/relnotes/24.2.2.html#changes
- https://docs.mesa3d.org/relnotes/24.2.3.html#changes
- https://docs.mesa3d.org/relnotes/24.2.4.html#changes
- mesa-24.2.4-2.mga9
- mesa-24.2.4-2.mga9.tainted
Categorías: Actualizaciones de Seguridad
MGAA-2024-0209 - Updated nmap & libssh2 packages fix bugs
Publication date: 14 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description This update fixes functionality and other bugs; see the references. References SRPMS 9/core
Type: bugfix
Affected Mageia releases : 9
Description This update fixes functionality and other bugs; see the references. References SRPMS 9/core
- nmap-7.95-1.mga9
- libssh2-1.11.0-1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0332 - Updated thunderbird packages fix security vulnerabilities
Publication date: 14 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-7519 , CVE-2024-7520 , CVE-2024-7521 , CVE-2024-7522 , CVE-2024-7524 , CVE-2024-7525 , CVE-2024-7526 , CVE-2024-7527 , CVE-2024-7528 , CVE-2024-7529 , CVE-2024-7531 , CVE-2024-8385 , CVE-2024-8381 , CVE-2024-8382 , CVE-2024-8383 , CVE-2024-8384 , CVE-2024-8386 , CVE-2024-8387 Description The current version has reached EOL and several security vulnerabilities were fixed by Mozilla. We are having some issues that are delaying the build for some architectures, so for the moment we are releasing this update just for x86_64. References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-7519 , CVE-2024-7520 , CVE-2024-7521 , CVE-2024-7522 , CVE-2024-7524 , CVE-2024-7525 , CVE-2024-7526 , CVE-2024-7527 , CVE-2024-7528 , CVE-2024-7529 , CVE-2024-7531 , CVE-2024-8385 , CVE-2024-8381 , CVE-2024-8382 , CVE-2024-8383 , CVE-2024-8384 , CVE-2024-8386 , CVE-2024-8387 Description The current version has reached EOL and several security vulnerabilities were fixed by Mozilla. We are having some issues that are delaying the build for some architectures, so for the moment we are releasing this update just for x86_64. References
- https://bugs.mageia.org/show_bug.cgi?id=33502
- https://www.thunderbird.net/en-US/thunderbird/128.1.0esr/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/128.1.1esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
- https://www.thunderbird.net/en-US/thunderbird/128.2.0esr/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/128.2.1esr/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/128.2.2esr/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/128.2.3esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/
- https://www.thunderbird.net/en-US/thunderbird/128.3.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-49/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7519
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7520
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7521
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7522
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7524
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7525
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7526
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7527
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7528
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7529
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7531
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8385
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8381
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8382
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8383
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8384
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8386
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8387
- thunderbird-128.3.0-1.mga9
- thunderbird-l10n-128.3.0-1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0331 - Updated firefox firefox-l10n packages fix security vulnerabilities
Publication date: 14 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-9680 Description The updated packages fix a security vulnerability: Use-after-free in Animation timeline. (CVE-2024-9680) We are having some issues that are delaying the build for some architectures, so for the moment we are releasing this update just for x86_64. References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-9680 Description The updated packages fix a security vulnerability: Use-after-free in Animation timeline. (CVE-2024-9680) We are having some issues that are delaying the build for some architectures, so for the moment we are releasing this update just for x86_64. References
- https://bugs.mageia.org/show_bug.cgi?id=33629
- https://www.mozilla.org/en-US/firefox/128.3.1/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9680
- firefox-128.3.1-1.mga9
- firefox-l10n-128.3.1-1.mga9
Categorías: Actualizaciones de Seguridad
MGAA-2024-0208 - Updated stlink packages fix bug
Publication date: 13 Oct 2024
Type: bugfix
Affected Mageia releases : 9
Description stlink has been updated to version 1.8.0 which has many bug fixes and adds support for new devices since the 1.7.0 version it is replacing. References
Type: bugfix
Affected Mageia releases : 9
Description stlink has been updated to version 1.8.0 which has many bug fixes and adds support for new devices since the 1.7.0 version it is replacing. References
- https://bugs.mageia.org/show_bug.cgi?id=33568
- https://github.com/stlink-org/stlink/releases/tag/v1.8.0
- https://github.com/stlink-org/stlink/blob/v1.8.0/CHANGELOG.md
- stlink-1.8.0-1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2024-0330 - Updated quictls packages fix security vulnerabilities
Publication date: 11 Oct 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-5535 Description The updated packages fix security vulnerabilities References
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-5535 Description The updated packages fix security vulnerabilities References
- https://bugs.mageia.org/show_bug.cgi?id=33614
- https://openssl-library.org/news/vulnerabilities-3.0/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535
- quictls-3.0.15-1.mga9
Categorías: Actualizaciones de Seguridad
