Mageia Security

Publication date: 28 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description gnome-boxes can't redirect usb ports to guest systems, this is due missing requiriment on spice-gtk. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=33445

SRPMS 9/core

• gnome-boxes-44.2-1.1.mga9

Publication date: 28 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1378 Description A vulnerability, which was classified as problematic, was found in radare2. Affected is an unknown function in the library /libr/main/rasm2.c of the component rasm2. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. References

• https://bugs.mageia.org/show_bug.cgi?id=34044
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6L3CRKPOLSYHPHW4QETC25D65CTE33EO/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1378

SRPMS 9/core

• radare2-5.8.8-1.5.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1390 Description pam_cap: Fix potential configuration parsing error. (CVE-2025-1390) References

• https://bugs.mageia.org/show_bug.cgi?id=34048
• https://ubuntu.com/security/notices/USN-7287-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1390

SRPMS 9/core

• libcap-2.52-5.1.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-57392 Description A buffer overflow vulnerability in Proftpd commit 4017eff8 allows a remote attacker to execute arbitrary code and can cause a denial of service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port. (CVE-2024-57392) References

• https://bugs.mageia.org/show_bug.cgi?id=34042
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E36XSNXDCOSSYTPKEMAEUAZ6QVQJTSFZ/
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/C3HZA5IS6YXHXDULEZHLHWOVCC3IYNGP/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57392

SRPMS 9/core

• proftpd-1.3.8c-1.1.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26465 Description Machine-in-the-middle attack vulnerability if verifyhostkeydns is enabled. (CVE-2025-26465) References

• https://bugs.mageia.org/show_bug.cgi?id=34036
• https://openwall.com/lists/oss-security/2025/02/18/1
• https://openwall.com/lists/oss-security/2025/02/18/4
• https://lists.debian.org/debian-security-announce/2025/msg00030.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STTU3AYQZPT4FUMERJH7RQ3KH3TMQDUI/
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GGMBNUMHNWAKKPCVKBQBXE7C4WSYOBAY/
• https://ubuntu.com/security/notices/USN-7270-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26465

SRPMS 9/core

• openssh-9.3p1-2.4.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-21687 , CVE-2025-21688 , CVE-2025-21689 , CVE-2025-21690 , CVE-2025-21691 , CVE-2025-21692 , CVE-2025-21699 , CVE-2025-21700 , CVE-2025-21701 Description Upstream kernel version 6.6.79 fixes bugs and vulnerabilities. The kmod-virtualbox and kmod-xtables-addons packages have been updated to work with this new kernel. For information about the vulnerabilities see the links. References

• https://bugs.mageia.org/show_bug.cgi?id=34023
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.75
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.76
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.77
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.78
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.79
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21687
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21688
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21689
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21691
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21692
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21699
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21700
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21701

SRPMS 9/core

• kernel-6.6.79-1.mga9
• kmod-virtualbox-7.0.24-67.mga9
• kmod-xtables-addons-3.24-73.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-21687 , CVE-2025-21688 , CVE-2025-21689 , CVE-2025-21690 , CVE-2025-21691 , CVE-2025-21692 , CVE-2025-21699 , CVE-2025-21700 , CVE-2025-21701 Description Vanilla upstream kernel version 6.6.79 fixes bugs and vulnerabilities. For information about the vulnerabilities see the links. References

• https://bugs.mageia.org/show_bug.cgi?id=34024
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.75
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.76
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.77
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.78
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.79
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21687
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21688
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21689
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21691
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21692
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21699
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21700
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21701

SRPMS 9/core

• kernel-linus-6.6.79-1.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0633 Description A heap-based buffer overflow vulnerability in iniparser_dumpsection_ini() in iniparser allows an attacker to read out-of-bounds memory. (CVE-2025-0633) References

• https://bugs.mageia.org/show_bug.cgi?id=34047
• https://ubuntu.com/security/notices/USN-7286-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0633

SRPMS 9/core

• iniparser-4.1-4.1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-25472 , CVE-2025-25474 , CVE-2025-25475 Description A buffer overflow in DCMTK allows attackers to cause a Denial of Service (DoS) via a crafted DCM file (CVE-2025-25472). DCMTK was discovered to contain a buffer overflow via the component /dcmimgle/diinpxt.h (CVE-2025-25474). A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file (CVE-2025-25475). References

• https://bugs.mageia.org/show_bug.cgi?id=34043
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VEIE5K5WMSCBUU2JDXY5E576NA36I3NC/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25472
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25474
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25475

SRPMS 9/core

• dcmtk-3.6.7-4.4.mga9

Publication date: 25 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description These packages have a bogus requirement on python3-sip; trying to install these packages will cause conflicts if you have applications that require python3-sip6. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=34014

SRPMS 9/core

• autohint-onoff-2.0-1.1.mga9
• enki-22.08.0-1.1.mga9
• pyzo-4.12.0-2.1.mga9
• meteo-qt-3.3-2.1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1244 Description A command injection flaw was found which could allow a remote, unauthenticated attacker to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. References

• https://bugs.mageia.org/show_bug.cgi?id=34045
• https://lwn.net/Articles/1011611/
• https://nvd.nist.gov/vuln/detail/CVE-2025-1244
• https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1244

SRPMS 9/core

• emacs-29.4-1.3.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26603 Description A heap use-after-free was found in str_to_reg() in Vim < 9.1.1115. (CVE-2025-26603) References

• https://bugs.mageia.org/show_bug.cgi?id=34035
• https://openwall.com/lists/oss-security/2025/02/16/1
• https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26603

SRPMS 9/core

• vim-9.1.1122-1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-56171 , CVE-2025-24928 , CVE-2025-27113 Description The updated packages fix security vulnerabilities: Use-after-free in xmlSchemaIDCFillNodeTables. (CVE-2024-56171) Stack-buffer-overflow in xmlSnprintfElements. (CVE-2025-24928) Null-deref in xmlPatMatch. (CVE-2025-27113) References

• https://bugs.mageia.org/show_bug.cgi?id=34037
• https://openwall.com/lists/oss-security/2025/02/18/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113

SRPMS 9/core

• libxml2-2.10.4-1.6.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-24528 Description Overflow when calculating ulog block size. (CVE-2025-24528) References

• https://bugs.mageia.org/show_bug.cgi?id=34040
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLIGTCER7WVUGDD5KJI3RHPHU5VI7UCF/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24528

SRPMS 9/core

• krb5-1.20.1-1.4.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-12243 Description Gnutls impacted by inefficient DER decoding in libtasn1 leading to remote DoS. (CVE-2024-12243) References

• https://bugs.mageia.org/show_bug.cgi?id=34041
• https://ubuntu.com/security/notices/USN-7281-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12243

SRPMS 9/core

• gnutls-3.8.4-1.1.mga9

Publication date: 25 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix a bug in GTK3 tooltips. References

• https://bugs.mageia.org/show_bug.cgi?id=30574

SRPMS 9/core

• gtk+3.0-3.24.38-1.2.mga9
• lxpanel-0.11.0-0.git20250215.1.mga9