Mageia Security

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26603 Description A heap use-after-free was found in str_to_reg() in Vim < 9.1.1115. (CVE-2025-26603) References

• https://bugs.mageia.org/show_bug.cgi?id=34035
• https://openwall.com/lists/oss-security/2025/02/16/1
• https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26603

SRPMS 9/core

• vim-9.1.1122-1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-56171 , CVE-2025-24928 , CVE-2025-27113 Description The updated packages fix security vulnerabilities: Use-after-free in xmlSchemaIDCFillNodeTables. (CVE-2024-56171) Stack-buffer-overflow in xmlSnprintfElements. (CVE-2025-24928) Null-deref in xmlPatMatch. (CVE-2025-27113) References

• https://bugs.mageia.org/show_bug.cgi?id=34037
• https://openwall.com/lists/oss-security/2025/02/18/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113

SRPMS 9/core

• libxml2-2.10.4-1.6.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-24528 Description Overflow when calculating ulog block size. (CVE-2025-24528) References

• https://bugs.mageia.org/show_bug.cgi?id=34040
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLIGTCER7WVUGDD5KJI3RHPHU5VI7UCF/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24528

SRPMS 9/core

• krb5-1.20.1-1.4.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-12243 Description Gnutls impacted by inefficient DER decoding in libtasn1 leading to remote DoS. (CVE-2024-12243) References

• https://bugs.mageia.org/show_bug.cgi?id=34041
• https://ubuntu.com/security/notices/USN-7281-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12243

SRPMS 9/core

• gnutls-3.8.4-1.1.mga9

Publication date: 25 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix a bug in GTK3 tooltips. References

• https://bugs.mageia.org/show_bug.cgi?id=30574

SRPMS 9/core

• gtk+3.0-3.24.38-1.2.mga9
• lxpanel-0.11.0-0.git20250215.1.mga9

Publication date: 24 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix a regression introduced by the fix for CVE-2025-1094 and a memory leak in pg_createsubscriber. References

• https://bugs.mageia.org/show_bug.cgi?id=34039
• https://www.postgresql.org/about/news/postgresql-174-168-1512-1417-and-1320-released-3018/

SRPMS 9/core

• postgresql15-15.12-1.mga9
• postgresql13-13.20-1.mga9

Publication date: 24 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description - Crash when trying to create a tab for a Magnatune panel or a Jamendo panel - bug: playback was skipping after 20 or 30 minutes running - Remove the nonfunctional Jamendo feature (the Jamendo site has modified its access and is no longer reachable for any Music Player) References

• https://bugs.mageia.org/show_bug.cgi?id=34034

SRPMS 9/core

• guayadeque-0.7.0-1.mga9

Publication date: 24 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-49393 , CVE-2024-49394 Description The To and Cc email header fields are not protected by cryptographic signing. (CVE-2024-49393) The In-reply-to email header field is not protected by cryptographic signing. (CVE-2024-49394) References

• https://bugs.mageia.org/show_bug.cgi?id=33814
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZYFPGXOX4Q4I4UNPEGXP2N372IN2YSAS/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49393
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49394

SRPMS 9/core

• neomutt-20241002-1.mga9

Publication date: 24 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The current version can't handle files from newer versions. This update fixes the issue. Note the 1st time wizard can't select custom folder for backups, please select it later in Edit -> Preferences References

• https://bugs.mageia.org/show_bug.cgi?id=34029

SRPMS 9/core

• grisbi-3.0.4-1.mga9

Publication date: 22 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description Instructions to uninstall the telegram application are not accurate. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=32593

SRPMS 9/core

• get-telegram-1.7.7-3.1.mga9

Publication date: 20 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix some oauth2 problems. References

• https://bugs.mageia.org/show_bug.cgi?id=33950
• https://www.claws-mail.org/NEWS
• https://forums.mageia.org/en/viewtopic.php?t=15558

SRPMS 9/core

• claws-mail-4.3.0-1.mga9

Publication date: 17 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-49083 , CVE-2023-50782 , CVE-2024-26130 Description Cryptography vulnerable to NULL-dereference when loading PKCS7 certificates. (CVE-2023-49083) Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659. (CVE-2023-50782) Cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override. (CVE-2024-26130) References

• https://bugs.mageia.org/show_bug.cgi?id=32584
• https://www.openwall.com/lists/oss-security/2023/11/29/2
• https://ubuntu.com/security/notices/USN-6673-1
• https://ubuntu.com/security/notices/USN-6673-3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49083
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50782
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26130

SRPMS 9/core

• openssl-3.0.15-1.3.mga9
• python-cryptography-39.0.1-1.1.mga9

Publication date: 17 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-31068 , CVE-2024-36293 , CVE-2023-43758 , CVE-2024-39355 , CVE-2024-37020 Description Improper Finite State Machines (FSMs) in Hardware Logic for some Intel® Processors may allow privileged user to potentially enable denial of service via local access. (CVE-2024-31068) Improper access control in the EDECCSSA user leaf function for some Intel® Processors with Intel® SGX may allow an authenticated user to potentially enable denial of service via local access. (CVE-2024-36293) Improper input validation in UEFI firmware for some Intel® processors may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2023-43758) Improper handling of physical or environmental conditions in some Intel® Processors may allow an authenticated user to enable denial of service via local access. (CVE-2024-39355) Sequence of processor instructions leads to unexpected behavior in the Intel® DSA V1.0 for some Intel® Xeon® Processors may allow an authenticated user to potentially enable denial of service via local access. (CVE-2024-37020) References

• https://bugs.mageia.org/show_bug.cgi?id=34020
• https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31068
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36293
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43758
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39355
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37020

SRPMS 9/nonfree

• microcode-0.20250211-1.mga9.nonfree