Mageia Linux Distribution - Page 49

Mageia 2021-0481: vim security update

CVE-2021-3778: vim: Heap-based Buffer Overflow in utf_ptr2char(). Fix: patch 8.2.3409: reading beyond end of line with invalid utf-8 character. When vim 8.2 is built with --with-features=huge --enable-gui=none and address sanitizer, a heap-buffer overflow occurs when running: `echo "Ywp2XTCqCi4KeQpAMA==" | base64 -d > fuzz000.txt`

Mageia 2021-0479: python-mpmath security update

Fix CVE-2021-29063 regular expression denial of service.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29537
- https://lists.fedoraproject.org/archives/list/…/thread/3M5O55E7VUDMXCPQR6MQTOIFDKHP36AA/

Mageia 2021-0478: thunderbird security update

Updated thunderbird packages fix security vulnerabilities: Due to a data race in the crossbeam-deque in the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the

Mageia 2021-0477: mediawiki security update

- XSS vulnerability in Special:Search. (CVE-2021-41798)
- ApiQueryBacklinks can cause a full table scan. (CVE-2021-41799)
- Fix PoolCounter protection of Special:Contributions. (CVE-2021-41800)
- ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked). (CVE-2021-41801)

Mageia 2021-0475: golang security update

The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the NewReader and OpenReader functions in archive/zip can still cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. (CVE-2021-39293)

Mageia 2021-0473: python-flask-restx security update

Regular expression denial of service in email_regex.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29509
- https://lists.fedoraproject.org/archives/list/…/thread/5UCTFVDU3677B5OBGK4EF5NMUPJLL6SQ/

Mageia 2021-0471: libreoffice security update

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an

Mageia 2021-0470: apache security update

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for

Mageia 2021-0469: firefox security update

Due to a data race in the crossbeam-deque in the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this could have caused a double free and a memory leak (CVE-2021-32810).

Mageia 2021-0468: libcryptopp security update

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

Mageia 2021-0467: cockpit security update

Restrict frame embedding to same origin.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29518
- https://lists.fedoraproject.org/archives/list/…/thread/XQLK6K2XNAT4GT54IRSTVXU2RMN6V3YB/

Mageia 2021-0465: libss7 security update

Unsafe use of strncpy. (rhbz#1932066)

References:
- https://bugs.mageia.org/show_bug.cgi?id=29493
- https://lists.fedoraproject.org/archives/list/…/thread/7WQQBJ424DJMGRN6HI2OEMSSZ5XBG5ZH/

Mageia 2021-0464: fail2ban security update

fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. The `mail` command from the mailutils package, used in mail actions like `mail-whois`, can execute a command if