Mageia 2021-0455: icu security update
Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30535) References:
Mageia 2021-0454: libspf2 security update
Updated libspf2 packages fix buffer overflow. References: - https://bugs.mageia.org/show_bug.cgi?id=29396 - https://www.openwall.com/lists/oss-security/2021/08/11/6
Mageia 2021-0453: c-ares security update
Missing input validation on hostnames returned by DNS servers. (CVE-2021-3672) References: - https://bugs.mageia.org/show_bug.cgi?id=29350
Mageia 2021-0452: apache-mod_auth_openidc security update
In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. (CVE-2021-32786)
Mageia 2021-0451: perl-DBI security update
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). (CVE-2014-10402)
Mageia 2021-0450: chromium-browser-stable security update
The chromium-browser-stable package has been updated to 94.0.4606.61 version that fixes multiples security vulnerabilities. From 90.0.4430.72 (released on April 14, 2021) to 94.0.4606.61 version, see upstream advisories.
Mageia 2021-0449: libgd security update
The updated packages fix a security vulnerability: The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks (CVE-2021-40812).
Mageia 2021-0448: python-pillow security update
Updated python-pillow packages fix security vulnerability: The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function (CVE-2021-23437).
Mageia 2021-0447: webkit2 security update
Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.32.4, fixing various bugs and the following security issue:
Mageia 2021-0446: libgcrypt security update
The updated packages fix a security vulnerability: The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's
Mageia 2021-0445: mosquitto security update
Mosquitto is updated to 2.0.12 to fix security vulnerability: In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for
Mageia 2021-0444: gstreamer security update
GStreamer has been updated to 1.18.5 to fix various bugs and some security issues. References: - https://bugs.mageia.org/show_bug.cgi?id=29452
Mageia 2021-0443: qtwebengine5 security update
Updated qtwebengine5 packages fix security vulnerabilities: The qtwebengine5 package has been updated to version 5.15.6, fixing several security issues in the bundled chromium code.
Mageia 2021-0442: php security update
Updated php packages fix security vulnerabilities: - Integer overflow in mysqli_real_escape_string() - Symlinks are followed when creating PHAR archive - shmop can't read beyond 2147483647 bytes - Integer overflow on substr_replace
Mageia 2021-0441: libssh security update
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically,
Mageia 2021-0440: 389-ds-base security update
Fixed crypt handling of locked accounts. (CVE-2021-3652) References: - https://bugs.mageia.org/show_bug.cgi?id=29393 - https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html
Mageia 2021-0439: apache security update
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. (CVE-2021-33193) Malformed requests may cause the server to dereference a NULL pointer.
Mageia 2021-0438: curl security update
UAF and double-free in MQTT sending. (CVE-2021-22945) Protocol downgrade required TLS bypassed. (CVE-2021-22946) STARTTLS protocol injection via MITM. (CVE-2021-22947)
Mageia 2021-0437: gifsicle security update
Fixes a security vulnerability on certain resize operations with '--resize-method=box'. References: - https://bugs.mageia.org/show_bug.cgi?id=29458
Mageia 2021-0436: ghostscript security update
Trivial -dSAFER bypass in 9.55. (CVE-2021-3781) References: - https://bugs.mageia.org/show_bug.cgi?id=29453 - https://ubuntu.com/security/notices/USN-5075-1
