Mageia 2021-0447: webkit2 security update
Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.32.4, fixing various bugs and the following security issue:
Mageia 2021-0446: libgcrypt security update
The updated packages fix a security vulnerability: The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's
Mageia 2021-0445: mosquitto security update
Mosquitto is updated to 2.0.12 to fix security vulnerability: In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for
Mageia 2021-0444: gstreamer security update
GStreamer has been updated to 1.18.5 to fix various bugs and some security issues. References: - https://bugs.mageia.org/show_bug.cgi?id=29452
Mageia 2021-0443: qtwebengine5 security update
Updated qtwebengine5 packages fix security vulnerabilities: The qtwebengine5 package has been updated to version 5.15.6, fixing several security issues in the bundled chromium code.
Mageia 2021-0442: php security update
Updated php packages fix security vulnerabilities: - Integer overflow in mysqli_real_escape_string() - Symlinks are followed when creating PHAR archive - shmop can't read beyond 2147483647 bytes - Integer overflow on substr_replace
Mageia 2021-0441: libssh security update
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically,
Mageia 2021-0440: 389-ds-base security update
Fixed crypt handling of locked accounts. (CVE-2021-3652) References: - https://bugs.mageia.org/show_bug.cgi?id=29393 - https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html
Mageia 2021-0439: apache security update
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. (CVE-2021-33193) Malformed requests may cause the server to dereference a NULL pointer.
Mageia 2021-0438: curl security update
UAF and double-free in MQTT sending. (CVE-2021-22945) Protocol downgrade required TLS bypassed. (CVE-2021-22946) STARTTLS protocol injection via MITM. (CVE-2021-22947)
Mageia 2021-0437: gifsicle security update
Fixes a security vulnerability on certain resize operations with '--resize-method=box'. References: - https://bugs.mageia.org/show_bug.cgi?id=29458
Mageia 2021-0436: ghostscript security update
Trivial -dSAFER bypass in 9.55. (CVE-2021-3781) References: - https://bugs.mageia.org/show_bug.cgi?id=29453 - https://ubuntu.com/security/notices/USN-5075-1
Mageia 2021-0435: python3 security update
bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition. bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
Mageia 2021-0434: proftpd security update
Fixes memory disclosure to RADIUS servers by mod_radius. Ftp clients like filezilla fail to detect locale with in log : "Status: Server does not support non-ASCII characters."
Mageia 2021-0433: libgd security update
read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file. (CVE-2021-38115) gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through
Mageia 2021-0432: vim security update
Using retab with large value may lead to heap buffer overflow References: - https://bugs.mageia.org/show_bug.cgi?id=29444 - https://bugzilla.redhat.com/show_bug.cgi?id=2001929
Mageia 2021-0431: gpac security update
A specially crafted MPEG-4 input when decoding the atom for the "co64" FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21834) A specially crafted MPEG-4 input using the "ctts" FOURCC code can cause
Mageia 2021-0430: libarchive security update
Fix handling of symbolic link ACLs on Linux. Never follow symlinks when setting file flags on Linux. Do not follow symlinks when processing the fixup list.
Mageia 2021-0429: openssl security update
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then
Mageia 2021-0428: apr security update
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (CVE-2021-35940)
