Mageia 2021-0437: gifsicle security update
Fixes a security vulnerability on certain resize operations with '--resize-method=box'. References: - https://bugs.mageia.org/show_bug.cgi?id=29458
Mageia 2021-0436: ghostscript security update
Trivial -dSAFER bypass in 9.55. (CVE-2021-3781) References: - https://bugs.mageia.org/show_bug.cgi?id=29453 - https://ubuntu.com/security/notices/USN-5075-1
Mageia 2021-0435: python3 security update
bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition. bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
Mageia 2021-0434: proftpd security update
Fixes memory disclosure to RADIUS servers by mod_radius. Ftp clients like filezilla fail to detect locale with in log : "Status: Server does not support non-ASCII characters."
Mageia 2021-0433: libgd security update
read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file. (CVE-2021-38115) gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through
Mageia 2021-0432: vim security update
Using retab with large value may lead to heap buffer overflow References: - https://bugs.mageia.org/show_bug.cgi?id=29444 - https://bugzilla.redhat.com/show_bug.cgi?id=2001929
Mageia 2021-0431: gpac security update
A specially crafted MPEG-4 input when decoding the atom for the "co64" FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21834) A specially crafted MPEG-4 input using the "ctts" FOURCC code can cause
Mageia 2021-0430: libarchive security update
Fix handling of symbolic link ACLs on Linux. Never follow symlinks when setting file flags on Linux. Do not follow symlinks when processing the fixup list.
Mageia 2021-0429: openssl security update
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then
Mageia 2021-0428: apr security update
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (CVE-2021-35940)
Mageia 2021-0427: thunderbird security update
Mozilla developers Tyson Smith and Gabriele Svelto reported memory safety bugs present in Thunderbird ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2021-38493).
Mageia 2021-0426: tor security update
Henry de Valence reported a flaw in the signature verification code in Tor, a connection-based low-latency anonymous communication system. A remote attacker can take advantage of this flaw to cause an assertion failure, resulting in denial of service.
Mageia 2021-0425: firefox security update
Mozilla developers Tyson Smith and Gabriele Svelto reported memory safety bugs present in Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2021-38493).
Mageia 2021-0424: postgresql security update
Memory disclosure in certain queries. (CVE-2021-3677) References: - https://bugs.mageia.org/show_bug.cgi?id=29369 - https://www.postgresql.org/about/news/postgresql-134-128-1113-1018-9623-and-14-beta-3-released-2277/
Mageia 2021-0423: cpio security update
GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. (CVE-2021-38185). References:
Mageia 2021-0422: lynx security update
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. (CVE-2021-38165) References:
Mageia 2021-0421: nextcloud-client security update
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. (CVE-2021-22895) In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if
Mageia 2021-0420: ansible security update
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode.
Mageia 2021-0419: kernel-linus security update
This kernel-linus update is based on upstream 5.10.62 and fixes atleast the following security issues: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a
Mageia 2021-0418: kernel security update
This kernel update is based on upstream 5.10.62 and fixes atleast the following security issues: A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or
