Mageia 2023-0249: microcode security update
This update adds initial microcode updates for AMD and Intel CPUs for the following security issues: AMD:
Mageia 2023-0248: php security update
Libxml - GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823) Phar - GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()) (CVE-2023-3824)
Mageia 2023-0247: samba security update
Out-of-bounds read due to insufficient length checks in winbindd_pam_auth_crap.c (CVE-2022-2127) Improper SMB2 packet signing mechanism leading to man in the middle risk (CVE-2023-3347) Infinite loop vulnerability was found in Samba's mdssvc RPC service for
Mageia 2023-0246: redis security update
A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. (CVE-2022-24834) References:
Mageia 2023-0245: docker-containerd security update
Memory leak. (CVE-2022-23471) Denial of service with maliciously crafted image with a large file (CVE-2023-25153) Security bypass due to improper supplementary group handling. (CVE-2023-25173)
Mageia 2023-0244: microcode security update
Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information (CVE-2023-20593, also known as Zenbleed).
Mageia 2023-0243: kernel-linus security update
This kernel-linus update is based on upstream 5.15.122 and fixes atleast the following security issues: Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another
Mageia 2023-0242: kernel security update
This kernel update is based on upstream 5.15.122 and fixes atleast the following security issue: Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another
Mageia 2023-0241: mediawiki security update
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n
Mageia 2023-0240: cri-o security update
Denial of service due to memory or disk exhaustion. (CVE-2022-1708) References: - https://bugs.mageia.org/show_bug.cgi?id=30526 - https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
Mageia 2023-0239: virtualbox security update
This update provides the upstream 7.0.10 maintenance release that fixes at least the following security vulnerabilities: Vulnerability in the Oracle VM VirtualBox prior to 7.0.10 contains an easily exploitable vulnerability that allows high privileged attacker
Mageia 2023-0238: kernel-linus security update
This kernel-linus update is based on upstream 5.15.120 and fixes atleast the following security issues: A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the
Mageia 2023-0237: kernel security update
This kernel update is based on upstream 5.15.120 and fixes atleast the following security issues: A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the
Mageia 2023-0236: mingw-nsis security update
Mishandles access control for an uninstaller directory. (CVE-2023-37378) References: - https://bugs.mageia.org/show_bug.cgi?id=32091 - https://www.debian.org/lts/security/2023/dla-3483
Mageia 2023-0235: firefox/nss security update
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS (CVE-2023-37201). Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment
Mageia 2023-0234: php security update
Fixed SOAP bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247) References: - https://bugs.mageia.org/show_bug.cgi?id=32075
Mageia 2023-0233: texlive security update
Any document compiled with older versions of LuaTeX can execute arbitrary shell commands, even with shell escape disabled. (CVE-2023-32700) References: - https://bugs.mageia.org/show_bug.cgi?id=31952
Mageia 2023-0232: mutt/neomutt security update
Out-of-bounds read in imap/util.c when an IMAP sequence set ends with a comma. (CVE-2021-32055) Overflow in uudecoder in Mutt allows read past end of input line (CVE-2022-1328)
Mageia 2023-0231: qt4/qtsvg5 security update
Out-of-bounds write in QtPrivate::QCommonArrayOps::growAppend (CVE-2021-45930) QtSvg QSvgFont m_unitsPerEm initialization is mishandled. (CVE-2023-32573)
Mageia 2023-0230: maven security update
No longer use http (non-SSL) repository references by default. References: - https://bugs.mageia.org/show_bug.cgi?id=28924 - https://www.openwall.com/lists/oss-security/2021/04/23/5
