Mageia 2022-0139: webkit2 security update
The webkit2 package has been updated to version 2.36.0, fixing several security issues and other bugs. References: - https://bugs.mageia.org/show_bug.cgi?id=30262
Mageia 2022-0138: ceph security update
Updated ceph packages fix security vulnerabilities: the key length for encrypted devices created using ceph-volume is incorrect. This is due to a bug in ceph_volume/util/encryption.py which is fixed by this new version. (CVE-2021-3979)
Mageia 2022-0137: gdal security update
GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment). (CVE-2021-45943)
Mageia 2022-0136: fribidi security update
Stack based buffer overflow. (CVE-2022-25308) Heap-buffer-overflow in fribidi_cap_rtl_to_unicode. (CVE-2022-25309) SEGV in fribidi_remove_bidi_marks. (CVE-2022-25310) References:
Mageia 2022-0135: busybox security update
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. (CVE-2022-28391)
Mageia 2022-0134: 389-ds-base security update
A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing.
Mageia 2022-0133: usbredir security update
A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts of buffered write data in the case of a slow or blocked destination. (CVE-2021-3700)
Mageia 2022-0132: python-paramiko security update
In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. (CVE-2022-24302) References:
Mageia 2022-0131: flatpak security update
Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. (CVE-2021-43860) Path traversal vulnerability (CVE-2022-21682)
