Mageia 2021-0443: qtwebengine5 security update
Updated qtwebengine5 packages fix security vulnerabilities: The qtwebengine5 package has been updated to version 5.15.6, fixing several security issues in the bundled chromium code.
Mageia 2021-0442: php security update
Updated php packages fix security vulnerabilities: - Integer overflow in mysqli_real_escape_string() - Symlinks are followed when creating PHAR archive - shmop can't read beyond 2147483647 bytes - Integer overflow on substr_replace
Mageia 2021-0441: libssh security update
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically,
Mageia 2021-0440: 389-ds-base security update
Fixed crypt handling of locked accounts. (CVE-2021-3652) References: - https://bugs.mageia.org/show_bug.cgi?id=29393 - https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html
Mageia 2021-0439: apache security update
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. (CVE-2021-33193) Malformed requests may cause the server to dereference a NULL pointer.
Mageia 2021-0438: curl security update
UAF and double-free in MQTT sending. (CVE-2021-22945) Protocol downgrade required TLS bypassed. (CVE-2021-22946) STARTTLS protocol injection via MITM. (CVE-2021-22947)
Mageia 2021-0437: gifsicle security update
Fixes a security vulnerability on certain resize operations with '--resize-method=box'. References: - https://bugs.mageia.org/show_bug.cgi?id=29458
Mageia 2021-0436: ghostscript security update
Trivial -dSAFER bypass in 9.55. (CVE-2021-3781) References: - https://bugs.mageia.org/show_bug.cgi?id=29453 - https://ubuntu.com/security/notices/USN-5075-1
Mageia 2021-0435: python3 security update
bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition. bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
