Mageia 2022-0472: leptonica security update
This update fixes a denial of service vulnerability in leptonlib. It can be made to crash with an arithmetic exception on specially crafted JPEG files. (CVE-2022-38266) References:
Mageia 2022-0471: xfce4-settings security update
argument injection vulnerability in xfce4-mime-helper from the xfce4-settings package. References: - https://bugs.mageia.org/show_bug.cgi?id=31237
Mageia 2022-0470: libetpan security update
Null pointer dereference in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c. (CVE-2022-4121) References: - https://bugs.mageia.org/show_bug.cgi?id=31214
Mageia 2022-0469: python-slixmpp security update
Fixes missing certificate hostname validation References: - https://bugs.mageia.org/show_bug.cgi?id=31200 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/RDCGUJ5VBYUCDAXSHYA5NX2THU2RYIXE/
Mageia 2022-0468: heimdal security update
Isaac Boukris reported that the Heimdal KDC before 7.7.1 does not apply delegation_not_allowed (aka not-delegated) user attributes for S4U2Self. Instead the forwardable flag is set even if the impersonated client has the not-delegated flag set. (CVE-2019-14870)
Mageia 2022-0467: krb5 security update
Greg Hudson discovered integer overflow flaws in the PAC parsing in krb5, the MIT implementation of Kerberos, which may result in remote code execution (in a KDC, kadmin, or GSS or Kerberos application server process), information exposure (to a cross-realm KDC acting maliciously), or denial of service (KDC or kadmind process crash).
Mageia 2022-0466: couchdb security update
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations. (CVE-2022-24706)
Mageia 2022-0465: matio security update
matio (aka MAT File I/O Library) 1.5.18 through 1.5.21 has a heap-based buffer overflow in ReadInt32DataDouble (called from ReadInt32Data and Mat_VarRead4). (CVE-2020-36428) matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-based
Mageia 2022-0464: vim security update
Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command. (CVE-2022-4141) References:
Mageia 2022-0463: nodejs-json-schema security update
node-json-schema, JSON Schema validation and specifications, was vulnerable to Improperly Controlled Modification of Object Prototype Attributes. (CVE-2021-3918) References:
Mageia 2022-0462: rootcerts security update
Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates. r=KathleenWilson References: - https://bugs.mageia.org/show_bug.cgi?id=31232
Mageia 2022-0461: awstats security update
AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. (CVE-2022-46391) References: - https://bugs.mageia.org/show_bug.cgi?id=31230
Mageia 2022-0460: netkit-telnet security update
2-byte DoS in netkit-telnetd. (CVE-2022-39028) References: - https://bugs.mageia.org/show_bug.cgi?id=31229 - https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
Mageia 2022-0459: rxvt-unicode security update
rxvt-unicode 9.25 and 9.26 are vulnerable to remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. (CVE-2022-4170) References:
Mageia 2022-0458: busybox security update
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. (CVE-2022-30065) References:
Mageia 2022-0457: emacs security update
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working
Mageia 2022-0456: admesh security update
Security fix for TALOS-2022-1594. References: - https://bugs.mageia.org/show_bug.cgi?id=31207 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/IWF2CGKHHMVPAEZ2VSMQDVMDS4VUYMV3/
Mageia 2022-0455: shadowutils security update
shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees. (CVE-2013-4235) References: - https://bugs.mageia.org/show_bug.cgi?id=31198
Mageia 2022-0454: ruby security update
If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. Also, the contents for a CGI::Cookie object were not checked properly. If
Mageia 2022-0453: libarchive security update
In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. (CVE-2022-36227)
