Mageia 2024-0204: git Security Advisory Updates
Updated Git to version 2.41.1 to fix CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021
Mageia 2024-0200: openssl Security Advisory Updates
The updated packages fix security vulnerabilities: Excessive time spent checking DSA keys and parameters. (CVE-2024-4603) Use After Free with SSL_free_buffers. (CVE-2024-4741) References:
Mageia 2024-0199: python-jinja2 Security Advisory Updates
It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting (XSS) attack.
Mageia 2024-0198: perl-Email-MIME Security Advisory Updates
An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts. (CVE-2024-4140)
Mageia 2024-0196: chromium-browser-stable Security Advisory Updates
The chromium-browser-stable package has been updated to the 125.0.6422.112 release. It includes 1 security fix. * High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20
Mageia 2024-0194: chromium-browser-stable Security Advisory Updates
The chromium-browser-stable package has been updated to the 125.0.6422.76 release. It includes 6 security fixes Please, do note, that since some versions ago, only x86_64 is supported. i586 support for linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromium code..
Mageia 2024-0193: roundcubemail Security Advisory Updates
This is a security update to the stable version 1.6 of Roundcube Webmail. Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike.
Mageia 2024-0192: ghostscript Security Advisory Updates
Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.
Mageia 2024-0191: thunderbird Security Advisory Updates
Arbitrary JavaScript execution in PDF.js. (CVE-2024-4367) IndexedDB files retained in private browsing mode. (CVE-2024-4767) Potential permissions request bypass via clickjacking. (CVE-2024-4768) Cross-origin responses could be distinguished between script and non-script content-types. (CVE-2024-4769)
Mageia 2024-0190: chromium-browser-stable Security Advisory Updates
The chromium-browser-stable package has been updated to the 125.0.6422.60 release. It includes 9 security fixes. Please, do note, only x86_64 is supported from now on. i586 support for linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromium code.
Mageia 2024-0189: nss & firefox Security Advisory Updates
Arbitrary JavaScript execution in PDF.js. (CVE-2024-4367) IndexedDB files retained in private browsing mode. (CVE-2024-4767) Potential permissions request bypass via clickjacking. (CVE-2024-4768) Cross-origin responses could be distinguished between script and non-script content-types. (CVE-2024-4769)
Mageia 2024-0186: stb Security Advisory Updates
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is
Mageia 2024-0183: djvulibre Security Advisory Updates
An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero. References: - https://bugs.mageia.org/show_bug.cgi?id=33221
Mageia 2024-0179: java-1.8.0, java-11, java-17, java-latest Security Advisory Updates
Long Exception message leading to crash. (CVE-2024-21011) HTTP/2 client improper reverse DNS lookup. (CVE-2024-21012) Integer overflow in C1 compiler address generation. (CVE-2024-21068) Pack200 excessive memory allocation. (CVE-2024-21085) C2 compilation fails with "Exceeded _node_regs array". (CVE-2024-21094)
Mageia 2024-0178: chromium-browser-stable Security Advisory Updates
The chromium-browser-stable package has been updated to the 124.0.6367.207 release. It includes 4 security fixes. Please, do note, only x86_64 is supported from now on. i586 support for linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromium code.
Mageia 2024-0175: mutt Security Advisory Updates
Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 1.5.2
Mageia 2024-0173: glibc Security Advisory Updates
Stack-based buffer overflow in netgroup cache: If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. (CVE-2024-33599) Null pointer crashes after notfound response: If the Name Service Cache
Mageia 2024-0172: libxml2 Security Advisory Updates
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. (CVE-2024-25062)
Mageia 2024-0171: tpm2-tss Security Advisory Updates
A flaw was found in the tpm2-tss package, where there was no check that the magic number in the attest is equal to the TPM2_GENERATED_VALUE. This flaw allows an attacker to generate arbitrary quote data, which may not be detected by Fapi_VerifyQuote.
Mageia 2024-0165: freeglut Security Advisory Updates
freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function. (CVE-2024-24258) freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function. (CVE-2024-24259)
