Mageia 2023-0054: curl security update
HTTP multi-header compression denial of service. (CVE-2023-23916) References: - https://bugs.mageia.org/show_bug.cgi?id=31554 - https://curl.se/docs/CVE-2023-23916.html
Mageia 2023-0053: nodejs-qs security update
nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such
Mageia 2023-0052: upx security update
Denial of service due to heap-based buffer overflow issue in UPX in PackTmt::pack() in p_tmt.cpp file. (CVE-2023-23456) Denial of service due to segmentation fault in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. (CVE-2023-23457)
Mageia 2023-0051: qtbase5 security update
Avoid unintentionally using binaries from CWD (CVE-2022-23853) Fix a possible DOS involving the Qt SQL ODBC driver plugin (CVE-2023-24607) Also fixes a regression that prevented Akonadi from working with kmail
Mageia 2023-0050: tpm2-tss security update
Tss2_RC_SetHandler and Tss2_RC_Decode both index into layer_handler with an 8 bit layer number, but the array only has TPM2_ERROR_TSS2_RC_LAYER_COUNT entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. (CVE-2023-22745)
Mageia 2023-0049: phpmyadmin security update
Security fix for an XSS vulnerability in the drag-and-drop upload functionality (PMASA-2023-01) Additional bugfixes including - issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick
Mageia 2023-0048: editorconfig-core-c security update
Mark Esler and David Fernandez Gonzalez discovered that EditorConfig Core C incorrectly handled memory when handling certain inputs. An attacker could possibly use this issue to cause applications using EditorConfig Core C to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-0341)
Mageia 2023-0047: webkit2 security update
Processing maliciously crafted web content may lead to arbitrary code execution. (CVE-2022-42826) (CVE-2023-23517) (CVE-2023-23518) References: - https://bugs.mageia.org/show_bug.cgi?id=31504
Mageia 2023-0046: libzen security update
A vulnerability classified as problematic has been found in MediaArea ZenLib up to 0.4.38. This affects the function Ztring::Date_From_Seconds_1970_Local of the file Source/ZenLib/Ztring.cpp. The manipulation of the argument Value leads to unchecked return value to null pointer dereference. (CVE-2020-36646)
