Mageia 2022-0250: curl security update
Set-Cookie denial of service. (CVE-2022-32205) HTTP compression denial of service. (CVE-2022-32206) Unpreserved file permissions. (CVE-2022-32207)
Mageia 2022-0249: squid security update
Denial of Service in Gopher Processing. (CVE-2021-46784) References: - https://bugs.mageia.org/show_bug.cgi?id=30578 - https://ubuntu.com/security/notices/USN-5491-1
Mageia 2022-0248: ruby-git security update
Command Injection via git argument injection (CVE-2022-25648) References: - https://bugs.mageia.org/show_bug.cgi?id=30497 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/
Mageia 2022-0247: cyrus-imapd security update
Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. (CVE-2021-33582)
Mageia 2022-0246: openssl security update
The c_rehash script allows command injection. (CVE-2022-2068) References: - https://bugs.mageia.org/show_bug.cgi?id=30573 - https://www.openssl.org/news/secadv/20220621.txt
Mageia 2022-0245: python-bottle security update
Bottle before 0.12.20 mishandles errors during early request binding. (CVE-2022-31799) References: - https://bugs.mageia.org/show_bug.cgi?id=30532
Mageia 2022-0244: python-pyjwt security update
An attacker submitting the JWT token can choose the used signing algorithm (CVE-2022-29217) References: - https://bugs.mageia.org/show_bug.cgi?id=30485
Mageia 2022-0243: kernel-linus security update
This kernel update-linus is based on upstream 5.15.50 and fixes at least the following security issues: Incomplete cleanup of multi-core shared buffers for some Intel Processors may allow an authenticated user to potentially enable information disclosure
Mageia 2022-0242: kernel security update
This kernel update is based on upstream 5.15.50 and fixes at least the following security issues: Incomplete cleanup of multi-core shared buffers for some Intel Processors may allow an authenticated user to potentially enable information disclosure
Mageia 2022-0241: chromium-browser-stable security update
The chromium-browser-stable package has been updated to the 103.0.5060.53 branch, fixing many bugs and 14 CVE. Some of them are listed below: Use after free in Base. (CVE-2022-2156) Use after free in Interest groups. (CVE-2022-2157)
Mageia 2022-0240: libtiff security update
Heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c. (CVE-2022-1354) Stack-buffer-overflow in tiffcp.c in main(). (CVE-2022-1355) Out-of-bounds read in LZWDecode. (CVE-2022-1622, CVE-2022-1623)
Mageia 2022-0239: 389-ds-base security update
An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to,
Mageia 2022-0238: exo security update
Changed to prevent executing possibly malicious .desktop files from online sources (ftp://, http:// etc.). References: - https://bugs.mageia.org/show_bug.cgi?id=30540
Mageia 2022-0237: halibut security update
Use-after-free in cleanup_index() in index.c (CVE-2021-42612) Double free in cleanup_index() in index.c (CVE-2021-42613) Use-after-free in info_width_internal() in bk_info.c (CVE-2021-42614) References:
Mageia 2022-0236: exempi security update
XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2021-36045)
Mageia 2022-0235: bluez security update
It was discovered that BlueZ incorrectly validated certain capabilities and lengths when handling the A2DP profile. A remote attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or possibly execute arbitrary code.
Mageia 2022-0234: php security update
CLI -Fixed bug #8575 (CLI closes standard streams too early). Core -Fixed Haiku ZTS builds. Date -Fixed bug #8471 (Segmentation fault when converting immutable and mutable DateTime instances created using reflection). php-fpm - Fixed bug #72185 writes empty fcgi record causing nginx 502.
Mageia 2022-0233: dnsmasq security update
A write after free has been discovered in DHCPv6 code. A special request could be crafted to modify already freed memory. (CVE-2022-0934) References: - https://bugs.mageia.org/show_bug.cgi?id=30318
Mageia 2022-0232: chromium-browser-stable security update
The chromium-browser-stable package has been updated to the 102.0.5005.115 version, fixing many bugs and 7 CVE. Some of them are listed below: Use after free in WebGPU. (CVE-2022-2007) Out of bounds memory access in WebGL. (CVE-2022-2008) Out of bounds read in compositing. (CVE-2022-2010)
Mageia 2022-0231: golang security update
crypto/tls: session tickets lack random ticket_age_add. Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. (CVE-2022-30629)
