Mageia 2024-0027: gpac security update
This update fixes two security vulnerabilities, CVE-2023-3012 and CVE-2023-3291, see the References below. References: - https://bugs.mageia.org/show_bug.cgi?id=32016
Mageia 2024-0026: glibc security update
The updated packages fix security vulnerabilities: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program
Mageia 2024-0024: thunderbird security update
Out of bounds write in ANGLE. (CVE-2024-0741) Failure to update user input timestamp. (CVE-2024-0742) Crash when listing printers on Linux. (CVE-2024-0746)
Mageia 2024-0021: perl security update
The updated packages fix a security vulnerability: Write past buffer end via illegal user-defined Unicode property. (CVE-2023-47038) References:
Mageia 2024-0020: openssl security update
The updated packages fix security vulnerabilities: Excessive time spent in DH check / generation with large Q parameter value. (CVE-2023-5678) POLY1305 MAC implementation corrupts vector registers on PowerPC. (CVE-2023-6129)
Mageia 2024-0019: zlib security update
Updated zlib packages fix a security vulnerability: Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted
Mageia 2024-0018: python-pillow security update
This update fixes the following security issue: Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter This is a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Mageia 2024-0017: chromium-browser-stable security update
The chromium-browser-stable package has been updated to the 120.0.6099.224 release. 4 vulnerabilities are fixed; some of them are listed below: High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06.
Mageia 2024-0016: avahi security update
The updated packages fix security vulnerabilities: A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. (CVE-2023-38469) A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. (CVE-2023-38470)
Mageia 2024-0015: erlang security update
The updated packages fix a security vulnerability: Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang-ssh. (CVE-2023-48795) References:
Mageia 2024-0014: tinyxml security update
The updated packages fix a security vulnerability: StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. (CVE-2023-34194)
Mageia 2024-0013: hplip security update
There were security issues in hplip's `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c This update fixes these issues. References:
Mageia 2024-0012: nss and firefox security update
The updated packages fix security vulnerabilities Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856) Potential exposure of uninitialized data in EncryptingOutputStream. (CVE-2023-6865)
Mageia 2024-0011: chromium-browser-stable security update
The chromium-browser-stable package has been updated to the 120.0.6099.216release. Together with 120.0.6099.199, 7 vulnerabilities are fixed; some of them are listed below: References:
Mageia 2024-0010: openssh security update
The updated packages fix security vulnerabilities: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (CVE-2023-38408)
Mageia 2024-0009: x11-server and tigervnc security update
The updated packages fix security vulnerabilities: A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is
Mageia 2024-0008: gnutls security update
The updated packages fix a security vulnerability: A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. (CVE-2023-5981)
Mageia 2024-0007: vlc security update
The updated packages fix security vulnerabilities: Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption (CVE-2023-47359). Videolan VLC prior to version 3.0.20 contains an Integer underflow that
Mageia 2024-0006: thunderbird thunderbird-l10n security update
The updated packages fix security vulnerabilities: Truncated signed text was shown with a valid OpenPGP signature. (CVE-2023-50762) S/MIME signature accepted despite mismatching message date. (CVE-2023-50761)
Mageia 2024-0002: libssh2 security update
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded
