Mageia 2022-0238: exo security update
Changed to prevent executing possibly malicious .desktop files from online sources (ftp://, http:// etc.). References: - https://bugs.mageia.org/show_bug.cgi?id=30540
Mageia 2022-0237: halibut security update
Use-after-free in cleanup_index() in index.c (CVE-2021-42612) Double free in cleanup_index() in index.c (CVE-2021-42613) Use-after-free in info_width_internal() in bk_info.c (CVE-2021-42614) References:
Mageia 2022-0236: exempi security update
XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2021-36045)
Mageia 2022-0235: bluez security update
It was discovered that BlueZ incorrectly validated certain capabilities and lengths when handling the A2DP profile. A remote attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or possibly execute arbitrary code.
Mageia 2022-0234: php security update
CLI -Fixed bug #8575 (CLI closes standard streams too early). Core -Fixed Haiku ZTS builds. Date -Fixed bug #8471 (Segmentation fault when converting immutable and mutable DateTime instances created using reflection). php-fpm - Fixed bug #72185 writes empty fcgi record causing nginx 502.
Mageia 2022-0233: dnsmasq security update
A write after free has been discovered in DHCPv6 code. A special request could be crafted to modify already freed memory. (CVE-2022-0934) References: - https://bugs.mageia.org/show_bug.cgi?id=30318
Mageia 2022-0232: chromium-browser-stable security update
The chromium-browser-stable package has been updated to the 102.0.5005.115 version, fixing many bugs and 7 CVE. Some of them are listed below: Use after free in WebGPU. (CVE-2022-2007) Out of bounds memory access in WebGL. (CVE-2022-2008) Out of bounds read in compositing. (CVE-2022-2010)
Mageia 2022-0231: golang security update
crypto/tls: session tickets lack random ticket_age_add. Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. (CVE-2022-30629)
Mageia 2022-0230: kernel-linus security update
This kernel-linus update is based on upstream 5.15.46 and fixes at least the following security issues: KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID (CVE-2022-1789).
Mageia 2022-0229: kernel security update
This kernel update is based on upstream 5.15.46 and fixes at least the following security issues: KVM: x86: avoid calling x86 emulator without a decoded instruction (CVE-2022-1852).
Mageia 2022-0228: apache security update
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. (CVE-2022-26377)
Mageia 2022-0227: docker-containerd security update
A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the 'ExecSync' API. (CVE-2022-31030) References:
Mageia 2022-0226: php-smarty security update
Template authors could inject php code by choosing a malicious {block} name or {include} file name. (CVE-2022-29221) References: - https://bugs.mageia.org/show_bug.cgi?id=30495
Mageia 2022-0225: nats-server security update
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. (CVE-2022-24450)
Mageia 2022-0224: python-pypdf2 security update
Infinite loop with manipulated inline images (CVE-2022-24859) References: - https://bugs.mageia.org/show_bug.cgi?id=30511 - https://www.debian.org/lts/security/2022/dla-3039
Mageia 2022-0223: vim security update
out-of-bounds read in gchar_cursor() in misc1.c (CVE-2022-1851) use-after-free in find_pattern_in_path() in search.c (CVE-2022-1898) out-of-bounds write in vim_regsub_both() in regexp.c (CVE-2022-1897) buffer over-read in utf_ptr2char() in mbyte.c (CVE-2022-1927 ) out of bounds write in vim_regsub_both() (CVE-2022-1942)
Mageia 2022-0222: python-ujson security update
Benchmark refactor - argparse CLI. Fix segmentation faults when errors occur while handling unserialisable objects. Fix segmentation fault when an exception is raised while converting a dict key to a string.
Mageia 2022-0221: thunderbird security update
When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name
Mageia 2022-0220: firefox/nss/nspr security update
A malicious website could have learned the size of a cross-origin resource that supported Range requests (CVE-2022-31736). A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash (CVE-2022-31737).
Mageia 2022-0219: gimp security update
GIMP 2.10 is vulnerable to Buffer Overflow. Through a crafted XCF file, the program will allocate for a huge amount of memory, resulting in insufficient memory or program crash. (CVE-2022-30067) References:
