Insufficient checks on the lengths of the XInput extension ChangeFeedbackControl request can lead to out-of-bounds memory accesses in the X server. These issues can lead to privilege escalation for authorized clients.
An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key (CVE-2021-23991). A crafted OpenPGP key with an invalid user ID could be used to confuse the user (MOZ-2021-23992).
The updated packages fix security vulnerabilities and a crash when a device does some cast traffic in the local network (see upstream release notes). References: https://bugs.mageia.org/show_bug.cgi?id=28702
GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files (SA-2021-0002). GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files (SA-2021-0003).
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)