Mageia 2024-0015: erlang security update
The updated packages fix a security vulnerability: Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang-ssh. (CVE-2023-48795) References:
Mageia 2024-0014: tinyxml security update
The updated packages fix a security vulnerability: StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. (CVE-2023-34194)
Mageia 2024-0013: hplip security update
There were security issues in hplip's `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c This update fixes these issues. References:
Mageia 2024-0012: nss and firefox security update
The updated packages fix security vulnerabilities Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856) Potential exposure of uninitialized data in EncryptingOutputStream. (CVE-2023-6865)
Mageia 2024-0011: chromium-browser-stable security update
The chromium-browser-stable package has been updated to the 120.0.6099.216release. Together with 120.0.6099.199, 7 vulnerabilities are fixed; some of them are listed below: References:
Mageia 2024-0010: openssh security update
The updated packages fix security vulnerabilities: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (CVE-2023-38408)
Mageia 2024-0009: x11-server and tigervnc security update
The updated packages fix security vulnerabilities: A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is
Mageia 2024-0008: gnutls security update
The updated packages fix a security vulnerability: A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. (CVE-2023-5981)
Mageia 2024-0007: vlc security update
The updated packages fix security vulnerabilities: Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption (CVE-2023-47359). Videolan VLC prior to version 3.0.20 contains an Integer underflow that
Mageia 2024-0006: thunderbird thunderbird-l10n security update
The updated packages fix security vulnerabilities: Truncated signed text was shown with a valid OpenPGP signature. (CVE-2023-50762) S/MIME signature accepted despite mismatching message date. (CVE-2023-50761)
Mageia 2024-0002: libssh2 security update
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded
Mageia 2023-0357: libssh security update
New version 0.10.6 for fixing security vulnerabilities of CVE-2023-6004, CVE-2023-48795 [Prefix Truncation Attacks in SSH Specification (Terrapin Attack)] and CVE-2023-6918. References:
Mageia 2023-0356: proftpd security update
ProFTPd upstream has released version 1.3.8b to fix CVE-2023-48795. >From the changelog: - Implemented mitigations for "Terrapin" SSH attack (CVE-2023-48795). References:
Mageia 2023-0355: chromium-browser-stable security update
The chromium-browser-stable package has been updated to the 120.0.6099.129 release, fixing bugs and 20 vulnerabilities, together with 120.0.6099.109, 120.0.6099.71 and 120.0.6099.62; some of them are listed below. High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy
Mageia 2023-0354: gstreamer security update
Updated gstreamer packages fix many security issues (see the references below). Apart from the listed CVEs, ZDI-CAN-22300 is also fixed. References:
Mageia 2023-0353: bluez security update
This update fixes the following security issue. Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to
Mageia 2023-0352: fusiondirectory security update
The updated packages fix security vulnerabilities: Fusiondirectory 1.3 suffers from Improper Session Handling. (CVE-2022-36179) Fusiondirectory 1.3 is vulnerable to Cross Site Scripting (XSS) via /fusiondirectory/index.php?message=[injection],
Mageia 2023-0351: ghostscript security update
The updated packages fix a security vulnerability. An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer. (CVE-2023-46751)
Mageia 2023-0350: cjose security update
The updated packages fix a security vulnerability: The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE
Mageia 2023-0349: golang security update
Update to upstream golang 1.21.5 to fix CVE2023-39326 and CVE-2023-4528[35] In Mageia 8, this update also allows build nodes to build docker stack References:
