Security Updates

MGASA-2025-0214 - Updated poppler packages fix security vulnerabilities

Mageia Security - 25 July 2025 - 22:48
Publication date: 25 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-52886
Description: poppler uses std::atomic_int for reference counting. Because it is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free.
SRPMS
9/core
  • poppler-23.02.0-1.7.mga9

MGASA-2025-0213 - Updated sudo packages fix security vulnerabilities

Mageia Security - 25 July 2025 - 22:48
Publication date: 25 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-32462, CVE-2025-32463
Description:
  • CVE-2025-32462 - Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
  • CVE-2025-32463 - Sudo before 1.9.17p1 allows local users to obtain root access because "/etc/nsswitch.conf" from a user-controlled directory is used with the --chroot option.
SRPMS
9/core
  • sudo-1.9.15p5-1.1.mga9

MGAA-2025-0070 - Updated nvidia-current & ldetect-lst packages fix bug

Mageia Security - 25 July 2025 - 22:48
Publication date: 25 Jul 2025
Type: bugfix
Affected Mageia releases: 9
Description: This is a bugfix update that syncs the driver with the latest NVIDIA release.
SRPMS
9/core
  • ldetect-lst-0.6.61-1.mga9
9/nonfree
  • nvidia-current-570.172.08-2.mga9.nonfree

MGASA-2025-0212 - Updated qtbase6 & qtbase5 packages fix security vulnerability

Mageia Security - 22 July 2025 - 17:34
Publication date: 22 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-5455
Description: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example a URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0 to 6.5.8, 6.6.0 to 6.8.3 and 6.9.0.
SRPMS
9/core
  • qtbase6-6.4.1-5.2.mga9
  • qtbase5-5.15.7-6.2.mga9

MGAA-2025-0069 - Updated qarte 5.9.0 1.mga9 packages fix bug

Mageia Security - 22 July 2025 - 17:34
Publication date: 22 Jul 2025
Type: bugfix
Affected Mageia releases: 9
Description: The current version crashes at start. This update fixes the reported issue.
SRPMS
9/core
  • qarte-5.10.0-1.mga9

MGASA-2025-0211 - Updated redis packages fix security vulnerabilities

Mageia Security - 19 July 2025 - 18:55
Publication date: 19 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-27151, CVE-2023-41056, CVE-2025-32023, CVE-2025-48367
Description: Updated redis packages to a more recent version to fix security vulnerabilities. Some vulnerabilities have been discovered and fixed. Please note this update is from 7.0 to 7.2, which brings some potentially breaking changes. In most cases this update can be installed without problems.
Potentially Breaking / Behavior Changes:
  • Client side tracking for scripts now tracks the keys that are read by the script instead of the keys that are declared by the caller of EVAL / FCALL (#11770)
  • Freeze time sampling during command execution and in scripts (#10300)
  • When a blocked command is being unblocked, checks like ACL, OOM, etc. are re-evaluated (#11012)
  • Unify ACL failure error message text and error codes (#11160)
  • Blocked stream command that's released when key no longer exists carries a different error code (#11012)
  • Command stats are updated for blocked commands only when / if the command actually executes (#11012)
  • The way ACL users are stored internally no longer removes redundant command and category rules, which may alter the way those rules are displayed as part of `ACL SAVE`, `ACL GETUSER` and `ACL LIST` (#11224)
  • Client connections created for TLS-based replication use SNI if possible (#11458)
  • Stream consumers: Re-purpose seen-time, add active-time (#11099)
  • XREADGROUP and X[AUTO]CLAIM create the consumer regardless of whether it was able to perform some reading/claiming (#11099)
  • ACL default newly created user set sanitize-payload flag in ACL LIST/GETUSER (#11279)
  • Fix HELLO command not to affect the client state unless successful (#11659)
  • Normalize `NAN` in replies to a single nan type, like we do with `inf` (#11597)
  • Cluster SHARD IDs are no longer visible in the cluster nodes output, introduced in 7.2-RC1 (#10536, #12166)
  • When calling PUBLISH with a RESP3 client that's also subscribed to the same channel, the order is changed and the reply is sent before the published message (#12326)
SRPMS
9/core
  • redis-7.2.10-1.mga9

MGASA-2025-0209 - Updated djvulibre packages fix security vulnerability

Mageia Security - 19 July 2025 - 18:55
Publication date: 19 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-53367
Description: An out-of-bounds write in the MMRDecoder::scanruns method was fixed. The vulnerability could be exploited to gain code execution on a Linux desktop system when the user tries to open a crafted document.
SRPMS
9/core
  • djvulibre-3.5.29-1.mga9

MGAA-2025-0068 - Updated virtualbox kmod-virtualbox packages fix bugs

Mageia Security - 17 July 2025 - 07:38
Publication date: 17 Jul 2025
Type: bugfix
Affected Mageia releases: 9
Description:
  • VBoxManage: Fixed a crash when running 'guestcontrol run' on Windows hosts (bug #22175)
  • Audio: Fixed device switching on Windows hosts (bug #22267)
  • Windows host installer: Fixed multiple installation entries in the 'Add or remove programs' dialog and upgrade issues
  • Linux host: Fixed issue which caused VM Selector process crash due to missing libdl.so and libpthread.so libraries (bug #22193)
  • Linux host: Removed libIDL as a build time dependency when building VirtualBox from source code (bug #21169)
  • Linux guest and host: Added initial support for kernel 6.15 (bug #22420)
  • Linux guest: Added initial support for kernel 6.16-RC0
  • Linux guest and host: Fixed issue with building modules for UEK8 kernel on Oracle Linux 9 distribution
  • RDP: Fixed issue when it was not possible to paste clipboard buffer into a guest over RDP remote session
SRPMS
9/core
  • virtualbox-7.1.10-1.mga9
  • kmod-virtualbox-7.1.10-4.mga9

MGASA-2025-0208 - Updated qtimageformats6 packages fix security vulnerabilities

Mageia Security - 15 July 2025 - 03:49
Publication date: 15 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-5683
Description: Loading a specifically crafted ICNS format image file in QImage will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, and 6.9.0.
SRPMS
9/core
  • qtimageformats6-6.4.1-1.1.mga9

MGASA-2025-0207 - Updated firefox packages fix security vulnerabilities

Mageia Security - 11 July 2025 - 19:52
Publication date: 11 Jul 2025
Type: security
Affected Mageia releases: 9
Description: The last packaged version for armv7hl was 115.13.0, so from the point of view of the armv7hl architecture this is a security advisory and fixes a lot of CVEs; see the linked security advisories below.
  • https://advisories.mageia.org/MGASA-2024-0325.html
  • https://advisories.mageia.org/MGASA-2024-0331.html
  • https://advisories.mageia.org/MGASA-2024-0349.html
  • https://advisories.mageia.org/MGASA-2024-0383.html
  • https://advisories.mageia.org/MGASA-2025-0009.html
  • https://advisories.mageia.org/MGASA-2025-0045.html
  • https://advisories.mageia.org/MGASA-2025-0092.html
  • https://advisories.mageia.org/MGASA-2025-0125.html
  • https://advisories.mageia.org/MGASA-2025-0150.html
  • https://advisories.mageia.org/MGASA-2025-0165.html
  • https://advisories.mageia.org/MGASA-2025-0195.html
  • https://advisories.mageia.org/MGASA-2025-0201.html
For the remaining architectures, this is just a bump in the release subversion. We understand it can be upsetting to get an update that does not fix or improve something, but as part of quality assurance the packages of a piece of software should be built from the same source rpm for all the architectures.
SRPMS
9/core
  • firefox-128.12.0-1.4.mga9
  • firefox-l10n-128.12.0-1.2.mga9

MGASA-2025-0206 - Updated gnupg2 packages fix security vulnerabilities

Mageia Security - 11 July 2025 - 19:52
Publication date: 11 Jul 2025
Type: security
Affected Mageia releases: 9
Description: Key validity was not computed when a key is certified by a trusted "certify-only" key (regression due to the patch for CVE-2025-30258).
SRPMS
9/core
  • gnupg2-2.3.8-1.4.mga9

MGASA-2025-0205 - Updated golang packages fix security vulnerabilities

Mageia Security - 11 July 2025 - 19:52
Publication date: 11 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-4674
Description: Various uses of the Go toolchain in untrusted VCS repositories can result in unexpected code execution. Using the Go toolchain in directories fetched with various VCS tools (such as directly cloning Git or Mercurial repositories) can cause the toolchain to execute unexpected commands if said directory contains multiple sets of VCS configuration metadata (such as a '.hg' directory in a Git repository). This is due to how the Go toolchain attempts to resolve which VCS is being used in order to embed build information in binaries and determine module versions.
SRPMS
9/core
  • golang-1.24.5-1.mga9

MGASA-2025-0204 - Updated dpkg packages fix security vulnerabilities

Mageia Security - 11 July 2025 - 19:52
Publication date: 11 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6297
Description: It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages, or with well compressible files placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario by causing disk quota exhaustion or disk full conditions.
SRPMS
9/core
  • dpkg-1.22.21-1.mga9

MGAA-2025-0067 - Updated nss packages fix bug

Mageia Security - 11 July 2025 - 19:52
Publication date: 11 Jul 2025
Type: bugfix
Affected Mageia releases: 9
Description: pretrans scripts are run before any package installation is run; as such, the scripts must not depend on any interpreter, and only Lua is allowed. The problem occurs when creating a livecd or similar chroot from scratch: the pretrans script then fails because there is nothing that would provide /bin/sh to run the script. This update fixes the reported issue.
SRPMS
9/core
  • nss-3.113.0-1.1.mga9

MGAA-2025-0066 - Updated blender packages fix bug

Mageia Security - 11 July 2025 - 19:52
Publication date: 11 Jul 2025
Type: bugfix
Affected Mageia releases: 9
Description: The 32-bit blender version comes with a wrapper script which automatically selects between the SSE (Pentium 4 and above) and non-SSE (Pentium) flavours. Unfortunately this script at some point lost the executable permission in the SPEC file. This update fixes the reported issue and brings a new version of blender.
SRPMS
9/core
  • blender-3.3.21-1.mga9

MGAA-2025-0065 - Updated llvm19-suite packages fix bug

Mageia Security - 8 July 2025 - 22:38
Publication date: 08 Jul 2025
Type: bugfix
Affected Mageia releases: 9
Description: The update fixes an issue building firefox & thunderbird on the armv7hl architecture.
SRPMS
9/core
  • llvm19-suite-19.1.0-4.mga9

MGASA-2025-0203 - Updated php packages fix security vulnerabilities

Mageia Security - 6 July 2025 - 00:48
Publication date: 05 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-1735, CVE-2025-6491, CVE-2025-1220
Description:
  • PGSQL: Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
  • SOAP: Fixed GHSA-453j-q27h-5p8x (NULL pointer dereference in PHP SOAP extension via large XML namespace prefix). (CVE-2025-6491)
  • Standard: Fixed GHSA-3cr5-j632-f35r (null byte termination in hostnames). (CVE-2025-1220)
SRPMS
9/core
  • php-8.2.29-1.mga9

MGASA-2025-0202 - Updated catdoc packages fix security vulnerabilities

Mageia Security - 6 July 2025 - 00:48
Publication date: 05 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-48877, CVE-2024-52035, CVE-2024-54028
Description:
  • A memory corruption vulnerability exists in the Shared String Table Record Parser implementation in the xls2csv utility version 0.95. (CVE-2024-48877)
  • An integer overflow vulnerability exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95. (CVE-2024-52035)
  • An integer underflow vulnerability exists in the OLE Document DIFAT Parser functionality of catdoc 0.95. (CVE-2024-54028)
SRPMS
9/core
  • catdoc-0.95-5.1.mga9

MGASA-2025-0201 - Updated rootcerts, nss & firefox packages fix security vulnerabilities

Mageia Security - 2 July 2025 - 23:16
Publication date: 02 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430
Description:
  • CVE-2025-6424: A use-after-free in FontFaceSet resulted in a potentially exploitable crash.
  • CVE-2025-6425: An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.
  • CVE-2025-6429: Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.
  • CVE-2025-6430: When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a or tag, potentially making a website vulnerable to a cross-site scripting attack.
We can't yet ship this update to the armv7hl architecture; we are investigating the issue and will try to update firefox for armv7hl as soon as possible.
SRPMS
9/core
  • firefox-128.12.0-1.1.mga9
  • firefox-l10n-128.12.0-1.1.mga9
  • rootcerts-20250613.00-1.mga9
  • nss-3.113.0-1.mga9