Security Updates
MGASA-2026-0007 - Updated libtasn1 packages fix security vulnerability
Publication date: 12 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-13151
Description: Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. (CVE-2025-13151)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34957
- https://www.openwall.com/lists/oss-security/2026/01/08/5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13151
- libtasn1-4.21.0-1.mga9
Categories: Security Updates
MGAA-2026-0005 - Updated dkms-vhba, libmirage & cdemu-daemon packages fix bugs
Publication date: 12 Jan 2026
Type: bugfix
Affected Mageia releases: 9
Description: We are planning to make a backport for kernel 6.18. In the QA stage, we discovered that the dkms-vhba, libmirage and cdemu-daemon packages don't work as they should. These updates fix the reported issue.
References:
SRPMS 9/core:
- dkms-vhba-20250329-1.mga9
- libmirage-3.2.10-1.mga9
- cdemu-daemon-3.2.7-1.2.mga9
MGASA-2026-0006 - Updated zlib packages fix security vulnerability
Publication date: 11 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-22184
Description: zlib <= 1.3.1.2 untgz Global Buffer Overflow in TGZfname(). (CVE-2026-22184)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34954
- https://www.openwall.com/lists/oss-security/2026/01/06/5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22184
- zlib-1.2.13-1.3.mga9
MGAA-2026-0004 - Updated nvidia470 packages fix bug
Publication date: 11 Jan 2026
Type: bugfix
Affected Mageia releases: 9
Description: This package provides a fixed/patched version for kernel modules built with dkms-nvidia470 under kernel 6.18.x, available in backports.
References:
SRPMS 9/nonfree:
- nvidia470-470.256.02-4.mga9.nonfree
MGASA-2026-0005 - Updated libpcap packages fix security vulnerability
Publication date: 10 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-11961
Description: OOBR and OOBW in pcap_ether_aton() in libpcap. (CVE-2025-11961)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34939
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2026&m=slackware-security.355202
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11961
- libpcap-1.10.6-1.mga9
MGASA-2026-0004 - Updated sodium packages fix security vulnerability
Publication date: 10 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-69277
Description: Libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. (CVE-2025-69277)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34940
- https://lists.debian.org/debian-security-announce/2026/msg00002.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69277
- sodium-1.0.18-3.1.mga9
MGASA-2026-0003 - Updated curl packages fix security vulnerabilities
Publication date: 10 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-13034, CVE-2025-14017, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, CVE-2025-15224
Description: curl is susceptible to a number of low severity security vulnerabilities:
- CVE-2025-14524: bearer token leak on cross-protocol redirect
- CVE-2025-14819: OpenSSL partial chain store policy bypass
- CVE-2025-15079: libssh knownhosts file vulnerability
- CVE-2025-15224: libssh key passphrase bypass vulnerability
This release fixes these issues.
References:
- https://bugs.mageia.org/show_bug.cgi?id=34944
- https://curl.se/docs/vuln-7.88.1.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14017
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14524
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14819
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15079
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15224
- curl-7.88.1-4.9.mga9
MGASA-2026-0002 - Updated wget2 packages fix security vulnerability
Publication date: 10 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-69194
Description: Arbitrary File Write via Metalink Path Traversal in GNU Wget2. (CVE-2025-69194)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34947
- https://www.openwall.com/lists/oss-security/2026/01/07/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69194
- wget2-2.0.1-1.1.mga9
MGAA-2026-0003 - Updated isodumper packages fix bugs
Publication date: 07 Jan 2026
Type: bugfix
Affected Mageia releases: 9
Description: The current version can't encrypt a partition on a USB device. The current version cannot remove an iso9660 filesystem when formatting a USB device that was previously used to create a LiveUsb. This update fixes the reported issues.
References:
SRPMS 9/core:
- isodumper-1.61-1.mga9
MGAA-2026-0002 - Updated sddm-theme-coffee-ng packages fix bug
Publication date: 07 Jan 2026
Type: bugfix
Affected Mageia releases: 9
Description: This update brings enhancements to our alternative theme coffee-ng for sddm.
References:
SRPMS 9/core:
- sddm-theme-coffee-ng-2.0-1.1.mga9
MGASA-2026-0001 - Updated cups packages fix bug & security vulnerabilities
Publication date: 02 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-58364, CVE-2025-58060
Description:
- cups has Authentication bypass with AuthType Negotiate. (CVE-2025-58060)
- cups: Remote DoS via null dereference. (CVE-2025-58364)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34900
- https://bugs.mageia.org/show_bug.cgi?id=34800
- https://lists.debian.org/debian-security-announce/2025/msg00162.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58364
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58060
- cups-2.4.6-1.6.mga9
MGAA-2026-0001 - Updated crypto-policies packages fix bug
Publication date: 02 Jan 2026
Type: bugfix
Affected Mageia releases: 9
Description: Some recent systems refuse to connect to an SSH server running on Mageia 9. This update fixes the issue.
References:
SRPMS 9/core:
- crypto-policies-20221110-2.1.mga9
MGAA-2025-0110 - Updated brasero packages fix bug
Publication date: 30 Dec 2025
Type: bugfix
Affected Mageia releases: 9
Description: Vcdimager plug-in can't be enabled in brasero. This update fixes the issue.
References:
- https://bugs.mageia.org/show_bug.cgi?id=34915
- https://gitlab.gnome.org/GNOME/brasero/-/merge_requests/31
- brasero-3.12.3-5.2.mga9
MGAA-2025-0109 - Updated mageia-release-9 packages fix bug
Publication date: 30 Dec 2025
Type: bugfix
Affected Mageia releases: 9
Description: The key we are currently using to sign packages expires on 2025-12-31 and will no longer be accepted as trusted. In cauldron the key was updated some time ago, causing some additional work in Mageia 9 to cauldron upgrades. These packages update the keys in your system (you need to reboot after the update). All packages have been re-signed with the new key.
References:
SRPMS 9/core:
- mageia-release-9-2.3.mga9
MGAA-2025-0108 - Updated mageia-repos-9 & distribution-gpg-keys packages fix bug
Publication date: 30 Dec 2025
Type: bugfix
Affected Mageia releases: 9
Description: The key we are currently using to sign packages expires on 2025-12-31 and will no longer be accepted as trusted. In cauldron the key was updated some time ago, causing some additional work in Mageia 9 to cauldron upgrades. These packages update the keys for dnf and for building with mock.
References:
SRPMS 9/core:
- mageia-repos-9-4.1.mga9
- distribution-gpg-keys-1.89-1.1.mga9
MGASA-2025-0334 - Updated ruby-rack packages fix security vulnerabilities
Publication date: 29 Dec 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-46727, CVE-2025-49007, CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919, CVE-2025-61780
Description:
- Unbounded-Parameter DoS in Rack::QueryParser. (CVE-2025-46727)
- ReDoS Vulnerability in Rack::Multipart handle_mime_head. (CVE-2025-49007)
- Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters. (CVE-2025-59830)
- Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion). (CVE-2025-61770)
- Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion). (CVE-2025-61771)
- Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion). (CVE-2025-61772)
- Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing. (CVE-2025-61919)
- Rack has Possible Information Disclosure Vulnerability. (CVE-2025-61780)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34755
- https://rack.github.io/rack/3.2/CHANGELOG_md.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46727
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49007
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
- ruby-rack-2.2.21-1.mga9
MGASA-2025-0333 - Updated ceph packages fix security vulnerability
Publication date: 29 Dec 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-47866
Description: RGW DoS attack with empty HTTP header in S3 object copy. (CVE-2024-47866)
References:
- https://bugs.mageia.org/show_bug.cgi?id=34741
- https://www.openwall.com/lists/oss-security/2025/11/11/3
- https://github.com/ceph/ceph/security/advisories/GHSA-mgrm-g92q-f8h8
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47866
- ceph-18.2.7-2.1.mga9
MGAA-2025-0107 - Updated less package fixes bug
Publication date: 29 Dec 2025
Type: bugfix
Affected Mageia releases: 9
Description: The current version does not set the environment variable LESSOPEN, which means that you can't view gz, bz2, lzma, zip, rpm, html, etc. files. This update fixes the reported issue. After the update you should close the terminal emulator in use for the fix to take effect.
References:
SRPMS 9/core:
- less-678-1.2.mga9
MGAA-2025-0106 - Updated nvidia-current & ldetect-lst packages fix bug
Publication date: 26 Dec 2025
Type: bugfix
Affected Mageia releases: 9
Description:
- Fixed a bug that caused display corruption on LG Ultragear monitors when certain modes were used.
- Fixed a bug that caused corruption in X-Plane on workstation GPUs.
- Fixed a regression introduced in 580.65.06 that caused some mode timings, such as 1920x1080@75, to no longer be available.
- Reverted a change that led to a user regression in 580.105.08 that caused display modes to be invalidated on a number of monitors.
- Fixed a bug that caused the Dots Per Inch (DPI) to be incorrectly reported for some monitors such as the Samsung Odyssey Neo G9.
- Fixed several problems that prevented Vulkan applications from working on Venus VirtIO virtual GPU, on Volta and newer.
- Fixed the following EGL platform bugs that prevented multisample configurations from working.
References:
SRPMS 9/core:
- ldetect-lst-0.6.63-1.mga9
- nvidia-current-580.119.02-1.mga9.nonfree
MGASA-2025-0332 - Updated roundcubemail packages fix security vulnerabilities
Publication date: 22 Dec 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-68460, CVE-2025-68461
Description:
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike.
- Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.
References:
- https://bugs.mageia.org/show_bug.cgi?id=34863
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.12
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68460
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68461
- roundcubemail-1.6.12-1.mga9




