Actualizaciones de Seguridad

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26465 Description Machine-in-the-middle attack vulnerability if verifyhostkeydns is enabled. (CVE-2025-26465) References

• https://bugs.mageia.org/show_bug.cgi?id=34036
• https://openwall.com/lists/oss-security/2025/02/18/1
• https://openwall.com/lists/oss-security/2025/02/18/4
• https://lists.debian.org/debian-security-announce/2025/msg00030.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STTU3AYQZPT4FUMERJH7RQ3KH3TMQDUI/
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GGMBNUMHNWAKKPCVKBQBXE7C4WSYOBAY/
• https://ubuntu.com/security/notices/USN-7270-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26465

SRPMS 9/core

• openssh-9.3p1-2.4.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-21687 , CVE-2025-21688 , CVE-2025-21689 , CVE-2025-21690 , CVE-2025-21691 , CVE-2025-21692 , CVE-2025-21699 , CVE-2025-21700 , CVE-2025-21701 Description Upstream kernel version 6.6.79 fixes bugs and vulnerabilities. The kmod-virtualbox and kmod-xtables-addons packages have been updated to work with this new kernel. For information about the vulnerabilities see the links. References

• https://bugs.mageia.org/show_bug.cgi?id=34023
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.75
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.76
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.77
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.78
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.79
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21687
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21688
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21689
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21691
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21692
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21699
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21700
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21701

SRPMS 9/core

• kernel-6.6.79-1.mga9
• kmod-virtualbox-7.0.24-67.mga9
• kmod-xtables-addons-3.24-73.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-21687 , CVE-2025-21688 , CVE-2025-21689 , CVE-2025-21690 , CVE-2025-21691 , CVE-2025-21692 , CVE-2025-21699 , CVE-2025-21700 , CVE-2025-21701 Description Vanilla upstream kernel version 6.6.79 fixes bugs and vulnerabilities. For information about the vulnerabilities see the links. References

• https://bugs.mageia.org/show_bug.cgi?id=34024
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.75
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.76
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.77
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.78
• https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.79
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21687
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21688
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21689
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21691
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21692
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21699
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21700
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21701

SRPMS 9/core

• kernel-linus-6.6.79-1.mga9

Publication date: 26 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0633 Description A heap-based buffer overflow vulnerability in iniparser_dumpsection_ini() in iniparser allows an attacker to read out-of-bounds memory. (CVE-2025-0633) References

• https://bugs.mageia.org/show_bug.cgi?id=34047
• https://ubuntu.com/security/notices/USN-7286-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0633

SRPMS 9/core

• iniparser-4.1-4.1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-25472 , CVE-2025-25474 , CVE-2025-25475 Description A buffer overflow in DCMTK allows attackers to cause a Denial of Service (DoS) via a crafted DCM file (CVE-2025-25472). DCMTK was discovered to contain a buffer overflow via the component /dcmimgle/diinpxt.h (CVE-2025-25474). A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file (CVE-2025-25475). References

• https://bugs.mageia.org/show_bug.cgi?id=34043
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VEIE5K5WMSCBUU2JDXY5E576NA36I3NC/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25472
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25474
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25475

SRPMS 9/core

• dcmtk-3.6.7-4.4.mga9

Publication date: 25 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description These packages have a bogus requirement on python3-sip; trying to install these packages will cause conflicts if you have applications that require python3-sip6. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=34014

SRPMS 9/core

• autohint-onoff-2.0-1.1.mga9
• enki-22.08.0-1.1.mga9
• pyzo-4.12.0-2.1.mga9
• meteo-qt-3.3-2.1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-1244 Description A command injection flaw was found which could allow a remote, unauthenticated attacker to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. References

• https://bugs.mageia.org/show_bug.cgi?id=34045
• https://lwn.net/Articles/1011611/
• https://nvd.nist.gov/vuln/detail/CVE-2025-1244
• https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1244

SRPMS 9/core

• emacs-29.4-1.3.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-26603 Description A heap use-after-free was found in str_to_reg() in Vim < 9.1.1115. (CVE-2025-26603) References

• https://bugs.mageia.org/show_bug.cgi?id=34035
• https://openwall.com/lists/oss-security/2025/02/16/1
• https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26603

SRPMS 9/core

• vim-9.1.1122-1.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-56171 , CVE-2025-24928 , CVE-2025-27113 Description The updated packages fix security vulnerabilities: Use-after-free in xmlSchemaIDCFillNodeTables. (CVE-2024-56171) Stack-buffer-overflow in xmlSnprintfElements. (CVE-2025-24928) Null-deref in xmlPatMatch. (CVE-2025-27113) References

• https://bugs.mageia.org/show_bug.cgi?id=34037
• https://openwall.com/lists/oss-security/2025/02/18/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113

SRPMS 9/core

• libxml2-2.10.4-1.6.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-24528 Description Overflow when calculating ulog block size. (CVE-2025-24528) References

• https://bugs.mageia.org/show_bug.cgi?id=34040
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLIGTCER7WVUGDD5KJI3RHPHU5VI7UCF/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24528

SRPMS 9/core

• krb5-1.20.1-1.4.mga9

Publication date: 25 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-12243 Description Gnutls impacted by inefficient DER decoding in libtasn1 leading to remote DoS. (CVE-2024-12243) References

• https://bugs.mageia.org/show_bug.cgi?id=34041
• https://ubuntu.com/security/notices/USN-7281-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12243

SRPMS 9/core

• gnutls-3.8.4-1.1.mga9

Publication date: 25 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix a bug in GTK3 tooltips. References

• https://bugs.mageia.org/show_bug.cgi?id=30574

SRPMS 9/core

• gtk+3.0-3.24.38-1.2.mga9
• lxpanel-0.11.0-0.git20250215.1.mga9

Publication date: 24 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix a regression introduced by the fix for CVE-2025-1094 and a memory leak in pg_createsubscriber. References

• https://bugs.mageia.org/show_bug.cgi?id=34039
• https://www.postgresql.org/about/news/postgresql-174-168-1512-1417-and-1320-released-3018/

SRPMS 9/core

• postgresql15-15.12-1.mga9
• postgresql13-13.20-1.mga9

Publication date: 24 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description - Crash when trying to create a tab for a Magnatune panel or a Jamendo panel - bug: playback was skipping after 20 or 30 minutes running - Remove the nonfunctional Jamendo feature (the Jamendo site has modified its access and is no longer reachable for any Music Player) References

• https://bugs.mageia.org/show_bug.cgi?id=34034

SRPMS 9/core

• guayadeque-0.7.0-1.mga9

Publication date: 24 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-49393 , CVE-2024-49394 Description The To and Cc email header fields are not protected by cryptographic signing. (CVE-2024-49393) The In-reply-to email header field is not protected by cryptographic signing. (CVE-2024-49394) References

• https://bugs.mageia.org/show_bug.cgi?id=33814
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZYFPGXOX4Q4I4UNPEGXP2N372IN2YSAS/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49393
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49394

SRPMS 9/core

• neomutt-20241002-1.mga9

Publication date: 24 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The current version can't handle files from newer versions. This update fixes the issue. Note the 1st time wizard can't select custom folder for backups, please select it later in Edit -> Preferences References

• https://bugs.mageia.org/show_bug.cgi?id=34029

SRPMS 9/core

• grisbi-3.0.4-1.mga9

Publication date: 22 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description Instructions to uninstall the telegram application are not accurate. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=32593

SRPMS 9/core

• get-telegram-1.7.7-3.1.mga9

Publication date: 20 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix some oauth2 problems. References

• https://bugs.mageia.org/show_bug.cgi?id=33950
• https://www.claws-mail.org/NEWS
• https://forums.mageia.org/en/viewtopic.php?t=15558

SRPMS 9/core

• claws-mail-4.3.0-1.mga9

Publication date: 17 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-49083 , CVE-2023-50782 , CVE-2024-26130 Description Cryptography vulnerable to NULL-dereference when loading PKCS7 certificates. (CVE-2023-49083) Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659. (CVE-2023-50782) Cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override. (CVE-2024-26130) References

• https://bugs.mageia.org/show_bug.cgi?id=32584
• https://www.openwall.com/lists/oss-security/2023/11/29/2
• https://ubuntu.com/security/notices/USN-6673-1
• https://ubuntu.com/security/notices/USN-6673-3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49083
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50782
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26130

SRPMS 9/core

• openssl-3.0.15-1.3.mga9
• python-cryptography-39.0.1-1.1.mga9

Publication date: 17 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-31068 , CVE-2024-36293 , CVE-2023-43758 , CVE-2024-39355 , CVE-2024-37020 Description Improper Finite State Machines (FSMs) in Hardware Logic for some Intel® Processors may allow privileged user to potentially enable denial of service via local access. (CVE-2024-31068) Improper access control in the EDECCSSA user leaf function for some Intel® Processors with Intel® SGX may allow an authenticated user to potentially enable denial of service via local access. (CVE-2024-36293) Improper input validation in UEFI firmware for some Intel® processors may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2023-43758) Improper handling of physical or environmental conditions in some Intel® Processors may allow an authenticated user to enable denial of service via local access. (CVE-2024-39355) Sequence of processor instructions leads to unexpected behavior in the Intel® DSA V1.0 for some Intel® Xeon® Processors may allow an authenticated user to potentially enable denial of service via local access. (CVE-2024-37020) References

• https://bugs.mageia.org/show_bug.cgi?id=34020
• https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31068
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36293
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43758
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39355
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37020

SRPMS 9/nonfree

• microcode-0.20250211-1.mga9.nonfree