Mageia Security

Mageia Advisories
Updated: 1 week 3 hours ago

MGAA-2026-0023 - Updated kodi packages fix bug

31 March 2026 - 06:31
Publication date: 31 Mar 2026
Type: bugfix
Affected Mageia releases: 9
Description: If kodi-pvr-iptvsimple is installed, kodi updates could break; this includes Mageia 9 to Cauldron upgrades. This update fixes the reported issue.
References
SRPMS
9/core
  • kodi-20.4-1.3.mga9
9/tainted
  • kodi-20.4-1.3.mga9.tainted

MGASA-2026-0073 - Updated python-ujson packages fix security vulnerabilities

29 March 2026 - 01:55
Publication date: 29 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-32874, CVE-2026-32875
Description:
ujson 5.4.0 to 5.11.0 inclusive contains an accumulating memory leak when parsing JSON integers outside the range [-2^63, 2^64 - 1]. (CVE-2026-32874)
ujson 5.4.0 to 5.11.0 has an integer overflow while handling a large indent, which leads to a buffer overflow or an infinite loop.
References
SRPMS
9/core
  • python-ujson-5.7.0-1.1.mga9

MGASA-2026-0071 - Updated nodejs packages fix security vulnerabilities

28 March 2026 - 08:26
Publication date: 28 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717
Description:
Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch, leading to remote DoS. (CVE-2026-21637)
Denial of service via __proto__ header name in req.headersDistinct (an uncaught TypeError crashes the Node.js process). (CVE-2026-21710)
Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery. (CVE-2026-21713)
Memory leak in the Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion. (CVE-2026-21714)
Permission model bypass in realpathSync.native allows file existence disclosure. (CVE-2026-21715)
CVE-2024-36137 patch bypass in FileHandle.chmod/chown. (CVE-2026-21716)
HashDoS in V8. (CVE-2026-21717)
References
SRPMS
9/core
  • nodejs-22.22.2-1.mga9

MGASA-2026-0070 - Updated libpng packages fix security vulnerabilities

28 March 2026 - 08:26
Publication date: 28 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-33416, CVE-2026-33636
Description:
Use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE. (CVE-2026-33416)
Out-of-bounds read/write in the palette expansion on ARM Neon. (CVE-2026-33636)
References
SRPMS
9/core
  • libpng-1.6.38-1.5.mga9

MGASA-2026-0069 - Updated cmake packages fix security vulnerability

27 March 2026 - 23:54
Publication date: 27 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-9301
Description: cmake cmForEachCommand.cxx ReplayItems assertion. (CVE-2025-9301)
References
SRPMS
9/core
  • cmake-3.26.4-1.1.mga9

MGASA-2026-0068 - Updated xen packages fix security vulnerability

25 March 2026 - 18:31
Publication date: 25 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-23554
Description: Use-after-free of paging structures in EPT. (CVE-2026-23554)
References
SRPMS
9/core
  • xen-4.17.5-1.git20251028.3.mga9

MGASA-2026-0067 - Updated graphicsmagick packages fix security vulnerabilities

25 March 2026 - 18:31
Publication date: 25 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-28690, CVE-2026-30883
Description:
GraphicsMagick has a stack write buffer overflow in the MNG encoder. (CVE-2026-28690)
GraphicsMagick has a heap overflow when writing an extremely large image profile in the PNG encoder. (CVE-2026-30883)
References
SRPMS
9/core
  • graphicsmagick-1.3.40-1.4.mga9
9/tainted
  • graphicsmagick-1.3.40-1.4.mga9.tainted

MGASA-2026-0066 - Updated trilead-ssh2 packages fix security vulnerabilities

24 March 2026 - 18:53
Publication date: 24 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-48795
Description: Fixed prefix truncation breaking SSH channel integrity, aka the Terrapin attack. (CVE-2023-48795)
References
SRPMS
9/core
  • trilead-ssh2-217-8.jenkins293.1.mga9

MGASA-2026-0065 - Updated roundcubemail packages fix security vulnerabilities

24 March 2026 - 18:53
Publication date: 24 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-25916, CVE-2026-26079
Description:
Fix pre-auth arbitrary file write via unsafe deserialization in the redis/memcache session handler, reported by y0us.
Fix bug where a password could get changed without providing the old password, reported by flydragon777.
Fix IMAP injection + CSRF bypass in mail search, reported by Martila Security Research Team.
Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
Fix fixed-position mitigation bypass via use of !important, reported by nullcathedral.
Fix XSS issue in an HTML attachment preview, reported by aikido_security.
Fix SSRF + information disclosure via stylesheet links to local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.
References
SRPMS
9/core
  • roundcubemail-1.6.14-1.mga9

MGASA-2026-0064 - Updated webkit2 packages fix security vulnerabilities

24 March 2026 - 18:53
Publication date: 24 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-43457, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20652, CVE-2026-20676
Description:
Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. (CVE-2025-43457)
Processing maliciously crafted web content may lead to an unexpected process crash. This issue was addressed through improved state management. (CVE-2026-20608)
Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. (CVE-2026-20635)
Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. (CVE-2026-20636)
Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. (CVE-2026-20644)
A remote attacker may be able to cause a denial of service. The issue was addressed with improved memory handling. (CVE-2026-20652)
A website may be able to track users through Safari web extensions. This issue was addressed through improved state management. (CVE-2026-20676)
References
SRPMS
9/core
  • webkit2-2.50.6-1.mga9

MGASA-2026-0063 - Updated perl-XML-Parser packages fix security vulnerabilities

24 March 2026 - 18:53
Publication date: 24 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2006-10002, CVE-2006-10003
Description:
XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size, causing heap corruption (double free or corruption) and crashes. (CVE-2006-10002)
XML::Parser versions through 2.47 for Perl have an off-by-one heap buffer overflow in st_serial_stack. (CVE-2006-10003)
References
SRPMS
9/core
  • perl-XML-Parser-2.460.0-6.1.mga9

MGASA-2026-0062 - Updated vim packages fix security vulnerabilities

24 March 2026 - 18:53
Publication date: 24 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-33412
Description: Command injection via newline in glob() affects Vim < 9.2.0202. (CVE-2026-33412)
References
SRPMS
9/core
  • vim-9.2.209-1.mga9

MGAA-2026-0022 - Updated kwin packages fix bug

24 March 2026 - 18:53
Publication date: 24 Mar 2026
Type: bugfix
Affected Mageia releases: 9
Description: Add a kwin-x11 subpackage to smooth upgrades to Cauldron (and the future Mageia 10).
References
SRPMS
9/core
  • kwin-5.27.10-1.4.mga9

MGASA-2026-0061 - Updated expat packages fix security vulnerabilities

20 March 2026 - 22:17
Publication date: 20 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-32776, CVE-2026-32777, CVE-2026-32778
Description:
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. (CVE-2026-32776)
libexpat before 2.7.5 allows an infinite loop while parsing DTD content. (CVE-2026-32777)
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition. (CVE-2026-32778)
References
SRPMS
9/core
  • expat-2.7.5-1.mga9

MGASA-2026-0060 - Updated graphicsmagick & imagemagick packages fix security vulnerabilities

19 March 2026 - 19:04
Publication date: 19 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-25799
Description: Division by zero in YUV sampling factor validation leads to a crash. (CVE-2026-25799)
References
SRPMS
9/core
  • graphicsmagick-1.3.40-1.3.mga9
  • imagemagick-7.1.1.29-1.2.mga9
9/tainted
  • graphicsmagick-1.3.40-1.3.mga9.tainted
  • imagemagick-7.1.1.29-1.2.mga9.tainted

MGASA-2026-0059 - Updated openssh packages fix security vulnerabilities

19 March 2026 - 19:04
Publication date: 19 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-61984, CVE-2025-61985
Description:
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (CVE-2025-61984)
ssh in OpenSSH before 10.1 allows the '0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. (CVE-2025-61985)
References
SRPMS
9/core
  • openssh-9.3p1-2.6.mga9

MGASA-2026-0058 - Updated perl-YAML-Syck packages fix security vulnerabilities

19 March 2026 - 19:04
Publication date: 19 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-4177
Description: YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. (CVE-2026-4177)
References
SRPMS
9/core
  • perl-YAML-Syck-1.340.0-4.1.mga9

MGAA-2026-0021 - Updated postgresql15 packages fix bug

19 March 2026 - 19:04
Publication date: 19 Mar 2026
Type: bugfix
Affected Mageia releases: 9
Description: The updated packages fix some regressions that appeared in 18.2 and 15.16.
References
SRPMS
9/core
  • postgresql15-15.17-1.mga9

MGAA-2026-0020 - Updated opencpn packages fix bugs

17 March 2026 - 18:48
Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases: 9
Description: OpenCPN has seen lots of improvement since version 5.10.2. This update is necessary for the safety of sailors.
References
SRPMS
9/core
  • opencpn-5.12.4-3.mga9