Actualizaciones de Seguridad

Publication date: 31 Jan 2025
Type: bugfix
Affected Mageia releases : 9
Description Minor bug fixes and improvements. References

• https://bugs.mageia.org/show_bug.cgi?id=33963
• https://www.nvidia.com/en-us/drivers/details/238858/

SRPMS 9/nonfree

• nvidia-current-550.144.03-1.mga9.nonfree

Publication date: 30 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0611 , CVE-2025-0612 Description Object corruption in V8. (CVE-2025-0611) Out of bounds memory access in V8. (CVE-2025-0612) References

• https://bugs.mageia.org/show_bug.cgi?id=33962
• https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_22.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0611
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0612

SRPMS 9/tainted

• chromium-browser-stable-132.0.6834.110-1.mga9.tainted

Publication date: 30 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-53263 Description Git LFS permits exfiltration of credentials via crafted HTTP URLs. (CVE-2024-53263) References

• https://bugs.mageia.org/show_bug.cgi?id=33931
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/U4RACGLXZEZGUX7BZLFN4GQOHFBHL6FO/
• https://lists.debian.org/debian-security-announce/2025/msg00011.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53263

SRPMS 9/core

• git-lfs-3.2.0-1.1.mga9

Publication date: 27 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-21571 , CVE-2025-21533 Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.24 and prior to 7.1.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L) References

• https://bugs.mageia.org/show_bug.cgi?id=33952
• https://www.oracle.com/security-alerts/cpujan2025.html#AppendixOVIR
• https://www.virtualbox.org/wiki/Changelog-7.0#v24
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21571
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21533

SRPMS 9/core

• virtualbox-7.0.24-1.mga9
• kmod-virtualbox-7.0.24-63.mga9

Publication date: 27 Jan 2025
Type: bugfix
Affected Mageia releases : 9
Description Fixes a mate-volume-control crash when Bluetooth disconnects. References

• https://bugs.mageia.org/show_bug.cgi?id=33918

SRPMS 9/core

• libmatemixer-1.26.1-1.mga9

Publication date: 27 Jan 2025
Type: bugfix
Affected Mageia releases : 9
Description Fixed an issue which prevents executing pgadmin on php 8. Please note that just work with postgresql13. References

• https://bugs.mageia.org/show_bug.cgi?id=28582
• https://wiki.mageia.org/en/Mageia_9_Errata#Various_software
• https://github.com/phppgadmin/phppgadmin/issues/119

SRPMS 9/core

• phppgadmin-7.13.0-2.1.mga9

Publication date: 26 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-0395 Description When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. (CVE-2025-0395) References

• https://bugs.mageia.org/show_bug.cgi?id=33953
• https://www.openwall.com/lists/oss-security/2025/01/22/4
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0395

SRPMS 9/core

• glibc-2.36-55.mga9

Publication date: 26 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-13176 Description Timing side-channel in ECDSA signature computation. (CVE-2024-13176) References

• https://bugs.mageia.org/show_bug.cgi?id=33942
• https://openssl-library.org/news/secadv/20250120.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176

SRPMS 9/core

• openssl-3.0.15-1.2.mga9

Publication date: 25 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-53580 Description It was discovered that iperf 3.17.1 contains a segmentation violation via the iperf_exchange_parameters() function. References

• https://bugs.mageia.org/show_bug.cgi?id=33914
• https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/message/77I3GUDI3ZWMFAYZRZIRL3FI5TCBTNBQ/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53580

SRPMS 9/core

• iperf-3.18-1.mga9

Publication date: 24 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-30536 , CVE-2024-2961 Description fix possible security issue with library code slim/psr7 (CVE-2023-30536) fix possible security issue relating to iconv (CVE-2024-2961, PMASA-2025-3) fix an XSS vulnerability in the check tables feature (PMASA-2025-1) fix an XSS vulnerability in the Insert tab (PMASA-2025-2) References

• https://bugs.mageia.org/show_bug.cgi?id=33948
• https://www.phpmyadmin.net/news/2025/1/21/phpMyAdmin-522-is-released/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30536
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961

SRPMS 9/core

• phpmyadmin-5.2.2-1.mga9

Publication date: 24 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-56378 Description libpoppler.so has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc. (CVE-2024-56378) References

• https://bugs.mageia.org/show_bug.cgi?id=33932
• https://ubuntu.com/security/notices/USN-7213-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56378

SRPMS 9/core

• poppler-23.02.0-1.4.mga9

Publication date: 23 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45336 , CVE-2024-45341 Description net/http: sensitive headers incorrectly sent after cross-domain redirect, (CVE-2024-45336). crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints, (CVE-2024-45341). References

• https://bugs.mageia.org/show_bug.cgi?id=33940
• https://www.openwall.com/lists/oss-security/2025/01/17/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45336
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45341

SRPMS 9/core

• golang-1.22.11-1.mga9

Publication date: 22 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-7025 , CVE-2024-9369 , CVE-2024-9370 , CVE-2024-9602 , CVE-2024-9603 , CVE-2024-9954 , CVE-2024-9955 , CVE-2024-9956 , CVE-2024-9957 , CVE-2024-9958 , CVE-2024-9959 , CVE-2024-9960 , CVE-2024-9961 , CVE-2024-9962 , CVE-2024-9963 , CVE-2024-9964 , CVE-2024-9965 , CVE-2024-9966 Description Lot of CVEs were fixed by upstream since our current version; please see the links. References

• https://bugs.mageia.org/show_bug.cgi?id=33609
• https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html
• https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html
• https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_18.html
• https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html
• https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop.html
• https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_19.html
• https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
• https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html
• https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html
• https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_22.html
• https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
• https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html
• https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7025
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9369
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9370
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9602
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9603
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9954
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9955
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9956
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9957
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9958
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9959
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9960
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9961
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9962
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9963
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9964
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9965
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9966

SRPMS 9/tainted

• chromium-browser-stable-132.0.6834.84-1.mga9.tainted

Publication date: 22 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-12084 , CVE-2024-12085 , CVE-2024-12086 , CVE-2024-12087 , CVE-2024-12088 , CVE-2024-12747 Description Heap buffer overflow in rsync due to improper checksum length handling. (CVE-2024-12084) Info leak via uninitialized stack contents. (CVE-2024-12085) Rsync server leaks arbitrary client files. (CVE-2024-12086) Path traversal vulnerability in rsync. (CVE-2024-12087) Rsync --safe-links option bypass leads to path traversal. (CVE-2024-12088) Race condition in rsync handling symbolic links. (CVE-2024-12747) References

• https://bugs.mageia.org/show_bug.cgi?id=33920
• https://www.openwall.com/lists/oss-security/2025/01/14/3
• https://lists.debian.org/debian-security-announce/2025/msg00004.html
• https://ubuntu.com/security/notices/USN-7206-1
• https://ubuntu.com/security/notices/USN-7206-2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12084
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12085
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12086
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12087
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12088
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12747

SRPMS 9/core

• rsync-3.2.7-1.2.mga9

Publication date: 20 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-57823 Description In the Raptor RDF Syntax Library there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path(). References

• https://bugs.mageia.org/show_bug.cgi?id=33929
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/7S7ZVXAGSBLZGFFVSEHSDXQND2DNAKY2/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57823

SRPMS 9/core

• raptor2-2.0.15-23.1.mga9

Publication date: 20 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-47796 , CVE-2024-52333 Description An improper array index validation vulnerability exists in the nowindow functionality of OFFIS. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability, CVE-2024-47796. An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability, CVE-2024-52333. References

• https://bugs.mageia.org/show_bug.cgi?id=33930
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JUKUCNFPV6HQLIZ5S6NYRJ4LAZYRZSXJ/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47796
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52333

SRPMS 9/core

• dcmtk-3.6.7-4.3.mga9

Publication date: 20 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-50349 , CVE-2024-52006 Description Git does not sanitize URLs when asking for credentials interactively. (CVE-2024-50349) Newline confusion in credential helpers can lead to credential exfiltration in git. (CVE-2024-52006) References

• https://bugs.mageia.org/show_bug.cgi?id=33921
• https://www.openwall.com/lists/oss-security/2025/01/14/4
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50349
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52006

SRPMS 9/core

• git-2.41.3-1.mga9

Publication date: 20 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-48651 Description In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql. (CVE-2024-48651) References

• https://bugs.mageia.org/show_bug.cgi?id=33922
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VVHALJQJ6EOQ3LXU5PV576XZHRQTOZGI/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48651

SRPMS 9/core

• proftpd-1.3.8c-1.mga9

Publication date: 20 Jan 2025
Type: bugfix
Affected Mageia releases : 9
Description Applications that rely on kio can't expand subfolders on tree view. This update fixes the issue. References

• https://bugs.mageia.org/show_bug.cgi?id=33936
• https://bugs.kde.org/show_bug.cgi?id=479597

SRPMS 9/core

• kio-5.114.0-1.1.mga9

Publication date: 18 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-22134 Description Heap-buffer-overflow with visual mode in Vim < 9.1.1003. (CVE-2025-22134) References

• https://bugs.mageia.org/show_bug.cgi?id=33911
• https://openwall.com/lists/oss-security/2025/01/11/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22134

SRPMS 9/core

• vim-9.1.1012-1.mga9