The updated packages fix security vulnerabilities: A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault. (CVE-2021-3610)
The updated packages fix a security vulnerability: Irssi 1.3.x and 1.4.x before 1.4.4 has a use-after-free because of use of a stale special collector reference. This occurs when printing of a non-formatted line is concurrent with printing of a formatted line. (CVE-2023-29132)
The MPlayer Project mencoder SVN-r38374-13.0.1 is vulnerable to Divide By Zero via the function config () of llibmpcodecs/vf_scale.c. (CVE-2022-38850) Certain The MPlayer Project products are vulnerable to Out-of-bounds Read via function read_meta_record() of mplayer/libmpdemux/asfheader.c.
The updated packages fix security vulnerabilities: Array out-of-bounds access due to missing range check in C1 compiler. (CVE-2024-20918) RSA padding issue and timing side-channel attack against TLS. (CVE-2024-20952)
As of fonttools>=4.28.2 the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem
When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. (CVE-2023-22742) Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. (CVE-2024-24577)
The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix(es): OpenJDK: memory corruption issue on x86_64 with AVX-512 (8317121) (CVE-2023-22025)
The updated packages fix a security vulnerability: The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused
Sympa 6.2.72 fixes many bugs, including the security one related in CVE-2021-32850 It is required to manually run sympa upgrade after get this update References:
The updated packages fix security vulnerabilities: Out-of-bounds memory read in networking channels. (CVE-2024-1546) Alert dialog could have been spoofed on another site. (CVE-2024-1547) Fullscreen Notification could have been hidden by select element. (CVE-2024-1548)
The updated packages fix security vulnerabilities: Timing attack against RSA decryption in TLS. (CVE-2023-5388) Out-of-bounds memory read in networking channels. (CVE-2024-1546) Alert dialog could have been spoofed on another site. (CVE-2024-1547) Fullscreen Notification could have been hidden by select element.
The updated packages fix security vulnerabilities: A possible heap overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition. (CVE-2024-20290) A possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. (CVE-2024-20328)
This update fixes several security issues and also improves stability. References: - https://bugs.mageia.org/show_bug.cgi?id=32332 - https://xenbits.xen.org/xsa/advisory-431.html
This is a security release. The following CVEs are fixed in this release: CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High) CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded
This update fixes two security issues: CVE-2023-4322 - heap-buffer-overflow in the brainfuck dissassembler CVE-2023-5686 - heap-buffer-overflow in /radare2/shlr/java/code.c References:
This updated dnsmasq package fixes security issues: Certain DNSSEC aspects of the DNS protocol allow a remote attacker to trigger a denial of service via extreme consumption of resource caused by DNSSEC query or response: - KeyTrap - Extreme CPU consumption in DNSSEC validator.
The updated packages fix a security vulnerability: Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. (CVE-2024-22667)