Mageia 2018-0382: webkit2 security update
The webkit2 package has been updated to version 2.20.5, fixing several security issues and other bugs. References: - https://bugs.mageia.org/show_bug.cgi?id=23408
Mageia 2018-0381: xml-security-c security update
It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data. References:
Mageia 2018-0380: libcgroup security update
The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates log files (/var/log/cgred) with world readable and writable permissions (0o666) due to a reset of the file mode creation mask (umask(0)) in the daemon/cgrulesengd.c:cgre_start_daemon() function (CVE-2018-14348).
Mageia 2018-0379: unixODBC security update
unixODBC before version 2.3.5 is vulnerable to a buffer overflow in the DriverManager/__info.c:unicode_to_ansi_copy() method. An attacker could exploit this to cause a denial of service or other unspecified impact (CVE-2018-7409).
Mageia 2018-0376: bouncycastle security update
Updated bouncycastle packages fix security vulnerabilities: Ensure full validation of ASN.1 encoding of signature on verification. It was possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may have
Mageia 2018-0378: ghostscript security update
Updated ghostscript packages fix several security vulnerabilities including: In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files
Mageia 2018-0377: libx11 security update
Updated libx11 packages fix security vulnerabilities: An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later
Mageia 2018-0375: kernel-linus security update
This kernel-linus update is based on the upstream 4.14.69 and adds additional fixes for the L1TF and Spectre security issues. It also fixes atleast the following security issues: Other fixes in this update:
Mageia 2018-0374: kernel-tmb security update
This kernel-tmb update is based on the upstream 4.14.69 and adds additional fixes for the L1TF and Spectre security issues. It also fixes atleast the following security issues: Memory leak in the irda_bind function in net/irda/af_irda.c and later in
Mageia 2018-0373: kernel security update
This kernel update is based on the upstream 4.14.69 and adds additional fixes for the L1TF and Spectre security issues. It also fixes atleast the following security issues: Memory leak in the irda_bind function in net/irda/af_irda.c and later in
Mageia 2018-0371: ntp security update
Updated ntp packages fix security vulnerability: Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6
Mageia 2018-0372: flash-player-plugin security update
Updated flash-player-plugin packages fix security vulnerability: Successful exploitation of the currently un-disclosed vulerability could lead to information disclosure (CVE-2018-15967).
Mageia 2018-0369: libxkbcommon security update
Updated libxkbcommon packages fix security vulnerabilities: Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcommon before 0.8.1, which could be used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation
Mageia 2018-0370: wireshark security update
Updated wireshark packages fix security vulnerabilities: Bluetooth Attribute Protocol dissector crash (CVE-2018-16056). Radiotap dissector crash (CVE-2018-16057).
Mageia 2018-0368: sleuthkit security update
Updated sleuthkit packages fix security vulnerabilities: In The Sleuth Kit (TSK) 4.4.2, opening a crafted ISO 9660 image triggers an out-of-bounds read in iso9660_proc_dir() in tsk/fs/iso9660_dent.c in libtskfs.a, as demonstrated by fls (CVE-2017-13755).
Mageia 2018-0367: libgd security update
The updated packages fix security vulnerabilities: gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a
Mageia 2018-0366: java-1.8.0-openjdk security update
Updated java-1.8.0-openjdk packages fixes atleast the following security vulnerability: OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (CVE-2018-2952)
Mageia 2018-0365: openssl security update
Updated openssl packages fix security vulnerabilities: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a
Mageia 2018-0357: squirrelmail security update
Updated squirrelmail packages fix XSS-security vulnerability: It was discovered that some special tags have not been filtered accordingly which can be used for an XSS-attack.
Mageia 2018-0364: libxcursor security update
Updated libxcursor packages fix security vulnerability _XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow. (CVE-2015-9262)
