When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. (CVE-2023-22742) Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. (CVE-2024-24577)
The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix(es): OpenJDK: memory corruption issue on x86_64 with AVX-512 (8317121) (CVE-2023-22025)
The updated packages fix a security vulnerability: The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused
Sympa 6.2.72 fixes many bugs, including the security one related in CVE-2021-32850 It is required to manually run sympa upgrade after get this update References:
The updated packages fix security vulnerabilities: Out-of-bounds memory read in networking channels. (CVE-2024-1546) Alert dialog could have been spoofed on another site. (CVE-2024-1547) Fullscreen Notification could have been hidden by select element. (CVE-2024-1548)
The updated packages fix security vulnerabilities: Timing attack against RSA decryption in TLS. (CVE-2023-5388) Out-of-bounds memory read in networking channels. (CVE-2024-1546) Alert dialog could have been spoofed on another site. (CVE-2024-1547) Fullscreen Notification could have been hidden by select element.
The updated packages fix security vulnerabilities: A possible heap overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition. (CVE-2024-20290) A possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. (CVE-2024-20328)
This update fixes several security issues and also improves stability. References: - https://bugs.mageia.org/show_bug.cgi?id=32332 - https://xenbits.xen.org/xsa/advisory-431.html
This is a security release. The following CVEs are fixed in this release: CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High) CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded
This update fixes two security issues: CVE-2023-4322 - heap-buffer-overflow in the brainfuck dissassembler CVE-2023-5686 - heap-buffer-overflow in /radare2/shlr/java/code.c References:
This updated dnsmasq package fixes security issues: Certain DNSSEC aspects of the DNS protocol allow a remote attacker to trigger a denial of service via extreme consumption of resource caused by DNSSEC query or response: - KeyTrap - Extreme CPU consumption in DNSSEC validator.
The updated packages fix a security vulnerability: Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. (CVE-2024-22667)
Unbound is updated to version 1.9.1 to fix security issues CVE-2023-50387 and CVE-2023-50868. References: - https://bugs.mageia.org/show_bug.cgi?id=32841
The updated packages fix security vulnerabilities: Parsing large DNS messages may cause excessive CPU load. (CVE-2023-4408) Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled. (CVE-2023-5517) Enabling both DNS64 and serve-stale may cause an assertion failure
This update brings the mbedtls packages from 2.28.3 to the latest 2.28.7 release in the LTS branch, fixing a number of bugs as well the following security vulnerabilities: - Buffer overread in TLS stream cipher suites. - Timing side channel in private key RSA operations.
The updated packages fix security vulnerabilities: Excessive time spent in DH check / generation with large Q parameter value. (CVE-2023-5678) POLY1305 MAC implementation corrupts vector registers on PowerPC. (CVE-2023-6129)
The updated packages fix security vulnerabilities: Logic bug in text extractor led to invalid memory access. (CVE-2022-30524) Integer overflow in rasterizer. (CVE-2022-30775) PDF object loop in Catalog::countPageTree. (CVE-2022-33108)