Updated clamav packages fix security vulnerability
A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for completion when a file is...
Updated libtiff packages fix security vulnerability
A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial o...
Updated librsvg packages fix security vulnerability
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files on the local filesystem outside of the expected area, as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. CVE-2023-3863...
Updated openssl packages fix security vulnerability
AES-SIV implementation ignores empty associated data entries. CVE-2023-2975 Excessive time spent checking DH keys and parameters. CVE-2023-3446 Excessive time spent checking DH q parameter value. CVE-2023-3817...
Updated postgresql packages fix security vulnerability
Extension script @substitutions@ within quoting allow SQL injection. CVE-2023-39417 MERGE fails to enforce UPDATE or SELECT row security policies. CVE-2023-39418...
Updated python-pypdf2 packages fix security vulnerability
It was discovered that python-pypdf2 contained a vulnerability whereby an attacker can craft a PDF which leads to unexpected long runtime. CVE-2023-36810...
Updated chromium-browser-stable packages fix security vulnerability
The chromium-browser-stable package has been updated to the 116.0.5845.140 release, fixing 5 vulnerabilities. High CVE-2023-4430: Use after free in Vulkan. Reported by Cassidy Kim (@cassidy6564) on 2023-08-02 High CVE-2023-4429: Use after free in Loader. Reported by Anonymous on 2023-08-03 High...
Updated ghostscript packages fix security vulnerability
Ghostscript through 10.01.2 mishandles permission validation for pipe devices with the %pipe% prefix or the | pipe character prefix. CVE-2023-36664 A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle in ghostscript. This issue may allow a local attacker to cause a denial o...
Updated openldap packages fix security vulnerability
Null pointer dereference in ber_memalloc_x function CVE-2023-2953...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.15.126 and fixes or adds mitigations for at least the following security issues: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to...
Updated redis packages fix security vulnerability
A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. CVE-2022-24834...
Updated samba packages fix security vulnerability
Out-of-bounds read due to insufficient length checks in winbindd_pam_auth_crap.c CVE-2022-2127 Improper SMB2 packet signing mechanism leading to man in the middle risk CVE-2023-3347 Infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight CVE-2023-34966 Type Confusion...
Updated php packages fix security vulnerability
Libxml - GHSA-3qrf-m4j2-pcrr Security issue with external entity loading in XML without enabling it. CVE-2023-3823 Phar - GHSA-jqcx-ccgc-xwhv Buffer mismanagement in phar_dir_read CVE-2023-3824...
Updated docker-containerd packages fix security vulnerability
Memory leak. CVE-2022-23471 Denial of service with maliciously crafted image with a large file CVE-2023-25153 Security bypass due to improper supplementary group handling. CVE-2023-25173...
Updated microcode packages fix security vulnerabilities
This update adds initial microcode updates for AMD and Intel CPUs for the following security issues: AMD: A side channel vulnerability in some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.15.126 and fixes or adds mitigations for at least the following security issues: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated...
Updated kernel packages fix security vulnerability
This kernel update is based on upstream 5.15.122 and fixes at least the following security issue: Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register,...
Updated cri-o packages fix security vulnerability
Denial of service due to memory or disk exhaustion. CVE-2022-1708...
Updated mediawiki packages fix security vulnerability
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.15.122 and fixes at least the following security issues: Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM...
Updated microcode packages fix security vulnerability
Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information CVE-2023-20593, also know...
Updated virtualbox packages fix security vulnerabilities
This update provides the upstream 7.0.10 maintenance release that fixes at least the following security vulnerabilities: Vulnerability in the Oracle VM VirtualBox prior to 7.0.10 contains an easily exploitable vulnerability that allows a high privileged attacker with logon to the infrastructure whe...
Updated mutt/neomutt packages fix security vulnerability
Out-of-bounds read in imap/util.c when an IMAP sequence set ends with a comma. CVE-2021-32055 Overflow in uudecoder in Mutt allows read past end of input line CVE-2022-1328...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.15.120 and fixes at least the following security issues: A null pointer dereference flaw in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system. This is fixed by removing DECnet support CVE-2023-3338...
Updated qt4/qtsvg5 packages fix security vulnerability
Out-of-bounds write in QtPrivate::QCommonArrayOps::growAppend CVE-2021-45930 QtSvg QSvgFont m_unitsPerEm initialization is mishandled. CVE-2023-32573...
Updated mingw-nsis packages fix security vulnerability
Mishandles access control for an uninstaller directory. CVE-2023-37378...
Updated php packages fix security vulnerability
Fixed SOAP bug GHSA-76gg-c692-v2mw Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP. CVE-2023-3247...
Updated firefox/nss packages fix security vulnerability
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS CVE-2023-37201. Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free in...
Updated maven packages fix security vulnerability
No longer use http non-SSL repository references by default...
Updated texlive packages fix security vulnerability
Any document compiled with older versions of LuaTeX can execute arbitrary shell commands, even with shell escape disabled. CVE-2023-32700...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.15.120 and fixes at least the following security issues: A null pointer dereference flaw in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system. This is fixed by removing DECnet support...
Updated systemd packages fix security vulnerability
Local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting CVE-2022-4415...
Updated testng packages fix security vulnerability
Path traversal in zip files CVE-2022-4065...
Updated golang packages fix security vulnerability
Code injection via go command with cgo in cmd/go CVE-2023-29402 Ignoring setuid/setgid bits. CVE-2023-29403 Arbitrary code execution CVE-2023-29404 Arbitrary code execution CVE-2023-29405...
Updated perl-DBD-SQLite packages fix security vulnerability
Possible unfixed security issues due to bundled sqlite3...
Updated python-wheel packages fix security vulnerability
Denial of service via attacker controlled input to wheel cli CVE-2022-40898...
Updated python-setuptools packages fix security vulnerability
Denial of service via crafted HTML CVE-2022-40897...
Updated nodejs packages fix security vulnerability
The current nodejs 14 branch in Mageia 8 is end of life and there are no more security updates. This release allows moving to the new nodejs 18 LTS branch and fixes the following CVEs: CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism High CVE-2023-30585: Privilege escalation via...
Updated skopeo/buildah/podman packages fix security vulnerability
Information disclosure flaw was found in Buildah CVE-2021-3602 podman allows forwarding hosts ports to vm from within vm CVE-2021-4024 Allows use "../" separators in containernetworking/cni to reference binaries such as 'reboot' in network configuration CVE-2021-20206 github.com/containers/storag...
Updated keepass packages fix security vulnerability
Allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. Disputed by vendor due to level of access required. CVE-2023-24055 Possible to recover the cleartext master password from a memory dump, even when a workspace is...
Updated opensc packages fix security vulnerability
Crash or info leak due to heap-based buffer out of bounds read CVE-2023-2977...
Updated cups packages fix security vulnerability
Use-after-free in cupsdAcceptClient. CVE-2023-34241...
Updated libreoffice packages fix security vulnerability
Arbitrary File Write in hsqldb 1.8.0. CVE-2023-1183...
Updated webkit2 packages fix security vulnerability
Details not available at this time. CVE-2022-48503 Memory corruption issue may lead to arbitrary code execution CVE-2023-32435 Type confusion issue may lead to arbitrary code execution CVE-2023-32439...
Updated glances packages fix security vulnerability
Regular Expression Denial of Service (ReDoS) in angular CVE-2022-25844...
Updated apache-ivy packages fix security vulnerability
Improper path allowed when extracting archive. CVE-2022-37865 Possible path traversal in download path CVE-2022-37866...
Updated minidlna packages fix security vulnerability
Out-of-bounds read/write due to buffer overflow CVE-2023-33476...
Updated curaengine packages fix security vulnerability
Denial of service due to integer overflow CVE-2022-28041...
Updated libx11 packages fix security vulnerability
Buffer overflows in InitExt.c in libX11 prior to 1.8.6. CVE-2023-3138...
Updated docker-docker-registry packages fix security vulnerability
Denial of service through excessive use of memory. CVE-2023-2253...