Updated pacemaker packages fix security vulnerabilities
The updated packages fix security vulnerabilities: A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information being leaked via the system logs. CVE-2019-3885 A flaw was found in the way pacemaker's client-server authenticatio...
Updated flightcrew packages fix security vulnerabilities
The updated packages fix security vulnerabilities: An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL pointer dereference occurs in GetRelativePathToNcx or GetRelativePathsToXhtmlDocuments when a NULL pointer is passed to xc::XMLUri::isValidURI. This affects third-party software not...
Updated htmldoc packages fix security vulnerability
Updated htmldoc packages fix security vulnerability: In HTMLDOC, there was a one-byte underflow in htmldoc/ps-pdf.cxx caused by a floating point math difference between GCC and Clang CVE-2019-19630...
Updated samba packages fix security vulnerabilities
Updated samba packages fix security vulnerabilities: Malicious servers can cause Samba client code to return filenames containing path separators to calling code CVE-2019-10218. When the password contains multi-byte non-ASCII characters, the check password script does not receive the full passwor...
Updated freerdp packages fix security vulnerabilities
Updated freerdp packages fix security vulnerabilities: Multiple memory leaks in libfreerdp/codec/region.c CVE-2019-17177. Memory leak in HuffmanTree_makeFromFrequencies CVE-2019-17178...
Updated rsyslog packages fix security vulnerabilities
Updated rsyslog packages fix security vulnerabilities: Heap overflow in the parser for AIX log messages CVE-2019-17041. Heap overflow in the parser for Cisco log messages CVE-2019-17042...
Updated libvirt packages fix security vulnerabilities
Updated libvirt packages fix security vulnerabilities: An information leak that allowed retrieval of the guest hostname under readonly mode CVE-2019-3886. Wrong permissions in systemd admin-sock due to missing SocketMode parameter CVE-2019-10132. Arbitrary file read/exec via...
Updated libgit2 packages fix security vulnerabilities
libgit2 has been updated to version 0.28.4 to fix several security issues: A carefully constructed commit object with a very large number of parents may lead to potential out-of-bounds writes or potential denial of service. CVE-2019-1348: the fast-import stream command "feature export-marks=path"...
Updated libcroco packages fix security vulnerability
Updated libcroco packages fix security vulnerabilities: Heap overflow input: check end of input before reading a byte CVE-2017-7960. Undefined behavior tknzr: support only max long rgb values CVE-2017-7961. Denial of service memory allocation error via a crafted CSS file CVE-2017-8834. Denial of...
Updated git packages fix security vulnerabilities
The updated packages fix security vulnerabilities: The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. CVE-2019-1348 When submodules are cloned recursively, under certain circumstances Git could...
Updated dnsmasq packages fix security vulnerability
A vulnerability was found in dnsmasq through version 2.90, where a memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation. CVE-2019-14834...
Updated signing-party packages fix security vulnerability
Updated signing-party package fixes security vulnerability: The gpg-key2ps tool in signing-party contained an unsafe shell call enabling shell injection via a User ID CVE-2019-11627...
Updated kernel packages fix security vulnerability
This update provides an update to 5.4 series kernels, currently based on upstream 5.4.2, adding support for new hardware and features, and fixing at least the following security issue: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID CVE-2019-19332 WireGuard has been updated to...
Updated ncurses packages fix security vulnerabilities
Updated ncurses packages fix security vulnerabilities: Heap-based buffer over-read in the _nc_find_entry function CVE-2019-17594. Heap-based buffer over-read in the fmt_entry function CVE-2019-17595...
Updated kdelibs4 packages fix security vulnerability
kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction CVE-2019-14744...
Updated qbittorrent packages fix security vulnerability
In qBittorrent before 4.1.7, the function Application::runExternalProgram located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed...
Updated clementine packages fix security vulnerability
NULL ptr dereference crash in the moodbar pipeline CVE-2019-14332...
Updated wireshark packages fix security vulnerability
Version 3.0.7 fixes the following security vulnerability: CMS dissector crash CVE-2019-19553. This update also brings the Mageia package from version 3.0.4 to 3.0.7...
Updated jasper packages fix security vulnerabilities
Heap based overflow in jas_icctxtdesc_input CVE-2018-19540. Heap based overread in jas_image_depalettize CVE-2018-19541...
Updated proftpd packages fix security vulnerability
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the...
Updated openafs packages fix security vulnerabilities
Update to security-release 1.8.5, addresses: OPENAFS-SA-2019-001: Skip server OUT args on error OPENAFS-SA-2019-002: Zero all server RPC args OPENAFS-SA-2019-003: ubik: Avoid unlocked ubik_currentTrans deref Update to official version 1.8.4: support Linux-kernel 5.3 Avoid non-dir ENOENT errors in...
Updated squid packages fix security vulnerabilities
Potential remote code execution during URN processing CVE-2019-12526. Multiple improper validations in URI processing CVE-2019-12523, CVE-2019-18676. Cross-Site Request Forgery in HTTP Request processing CVE-2019-18677. Incorrect message parsing which could have led to HTTP request splitting issu...
Updated nss packages fix security vulnerability
Updated nss packages fix security vulnerability: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate CVE-2019-11745. Also, rootcerts has been updated to 20191126.00...
Updated thunderbird packages fix security vulnerabilities
Updated thunderbird packages fix security vulnerabilities: Stack corruption due to incorrect number of arguments in WebRTC code. CVE-2019-13722 Buffer overflow in plain text serializer. CVE-2019-17005 Use-after-free in worker destruction. CVE-2019-17008 Updater temporary files accessible to...
Updated openexr packages fix security vulnerability
The updated packages fix a security vulnerability: Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp...
Updated lz4 packages fix security vulnerability
Updated lz4 packages fix security vulnerability: Heap-based buffer overflow in LZ4_write32 CVE-2019-17543...
Updated firefox packages fix security vulnerabilities
Updated firefox packages fix security vulnerabilities: Stack corruption due to incorrect number of arguments in WebRTC code. CVE-2019-13722 Buffer overflow in plain text serializer. CVE-2019-17005 Use-after-free in worker destruction. CVE-2019-17008 Updater temporary files accessible to...
Updated ansible packages fix security vulnerability
Updated ansible package fixes security vulnerability: Splunk and Sumologic callback plugins leak sensitive data in logs CVE-2019-14864...
Updated python-twisted packages fix security vulnerabilities
Updated python-twisted packages fix security vulnerabilities: Improper sanitization of URIs or HTTP which could allow attackers to perform CRLF attacks CVE-2019-12387. In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS,...
Updated libvncserver packages fix security vulnerability
Updated libvncserver packages fix security vulnerability: LibVNC contained a memory leak in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory and bypass ASLR...
Updated python-psutil packages fix security vulnerability
Updated python-psutil packages fix security vulnerability: Riccardo Schirone discovered that psutil incorrectly handled certain reference counting operations. An attacker could use this issue to cause psutil to crash, resulting in a denial of service, or possibly execute arbitrary code...
Updated QT stack fix security vulnerability
This update provides the 5.12.6 QT stack maintenance release and fixes the following security issue: An out-of-bounds memory access in the generateDirectionalRuns function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an...
Updated libcryptopp packages fix security vulnerability
The updated packages fix a security vulnerability: Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The iss...
Updated openjpeg2 packages fix security vulnerability
The updated packages fix a security vulnerability: In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616...
Updated tnef packages fix security vulnerability
Updated tnef package fixes security vulnerability: In tnef, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer over-read involving strdup CVE-2019-18849...
Updated libvpx packages fix security vulnerabilities
Updated libvpx packages fix security vulnerabilities: It was discovered that libvpx did not properly handle certain malformed WebM media files. If an application using libvpx opened a specially crafted WebM file, a remote attacker could cause a denial of service, or possibly execute arbitrary cod...
Updated phpmyadmin packages fix security vulnerability
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature CVE-2019-18622...
Updated SDL_image packages fix security vulnerabilities
The updated packages fix security vulnerabilities: An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.3. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted imag...
Updated icu packages fix security vulnerability
The updated packages fix a security vulnerability: International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString in i18n/number_decimalquantity.cpp. CVE-2018-18928...
Updated libtasn1 packages fix security vulnerability
Updated libtasn1 packages fix security vulnerability: Denial of service in asn1Parser CVE-2018-1000654...
Updated clamav packages fix security vulnerability
The updated packages fix two packaging problems and a security vulnerability: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. CVE-2019-15961 The first packaging issue, in the configuration of...
Updated graphicsmagick packages fix security vulnerability
The updated packages fix a security vulnerability: ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. CVE-2019-16709...
Updated evince packages fix security vulnerability
The updated packages fix a security vulnerability: The tiff_document_render and tiff_document_get_thumbnail functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented, leading to uninitialized memory use when processing certain TIFF image...
Updated sysstat packages fix security vulnerability
Updated sysstat package fixes security vulnerability: Memory corruption due to an integer overflow CVE-2019-16167...
Updated libtiff packages fix security vulnerability
The updated packages fix a security vulnerability: tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition...
Updated openssl packages fix security vulnerabilities
The updated packages fix security vulnerabilities: ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0...
Updated sdl2_image packages fix security vulnerabilities
Updated sdl2_image packages fix security vulnerabilities: An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4. A missing error handler can lead to a buffer overflow and potential code execution. An attacker can provide a specially...
Updated libreoffice packages fix security vulnerabilities
Updated libreoffice packages fix security vulnerabilities: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphi...
Updated mosquitto packages fix security vulnerability
Updated mosquitto packages fix security vulnerability: A vulnerability was discovered in mosquitto, allowing a malicious MQTT client to cause a denial of service (stack overflow and daemon crash), by sending a specially crafted SUBSCRIBE packet containing a topic with an extremely deep hierarchy...
Updated unbound packages fix security vulnerability
Updated unbound package to version 1.9.5 to fix a potential security vulnerability. In case users recompiled the Mageia package with --enable-ipsecmod, and ipsecmod is enabled and used in the configuration, shell code execution would end up being possible after receiving a specially crafted answe...