Mageia Security
MGASA-2026-0167 - Updated vim packages fix security vulnerabilities
Publication date: 30 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-45130, CVE-2026-43961, CVE-2026-46483
Description
Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450. (CVE-2026-45130)
Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename affects Vim < 9.2.0480. (CVE-2026-43961)
Command Injection in tar.vim affects Vim < 9.2.0479. (CVE-2026-46483)
Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name affects Vim < 9.2.0495.
Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex affects Vim < 9.2.0496.
References
- https://bugs.mageia.org/show_bug.cgi?id=35490
- https://www.openwall.com/lists/oss-security/2026/05/07/9
- https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
- https://www.openwall.com/lists/oss-security/2026/05/14/6
- https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
- https://www.openwall.com/lists/oss-security/2026/05/14/7
- https://github.com/vim/vim/security/advisories/GHSA-66hr-7p6x-x5j3
- https://www.openwall.com/lists/oss-security/2026/05/17/3
- https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c
- https://www.openwall.com/lists/oss-security/2026/05/17/4
- https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45130
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-46483
- vim-9.2.498-1.mga9
Categories: Security Updates
MGASA-2026-0166 - Updated perl-Template-Toolkit packages fix security vulnerability
Publication date: 30 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-5090
Description
Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. (CVE-2026-5090)
References
- https://bugs.mageia.org/show_bug.cgi?id=35554
- https://www.openwall.com/lists/oss-security/2026/05/19/40
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5090
- perl-Template-Toolkit-3.101.0-1.1.mga9
Categories: Security Updates
MGASA-2026-0165 - Updated nspr, nss and firefox(-l10n) packages fix security issues
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8388, CVE-2026-8391, CVE-2026-8401, CVE-2026-8946, CVE-2026-8947, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975
Description
The updated packages fix security vulnerabilities:
Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-8946)
Incorrect boundary conditions in the JavaScript Engine: JIT component. (CVE-2026-8388)
Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-8947)
Other issue in the JavaScript Engine component. (CVE-2026-8391)
Sandbox escape in the Profile Backup component. (CVE-2026-8401)
Same-origin policy bypass in the Networking: HTTP component. (CVE-2026-8950)
Sandbox escape due to use-after-free in the Disability Access APIs component. (CVE-2026-8953)
Incorrect boundary conditions, integer overflow in the Audio/Video component. (CVE-2026-8954)
Privilege escalation in the DOM: Workers component. (CVE-2026-8955)
Integer overflow in the Networking: JAR component. (CVE-2026-8956)
Privilege escalation in the Enterprise Policies component. (CVE-2026-8957)
Information disclosure, sandbox escape in the Security: Process Sandboxing component. (CVE-2026-8958)
Spoofing issue in the Form Autofill component. (CVE-2026-8961)
Mitigation bypass in the DOM: Security component. (CVE-2026-8962)
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. (CVE-2026-8968)
Privilege escalation in the Security component. (CVE-2026-8970)
Memory safety bugs fixed in Firefox ESR 140.11 and Firefox 151. (CVE-2026-8974)
Memory safety bugs fixed in Firefox ESR 115.36, Firefox ESR 140.11 and Firefox 151. (CVE-2026-8975)
References
- https://bugs.mageia.org/show_bug.cgi?id=35555
- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/S3z0rOO1xpg
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_124.html
- https://www.firefox.com/en-US/firefox/140.11.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-48/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8391
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8401
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8946
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8950
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8953
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8955
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8956
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8958
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8962
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8970
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8974
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8975
- nspr-4.39.0-1.mga9
- nss-3.124.0-1.mga9
- firefox-140.11.0-1.mga9
- firefox-l10n-140.11.0-1.mga9
Categories: Security Updates
MGASA-2026-0164 - Updated thunderbird(-l10n) packages fix security vulnerabilities
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8388, CVE-2026-8391, CVE-2026-8401, CVE-2026-8946, CVE-2026-8947, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975
Description
The updated packages fix security vulnerabilities:
Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-8946)
Incorrect boundary conditions in the JavaScript Engine: JIT component. (CVE-2026-8388)
Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-8947)
Other issue in the JavaScript Engine component. (CVE-2026-8391)
Sandbox escape in the Profile Backup component. (CVE-2026-8401)
Same-origin policy bypass in the Networking: HTTP component. (CVE-2026-8950)
Sandbox escape due to use-after-free in the Disability Access APIs component. (CVE-2026-8953)
Incorrect boundary conditions, integer overflow in the Audio/Video component. (CVE-2026-8954)
Privilege escalation in the DOM: Workers component. (CVE-2026-8955)
Integer overflow in the Networking: JAR component. (CVE-2026-8956)
Privilege escalation in the Enterprise Policies component. (CVE-2026-8957)
Information disclosure, sandbox escape in the Security: Process Sandboxing component. (CVE-2026-8958)
Spoofing issue in the Form Autofill component. (CVE-2026-8961)
Mitigation bypass in the DOM: Security component. (CVE-2026-8962)
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. (CVE-2026-8968)
Privilege escalation in the Security component. (CVE-2026-8970)
Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151. (CVE-2026-8974)
Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151. (CVE-2026-8975)
References
- https://bugs.mageia.org/show_bug.cgi?id=35560
- https://www.thunderbird.net/en-US/thunderbird/140.11.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-51/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8391
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8401
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8946
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8950
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8953
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8955
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8956
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8958
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8962
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8970
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8974
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8975
- thunderbird-140.11.0-1.mga9
- thunderbird-l10n-140.11.0-1.mga9
Categories: Security Updates
MGASA-2026-0163 - Updated bind packages fix security vulnerabilities
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950
Description
Updated bind package fixes security vulnerabilities:
BIND 9 server memory exhaustion during GSS-API TKEY negotiation (CVE-2026-3039)
Amplification vulnerabilities via self-pointed glue records (CVE-2026-3592)
Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation (CVE-2026-3593)
Invalid handling of CLASS != IN (CVE-2026-5946)
SIG(0) validation during query flood may lead to undefined behavior (CVE-2026-5947)
Unbounded resend loop in BIND 9 resolver (CVE-2026-5950)
References
- https://bugs.mageia.org/show_bug.cgi?id=35557
- https://www.openwall.com/lists/oss-security/2026/05/20/11
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3039
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3592
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3593
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5946
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5950
- bind-9.18.49-1.mga9
Categories: Security Updates
MGASA-2026-0162 - Updated graphicsmagick packages fix a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-42050
Description
The updated packages fix a security vulnerability:
Stack buffer overflow in XTileImage. (CVE-2026-42050)
References
- https://bugs.mageia.org/show_bug.cgi?id=35556
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/O6OYKKQT2LLKS52FQTHRZ7GJJSUXW3YH/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42050
- graphicsmagick-1.3.40-1.6.mga9
- graphicsmagick-1.3.40-1.6.mga9.tainted
Categories: Security Updates
MGASA-2026-0161 - Updated microcode package fixes security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-35979
Description
The updated package fixes a security vulnerability:
A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing microcode updates to mitigate this potential vulnerability. (CVE-2025-35979)
References
- https://bugs.mageia.org/show_bug.cgi?id=35558
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20260512
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01420.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-35979
- microcode-0.20260512-1.mga9.nonfree
Categories: Security Updates
MGASA-2026-0160 - Updated perl-Catalyst-Plugin-Authentication package fixes a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-5091
Description
The updated package fixes a security vulnerability:
Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks. (CVE-2026-5091)
References
- https://bugs.mageia.org/show_bug.cgi?id=35569
- https://www.openwall.com/lists/oss-security/2026/05/21/19
- https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_025/changes
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5091
- perl-Catalyst-Plugin-Authentication-0.100.230-12.1.mga9
Categories: Security Updates
MGASA-2026-0159 - Updated nginx package fixes a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-9256
Description
The updated package fixes a security vulnerability:
NGINX ngx_http_rewrite_module vulnerability. (CVE-2026-9256)
References
- https://bugs.mageia.org/show_bug.cgi?id=35581
- https://www.openwall.com/lists/oss-security/2026/05/22/14
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9256
- nginx-1.30.2-1.mga9
Categories: Security Updates
MGASA-2026-0158 - Updated perl-IO-Compress package fixes security vulnerabilities
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-15649, CVE-2026-48959, CVE-2026-48961, CVE-2026-48962
Description
The updated package fixes security vulnerabilities:
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. (CVE-2025-15649)
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. (CVE-2026-48959)
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. (CVE-2026-48962)
References
- https://bugs.mageia.org/show_bug.cgi?id=35593
- https://www.openwall.com/lists/oss-security/2026/05/27/1
- https://www.openwall.com/lists/oss-security/2026/05/27/2
- https://www.openwall.com/lists/oss-security/2026/05/27/3
- https://www.openwall.com/lists/oss-security/2026/05/27/4
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15649
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48959
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48962
- perl-IO-Compress-2.204.0-1.1.mga9
Categories: Security Updates
MGASA-2026-0157 - Updated perl-HTTP-Daemon package fixes a security vulnerability
Publication date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8450
Description
The updated package fixes a security vulnerability:
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). (CVE-2026-8450)
References
- https://bugs.mageia.org/show_bug.cgi?id=35594
- https://www.openwall.com/lists/oss-security/2026/05/27/5
- https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8450
- perl-HTTP-Daemon-6.140.0-3.1.mga9
Categories: Security Updates
MGASA-2026-0156 - Updated nginx packages fix security vulnerabilities
Publication date: 26 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-40460, CVE-2026-40701, CVE-2026-42926, CVE-2026-42934, CVE-2026-42945, CVE-2026-42946
Description
NGINX ngx_quic_module vulnerability. (CVE-2026-40460)
NGINX ngx_http_ssl_module vulnerability. (CVE-2026-40701)
NGINX ngx_http_proxy_v2_module vulnerability. (CVE-2026-42926)
NGINX ngx_http_charset_module vulnerability. (CVE-2026-42934)
NGINX ngx_http_rewrite_module vulnerability. (CVE-2026-42945)
NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability. (CVE-2026-42946)
References
- https://bugs.mageia.org/show_bug.cgi?id=35529
- https://www.openwall.com/lists/oss-security/2026/05/13/7
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40460
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40701
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42926
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42934
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42945
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42946
- nginx-1.30.1-1.mga9
Categories: Security Updates
MGASA-2026-0155 - Updated x11-server, x11-server-xwayland & tigervnc packages fix security vulnerabilities
Publication date: 26 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003
Description
XKB Integer Underflow in XkbSetCompatMap(). (CVE-2026-33999)
XKB Out-of-bounds Read in CheckSetGeom(). (CVE-2026-34000)
XSYNC Use-after-free in miSyncTriggerFence(). (CVE-2026-34001)
XKB Out-of-bounds read in CheckModifierMap(). (CVE-2026-34002)
XKB Buffer overflow in CheckKeyTypes(). (CVE-2026-34003)
References
- https://bugs.mageia.org/show_bug.cgi?id=35366
- https://www.openwall.com/lists/oss-security/2026/04/14/8
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGQLR43Z7T6IISLCOC2Q4WB3D4YWB4QS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RULWKTYNOMHH3NTJ36SDNJVWKXYJ4VVO/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33999
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34000
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34001
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34002
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34003
- x11-server-21.1.8-7.10.mga9
- x11-server-xwayland-22.1.9-1.10.mga9
- tigervnc-1.13.1-2.11.mga9
Categories: Security Updates
MGASA-2026-0154 - Updated perl-Imager packages fix security vulnerabilities
Publication date: 26 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8669
Description
Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. (CVE-2026-8669)
References
- https://bugs.mageia.org/show_bug.cgi?id=35541
- https://www.openwall.com/lists/oss-security/2026/05/15/17
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8669
- perl-Imager-1.19.0-2.1.mga9
Categories: Security Updates
MGASA-2026-0153 - Updated ffmpeg packages fix security vulnerabilities
Publication date: 26 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-30997, CVE-2026-40962
Description
An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. (CVE-2026-30997)
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. (CVE-2026-40962)
References
- https://bugs.mageia.org/show_bug.cgi?id=35546
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4TOCC22G6AHEU62PA7DQARAPJYTW6XSE/
- https://excellent-oatmeal-319.notion.site/CVE-2026-30997-Out-of-Bounds-Access-a7929817b9794568b2f7774397c7d65f
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-30997
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40962
- ffmpeg-5.1.9-1.mga9
- ffmpeg-5.1.9-1.mga9.tainted
Categories: Security Updates
MGASA-2026-0152 - Updated bind packages fix security vulnerabilities
Publication date: 19 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-13878, CVE-2026-1519
Description
It was discovered that bind contained a vulnerability where a malformed BRID/HHIT record can cause named to terminate unexpectedly (CVE-2025-13878).
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (CVE-2026-1519).
References
- https://bugs.mageia.org/show_bug.cgi?id=35283
- https://bugs.mageia.org/show_bug.cgi?id=35049
- https://www.openwall.com/lists/oss-security/2026/01/21/3
- https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries
- https://kb.isc.org/docs/cve-2026-1519
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13878
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1519
- bind-9.18.47-1.mga9
Categories: Security Updates
MGASA-2026-0151 - Updated postgresql15 packages fix security vulnerabilities
Publication date: 19 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475, CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479, CVE-2026-6575, CVE-2026-6637, CVE-2026-6638
Description
PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege. (CVE-2026-6472)
PostgreSQL server undersizes allocations, via integer wraparound. (CVE-2026-6473)
PostgreSQL timeofday() can disclose portions of server memory. (CVE-2026-6474)
PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice. (CVE-2026-6475)
PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory. (CVE-2026-6477)
PostgreSQL discloses MD5-hashed passwords via covert timing channel. (CVE-2026-6478)
PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion. (CVE-2026-6479)
PostgreSQL refint allows stack buffer overflow and SQL injection. (CVE-2026-6637)
References
- https://bugs.mageia.org/show_bug.cgi?id=35534
- https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6472
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6473
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6474
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6475
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6476
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6477
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6478
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6479
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6575
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6637
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6638
- postgresql15-15.18-1.mga9
Categories: Security Updates
MGASA-2026-0150 - Updated perl-libwww-perl & perl-HTTP-Message packages fix security vulnerabilities
Publication date: 19 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8368
Description
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.
References
- https://bugs.mageia.org/show_bug.cgi?id=35524
- https://www.openwall.com/lists/oss-security/2026/05/12/7
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8368
- perl-libwww-perl-6.830.0-1.mga9
- perl-HTTP-Message-7.10.0-1.mga9
Categories: Security Updates
MGASA-2026-0149 - Updated perl-WWW-Mechanize-Cached, perl-File-XDG & perl-Path-Tiny packages fix security vulnerabilities
Publication date: 18 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8612
Description
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.
References
- https://bugs.mageia.org/show_bug.cgi?id=35533
- https://www.openwall.com/lists/oss-security/2026/05/15/1
- https://metacpan.org/release/OALDERS/WWW-Mechanize-Cached-2.00/changes
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8612
- perl-WWW-Mechanize-Cached-2.0.0-1.mga9
- perl-Path-Tiny-0.150.0-1.mga9
- perl-File-XDG-1.30.0-1.mga9
Categories: Security Updates
MGASA-2026-0148 - Updated perl-YAML-Syck package fixes security vulnerability
Publication date: 18 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-5089
Description
YAML::Syck versions before 1.38 for Perl have an out-of-bounds read.
References
- https://bugs.mageia.org/show_bug.cgi?id=35525
- https://www.openwall.com/lists/oss-security/2026/05/12/16
- https://metacpan.org/release/TODDR/YAML-Syck-1.45/source/Changes
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5089
- perl-YAML-Syck-1.450.0-1.mga9
Categories: Security Updates




