Fedora has issued an advisory on June 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XITIPFJQFQIYBAV5Y3UA5AL6T5ATFDFX/
Fixed by: https://github.com/stefanberger/libtpms/commit/9f9baccdba9cd3fc32f1355613abd094b21f7ba0 (v0.9.7)
CVE: (none) => CVE-2025-49133
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 0.10.1 and 0.9.7
Source RPM: (none) => libtpms-0.10.0-2.mga10.src.rpm, libtpms-0.9.6-1.mga9.src.rpm
This will probably land up with DavidG, but in the past other people committed this, so someone else might pick it up.
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory on July 5: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/S6HQ4BINRZZFZRPF4SB4T6ST7YK7DMS7/
Cauldron fixed with libtpms-0.10.1-1.mga10.
Package patched for Mageia 9

Advisory:
========================

Patched libtpms package fixes security vulnerability:

It was discovered that libtpms had a potential out-of-bound access & abort due to HMAC signing issue (CVE-2025-49133).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XITIPFJQFQIYBAV5Y3UA5AL6T5ATFDFX/
https://www.cve.org/CVERecord?id=CVE-2025-49133
========================

Updated packages in core/updates_testing:
========================
lib64tpms0-0.9.6-1.1.mga9.x86_64.rpm
lib64tpms-devel-0.9.6-1.1.mga9.x86_64.rpm

from libtpms-0.9.6-1.1.mga9.src.rpm
CC: (none) => mhrambo3501
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Installed and tested without issues.

The package lib64tpms0 is used by the package swtpm which is used by QEMU/KVM to provide a TPM emulation to virtual machines.

I have two virtual machines configured with TPM emulation, one runs Windows 10 and the other runs Windows 11. After installation, both VMs continued to function as usual, and checking in the settings, the emulated TPM information is still showing up as before.

For now that is all the testing I can think of, and searching for other TPM bugs did not show anything useful. Will do more testing if anyone gives some pointers.

System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.6.105-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Sep 10 13:53:34 UTC 2025 x86_64 GNU/Linux
$ rpm -q lib64tpms0
lib64tpms0-0.9.6-1.1.mga9
CC: (none) => mageia
Keywords: (none) => advisory
Two previous updates were sent along on a clean install, so you've already done more than we tried before. Since Windows 11 requires a TPM to work, and your VM continued to function after the update, I would think that's enough. Giving this an OK, and validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0248.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
The Mageia Updates repository now provides an update for this problem. https://advisories.mageia.org/MGASA-2025-0248.html
CC: (none) => defaro1173
CC: defaro1173 => (none)