Bug 35219 - perl-YAML-Syck new security issue CVE-2026-4177
Summary: perl-YAML-Syck new security issue CVE-2026-4177
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-17 09:56 CET by Nicolas Salguero
Modified: 2026-03-19 19:05 CET (History)
3 users (show)

See Also:
Source RPM: perl-YAML-Syck-1.340.0-4.mga9.src.rpm
CVE: CVE-2026-4177
Status comment:
herman.viaene: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-03-17 09:56:54 CET 
Reference: https://www.openwall.com/lists/oss-security/2026/03/16/6
Nicolas Salguero 2026-03-17 09:58:00 CET

Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-4177
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => perl-YAML-Syck-1.360.0-1.mga10.src.rpm, perl-YAML-Syck-1.340.0-4.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.37 (aka 1.370.0)

Nicolas Salguero 2026-03-17 10:07:07 CET

Assignee: bugsquad => pkg-bugs

Comment 1 Nicolas Salguero 2026-03-17 10:25:56 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. (CVE-2026-4177)

References:
https://www.openwall.com/lists/oss-security/2026/03/16/6
========================

Updated package in core/updates_testing:
========================
perl-YAML-Syck-1.340.0-4.1.mga9

from SRPM:
perl-YAML-Syck-1.340.0-4.1.mga9.src.rpm

Flags: affects_mga9+ => (none)
Status comment: Fixed upstream in 1.37 (aka 1.370.0) => (none)
Source RPM: perl-YAML-Syck-1.360.0-1.mga10.src.rpm, perl-YAML-Syck-1.340.0-4.mga9.src.rpm => perl-YAML-Syck-1.340.0-4.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED

katnatek 2026-03-18 01:27:42 CET

Keywords: (none) => advisory

Comment 2 Herman Viaene 2026-03-18 15:06:31 CET 
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
No wiki, no previous updates, so
urpmq --whatrequires perl-YAML-Syck
returns, apart from other perl packes, only shelldap.
Installed that one.
$ strace -o perlyam.txt shelldap 
No server specified.
Trace shows call to
newfstatat(AT_FDCWD, "/usr/local/lib64/perl5/5.36/YAML/Syck.pmc", 0x7ffe07c25610, 0) = -1 ENOENT (No such file or directory)
and
openat(AT_FDCWD, "/usr/lib64/perl5/vendor_perl/YAML/Syck.pm", O_RDONLY|O_CLOEXEC) = 4
So looks good.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 3 Thomas Andrews 2026-03-19 15:03:32 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2026-03-19 19:05:33 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0058.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.