References: https://bugzilla.redhat.com/show_bug.cgi?id=2440530 https://ubuntu.com/security/CVE-2026-27171 https://security-tracker.debian.org/tracker/CVE-2026-27171
Fix: https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77
Source RPM: (none) => zlib-1.2.13-1.3.mga9.src.rpm
Status comment: (none) => Patch available from upstream
CVE: (none) => CVE-2026-27171
Suggested advisory:
========================

The updated packages fix a security vulnerability:

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. (CVE-2026-27171)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2440530
https://ubuntu.com/security/CVE-2026-27171
https://security-tracker.debian.org/tracker/CVE-2026-27171
========================

Updated packages in core/updates_testing:
========================
lib(64)minizip-devel-1.2.13-1.4.mga9
lib(64)minizip1-1.2.13-1.4.mga9
lib(64)zlib-devel-1.2.13-1.4.mga9
lib(64)zlib-static-devel-1.2.13-1.4.mga9
lib(64)zlib1-1.2.13-1.4.mga9

from SRPM:
zlib-1.2.13-1.4.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
Assignee: bugsquad => qa-bugs
Keywords: (none) => advisory
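The loop behaviour the advisory above describes, as an added example that is not part of this bug report, of zlib's source, or of the upstream patch: a self-contained model of a square-and-multiply loop that consumes one bit of a length per pass by right-shifting it. It assumes the length is a signed 64-bit value and that the compiler shifts negative values arithmetically; the names `gf2_mul`, `x_pow`, `x_pow_checked` and `PASS_CAP` are hypothetical, and the cap exists only so the demonstration returns.

```c
#include <stdint.h>
#include <stdio.h>
#define POLY 0xedb88320u /* CRC-32 polynomial, reflected form */
#define PASS_CAP 64u     /* demo budget: a non-negative int64_t needs at most 63 passes */
static uint32_t x2n[32]; /* x2n[k] = x^(2^k) mod POLY, filled by init_table() */
/* Multiply two polynomials mod POLY (bit 31 is the x^0 term); a must be non-zero. */
static uint32_t gf2_mul(uint32_t a, uint32_t b)
{
    uint32_t m = (uint32_t)1 << 31, p = 0;
    for (;;) {
        if (a & m) {
            p ^= b;
            if ((a & (m - 1)) == 0)
                return p;
        }
        m >>= 1;
        b = (b & 1) ? (b >> 1) ^ POLY : b >> 1;
    }
}
static void init_table(void)
{
    uint32_t p = x2n[0] = (uint32_t)1 << 30;   /* x^1 */
    for (int i = 1; i < 32; i++)
        x2n[i] = p = gf2_mul(p, p);            /* square the previous entry */
}

/* x^(n * 2^k) mod POLY, one bit of n per pass.
 * Returns 0 on success, -1 if the loop was still running at PASS_CAP. */
static int x_pow(int64_t n, unsigned k, uint32_t *out)
{
    uint32_t p = (uint32_t)1 << 31;            /* x^0 */
    for (unsigned pass = 0; n; pass++, k++) {
        if (pass == PASS_CAP)
            return -1;      /* without this cap the loop would never exit */
        if (n & 1)
            p = gf2_mul(x2n[k & 31], p);
        n >>= 1;  /* arithmetic shift (gcc/clang): negative n settles at -1, never 0 */
    }
    *out = p;
    return 0;
}
/* Hypothetical guard: refuse a negative length before entering the loop. */
static int x_pow_checked(int64_t n, unsigned k, uint32_t *out) { return n < 0 ? -2 : x_pow(n, k, out); }

int main(void)
{
    uint32_t v = 0; init_table();
    printf("n=-1: unguarded %d, guarded %d\n", x_pow(-1, 0, &v), x_pow_checked(-1, 0, &v));
    return 0;
}
```

Every non-negative length finishes within 63 passes, so a loop of this shape that is still running after 64 was handed a negative value.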
RH x86_64

installing lib64minizip1-1.2.13-1.4.mga9.x86_64.rpm lib64zlib1-1.2.13-1.4.mga9.x86_64.rpm lib64zlib-devel-1.2.13-1.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ###################################################################################################
1/3: lib64zlib1 ###################################################################################################
2/3: lib64minizip1 ###################################################################################################
3/3: lib64zlib-devel ###################################################################################################
1/3: removing lib64zlib-devel-1.2.13-1.3.mga9.x86_64 ###################################################################################################
2/3: removing lib64minizip1-1.2.13-1.3.mga9.x86_64 ###################################################################################################
3/3: removing lib64zlib1-1.2.13-1.3.mga9.x86_64 ###################################################################################################

Repeat bug 34954 comment 3 test

strace smplayer shows
openat(AT_FDCWD, "/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3

strace vlc
openat(AT_FDCWD, "/usr/lib64/libzstd.so.1", O_RDONLY|O_CLOEXEC) = 3

strace zapzap
openat(AT_FDCWD, "/usr/lib64/libminizip.so.1", O_RDONLY|O_CLOEXEC) = 3

The 3 work
Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0076.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED