Bug 35405 - opam new security issue CVE-2026-41082
Summary: opam new security issue CVE-2026-41082
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-04-27 10:22 CEST by Nicolas Salguero
Modified: 2026-05-07 07:08 CEST
3 users

See Also:
Source RPM: opam-2.1.3-1.mga9.src.rpm
CVE: CVE-2026-41082
Status comment:
herman.viaene: test_passed_mga9_64+


Attachments

Description Nicolas Salguero 2026-04-27 10:22:55 CEST
Debian has issued an advisory on April 17:
https://lists.debian.org/debian-security-announce/2026/msg00126.html
Nicolas Salguero 2026-04-27 10:24:12 CEST

Status comment: (none) => Fixed upstream in 2.5.1 and patch available from Debian
CVE: (none) => CVE-2026-41082
Flags: (none) => affects_mga9+
Source RPM: (none) => opam-2.3.0-2.mga10.src.rpm, opam-2.1.3-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-04-29 11:56:00 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix a security vulnerability:

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. (CVE-2026-41082)

References:
https://lists.debian.org/debian-security-announce/2026/msg00126.html
========================

Updated packages in core/updates_testing:
========================
opam-2.1.3-1.1.mga9
opam-doc-2.1.3-1.1.mga9

from SRPM:
opam-2.1.3-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Source RPM: opam-2.3.0-2.mga10.src.rpm, opam-2.1.3-1.mga9.src.rpm => opam-2.1.3-1.mga9.src.rpm
Version: Cauldron => 9
Status comment: Fixed upstream in 2.5.1 and patch available from Debian => (none)
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
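
As an added illustration of the flaw named in the advisory text above (this is not part of the bug report, of Debian's patch, or of opam's own code): a small audit script that parses a simplified opam .install file and flags destination fields whose normalised path leaves the section directory, which is the condition a "../" traversal relies on. The sample .install content, the subset of the .install grammar the parser accepts (one "section: [" header per line, one quoted entry per line, "]" to close), and the function names are all assumptions constructed for this example.

```python
import posixpath
import re

# Constructed sample of an opam .install file (not taken from the report).
# It mixes ordinary entries with destination fields that escape the section.
SAMPLE_INSTALL = """\
# .install file constructed for this example
bin: [
  "main.native" {"mytool"}
  "?helper.native" {"helper"}
]
lib: [
  "META"
  "a/../b/mylib.cma" {"sub/../mylib.cma"}
]
share: [
  "data.txt" {"../../outside.txt"}
  "cfg.txt" {"/etc/cfg"}
  "x.txt" {"ok/../../escaped"}
]
"""

# Simplified grammar (assumption): section header on its own line, one entry
# per line as "src" or "src" {"dst"}, optional '?' prefix marking src optional.
_SECTION_RE = re.compile(r'^\s*([a-z_]+)\s*:\s*\[\s*$')
_ENTRY_RE = re.compile(r'^\s*"\??([^"]+)"(?:\s*\{\s*"([^"]*)"\s*\})?\s*$')


def parse_install(text):
    """Parse the simplified .install format into (section, src, dst) tuples.
    dst is None when an entry carries no explicit destination."""
    entries = []
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank line or comment
        m = _SECTION_RE.match(raw)
        if m:
            section = m.group(1)
            continue
        if raw.strip() == ']':
            section = None
            continue
        m = _ENTRY_RE.match(raw)
        if m is None or section is None:
            raise ValueError(f"unrecognised .install line: {raw!r}")
        entries.append((section, m.group(1), m.group(2)))
    return entries


def escapes_section(dst):
    """True when a destination would land outside its section directory:
    an absolute path, or a path that still climbs above the root after
    normalisation (so "sub/../x" is fine but "ok/../../x" is not)."""
    if dst is None:
        return False
    if posixpath.isabs(dst):
        return True
    norm = posixpath.normpath(dst)
    return norm == '..' or norm.startswith('../')


def audit_install(text):
    """Return the entries whose destination field escapes its section."""
    return [e for e in parse_install(text) if escapes_section(e[2])]


if __name__ == "__main__":
    for section, src, dst in audit_install(SAMPLE_INSTALL):
        print(f"{section}: {src!r} -> {dst!r} escapes the section directory")
```

The check deliberately normalises before testing, so a destination such as "sub/../mylib.cma" that stays inside its section is accepted while "ok/../../escaped" is rejected; a simple substring test for "../" would get the first case wrong in the other direction.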

Nicolas Salguero 2026-04-29 11:57:01 CEST

Assignee: bugsquad => qa-bugs

katnatek 2026-05-02 18:32:34 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2026-05-04 17:22:00 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
No previous updates or wiki, so found some info at https://opam.ocaml.org/doc/Usage.html
$ opam --help
OPAM(1)                           Opam Manual                          OPAM(1)



NAME
       opam - source-based package management

SYNOPSIS
       opam [COMMAND] …

DESCRIPTION
       Opam is a package manager. It uses the powerful mancoosi tools to
       handle dependencies, including support for version constraints,
       optional dependencies, and conflict management. The default
       configuration binds it to the official package repository for OCaml.

       It has support for different remote repositories such as HTTP, rsync,
       git, darcs and mercurial. Everything is installed within a local opam
       directory, that can include multiple installation prefixes with
       different sets of intalled packages.

       Use either opam <command> --help or opam help <command> for more
       information on a specific command.

COMMANDS
       admin [OPTION]…
           Tools for repository administrators

       clean [OPTION]…
           Cleans up opam caches

       config [OPTION]… [COMMAND] [ARG]…

$ opam init
No configuration file found, using built-in defaults.
Checking for available remotes: rsync and local.
  - you won't be able to use git repositories unless you install the git command on your system.
  - you won't be able to use mercurial repositories unless you install the hg command on your system.
  - you won't be able to use darcs repositories unless you install the darcs command on your system.


<><> Fetching repository information ><><><><><><><><><><><><><><><><><><><><><>
[default] Initialised
default (at https://opam.ocaml.org): 
    [WARNING] opam is out-of-date. Please consider updating it (https://opam.ocaml.org/doc/Install.html)


<><> Required setup - please read <><><><><><><><><><><><><><><><><><><><><><><>

  In normal operation, opam only alters files within ~/.opam.

  However, to best integrate with your system, some environment variables
  should be set. If you allow it to, this initialisation step will update
  your bash configuration by adding the following line to ~/.bash_profile:

    test -r /home/tester9/.opam/opam-init/init.sh && . /home/tester9/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true

  Otherwise, every time you want to access your opam installation, you will
  need to run:

    eval $(opam env)

  You can always re-run this setup with 'opam init' later.

Do you want opam to modify ~/.bash_profile? [N/y/f]
(default is 'no', use 'f' to choose a different file) 

<><> Creating initial switch 'default' (invariant ["ocaml" {>= "4.05.0"}] - initially with ocaml-base-compiler) 

<><> Installing new switch packages <><><><><><><><><><><><><><><><><><><><><><>
Switch invariant: ["ocaml" {>= "4.05.0"}]
[NOTE] External dependency handling not supported for OS family 'mandriva'.
       You can disable this check using 'opam option --global depext=false'

<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
∗ installed base-bigarray.base
∗ installed base-threads.base
∗ installed base-unix.base
∗ installed ocaml-options-vanilla.1
⬇ retrieved ocaml-config.3  (2 extra sources)
⬇ retrieved ocaml-compiler.5.4.1  (https://opam.ocaml.org/cache)
∗ installed ocaml-compiler.5.4.1
∗ installed ocaml-base-compiler.5.4.1
∗ installed ocaml-config.3
∗ installed ocaml.5.4.1
∗ installed base-domains.base
∗ installed base-effects.base
∗ installed base-nnp.base
Done.
# Run eval $(opam env --switch=default) to update the current shell environment

$ opam list -a | more
# Packages matching: available
[NOTE] External dependency handling not supported for OS family 'mandriva'.
       You can disable this check using 'opam option --global depext=false'
# Name                                    # Installed # Synopsis
0install                                  --          Decentralised installation system
0install-gtk                              --          Decentralised installation system - GTK UI
0install-solver                           --          Package dependency solver
ANSITerminal                              --          Basic control of ANSI compliant terminals and the windows shell
aacplus                                   --          Bindings for the aacplus library which provides functions for decoding AAC audio files
aarch64-esperanto                         --          An OCaml compiler with Cosmopolitan
abella                                    --          Interactive theorem prover based on lambda-tree syntax
absolute                                  --          AbSolute solver
abstract_algebra                          --          A small library describing abstract algebra concepts
accessor                                  --          A library that makes it nicer to work with nested functional data structures
accessor_async                            --          Accessors for Async types, for use with the Accessor library
accessor_base                             --          Accessors for Base types, for use with the Accessor library
accessor_core                             --          Accessors for Core types, for use with the Accessor library
acgtk                                     --          Abstract Categorial Grammar development toolkit
aches                                     --          Caches (bounded-size stores) for in-memory values and for resources
aches-lwt                                 --          Caches (bounded-size stores) for Lwt promises
acp4                                      --          ACP4: AutoCorrelation of Pharmacophore Features
acpc                                      --          Chemoinformatics tool for ligand-based virtual screening
activitypub                               --          ActivityPub in OCaml
activitypub_client                        --          ActivityPub client in OCaml
activitypub_gui                           --          Simple ActivityPub client gui in OCaml
activitypub_server                        --          ActivityPub server in OCaml
activitypub_server_gui                    --          ActivityPub server in OCaml, admin GUI
adelfa                                    --          Proof assistant for reasoning about LF specifications
adobe_font_metrics                        --          Parser for the Adobe Font Metrics format
advi                                      --          Active DVI Dune package!
aez                                       --          Alt-Ergo Zero is an OCaml library for an SMT solver.
afl                                       --          American Fuzzy Lop fuzzer by Michal Zalewski, repackaged for convenient use in opam
afl-persistent                            --          Use afl-fuzz in persistent mode
ago                                       --          ago(1) - compute the number of days between two calendar dates
and a loooong list......
$ opam show albatross
[NOTE] External dependency handling not supported for OS family 'mandriva'.
       You can disable this check using 'opam option --global depext=false'

<><> albatross: information on all versions <><><><><><><><><><><><><><><><><><>
name         albatross
all-versions 1.2.0  1.4.3  1.5.4  2.1.0  2.3.0  2.4.1  2.5.0  2.5.1  2.6.0  2.6.1  2.6.2  2.7.0

<><> Version-specific details <><><><><><><><><><><><><><><><><><><><><><><><><>
version      2.7.0
repository   default
url.src      "https://github.com/robur-coop/albatross/releases/download/v2.7.0/albatross-2.7.0.tbz"
url.checksum
          "sha256=6577b96d36d194132e6b1e1101bb1019918a31ba2b34cd757ead1dc7a7611b3d"
          "sha512=035cf84ebdb66526be03fec45f4f7c3f5b1d1fcef31917ff86e994b663dfbee4b323b754df637cc538c4f1af9ab8b2e61e61390329a3cc8dbf4be6d2d24ca0cf"
homepage     "https://github.com/robur-coop/albatross"
bug-reports  "https://github.com/robur-coop/albatross/issues"
dev-repo     "git+https://github.com/robur-coop/albatross.git"
authors      "Hannes Mehnert <hannes@mehnert.org>"
maintainer   "Hannes Mehnert <hannes@mehnert.org>"
license      "ISC"
depends      "ocaml" {>= "4.14.0"}
             "dune" {>= "2.7.0"}
             "dune-configurator"
             "conf-pkg-config" {build}
             "conf-libnl3" {os = "linux"}
             "conf-libev"
             "lwt" {>= "3.0.0"}
             "ipaddr" {>= "5.3.0"}
             "logs"
             "bos" {>= "0.2.0"}
             "ptime" {>= "1.1.0"}
             "cmdliner" {>= "1.1.0"}
             "fmt" {>= "0.8.7"}
             "x509" {>= "1.0.0"}
             "tls" {>= "1.0.2"}
             "tls-lwt" {>= "1.0.2"}
             "asn1-combinators" {>= "0.3.0"}
             "duration"
             "decompress" {>= "1.3.0"}
             "bigstringaf" {>= "0.2.0"}
             "metrics" {>= "0.5.0"}
             "metrics-lwt" {>= "0.2.0"}
             "metrics-influx" {>= "0.2.0"}
             "metrics-rusage"
             "ohex" {>= "0.2.0"}
             "http-lwt-client" {>= "0.3.0"}
             "happy-eyeballs-lwt"
             "solo5-elftool" {>= "0.4.0"}
             "cachet" {>= "0.0.3"}
             "bstr"
             "fpath" {>= "0.7.3"}
             "logs-syslog" {>= "0.4.1"}
             "digestif" {>= "1.2.0"}
             "alcotest" {with-test}
synopsis     Albatross - orchestrate and manage MirageOS unikernels with Solo5
description  The goal of albatross is robust deployment of [MirageOS](https://mirage.io)
             unikernels using [Solo5](https://github.com/solo5/solo5). Resources managed
             by albatross are network interfaces of kind `tap`, which are connected to
             already existing bridges, block devices, memory, and CPU. Each unikernel is
             pinned (`cpuset` / `taskset`) to a specific core.
I think this shows enough of the working of the package.

CC: (none) => herman.viaene
Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK

Comment 3 Thomas Andrews 2026-05-05 17:12:01 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2026-05-07 07:08:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0116.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

