Bug 35466 - nano new security issues CVE-2026-684[23]
Summary: nano new security issues CVE-2026-684[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-05-04 16:51 CEST by Nicolas Salguero
Modified: 2026-05-07 07:09 CEST

See Also:
Source RPM: nano-7.2-1.1.mga9.src.rpm
CVE: CVE-2026-6842, CVE-2026-6843
Status comment:
herman.viaene: test_passed_mga9_64+



Nicolas Salguero 2026-05-04 16:52:35 CEST

Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-6842, CVE-2026-6843
Source RPM: (none) => nano-8.7-1.mga10.src.rpm, nano-7.2-1.1.mga9.src.rpm
Status comment: (none) => Patches available from Fedora

Comment 1 Lewis Smith 2026-05-04 21:11:41 CEST
Different packagers have maintained Nano, so assigning globally.

Status comment: Patches available from Fedora => Patches available from Fedora, refs given
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2026-05-05 10:00:55 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Local attacker can inject malicious .desktop launcher due to insecure directory permissions. (CVE-2026-6842)

Format string vulnerability leads to denial of service. (CVE-2026-6843)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLLMINU5CKQDNMS5OT7OKS5V6YQFIJUC/
========================

Updated package in core/updates_testing:
========================
nano-7.2-1.2.mga9

from SRPM:
nano-7.2-1.2.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from Fedora, refs given => (none)
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: nano-8.7-1.mga10.src.rpm, nano-7.2-1.1.mga9.src.rpm => nano-7.2-1.1.mga9.src.rpm

Comment 3 PC LX 2026-05-05 17:56:38 CEST
Installed and tested without issues.

Tested opening, editing, saving, executing external command, copy & pasta, search, replace, undo.
All seems to be working as expected. No issues found.



System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.137-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Apr 30 22:24:10 UTC 2026 x86_64 GNU/Linux
$ rpm -q nano
nano-7.2-1.2.mga9

CC: (none) => mageia

Comment 4 Herman Viaene 2026-05-06 15:20:46 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB.
Did a little editing in a txt file, saved and checked updates with kwrite. Looks OK.
In view of tests above, good to go.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2026-05-06 23:07:12 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-05-07 04:43:20 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2026-05-07 07:09:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0121.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

