Advisories » MGASA-2026-0116

Updated opam packages fix security vulnerability

Publication date: 07 May 2026
Modification date: 07 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-41082

Description

In OCaml opam before 2.5.1, a .install field containing a destination
filepath can use ../ to reach a parent directory. (CVE-2026-41082)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35405
• https://lists.debian.org/debian-security-announce/2026/msg00126.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41082

SRPMS

9/core

• opam-2.1.3-1.1.mga9