# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-23T11:15:34Z

## [3.7] aria2: Metadata and potential password leak (CVE-2019-3500)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9900
Author: Alicha CH. Updated: 2019-07-23T11:15:34Z.

aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic
Authentication username and password in a file,
which might allow local users to obtain sensitive information by reading
this file.
### References:
https://github.com/aria2/aria2/issues/1329
https://nvd.nist.gov/vuln/detail/CVE-2019-3500
### Patch:
https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a
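A check for the leak described above, added here as an example (it is not aria2's code and the log lines are not aria2's real output format, only the shape a leaked header would take): it scans a log for Authorization: Basic headers, decodes them to show which account leaked without re-printing the secret, and reports whether the file is readable by other local users. The sample lines are constructed.

```python
import base64
import os
import re
import stat

# HTTP Basic credentials travel as base64("user:password") in one header.
BASIC_RE = re.compile(r'Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)

# Constructed log excerpt in the style of an HTTP client debug log; it is not
# real aria2 output, only the shape a leaked request header would take.
SAMPLE_LOG = """\
2019-01-23 10:00:01.123 [NOTICE] Downloading 1 item(s)
2019-01-23 10:00:01.456 [DEBUG] > GET /private/file.iso HTTP/1.1
2019-01-23 10:00:01.456 [DEBUG] > Authorization: Basic YWxpY2U6aHVudGVyMg==
2019-01-23 10:00:01.789 [DEBUG] < HTTP/1.1 200 OK
"""


def find_basic_credentials(text):
    """Return (line number, username, masked password) for every leaked header."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in BASIC_RE.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True).decode('utf-8', 'replace')
            except ValueError:          # binascii.Error is a ValueError subclass
                continue
            user, _, password = decoded.partition(':')
            # Never re-emit the secret: report only the account and the length.
            findings.append((lineno, user, '*' * len(password)))
    return findings


def readable_by_others(path):
    """True when group or other can read the file (the local-user exposure)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_log(path):
    """Run both checks against a log file on disk."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        leaks = find_basic_credentials(fh.read())
    return {'leaks': leaks, 'readable_by_others': readable_by_others(path)}


if __name__ == '__main__':
    for lineno, user, masked in find_basic_credentials(SAMPLE_LOG):
        print('line %d: Basic credentials for %r (%s)' % (lineno, user, masked))
```

If a log does turn out to hold credentials, rotating the password matters more than deleting the file: any local user able to read it may already have done so.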
*(from redmine: issue id 9900, created on 2019-01-23, closed on 2019-02-14)*
* Changesets:
* Revision c9121abaed924fada67919adf76a978f6e160b87 on 2019-01-31T13:18:36Z:
```
main/aria2: security fix (CVE-2019-3500)
Fixes #9900
```
Milestone: 3.7.2. Assignee: Natanael Copa. Created: 2019-01-23.

## [3.7] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10006
Author: Alicha CH. Updated: 2019-07-23T11:14:23Z.

A vulnerability was found in Django before versions 2.2b1, 2.1.6,
2.0.11, 1.11.19. If django.utils.numberformat.format(), used by
contrib.admin as well as the floatformat, filesizeformat, and
intcomma template filters, received a Decimal with a large number of
digits or a large exponent, it could lead to significant memory usage
due to a call to '{:f}'.format(). To avoid this, decimals with more than
200 digits are now formatted using scientific notation.
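The mitigation described above, as an added example (this is not Django's numberformat code): the formatter estimates how long the plain expansion would be from the Decimal's digit count and exponent, and switches to scientific notation past the 200-digit threshold, so '{:f}'.format() is never asked to materialise a string of a million characters for a ten-character input. The hostile inputs are constructed.

```python
from decimal import Decimal

# Threshold from the advisory: more than 200 digits switches to scientific notation.
MAX_PLAIN_DIGITS = 200


def expanded_length(number):
    """Upper bound on the characters '{:f}'.format(number) has to produce.

    as_tuple() yields the coefficient digits and the base-10 exponent; the
    plain expansion needs about len(digits) + |exponent| characters whatever
    the exponent's sign (positive: trailing zeros; negative: leading zeros).
    """
    number = Decimal(number)
    _sign, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def format_decimal(number):
    """Plain notation for ordinary values, scientific once the expansion is huge.

    Mirrors the mitigation the advisory describes; it is not Django's own code.
    """
    number = Decimal(number)
    if expanded_length(number) > MAX_PLAIN_DIGITS:
        # Cost of '{:e}' depends on the coefficient only, not on the exponent.
        return '{:e}'.format(number)
    return '{:f}'.format(number)


def vulnerable_format(number):
    """Pre-fix behaviour: always expand, so the cost is set by the exponent."""
    return '{:f}'.format(Decimal(number))


if __name__ == '__main__':
    print(format_decimal('1234.5'))          # 1234.5
    print(format_decimal('1E+1000000'))      # 1e+1000000
    # Constructed hostile input: 100001 characters of output for a 10-character
    # string; raise the exponent further and the plain path exhausts memory.
    print(len(vulnerable_format('1E+100000')))
```

Decimal('1E+1000000') is a legal value, which is why rejecting at parse time is not an option; the formatter has to bound its own output.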
### References:
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2019-6975
*(from redmine: issue id 10006, created on 2019-02-21, closed on 2019-03-05)*
* Relations:
* parent #10002
* Changesets:
* Revision e75dee2587e0366d31527c0c11983372be4f532b on 2019-02-28T14:42:28Z:
```
main/py-django: security upgrade to 1.11.20 (CVE-2019-6975)
Fixes #10006
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] openssh: Multiple vulnerabilities (CVE-2018-20685, CVE-2019-6109, CVE-2019-6111)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9999
Author: Alicha CH. Updated: 2021-07-18T07:23:51Z.

**CVE-2018-20685**: In OpenSSH 7.9, scp.c in the scp client allows
remote SSH servers to bypass intended access restrictions via the
filename of . or an empty filename. The impact is modifying the
permissions of the target directory on the client side.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20685
https://marc.info/?l=oss-security&m=154745764812881&w=2
### Patch:
https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
**CVE-2019-6109**: An issue was discovered in OpenSSH 7.9. Due to
missing character encoding in the progress display, a malicious server
(or Man-in-The-Middle attacker) can employ crafted object names to
manipulate the client output, e.g., by using ANSI control codes to hide
additional files being transferred. This affects
refresh\_progress\_meter() in progressmeter.c.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6109
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
### Patch:
https://github.com/openssh/openssh-portable/commit/8976f1c4b2721c26e878151f52bdf346dfe2d54c
possibly additionally needed:
https://github.com/openssh/openssh-portable/commit/bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
**CVE-2019-6111**: An issue was discovered in OpenSSH 7.9. Due to the
scp implementation being derived from 1983 rcp, the server chooses which
files/directories are sent to the client. However, the scp client only
performs cursory validation of the object name returned (only directory
traversal attacks are prevented). A malicious scp server (or
Man-in-The-Middle attacker) can overwrite arbitrary files in the scp
client target directory. If recursive operation (-r) is performed, the
server can manipulate subdirectories as well (for example, to overwrite
the .ssh/authorized\_keys file).
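The three client-side checks the advisories above call for, as one added example modelled on their descriptions (not OpenSSH's scp.c): the function parses the "C<mode> <size> <name>" header a server sends for each file and rejects names that are ".", empty or contain a slash, names carrying control characters, and names that do not match what the user asked for. The header regex, the requested-path argument and the sample headers are constructed for the example.

```python
import fnmatch
import posixpath
import re

# scp announces each file as "C<mode> <size> <name>\n"; this regex is a
# simplified model of that line, not OpenSSH's parser.
HEADER_RE = re.compile(r'^C([0-7]{4}) (\d+) (.*)$')


class ScpRejected(Exception):
    """Raised when a server-supplied header must not be acted on."""


def parse_header(line):
    """Split a file header into (mode, size, name); reject anything malformed."""
    m = HEADER_RE.match(line.rstrip('\n'))
    if not m:
        raise ScpRejected('malformed file header: %r' % line)
    mode, size, name = m.groups()
    return int(mode, 8), int(size), name


def validate_name(name, requested):
    """Return name if it may be written into the target directory, else raise.

    requested is the remote path (optionally a glob) from the command line.
    """
    # CVE-2018-20685: "." and "" made scp apply the server's mode to the
    # target directory itself; ".." is refused on the same grounds.
    if name in ('', '.', '..'):
        raise ScpRejected('invalid filename %r' % name)
    # The pre-existing check: no path components, so no traversal.
    if '/' in name:
        raise ScpRejected('filename contains a slash: %r' % name)
    # CVE-2019-6109: control characters let the progress meter be rewritten
    # (ESC [ 2 K erases the line), hiding an extra transfer from the user.
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in name):
        raise ScpRejected('filename contains control characters: %r' % name)
    # CVE-2019-6111: the server chooses the name, so insist it matches the
    # request; otherwise "file.txt" is answered with "authorized_keys" and
    # scp -r writes it straight into .ssh/.
    if not fnmatch.fnmatchcase(name, posixpath.basename(requested)):
        raise ScpRejected('server sent %r but %r was requested' % (name, requested))
    return name


def is_acceptable(header_line, requested):
    """True when the header passes every check above."""
    try:
        _mode, _size, name = parse_header(header_line)
        validate_name(name, requested)
        return True
    except ScpRejected:
        return False


if __name__ == '__main__':
    # Constructed headers a hostile server might answer "scp host:file.txt ." with.
    for hdr in ('C0644 12 file.txt\n', 'C0777 0 .\n', 'C0644 5 \n',
                'C0600 400 authorized_keys\n', 'C0644 12 file.txt\x1b[2K\n'):
        verdict = 'accept' if is_acceptable(hdr, 'file.txt') else 'reject'
        print(repr(hdr), '->', verdict)
```

A request such as "*" matches any name, so the match check on its own is weak; the other three checks still apply. Directory headers ("D...") used by -r would need the same treatment, which this model leaves out.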
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6111
### Patch:
https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
*(from redmine: issue id 9999, created on 2019-02-20, closed on 2019-03-05)*
* Relations:
* parent #9995
* Changesets:
* Revision cfa04666c50b8dfbe34b6ac8e6b177add54ce649 on 2019-03-04T15:08:29Z:
```
main/openssh: security fixes
CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
Rebased HPN patch, included upstream patch due regression bug due to CVE-2019-6109 fix
Fixes #9999
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] curl: Multiple vulnerabilities (CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9993
Author: Alicha CH. Updated: 2019-07-23T11:14:39Z.

CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
-----------------------------------------------------
The function handling incoming NTLM type-2 messages
(lib/vauth/ntlm.c:ntlm\_decode\_type2\_target) does not validate
incoming data correctly and is subject to an integer overflow
vulnerability.
Using that overflow, a malicious or broken NTLM server could trick
libcurl to accept a bad length + offset combination that would lead to a
buffer read out-of-bounds.
### Affected versions:
libcurl 7.36.0 to and including 7.63.0
### Not affected versions:
libcurl < 7.36.0 and >= 7.64.0
### References:
https://curl.haxx.se/docs/CVE-2018-16890.html
### Patch:
https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
---------------------------------------------------------
The function creating an outgoing NTLM type-3 header
(lib/vauth/ntlm.c:Curl\_auth\_create\_ntlm\_type3\_message()), generates
the request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed is
implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening.
This output data can grow larger than the local buffer if very large “nt
response” data is extracted from a previous NTLMv2 header provided by
the malicious or broken HTTP server. Such a “large value” needs to be
around 1000 bytes or more. The actual payload data copied to the target
buffer comes from the NTLMv2 type-2 response header.
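Both bounds checks described above (CVE-2018-16890 and CVE-2019-3822), as one added example that is not curl's code: the type-2 target-info offset and length are first checked the way a 32-bit unsigned add in C evaluates them, beside a check that keeps the two quantities apart; then the type-3 size test with unsigned subtraction, which wraps when the nt response is longer than the local buffer. The message layout follows the NTLM type-2 format; the 1024-byte buffer size, the flag value and the sample messages are assumptions for the example.

```python
import struct

NTLMSSP = b'NTLMSSP\x00'
U32 = 0xFFFFFFFF           # mask that mimics C unsigned int arithmetic
TYPE2_HEADER = 48          # fixed part of a type-2 message carrying target info
NTLM_BUFSIZE = 1024        # assumed size of the local type-3 buffer


def build_type2(target_info, info_offset=TYPE2_HEADER, info_len=None):
    """Constructed NTLM type-2 message; offset/len can be forged by the server."""
    if info_len is None:
        info_len = len(target_info)
    msg = bytearray(TYPE2_HEADER)
    msg[0:8] = NTLMSSP
    struct.pack_into('<I', msg, 8, 2)                      # message type 2
    struct.pack_into('<HHI', msg, 12, 0, 0, TYPE2_HEADER)  # target name: empty
    struct.pack_into('<I', msg, 20, 0x00808205)            # negotiate flags (sample)
    msg[24:32] = b'\x11' * 8                               # server challenge (sample)
    struct.pack_into('<HHI', msg, 40, info_len, info_len, info_offset)
    return bytes(msg) + target_info


def target_info_fields(msg):
    """Read (len, offset) of the target-info security buffer at byte 40."""
    if len(msg) < TYPE2_HEADER or not msg.startswith(NTLMSSP):
        raise ValueError('not a type-2 message')
    info_len, _maxlen, info_offset = struct.unpack_from('<HHI', msg, 40)
    return info_len, info_offset


def buggy_type2_accepts(msg):
    """offset + len computed in uint32: a huge offset wraps past the check."""
    info_len, info_offset = target_info_fields(msg)
    end = (info_offset + info_len) & U32
    return info_offset >= TYPE2_HEADER and end <= len(msg)


def safe_type2_accepts(msg):
    """Compare offset and length separately so nothing can overflow."""
    info_len, info_offset = target_info_fields(msg)
    size = len(msg)
    return (TYPE2_HEADER <= info_offset <= size) and info_len <= size - info_offset


def extract_target_info(msg):
    """Return the target-info blob only after the safe check passes."""
    if not safe_type2_accepts(msg):
        raise ValueError('target info out of range')
    info_len, info_offset = target_info_fields(msg)
    return msg[info_offset:info_offset + info_len]


def buggy_type3_fits(size, ntresplen):
    """size < NTLM_BUFSIZE - ntresplen with unsigned subtraction: the right
    side wraps when ntresplen > NTLM_BUFSIZE, so an oversized response 'fits'."""
    return size < ((NTLM_BUFSIZE - ntresplen) & U32)


def safe_type3_fits(size, ntresplen):
    """Refuse the response before doing any arithmetic that could wrap."""
    return ntresplen <= NTLM_BUFSIZE and size < NTLM_BUFSIZE - ntresplen


def sample_messages():
    """(honest, forged): a well-formed message and one with a wrapping offset."""
    honest = build_type2(b'\x02\x00\x04\x00A\x00B\x00\x00\x00\x00\x00')
    forged = build_type2(b'', info_offset=0xFFFFFFF0, info_len=0x20)
    return honest, forged


if __name__ == '__main__':
    honest, forged = sample_messages()
    print(buggy_type2_accepts(honest), safe_type2_accepts(honest))   # True True
    print(buggy_type2_accepts(forged), safe_type2_accepts(forged))   # True False
    print(buggy_type3_fits(64, 1200), safe_type3_fits(64, 1200))     # True False
```

In Python the forged slice simply comes back empty; the C code reads from base + 0xFFFFFFF0, which is the out-of-bounds read the advisory describes.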
### Affected versions:
libcurl 7.36.0 to and including 7.63.0
### Not affected versions:
libcurl < 7.36.0 and >= 7.64.0
### References:
https://curl.haxx.se/docs/CVE-2019-3822.html
### Patch:
https://github.com/curl/curl/commit/86724581b6c
CVE-2019-3823: SMTP end-of-response out-of-bounds read
------------------------------------------------------
If the buffer passed to smtp\_endofresp() isn’t NUL terminated and
contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer. The read
contents will not be returned to the caller.
### Affected versions:
libcurl 7.34.0 to and including 7.63.0
### Not affected versions:
libcurl < 7.34.0
### References:
https://curl.haxx.se/docs/CVE-2019-3823.html
### Patch:
https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
*(from redmine: issue id 9993, created on 2019-02-20, closed on 2019-03-05)*
* Relations:
* parent #9990
* Changesets:
* Revision f7cc724b9adaf1c7da74f14c8664294e44e73e99 on 2019-03-05T08:32:08Z:
```
main/curl: security fixes
CVE-2018-16890, CVE-2019-3822, CVE-2019-3823
Fixes #9993
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] spice: Off-by-one error in array access in spice/server/memslot.c (CVE-2019-3813)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9942
Author: Alicha CH. Updated: 2019-07-23T11:15:03Z.

spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds
read due to an off-by-one error in memslot\_get\_virt. This may lead to a
denial-of-service, or, in the worst case, code-execution by
unauthenticated attackers.
### Fixed In Version:
spice 0.14.2
### References:
https://www.openwall.com/lists/oss-security/2019/01/28/2
*(from redmine: issue id 9942, created on 2019-01-29, closed on 2019-02-14)*
* Relations:
* parent #9939
* Changesets:
* Revision c05d87b3b5549a63d4100ca7a890c0055cca7434 on 2019-01-31T11:24:42Z:
```
main/spice: security fix (CVE-2019-3813)
Fixes #9942
Disable test-qxl-parsing failing on armv7 and ppc64le due to CVE fix
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] wavpack: Multiple vulnerabilities (CVE-2018-19840, CVE-2018-19841)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9917
Author: Alicha CH. Updated: 2019-07-23T11:15:21Z.

**CVE-2018-19840**: The function WavpackPackInit in pack\_utils.c in
libwavpack.a in WavPack through 5.1.0 allows attackers to cause a
denial-of-service (resource exhaustion caused by an infinite loop) via a
crafted wav audio file because WavpackSetConfiguration64 mishandles a
sample rate of zero.
### References:
https://github.com/dbry/WavPack/issues/53
### Patch:
https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51
**CVE-2018-19841**: The function WavpackVerifySingleBlock in
open\_utils.c in libwavpack.a in WavPack through 5.1.0 allows
attackers to cause a denial-of-service (out-of-bounds read and
application crash) via a crafted WavPack Lossless Audio file,
as demonstrated by wvunpack.
### References:
https://github.com/dbry/WavPack/issues/54
### Patch:
https://github.com/dbry/WavPack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b
*(from redmine: issue id 9917, created on 2019-01-25, closed on 2019-02-14)*
* Relations:
* parent #9914
* Changesets:
* Revision b5b80b2b87d036148c7314cd653d8cf8f57c9556 on 2019-01-31T13:07:48Z:
```
main/wavpack: security fixes (CVE-2018-19840, CVE-2018-19841)
Fixes #9917
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] zeromq: Integer overflow in zmq::v2_decoder_t::size_ready (CVE-2019-6250)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9878
Author: Alicha CH. Updated: 2019-07-23T11:15:49Z.

A pointer overflow, with code execution, was discovered in ZeroMQ libzmq
(aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2\_decoder.cpp
zmq::v2\_decoder\_t::size\_ready integer overflow allows an
authenticated attacker to overwrite an arbitrary amount of bytes beyond
the bounds of a buffer, which can be leveraged to run arbitrary code on
the target system. The memory layout allows the attacker to inject OS
commands into a data structure located immediately after the problematic
buffer (i.e., it is not necessary to use a typical buffer-overflow
exploitation technique that changes the flow of control).
### References:
https://github.com/zeromq/libzmq/releases/tag/v4.3.1
https://nvd.nist.gov/vuln/detail/CVE-2019-6250
### Patch:
https://github.com/zeromq/libzmq/pull/3353/commits/1a2ed12716693073032d57dac4e269df3d373751
*(from redmine: issue id 9878, created on 2019-01-21, closed on 2019-02-14)*
* Relations:
* parent #9875
* Changesets:
* Revision 9ee02b0dc1aa3d52466d89e31d5dcfc346ffed8b on 2019-02-04T11:21:52Z:
```
main/zeromq: upgrade to 4.2.5, security fix (CVE-2019-6250)
Fixes #9878
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] py-openssl: Multiple vulnerabilities (CVE-2018-1000807, CVE-2018-1000808)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9867
Author: Alicha CH. Updated: 2019-07-23T11:15:56Z.

CVE-2018-1000807: Use-after-free in X509 object handling
--------------------------------------------------------
Python Cryptographic Authority pyopenssl version before 17.5.0 has a
use-after-free vulnerability in X509 object handling. This can result in
a denial of service or potentially even code execution.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000807
### Patch:
https://github.com/pyca/pyopenssl/pull/723
CVE-2018-1000808: Failure to release memory before removing last reference in PKCS \#12 Store
---------------------------------------------------------------------------------------------
Python Cryptographic Authority pyopenssl version before 17.5.0 fails to
release memory before removing the last reference in a PKCS \#12 Store.
This can result in a denial of service if memory runs low or is exhausted.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000808
### Patch:
https://github.com/pyca/pyopenssl/pull/723
*(from redmine: issue id 9867, created on 2019-01-18, closed on 2019-01-18)*
* Relations:
* parent #9865
* Changesets:
* Revision 2b8672c5739e3b151e3dd2ca6188ac16c26cfbf1 by Natanael Copa on 2019-01-18T16:20:56Z:
```
main/py-openssl: security upgrade to 17.5.0
CVE-2018-1000807, CVE-2018-1000808
fixes #9867
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] tinc: Multiple issues (CVE-2018-16737, CVE-2018-16738, CVE-2018-16758)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9841
Author: Alicha CH. Updated: 2019-07-23T11:16:17Z.

**CVE-2018-16737**: tinc 1.0.29 and earlier allow an oracle attack that
could allow a remote attacker to establish one-way communication
with a tinc node, allowing it to send fake control messages and inject
packets into the VPN. The attack takes only a few seconds to complete.
Tinc 1.1pre14 and earlier allow the same attack if they are configured
to allow connections from nodes using the legacy 1.0.x protocol.
### Fixed In Version:
tinc 1.0.35
### References:
https://www.tinc-vpn.org/security/
### Patch:
http://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a
**CVE-2018-16738**: tinc 1.0.30 through 1.0.34 has a broken
authentication protocol, although there is a partial mitigation.
### Fixed In Version:
tinc 1.0.35
### References:
https://www.tinc-vpn.org/security/
### Patch:
https://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a
**CVE-2018-16758**: Missing message authentication in the meta-protocol
in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack
to disable the encryption of VPN packets.
### Fixed In Version:
tinc 1.0.35
### References:
https://www.tinc-vpn.org/security/
### Patch:
https://www.tinc-vpn.org/git/browse?p=tinc;a=patch;h=e97943b7cc9c851ae36f5a41e2b6102faa74193f
*(from redmine: issue id 9841, created on 2019-01-10, closed on 2019-02-19)*
* Relations:
* parent #9839
* Changesets:
* Revision 4bae97cf753480617c190b18324ad04d705294b6 on 2019-02-04T08:27:08Z:
```
main/tinc: security upgrade 1.0.35
CVE-2018-16738, CVE-2018-16758
Fixes #9841
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9835
Author: Alicha CH. Updated: 2020-01-18T00:12:52Z.

Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to
content spoofing via a crafted URL in the default 404 page. An attacker
could craft a malicious URL that makes spoofed content appear on the
default page generated by the django.views.defaults.page\_not\_found()
view.
### Fixed In Version:
python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
### References:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
### Patch:
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a
*(from redmine: issue id 9835, created on 2019-01-09, closed on 2019-02-19)*
* Relations:
* parent #9832
* Changesets:
* Revision efea0b2841657c90aec0a76835d84fbc2ed2cfb9 on 2019-02-04T11:27:46Z:
```
main/py-django: security upgrade to 1.11.18 (CVE-2019-3498)
Fixes #9835
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] krb5: Ignore password attributes for S4U2Self requests (CVE-2018-20217)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9804
Author: Alicha CH. Updated: 2019-07-23T11:16:49Z.

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20217
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763
### Patch:
https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086
*(from redmine: issue id 9804, created on 2018-12-27, closed on 2019-01-09)*
* Relations:
* parent #9801
* Changesets:
* Revision 5cfdd452b362cbbfe18efc625b108a7e89d86765 on 2019-01-07T08:03:07Z:
```
main/krb5: upgrade to 1.15.4, security fix for CVE-2018-20217
Fixes #9804
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] mariadb: Multiple vulnerabilities (CVE-2016-9843, CVE-2018-2755, CVE-2018-2761, CVE-2018-2766, CVE…, CVE-2018-3251, CVE-2018-3282)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9789
Author: Alicha CH. Updated: 2019-07-23T11:17:05Z.

Fixed in MariaDB 10.1.33: CVE-2018-2755, CVE-2018-2761, CVE-2018-2766,
CVE-2018-2767, CVE-2018-2771, CVE-2018-2781, CVE-2018-2782, CVE-2018-2784,
CVE-2018-2787, CVE-2018-2813, CVE-2018-2817, CVE-2018-2819, CVE-2018-3081

Fixed in MariaDB 10.1.35: CVE-2018-3058, CVE-2018-3063, CVE-2018-3064,
CVE-2018-3066

Fixed in MariaDB 10.1.37: CVE-2016-9843, CVE-2018-3143, CVE-2018-3156,
CVE-2018-3174, CVE-2018-3251, CVE-2018-3282
### References:
https://mariadb.com/kb/en/library/mariadb-10133-release-notes/
https://mariadb.com/kb/en/library/mariadb-10135-release-notes/
https://mariadb.com/kb/en/library/mariadb-10137-release-notes/
*(from redmine: issue id 9789, created on 2018-12-25, closed on 2019-02-19)*
* Relations:
* parent #9787
* Changesets:
* Revision ad3cd4ee72556149a46fca74da139cc7424bc58a on 2019-02-04T13:09:36Z:
```
main/mariadb: security upgrade to 10.1.37
CVE-2016-9843, CVE-2018-2755, CVE-2018-2761, CVE-2018-2766, CVE-2018-2767,
CVE-2018-2771, CVE-2018-2781, CVE-2018-2782, CVE-2018-2784, CVE-2018-2787,
CVE-2018-2813, CVE-2018-2817, CVE-2018-2819, CVE-2018-3058, CVE-2018-3060,
CVE-2018-3063, CVE-2018-3064, CVE-2018-3066, CVE-2018-3081, CVE-2018-3143,
CVE-2018-3156, CVE-2018-3162, CVE-2018-3173, CVE-2018-3174, CVE-2018-3185,
CVE-2018-3200, CVE-2018-3251, CVE-2018-3277, CVE-2018-3282, CVE-2018-3284
Remove upstreamed patch, fix libressl detection
Fixes #9789
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] cups: Predictable session cookie breaks CSRF protection (CVE-2018-4700)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9760
Author: Alicha CH. Updated: 2019-07-23T11:17:27Z.

A flaw was found in the CUPS printing server. Insufficient randomness
makes session cookies predictable, breaking CSRF protection.
### References:
https://security-tracker.debian.org/tracker/CVE-2018-4700
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915909
### Patch:
https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c
(2.2.10)
*(from redmine: issue id 9760, created on 2018-12-12, closed on 2019-02-19)*
* Relations:
* parent #9757
* Changesets:
* Revision 2f186b4a430de0eab78872fa2d1b61c3d32d45d2 on 2019-02-04T13:42:39Z:
```
main/cups: security upgrade to 2.2.10 (CVE-2018-4700)
Fixes #9760
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass (CVE-2018-19788)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9755
Author: Alicha CH. Updated: 2019-07-23T11:17:32Z.

A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with
a uid greater than INT\_MAX to successfully execute any systemctl command.
### References:
https://gitlab.freedesktop.org/polkit/polkit/issues/74
https://nvd.nist.gov/vuln/detail/CVE-2018-19788
### Patches:
https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc
https://gitlab.freedesktop.org/zbyszek/polkit/commit/7c8c3abdedbb991a69bc5f1ab0f96576958b55de
*(from redmine: issue id 9755, created on 2018-12-12, closed on 2019-03-05)*
* Relations:
* parent #9752
* Changesets:
* Revision 0b52876162f2412968ff130fbb6ab254a1afad01 by Natanael Copa on 2019-03-05T09:02:42Z:
```
main/polkit: security fix (CVE-2018-19788)
Fixes #9755
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] perl: Multiple vulnerabilities (CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-18314)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9729
Author: Alicha CH. Updated: 2019-07-23T11:17:45Z.

CVE-2018-18311: Integer overflow leading to buffer overflow
-----------------------------------------------------------
A flaw was found in Perl versions 5.8.0 through 5.28: an integer
overflow leading to a buffer overflow in the Perl\_my\_setenv function
in util.c.
### Fixed In Version:
perl 5.29.1, perl 5.26.3
### References:
https://rt.perl.org/Public/Bug/Display.html?id=133204
### Patch:
https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
Introduced by:
https://perl5.git.perl.org/perl.git/commitdiff/e658793210bbe632a5e80a876acfcd0984c46b87
CVE-2018-18312: Heap-buffer-overflow write / reg\_node overrun
--------------------------------------------------------------
A flaw was found in Perl versions 5.18 through 5.26: a heap-buffer-overflow
write / reg\_node overrun.
### Fixed In Version:
perl 5.26.3, perl 5.28.1
### References:
https://rt.perl.org/Ticket/Display.html?id=133423
https://security-tracker.debian.org/tracker/CVE-2018-18312
CVE-2018-18313: Heap-buffer-overflow read in regcomp.c
------------------------------------------------------
A flaw was found in Perl versions 5.22 through 5.26: a heap-buffer-overflow
read in regcomp.c.
### Fixed In Version:
perl 5.26.3, perl 5.28.1
### References:
https://rt.perl.org/Public/Bug/Display.html?id=133192
### Patch:
https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62
CVE-2018-18314: Heap-based buffer overflow
------------------------------------------
A flaw was found in Perl versions 5.18 through 5.28: a heap-based buffer
overflow.
### Fixed In Version:
perl 5.26.3, perl 5.28.1
### References:
https://rt.perl.org/Public/Bug/Display.html?id=131649
### Patch:
https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f
*(from redmine: issue id 9729, created on 2018-12-04, closed on 2018-12-06)*
* Relations:
* parent #9726
* Changesets:
* Revision 55ef7390a919f51a4513e6f52ba67eae681fd66e by Natanael Copa on 2018-12-04T14:47:51Z:
```
main/perl: security upgrade to 5.26.3
CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-18314
fixes #9729
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] git: Improper handling of PATH allows commands to be executed from the current directory (CVE-2018-19486)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9712
Author: Alicha CH. Updated: 2019-07-23T11:18:01Z.

Git before 2.19.2 on Linux and UNIX executes commands from the current
working directory (as if '.' were at the end of $PATH) in certain
cases involving the run\_command() API and run-command.c, because there
was a dangerous change from execvp to execv during 2017.
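The failure mode above, as an added example (not git's run-command.c): two resolvers for a bare command name, one that falls back to the working directory when PATH yields nothing, which is the behaviour the advisory describes, and one that refuses to, exercised against a temporary directory standing in for a cloned repository that carries an attacker-planted executable. The helper name "ssh-helper" and the directory layout are constructed for the example.

```python
import os
import stat
import tempfile


def _executable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def search_path(cmd, path):
    """Plain PATH lookup. Empty entries (which POSIX treats as the current
    directory) are skipped on purpose."""
    for entry in path.split(os.pathsep):
        if entry and _executable(os.path.join(entry, cmd)):
            return os.path.join(entry, cmd)
    return None


def buggy_resolve(cmd, path, cwd):
    """PATH first, then the working directory: the CVE-2018-19486 behaviour."""
    found = search_path(cmd, path)
    if found is None and _executable(os.path.join(cwd, cmd)):
        return os.path.join(cwd, cmd)
    return found


def fixed_resolve(cmd, path, cwd):
    """PATH only; a helper missing from PATH is an error, never a cwd lookup."""
    return search_path(cmd, path)


def demo():
    """Constructed scenario: the checkout contains an executable named like a
    helper git would run, and PATH points at a directory that lacks it.
    Returns (buggy resolver picked the planted file, fixed resolver's answer)."""
    with tempfile.TemporaryDirectory() as repo, tempfile.TemporaryDirectory() as bindir:
        planted = os.path.join(repo, 'ssh-helper')
        with open(planted, 'w') as fh:
            fh.write('#!/bin/sh\necho pwned\n')
        os.chmod(planted, os.stat(planted).st_mode | stat.S_IXUSR)
        buggy = buggy_resolve('ssh-helper', bindir, repo)
        fixed = fixed_resolve('ssh-helper', bindir, repo)
        return buggy == planted, fixed


if __name__ == '__main__':
    print(demo())   # (True, None): only the buggy resolver would run the planted file
```

The attacker never needs to alter PATH: a file of the right name inside the repository is enough, which is what makes a fallback to the working directory dangerous for any tool that runs helpers from inside untrusted checkouts.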
### Fixed In Version:
git 2.19.2
### References:
https://git.kernel.org/pub/scm/git/git.git/tree/Documentation/RelNotes/2.19.2.txt
https://nvd.nist.gov/vuln/detail/CVE-2018-19486
### Patch:
Fixed by:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=321fd82389742398d2924640ce3a61791fd27d60
Introduced by:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e3a434468fecca7c14a6bef32050dfa60534fde6
*(from redmine: issue id 9712, created on 2018-11-29, closed on 2018-12-04)*
* Relations:
* parent #9710
* Changesets:
* Revision 4f5598e37777d626dcab46970b984f4e07e56135 by Natanael Copa on 2018-11-30T11:16:10Z:
```
main/git: security fix (CVE-2018-19486)
fixes #9712
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] samba: Multiple vulnerabilities (CVE-2018-14629, CVE-2018-16841, CVE-2018-16851)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9708
Author: Alicha CH. Updated: 2019-07-23T11:18:04Z.

CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server
------------------------------------------------------------------------------------------
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any DNS record can be added via
LDAP by an unprivileged user using the ldbadd tool, so this is a
security issue.
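An audit for the condition above, added here as an example (not Samba's DNS server code): given a zone dump as name -> records, it walks every CNAME chain with a visited list and reports each distinct cycle, and a bounded resolver shows how a server has to stop instead of recursing forever. The zone contents are constructed; the chain limit of 16 is an assumption.

```python
# Constructed zone dump: name -> list of (type, value). The www/web pair is the
# CNAME loop an unprivileged user could add; mail/mx is a healthy chain.
ZONE = {
    'www.example.com.': [('CNAME', 'web.example.com.')],
    'web.example.com.': [('CNAME', 'www.example.com.')],
    'mail.example.com.': [('CNAME', 'mx.example.com.')],
    'mx.example.com.': [('A', '192.0.2.10')],
}

MAX_CNAME_CHAIN = 16   # assumed hop limit; real servers use a similarly small bound


class CnameLoop(Exception):
    """Raised by the resolver instead of following the chain forever."""


def cname_targets(zone, name):
    return [value for rtype, value in zone.get(name, []) if rtype == 'CNAME']


def resolve(zone, name, qtype='A'):
    """Follow CNAMEs to an answer of qtype, refusing cycles and long chains."""
    seen = []
    while True:
        if name in seen:
            raise CnameLoop(' -> '.join(seen + [name]))
        if len(seen) >= MAX_CNAME_CHAIN:
            raise CnameLoop('chain longer than %d' % MAX_CNAME_CHAIN)
        seen.append(name)
        answers = [v for t, v in zone.get(name, []) if t == qtype]
        if answers:
            return answers
        targets = cname_targets(zone, name)
        if not targets:
            return []
        name = targets[0]


def find_cname_loops(zone):
    """List every distinct CNAME cycle in the zone as the names it visits."""
    loops, reported = [], set()
    for start in zone:
        seen, name = [start], start
        while True:
            targets = cname_targets(zone, name)
            if not targets:
                break
            name = targets[0]
            if name in seen:
                cycle = seen[seen.index(name):] + [name]
                key = frozenset(cycle)
                if key not in reported:
                    reported.add(key)
                    loops.append(cycle)
                break
            seen.append(name)
    return loops


def resolves_cleanly(zone, name):
    """True when a lookup terminates, loop or not."""
    try:
        resolve(zone, name)
        return True
    except CnameLoop:
        return False


if __name__ == '__main__':
    for loop in find_cname_loops(ZONE):
        print('CNAME loop:', ' -> '.join(loop))
    print(resolve(ZONE, 'mail.example.com.'))   # ['192.0.2.10']
```

On a live AD DC the same walk can be run over the DNS partition exported with an LDAP search for dnsNode objects; the visited-list logic does not change.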
### Fixed In Version:
Samba 4.7.12, 4.8.7, and 4.9.3
### References:
https://www.samba.org/samba/security/CVE-2018-14629.html
https://www.samba.org/samba/history/security.html
CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT
----------------------------------------------------------
A flaw was found in Samba versions from 4.3.0. When configured to accept
smart-card authentication, Samba’s KDC will call talloc\_free() twice on
the same memory if the principal in a validly signed certificate does not
match the principal in the AS-REQ. This is only possible after
authentication with a trusted certificate. This could result in a denial
of service attack.
### Fixed In Version:
Samba 4.7.12, 4.8.7 and 4.9.3
### References:
https://www.samba.org/samba/security/CVE-2018-16841.html
https://www.samba.org/samba/history/security.html
CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server
--------------------------------------------------------------------
A flaw was found in Samba versions from 4.0.0. During the processing of
an LDAP search, before Samba’s AD DC returns the LDAP entries to the
client, the entries are cached in a single memory object with a maximum
size of 256MB. When this size is reached, the Samba process providing the
LDAP service will follow the NULL pointer, terminating the process. This
can lead to a denial of service attack.
### Fixed In Version:
Samba 4.7.12, 4.8.7 and 4.9.3
### References:
https://www.samba.org/samba/security/CVE-2018-16851.html
https://www.samba.org/samba/history/security.html
*(from redmine: issue id 9708, created on 2018-11-28, closed on 2019-02-19)*
* Relations:
* parent #9705
* Changesets:
* Revision f7ba3ea2bf6a0f6310a8526c95d88f7986735f8c on 2019-02-04T15:01:47Z:
```
main/samba: security fixes
CVE-2018-14629, CVE-2018-16841, CVE-2018-16851
Fixes #9708
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] libmspack: Multiple vulnerabilities (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9665
Author: Alicha CH. Updated: 2019-07-23T11:18:39Z.

CVE-2018-18584: A CAB file with a Quantum-compressed block of exactly 38912 bytes will write one byte beyond the end of the input buffer
----------------------------------------------------------------------------------------------------------------------------------------
In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8,
the CAB block input buffer is one byte too small for the maximal Quantum
block, leading to an out-of-bounds write.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18584
### Patch:
https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2
CVE-2018-18585: CHM files with blank filenames (by having embedded nulls) are allowed, which trips up clients that expect non-blank filenames
---------------------------------------------------------------------------------------------------------------------------------------------
chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha
accepts a filename that has '\0' as its first or second character
(such as the "/\0" name).
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18585
### Patch:
https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f
CVE-2018-18586: chmextract makes no attempt to protect you from relative/absolute paths in CHM filenames
--------------------------------------------------------------------------------------------------------
DISPUTED chmextract.c in the chmextract sample program, as distributed
with libmspack before 0.8alpha, does not protect against
absolute/relative pathnames in CHM files, leading to Directory
Traversal. NOTE: the vendor disputes that this is a libmspack
vulnerability, because chmextract.c was only intended as a source-code
example, not a supported application.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18586
### Patch:
https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d
*(from redmine: issue id 9665, created on 2018-11-21, closed on 2018-11-28)*
* Relations:
* parent #9662
* Changesets:
* Revision c9b4a96edd80dfc0ae4bd6d76202612f6bbd42d7 by Natanael Copa on 2018-11-27T12:32:31Z:
```
main/libmspack: security upgrade to 0.8_alpha
CVE-2018-18584, CVE-2018-18585, CVE-2018-18586
fixes #9665
```
3.7.2 Natanael Copa Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9613
[3.7] curl: Multiple vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
2019-07-23T11:18:59Z Alicha CH
CVE-2018-16839: SASL password overflow via integer overflow
-----------------------------------------------------------
The internal function Curl_auth_create_plain_message fails to
correctly verify that the passed in lengths for name and password
aren’t too long, then calculates a buffer size to allocate.
On systems with a 32 bit size_t, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes).
This integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.
### Affected versions:
libcurl 7.33.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.33.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16839.html
### Patch:
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
CVE-2018-16840: use-after-free in handle close
----------------------------------------------
When closing and cleaning up an “easy” handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might then subsequently erroneously write to a struct field
within that already freed struct.
### Affected versions:
libcurl 7.59.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.59.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16840.html
### Patch:
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
CVE-2018-16842: warning message out-of-buffer read
--------------------------------------------------
The command line tool has a generic function for displaying warning and
informational messages to stderr for various
situations. For example if an unknown command line argument is used, or
passed to it in a “config” file.
This display function formats the output to wrap at 80 columns. The wrap
logic is however flawed, so if a single word in the message is itself
longer than 80 bytes
the buffer arithmetic calculates the remainder wrong and will end up
reading behind the end of the buffer. This could lead to information
disclosure or crash.
### Reference:
https://curl.haxx.se/docs/CVE-2018-16842.html
### Patch:
https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211
*(from redmine: issue id 9613, created on 2018-11-01, closed on 2018-11-08)*
* Relations:
* parent #9610
* Changesets:
* Revision 45a890319c9dae0764956a1cde0508ea76d5a6d4 on 2018-11-06T14:35:40Z:
```
main/curl: security fixes
(CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
Fixes #9613
```
3.7.2 Natanael Copa Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9599
[3.7] xorg-server: Incorrect permission check in Xorg X server allows for privilege escalation (CVE-2018-14665)
2019-07-23T11:19:13Z Alicha CH
A flaw was found in xorg-x11-server before 1.20.3. An incorrect
permission check for -modulepath and -logfile options when
starting Xorg. X server allows unprivileged users with the ability to
log in to the system via physical console to escalate their
privileges and run arbitrary code under root privileges.
### Fixed In Version:
xorg-server 1.20.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
https://marc.info/?l=oss-security&m=154047832307726&w=2
### Patch:
Introduced by:
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7d04d47814a5b3a9fdd162249fea74c
(1.19.0)
Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e
*(from redmine: issue id 9599, created on 2018-10-29, closed on 2018-10-30)*
* Relations:
* parent #9596
* Changesets:
* Revision 200ed130cd6de4484176410175e321c8dfc55f09 by Natanael Copa on 2018-10-29T18:34:51Z:
```
main/xorg-server: security fix (CVE-2018-14665)
fixes #9599
```
3.7.2 Natanael Copa Natanael Copa