# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Feed updated: 2019-07-23T11:16:00Z

## [3.9] irssi: Use-after-free when hidden lines were expired from the scroll (CVE-2019-5882)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9863
Author: Alicha CH. Updated: 2019-07-23T11:16:00Z

Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are
expired
from the scroll buffer.
### Fixed In Version:
Irssi 1.1.2
### References:
https://irssi.org/security/irssi_sa_2019_01.txt
https://www.openwall.com/lists/oss-security/2019/01/10/1
*(from redmine: issue id 9863, created on 2019-01-17, closed on 2019-01-18)*
* Relations:
* parent #9862
* Changesets:
* Revision c4e35c92e1389de8f3e842a194ec98a50a96e219 by Natanael Copa on 2019-01-17T15:13:04Z:
```
main/irssi: security upgrade to 1.1.2 (CVE-2019-5882)
fixes #9863
```
Milestone: 3.9.0. Assignee: Natanael Copa. Due date: 2019-01-17.

## [3.9] keepalived: Multiple vulnerabilities (CVE-2018-19044, CVE-2018-19045, CVE-2018-19046)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9823
Author: Alicha CH. Updated: 2019-07-23T11:16:34Z

**CVE-2018-19044**: keepalived before version 2.0.9 didn't check for
pathnames with symlinks when writing data to a temporary file upon a
call to PrintData or PrintStats. This allowed local users to overwrite
arbitrary files if fs.protected_symlinks is set to 0, as demonstrated
by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to
/etc/passwd.
### Fixed In Version:
keepalived 2.0.9
### References:
https://github.com/acassen/keepalived/issues/1048
http://www.keepalived.org/changelog.html
### Patch:
https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306
**CVE-2018-19045**: keepalived 2.0.8 used mode 0666 when creating new
temporary files upon a call to PrintData
or PrintStats, potentially leaking sensitive information.
### Fixed In Version:
keepalived 2.0.9
### References:
https://github.com/acassen/keepalived/issues/1048
https://nvd.nist.gov/vuln/detail/CVE-2018-19045
### Patches:
https://github.com/acassen/keepalived/commit/5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6
https://github.com/acassen/keepalived/commit/c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067
**CVE-2018-19046**: keepalived before version 2.0.10 didn’t check for
existing plain files when writing data to a temporary file upon a call
to PrintData or PrintStats. If a local attacker had previously created a
file with the expected name (e.g., /tmp/keepalived.data or
/tmp/keepalived.stats), with read access for the attacker and write
access for the keepalived process, then this potentially leaked
sensitive information.
### Fixed In Version:
keepalived 2.0.10
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-19046
https://github.com/acassen/keepalived/issues/1048
### Patches:
https://github.com/acassen/keepalived/commit/ac8e2ef053de273ce7a0cf0cb611e599dca4b298
https://github.com/acassen/keepalived/commit/26c8d6374db33bcfcdcd758b1282f12ceef4b94f
https://github.com/acassen/keepalived/commit/17f944144b3d9c5131569b1cc988cc90fd676671
*(from redmine: issue id 9823, created on 2019-01-02, closed on 2019-01-09)*
* Relations:
* parent #9822
* Changesets:
* Revision d5456c04c54ef1071228fe009595f420a2dd7e42 on 2019-01-08T11:02:05Z:
```
community/keepalived: security upgrade to 2.0.11
CVE-2018-19044, CVE-2018-19045, CVE-2018-19046
Fixes #9823
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] krb5: Ignore password attributes for S4U2Self requests (CVE-2018-20217)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9802
Author: Alicha CH. Updated: 2019-07-23T11:16:51Z

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket
using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20217
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763
### Patch:
https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086
*(from redmine: issue id 9802, created on 2018-12-27, closed on 2019-01-09)*
* Relations:
* parent #9801
* Changesets:
* Revision bd4ce5b0529e8f12a984bdfd4d231664a613454a on 2019-01-07T07:52:42Z:
```
main/krb5: upgrade to 1.15.4, security fix for CVE-2018-20217
Fixes #9802
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## init.d/urandom: increase saved entropy
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9777
Author: Steffen Nurpmeso. Updated: 2019-07-23T11:17:15Z

My startup (whether on real hardware or my server VM) currently involves
long hangs of sshd, and warnings on uninitialized random reads by
dnsmasq.
When I look into init.d/urandom I see mysterious calculations which
result in 512 bytes to be saved for restoring purposes, and I wonder why
this is so.
I would assume that the kernel passes data fed in to seed the PRNG
through (possibly even multiple) sophisticated algorithms, and uses
conservative guessing on the quality of bytes fed into urandom.
Hence my suggestion to increase the number of bytes saved in between
reboots, e.g., like so (untested):
```
save_seed()
{
	local ibs=1024
	# use the kernel's reported pool size as the amount to save, if available
	if [ -e /proc/sys/kernel/random/poolsize ]; then
		ibs=$(cat /proc/sys/kernel/random/poolsize)
	fi
	( # sub shell to prevent umask pollution
	umask 077
	# $urandom_seed is the seed file path defined elsewhere in the init script
	dd if=/dev/urandom of="$urandom_seed" \
		ibs=$ibs count=1 2>/dev/null
	)
}
```
*(from redmine: issue id 9777, created on 2018-12-19, closed on 2019-01-08)*
Milestone: 3.9.0. Assignee: Natanael Copa.

## Qemu Guest Agent can't shut down Alpine
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9774
Author: Adam Crowder. Updated: 2019-07-23T11:17:16Z

Because Alpine doesn't use posix shutdown, the Qemu Guest Agent is
unable to perform a system shutdown (as it is hardcoded to use
/sbin/shutdown)
A patch needs to be made for qga/commands-posix.c (from the qemu source)
which modifies the qmp_guest_shutdown function to shutdown alpine
(with /sbin/poweroff) appropriately.
*(from redmine: issue id 9774, created on 2018-12-19, closed on 2018-12-25)*
* Changesets:
* Revision 76b81b486480fd9c3294cd420bcf2df01c27790d by Natanael Copa on 2018-12-20T16:21:11Z:
```
main/qemu: fix shutdown from guest agent
we dont have /sbin/shutdown so provide a fallback to the busybox
/sbin/poweroff, /sbin/halt and /sbin/reboot.
fixes #9774
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] wireshark: Multiple vulnerabilities (CVE-2018-19622, CVE-2018-19623, CVE-2018-19624, CVE-2018-19625, CVE-2018-19626, CVE-2018-19627, CVE-2018-19628)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9763
Author: Alicha CH. Updated: 2019-07-23T11:17:23Z

### CVE-2018-19622: MMSE dissector infinite loop
Affected versions: 2.6.0 to 2.6.4, 2.4.0 to 2.4.10
Fixed versions: 2.6.5, 2.4.11
### References:
https://www.wireshark.org/security/wnpa-sec-2018-54.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15250
### CVE-2018-19623: LBMPDM dissector crash
Affected versions: 2.6.0 to 2.6.4, 2.4.0 to 2.4.10
Fixed versions: 2.6.5, 2.4.11
### References:
https://www.wireshark.org/security/wnpa-sec-2018-53.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15132
### CVE-2018-19624: PVFS dissector crash
Affected versions: 2.6.0 to 2.6.4, 2.4.0 to 2.4.10
Fixed versions: 2.6.5, 2.4.11
### References:
https://www.wireshark.org/security/wnpa-sec-2018-56.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15280
### CVE-2018-19625: Wireshark dissection engine crash
Affected versions: 2.6.0 to 2.6.4, 2.4.0 to 2.4.10
Fixed versions: 2.6.5, 2.4.11
### References:
https://www.wireshark.org/security/wnpa-sec-2018-51.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14466
### CVE-2018-19626: DCOM dissector crash
Affected versions: 2.6.0 to 2.6.4, 2.4.0 to 2.4.10
Fixed versions: 2.6.5, 2.4.11
### References:
https://www.wireshark.org/security/wnpa-sec-2018-52.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15130
### CVE-2018-19627: IxVeriWave file parser crash
Affected versions: 2.6.0 to 2.6.4, 2.4.0 to 2.4.10
Fixed versions: 2.6.5, 2.4.11
### References:
https://www.wireshark.org/security/wnpa-sec-2018-55.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15279
### CVE-2018-19628: ZigBee ZCL dissector crash
Affected versions: 2.6.0 to 2.6.4
Fixed versions: 2.6.5
### References:
https://www.wireshark.org/security/wnpa-sec-2018-57.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15281
*(from redmine: issue id 9763, created on 2018-12-12, closed on 2019-01-01)*
* Relations:
* parent #9762
* Changesets:
* Revision d0f7f9ff6bb890cdeda8dcc9bce15ad49d4d8205 by Milan P. Stanić on 2019-01-01T08:48:05Z:
```
community/wireshark: security upgrade to 2.6.5
CVE-2018-19622, CVE-2018-19623, CVE-2018-19624, CVE-2018-19625
CVE-2018-19626, CVE-2018-19627, CVE-2018-19628
Fixes #9763
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] perl: Multiple vulnerabilities (CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-18314)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9727
Author: Alicha CH. Updated: 2019-07-23T11:17:48Z

CVE-2018-18311: Integer overflow leading to buffer overflow
-----------------------------------------------------------
A flaw was found in Perl versions 5.8.0 through 5.28: an integer
overflow leading to a buffer overflow
in the Perl_my_setenv function in util.c.
### Fixed In Version:
perl 5.29.1, perl 5.26.3
### Reference:
https://rt.perl.org/Public/Bug/Display.html?id=133204
### Patch:
https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
Introduced by:
https://perl5.git.perl.org/perl.git/commitdiff/e658793210bbe632a5e80a876acfcd0984c46b87
CVE-2018-18312: Heap-buffer-overflow write / reg_node overrun
--------------------------------------------------------------
A flaw was found in Perl versions 5.18 through 5.26: a
heap-buffer-overflow write / reg_node overrun.
### Fixed In Version:
perl 5.26.3, perl 5.28.1
### References:
https://rt.perl.org/Ticket/Display.html?id=133423
https://security-tracker.debian.org/tracker/CVE-2018-18312
CVE-2018-18313: Heap-buffer-overflow read in regcomp.c
------------------------------------------------------
A flaw was found in Perl versions 5.22 through 5.26: a
heap-buffer-overflow read in regcomp.c.
### Fixed In Version:
perl 5.26.3, perl 5.28.1
### Reference:
https://rt.perl.org/Public/Bug/Display.html?id=133192
### Patch:
https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62
CVE-2018-18314: Heap-based buffer overflow
------------------------------------------
A flaw was found in Perl versions 5.18 through 5.28: a heap-based buffer
overflow.
### Fixed In Version:
perl 5.26.3, perl 5.28.1
### Reference:
https://rt.perl.org/Public/Bug/Display.html?id=131649
### Patch:
https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f
*(from redmine: issue id 9727, created on 2018-12-04, closed on 2018-12-06)*
* Relations:
* parent #9726
* Changesets:
* Revision 13074bff64787b9251ec396b8ac6ecd18718d2a0 by Natanael Copa on 2018-12-04T14:46:15Z:
```
main/perl: security upgrade to 5.26.3
CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-18314
fixes #9727
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] roundcubemail: Cross-site Scripting issue in email attachments (CVE-2018-19206)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9696
Author: Alicha CH. Updated: 2019-07-23T11:18:10Z

steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of
`<svg><style>`, as demonstrated by
an onload attribute in a BODY element, within an HTML attachment.
### References:
https://github.com/roundcube/roundcubemail/issues/6410
https://nvd.nist.gov/vuln/detail/CVE-2018-19206
### Patch:
https://github.com/roundcube/roundcubemail/commit/102fbf1169116fef32a940b9fb1738bc45276059
*(from redmine: issue id 9696, created on 2018-11-26, closed on 2018-12-04)*
* Relations:
* parent #9695
* Changesets:
* Revision 1d5dbd01274ff36d9839dac79b36803262c62bfa by Natanael Copa on 2018-11-29T14:42:08Z:
```
community/roundcubemail: security upgrade to 1.3.8 (CVE-2018-19206)
fixes #9696
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] libmspack: Multiple vulnerabilities (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9663
Author: Alicha CH. Updated: 2019-07-23T11:18:41Z

CVE-2018-18584: A CAB file with a Quantum-compressed block of exactly 38912 bytes will write one byte beyond the end of the input buffer
----------------------------------------------------------------------------------------------------------------------------------------
In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8,
the CAB
block input buffer is one byte too small for the maximal Quantum block,
leading to an out-of-bounds write.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18584
### Patch:
https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2
CVE-2018-18585: CHM files with blank filenames (by having embedded nulls) are allowed, which trips up clients that expect non-blank filenames
---------------------------------------------------------------------------------------------------------------------------------------------
chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha
accepts a filename
that has '\0' as its first or second character (such as the "/\0"
name).
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18585
### Patch:
https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f
CVE-2018-18586: chmextract makes no attempt to protect you from relative/absolute paths in CHM filenames
--------------------------------------------------------------------------------------------------------
DISPUTED chmextract.c in the chmextract sample program, as distributed
with libmspack before 0.8alpha, does not protect against
absolute/relative pathnames in CHM files, leading to Directory
Traversal. NOTE: the vendor disputes that this is a libmspack
vulnerability, because chmextract.c was only intended as a source-code
example, not a supported application.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18586
### Patch:
https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d
*(from redmine: issue id 9663, created on 2018-11-21, closed on 2018-11-28)*
* Relations:
* parent #9662
* Changesets:
* Revision 3a49d88a9384e72b92ad518a7f8cf56dfe1c4513 by Natanael Copa on 2018-11-27T12:30:37Z:
```
main/libmspack: security upgrade to 0.8_alpha
CVE-2018-18584, CVE-2018-18585, CVE-2018-18586
fixes #9663
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## Support for xenpci in initramfs so we can build XEN storage driver domains with alpine
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9619
Author: Henrik Riomar. Updated: 2019-07-23T11:18:54Z

Add a new feature to mkinitfs allowing xen-pcifront.ko to be part of
initramfs
PR: https://github.com/alpinelinux/mkinitfs/pull/45
*(from redmine: issue id 9619, created on 2018-11-02, closed on 2019-01-23)*
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] curl: Multiple vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9611
Author: Alicha CH. Updated: 2019-07-23T11:19:01Z

CVE-2018-16839: SASL password overflow via integer overflow
-----------------------------------------------------------
The internal function Curl_auth_create_plain_message fails to
correctly verify that the passed in lengths
for name and password aren’t too long, then calculates a buffer size to
allocate.
On systems with a 32 bit size_t, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes).
This integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.
### Affected versions:
libcurl 7.33.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.33.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16839.html
### Patch:
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
CVE-2018-16840: use-after-free in handle close
----------------------------------------------
When closing and cleaning up an "easy" handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might
then subsequently erroneously write to a struct field within that
already freed struct.
### Affected versions:
libcurl 7.59.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.59.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16840.html
### Patch:
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
CVE-2018-16842: warning message out-of-buffer read
--------------------------------------------------
The command line tool has a generic function for displaying warning and
informational messages to stderr for various
situations. For example if an unknown command line argument is used, or
passed to it in a “config” file.
This display function formats the output to wrap at 80 columns. The wrap
logic is however flawed, so if a single word in the message is itself
longer than 80 bytes
the buffer arithmetic calculates the remainder wrong and will end up
reading behind the end of the buffer. This could lead to information
disclosure or crash.
### Reference:
https://curl.haxx.se/docs/CVE-2018-16842.html
### Patch:
https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211
*(from redmine: issue id 9611, created on 2018-11-01, closed on 2018-11-08)*
* Relations:
* parent #9610
* Changesets:
* Revision 8776c8cc044196f8f87d6fbc51e38dfa0f5aa438 on 2018-11-05T08:17:04Z:
```
main/curl: security upgrade to 7.62.0
CVE-2018-16839, CVE-2018-16840, CVE-2018-16842
Fixes #9611
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] wireshark: Multiple vulnerabilities (CVE-2018-12086, CVE-2018-18225, CVE-2018-18226, CVE-2018-18227)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9602
Author: Alicha CH. Updated: 2019-07-23T11:19:09Z

CVE-2018-12086: OpcUa dissector crash
-------------------------------------
Affected versions: 2.6.0 to 2.6.3, 2.4.0 to 2.4.9
Fixed versions: 2.6.4, 2.4.10
### References:
https://www.wireshark.org/security/wnpa-sec-2018-50.html
CVE-2018-18225: CoAP dissector crash
------------------------------------
Affected versions: 2.6.0 to 2.6.3
Fixed versions: 2.6.4
### References:
https://www.wireshark.org/security/wnpa-sec-2018-49.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172
CVE-2018-18226: Steam IHS Discovery dissector memory leak
---------------------------------------------------------
Affected versions: 2.6.0 to 2.6.3
Fixed versions: 2.6.4
### References:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15171
https://www.wireshark.org/security/wnpa-sec-2018-48.html
CVE-2018-18227: MS-WSP dissector crash
--------------------------------------
Affected versions: 2.6.0 to 2.6.3, 2.4.0 to 2.4.9
Fixed versions: 2.6.4, 2.4.10
### References:
https://www.wireshark.org/security/wnpa-sec-2018-47.html
https://www.wireshark.org/security/wnpa-sec-2018-48.html
*(from redmine: issue id 9602, created on 2018-10-29, closed on 2018-10-30)*
* Relations:
* parent #9601
* Changesets:
* Revision 9f7a391b8a4478f35a1b1f3b3b49a51a820e005e by Natanael Copa on 2018-10-29T17:16:56Z:
```
community/wireshark: security upgrade to 2.6.4
CVE-2018-12086, CVE-2018-18225, CVE-2018-18226, CVE-2018-18227
fixes #9602
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] xorg-server: Incorrect permission check in Xorg X server allows for privilege escalation (CVE-2018-14665)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9597
Author: Alicha CH. Updated: 2019-07-23T11:19:15Z

A flaw was found in xorg-x11-server before 1.20.3. An incorrect
permission check for -modulepath and -logfile options when
starting Xorg. X server allows unprivileged users with the ability to
log in to the system via physical console to escalate their
privileges and run arbitrary code under root privileges.
### Fixed In Version:
xorg-server 1.20.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
https://marc.info/?l=oss-security&m=154047832307726&w=2
### Patch:
Introduced by:
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7d04d47814a5b3a9fdd162249fea74c
(1.19.0)
Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e
*(from redmine: issue id 9597, created on 2018-10-29, closed on 2018-10-30)*
* Relations:
* copied_to #9596
* parent #9596
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] libx11: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9533
Author: Alicha CH. Updated: 2019-07-23T11:20:04Z

CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c
----------------------------------------------------------------------
An issue was discovered in ListExt.c:XListExtensions and
GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious
server can send
a reply in which the first string overflows, causing a variable to be
set to NULL that will be freed later on, leading to DoS (segmentation
fault).
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
CVE-2018-14599: off-by-one error in XListExtensions in ListExt.c
----------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
GetFPath.c:XGetFontPath, ListExt.c:XListExtensions and
FontNames.c:XListFonts are
vulnerable to an off-by-one error when parsing list of strings returned
by malicious server responses, leading to DoS.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
CVE-2018-14600: Out of Bounds write in XListExtensions in ListExt.c
-------------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a
variable as signed instead
of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
leading to DoS or remote code execution.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
*(from redmine: issue id 9533, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9532
* Changesets:
* Revision f673b89cd43dc3fe12a443558e82318ed03fb6ef by Natanael Copa on 2018-10-08T11:49:37Z:
```
main/libx11: security upgrade to 1.6.6
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
fixes #9533
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] libexif: Out-of-bounds heap read in exif_data_save_data_entry function (CVE-2017-7544)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9521
Author: Alicha CH. Updated: 2019-07-23T11:20:12Z

One heap-based out-of-bounds read vulnerability exists in
libexif-0.6.21. When saving the data of an entry tagged with
"EXIF_TAG_MAKER_NOTE" to
a buffer and copying the data of the exif entry, there is a mismatch
between the computed read size of the entry data and the size of the
allocated entry data.
The vulnerability can cause Denial-of-Service, even Information
Disclosure (disclosing some critical heap chunk metadata, even other
applications’ private data).
### References:
https://sourceforge.net/p/libexif/bugs/130/
https://nvd.nist.gov/vuln/detail/CVE-2017-7544
*(from redmine: issue id 9521, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9520
* Changesets:
* Revision 9d34941961856b21028cb4a838a1218a8edf332b on 2018-10-08T13:45:08Z:
```
main/libexif: security fix (CVE-2017-7544)
Fixes #9521
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## Upgrade gnutls to 3.6.4 to support TLS 1.3
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9508
Author: Jonathan Coetzee. Updated: 2019-07-23T11:20:25Z

Gnutls 3.6.4 was released on 24/09/2018 with support for final TLS 1.3
spec, enabled by default
([source](https://lists.gnupg.org/pipermail/gnutls-help/2018-September/004457.html)).
Think it would be a good idea for Alpine 3.9 to pull this in so packages
that depend on it will have support for the improved protocol.
*(from redmine: issue id 9508, created on 2018-10-04, closed on 2019-01-10)*
* Changesets:
* Revision a76c5dbc923991172425263d8952dbe5d6762e99 on 2018-10-14T10:29:16Z:
```
main/gnutls: upgrade to 3.6.4
Fixes #9508
```
* Revision 336d5782ce41d5f07e6fde083d6efc8cfaeaedc5 on 2019-04-12T06:17:35Z:
```
main/gnutls: upgrade to 3.6.4
Fixes #9508
```
Milestone: 3.9.0. Assignee: Natanael Copa.

## [3.9] strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9483
Author: Alicha CH. Updated: 2019-07-23T11:20:40Z

**CVE-2018-16151**: In verify_emsa_pkcs1_signature() in
gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,
the RSA implementation based on GMP does not reject excess data after
the encoded algorithm OID during PKCS#1 v1.5 signature verification.
Similar to the flaw in the same version of strongSwan regarding
digestAlgorithm.parameters, a remote attacker can forge signatures when
small
public exponents are being used, which could lead to impersonation when
only an RSA signature is used for IKEv2 authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://nvd.nist.gov/vuln/detail/CVE-2018-16151
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
**CVE-2018-16152**: In verify_emsa_pkcs1_signature() in
gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,
the RSA implementation based on GMP does not reject excess data in the
digestAlgorithm.parameters field during PKCS#1 v1.5 signature
verification. Consequently, a remote attacker can forge signatures when
small public exponents are being used, which could lead to
impersonation when only an RSA signature is used for IKEv2
authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
*(from redmine: issue id 9483, created on 2018-09-27, closed on 2018-10-04)*
* Relations:
* parent #9482
* Changesets:
* Revision 69cb3c4ebb573f4427b512a8f3ce9f8da6edc356 on 2018-10-02T08:30:00Z:
```
main/strongswan: security upgrade to 5.7.0
- CVE-2018-16151
- CVE-2018-16152
fixes #9483
```
3.9.0 Natanael Copa Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9462
[3.9] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)
2019-07-23T11:20:58Z Alicha CH
In order to provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were.
### Versions affected:
The behavior described is present in all versions of BIND 9 which contain the krb5-subdomain and ms-subdomain update policies prior to our upcoming maintenance releases, BIND 9.11.5 and 9.12.3. However, the misleading documentation is not present in all versions.
### References:
https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11
*(from redmine: issue id 9462, created on 2018-09-25, closed on 2018-12-04)*
* Relations:
* parent #9461
* Changesets:
* Revision 51978afa8a1151a013383d4dfe8297e90c29ff31 by Taner Tas on 2018-11-29T14:47:56Z:
```
main/bind: Upgrade to 9.12.3
* Add "--disable-isc-spnego" to use gss-spnego instead.
fixes #9462
```
3.9.0 Natanael Copa Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9443
[3.9] lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile (CVE-2018-16435)
2019-07-23T11:21:13Z Alicha CH
A flaw was found in Little CMS (aka Little Color Management System) 2.9. An integer overflow in the AllocateDataSet function in cmscgats.c leads to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.
### References:
https://github.com/mm2/Little-CMS/issues/171
https://nvd.nist.gov/vuln/detail/CVE-2018-16435
### Patch:
https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
*(from redmine: issue id 9443, created on 2018-09-21, closed on 2018-11-08)*
* Relations:
* parent #9442
* Changesets:
* Revision 348c14c7421c7d8fcdc82fd7014fb75eed11f56f on 2018-11-06T15:54:09Z:
```
main/lcms2: security fix (CVE-2018-16435)
Fixes #9443
```
3.9.0 Natanael Copa Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9427
[3.9] libjpeg-turbo: "cjpeg" utility large loop because read_pixel in rdtarga.c mishandles EOF (CVE-2018-11813)
2019-07-23T11:11:16Z Alicha CH
The “cjpeg” utility can enter a large loop because read\_pixel in rdtarga.c mishandles EOF.
### Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/242
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/19074854d9d8bc32dff3ed252eed17ed6cc2ecfc
*(from redmine: issue id 9427, created on 2018-09-20, closed on 2018-09-27)*
* Relations:
* parent #9426
* Changesets:
* Revision d99aa8e3f0c88299d5094270594708793d135723 by Natanael Copa on 2018-09-25T11:00:55Z:
```
main/libjpeg-turbo: backport security fix (CVE-2018-11813)
fixes #9427
```
3.9.0 Natanael Copa Natanael Copa