aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-16T11:21:06Z

[3.10] squid: XSS via user_name or auth parameter in cachemgr.cgi (CVE-2019-13345)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10666
Updated: 2019-07-16T11:21:06Z
Author: Alicha CH

The cachemgr.cgi web module of Squid through 4.7 has
XSS via the user\_name or auth parameter.
### References:
https://bugs.squid-cache.org/show\_bug.cgi?id=4957
https://github.com/squid-cache/squid/pull/429
*(from redmine: issue id 10666, created on 2019-07-09)*
* Relations:
* parent #10664
* Changesets:
* Revision a93510d1c69bc8f6e6fd0e2781ffcad140585f08 by Natanael Copa on 2019-07-11T16:36:30Z:
```
main/squid: upgrade to 4.8 (CVE-2019-13345)
fixes #10666
```
Milestone: 3.10.1
Assignee: Natanael Copa

[3.10] irssi: Use after free when sending SASL login to the server (CVE-2019-13045)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10655
Updated: 2019-07-23T11:06:09Z
Author: Alicha CH

Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when
SASL is enabled,
has a use after free when sending SASL login to the server.
### Fixed In Version:
Irssi 1.0.8, 1.1.3, 1.2.1
### References:
https://irssi.org/security/irssi\_sa\_2019\_06.txt
https://www.openwall.com/lists/oss-security/2019/06/29/1
*(from redmine: issue id 10655, created on 2019-07-04, closed on 2019-07-04)*
* Relations:
* parent #10653
* Changesets:
* Revision 4a1b35f961328ede5ec6d878950b6f368b83a75d by Natanael Copa on 2019-07-04T10:37:24Z:
```
main/irssi: security upgrade to 1.2.1 (CVE-2019-13045)
fixes #10655
```
Milestone: 3.10.1
Assignee: Natanael Copa

Add Argon2 support for PHP 7.3
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10649
Updated: 2019-07-23T11:06:14Z
Author: Albert Casademont

Hi,
It would be great that now that Alpine has the Argon2 libraries, the PHP
package could be compiled with Argon2 support. AFAIK it’s only a matter
of adding a “--with-password-argon2” in the “./configure” options before
compiling.
Thanks!
*(from redmine: issue id 10649, created on 2019-07-02, closed on 2019-07-11)*
* Changesets:
* Revision 43d556c0cb086ef5d94e22fc362c779cd2268042 by Andy Postnikov on 2019-07-06T18:57:20Z:
```
community/php7: add argon2 support
Closes #10649
```
* Revision 0a97585438e0dcc3f84c179edb26426db1e950b4 by Andy Postnikov on 2019-07-08T09:37:38Z:
```
community/php7: add argon2 support
Closes #10649
(cherry picked from commit 43d556c0cb086ef5d94e22fc362c779cd2268042)
```
Milestone: 3.10.1
Assignee: Natanael Copa

[3.10] bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10644
Updated: 2019-07-23T11:06:19Z
Author: Alicha CH

BZ2\_decompress in decompress.c in bzip2 through 1.0.6 has an
out-of-bounds
write when there are many selectors.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12900
https://security-tracker.debian.org/tracker/CVE-2019-12900
### Patch:
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
*(from redmine: issue id 10644, created on 2019-07-02, closed on 2019-07-09)*
* Relations:
* parent #10642
* Changesets:
* Revision f47a9e1da5b7f33cf5d46c0541deb454729eee51 on 2019-07-04T19:24:02Z:
```
main/bzip2: add patch for CVE-2019-12900
Adding the upstream bzip2 security patch to fix the out of bounds security
vulnerability in bzip2.
fixes #10644
```
Milestone: 3.10.1
Assignee: Natanael Copa

[3.10] expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10630
Updated: 2019-07-23T11:06:30Z
Author: Alicha CH

In libexpat in Expat before 2.2.7, XML input including XML names that
contain a large number of colons could make the XML
parser consume a high amount of RAM and CPU resources while processing
(enough to be usable for denial-of-service attacks).
### Fixed In Version:
expat 2.2.7
### References:
https://github.com/libexpat/libexpat/issues/186
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031
*(from redmine: issue id 10630, created on 2019-06-28, closed on 2019-07-02)*
* Relations:
* parent #10629
* Changesets:
* Revision 8ac1f86999bc295c903af1be590a9e898605e2cc by Natanael Copa on 2019-06-30T12:20:14Z:
```
main/expat: security upgrade to 2.2.7 (CVE-2018-20843)
fixes #10630
```
Milestone: 3.10.1
Assignee: Carlo Landmeter

[3.10] evince: uninitialized memory use in function tiff_document_render() and tiff_document_get_thumbnail() (CVE-2019-11459)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10623
Updated: 2019-07-23T11:06:32Z
Author: Alicha CH

The tiff\_document\_render() and tiff\_document\_get\_thumbnail()
functions in the TIFF document backend in GNOME Evince through 3.32.0
did
not handle errors from TIFFReadRGBAImageOriented(), leading to
uninitialized memory use when processing certain TIFF image files.
### Reference:
https://gitlab.gnome.org/GNOME/evince/issues/1129
### Patch:
https://gitlab.gnome.org/GNOME/evince/commit/234f034a4d15cd46dd556f4945f99fbd57ef5f15
*(from redmine: issue id 10623, created on 2019-06-25, closed on 2019-07-09)*
* Relations:
* parent #10621
* Changesets:
* Revision c0566a6218a27e10bfdb13b56c92fe18ff7b71c7 by Natanael Copa on 2019-07-08T12:57:17Z:
```
community/evince: fix CVE-2019-11459
remove unused patch
fixes #10623
```
Milestone: 3.10.1

[3.10] libvirt: Multiple vulnerabilities (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10617
Updated: 2019-07-23T11:06:38Z
Author: Alicha CH

CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use
the
virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which
would be accessed with the permissions of the libvirtd process. An
attacker with access to the libvirtd socket could use this to probe
the
existence of arbitrary files, cause denial of service or cause
libvirtd
to execute arbitrary programs.
This vulnerability was first present in libvirt v0.9.4.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10161
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10161
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580
CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use
the
virDomainManagedSaveDefineXML() API, which would permit them to modify
managed save state files. If a managed save had already been created
by
a privileged user, a local attacker could modify this file such that
libvirtd would execute an arbitrary program when the domain was resumed.
This vulnerability was first present in libvirt v3.6.1.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10166
https://security-tracker.debian.org/tracker/CVE-2019-10166
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a
CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API
-----------------------------------------------------------------------------------
The virConnectGetDomainCapabilities() libvirt API accepts an
“emulatorbin”
argument to specify the program providing emulation for a domain.
Since
v1.2.19, libvirt will execute that program to probe the domain’s
capabilities. Read-only clients could specify an arbitrary path for
this
argument, causing libvirtd to execute a crafted executable with its own
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10167
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26
CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
-----------------------------------------------------------------------------------------------------------------------
The virConnectBaselineHypervisorCPU() and
virConnectCompareHypervisorCPU()
libvirt APIs accept an “emulator” argument to specify the program
providing
emulation for a domain. Since v1.2.19, libvirt will execute that program
to
probe the domain’s capabilities. Read-only clients could specify an
arbitrary
path for this argument, causing libvirtd to execute a crafted executable
with
its own privileges.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10168
https://security-tracker.debian.org/tracker/CVE-2019-10168
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291
*(from redmine: issue id 10617, created on 2019-06-25, closed on 2019-07-04)*
* Relations:
* parent #10615
* Changesets:
* Revision d8c86688b6afbadd18a78b88a430ed4cabe78e7c by Francesco Colista on 2019-07-03T09:39:08Z:
```
main/libvirt: security upgrade to 5.5.0
This upgrade fixes the following CVE:
- CVE-2019-10168
- CVE-2019-10167
- CVE-2019-10166
- CVE-2019-10161
Fixes #10617
```
Milestone: 3.10.1
Assignee: Francesco Colista

[3.10] firefox-esr: sandbox escape using Prompt:Open (CVE-2019-11708)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10602
Updated: 2019-07-23T11:06:44Z
Author: Alicha CH

Insufficient vetting of parameters passed with the \`Prompt:Open\`
IPC message between child and parent processes can result in the
non-sandboxed
parent process opening web content chosen by a compromised child
process.
When combined with additional vulnerabilities
this could result in executing arbitrary code on the user’s computer.
### Fixed In Version:
Firefox ESR 60.7.2
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
*(from redmine: issue id 10602, created on 2019-06-21, closed on 2019-06-28)*
* Relations:
* parent #10600
* Changesets:
* Revision f1f49be1c7278df89e43c698ccc2e30659902683 on 2019-06-27T14:48:06Z:
```
community/firefox-esr: security upgrade to 60.7.2 (CVE-2019-11708)
fixes #10602
```
Milestone: 3.10.1
Assignee: Natanael Copa

[3.10] samba: Multiple vulnerabilities (CVE-2019-12435, CVE-2019-12436)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10590
Updated: 2019-07-23T11:06:48Z
Author: Alicha CH

CVE-2019-12435: Samba AD DC Denial of Service in DNS management server (dnsserver)
----------------------------------------------------------------------------------
The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.
An authenticated user can crash the RPC server process via a NULL
pointer de-reference.
There is no further vulnerability associated with this issue, merely a
denial of service.
### Affected Versions:
Samba 4.9 and 4.10
### Fixed In Version:
Samba 4.9.9 and 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/history/security.html
### Patches:
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
CVE-2019-12436: Samba AD DC LDAP server crash (paged searches)
--------------------------------------------------------------
A user with read access to the LDAP server can crash the LDAP
server process. Depending on the Samba version and the choice
of process model, this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change
this.
Samba 4.10 also supports the ‘prefork’ process model and by
using the -M option to ‘samba’ and a ‘single’ process model.
Both of these share one process between multiple clients.
### Affected Versions:
All versions of Samba since Samba 4.10.0
### Fixed In Version:
Samba 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12436.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
*(from redmine: issue id 10590, created on 2019-06-20, closed on 2019-06-21)*
* Relations:
* parent #10588
Milestone: 3.10.1
Assignee: Natanael Copa

enable kernel options for x86_64 hw error event reporting
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10587
Updated: 2019-07-23T11:06:51Z
Author: Henrik Riomar

See PR: https://github.com/alpinelinux/aports/pull/8221
*(from redmine: issue id 10587, created on 2019-06-19, closed on 2019-07-11)*
Milestone: 3.10.1

[3.10] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10558
Updated: 2019-07-23T11:07:10Z
Author: Alicha CH

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL
value displayed by the AdminURLFieldWidget displays the provided value
without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query
parameter payload, could result in a clickable JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10558, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision 3192c106fcf98faea0a2e8554ba5b4be87ca45b8 by Natanael Copa on 2019-06-25T21:05:03Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10558
```
Milestone: 3.10.1
Assignee: Natanael Copa

[3.10] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10552
Updated: 2019-07-16T11:25:06Z
Author: Alicha CH

In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a
man-in-the-middle attack. This issue is in krb5\_init\_creds\_step in
lib/krb5/init\_creds\_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
*(from redmine: issue id 10552, created on 2019-06-12)*
* Relations:
* parent #10551
* Changesets:
* Revision 7f6e6b03d2536a389bb79a29915bd3a8fe881517 by Natanael Copa on 2019-07-11T16:02:02Z:
```
main/heimdal: security fix for CVE-2019-12098
fixes #10552
```
Milestone: 3.10.1
Assignee: Natanael Copa

[3.10] tcpflow: stack-based buffer over-read exists in setbit() at iptree.h (CVE-2018-18409)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10426
Updated: 2019-07-16T11:50:29Z
Author: Alicha CH

A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW
1.5.0, due to received incorrect values causing incorrect computation,
leading to denial of service during an address\_histogram call or a
get\_histogram call.
### References:
https://github.com/simsong/tcpflow/issues/195
https://nvd.nist.gov/vuln/detail/CVE-2018-18409
### Patch:
https://github.com/simsong/tcpflow/commit/89c04b4fb0e46b3c4f1388686e83966e531cbea9
*(from redmine: issue id 10426, created on 2019-05-08)*
* Relations:
* parent #10425
* Changesets:
* Revision 4018db3cdac1d0eef1ad039d1a9120fa79e04b58 by Natanael Copa on 2019-07-08T14:18:59Z:
```
main/tcpflow: backport fix for CVE-2018-18409
and remove unused patch
ref #10426
```
Milestone: 3.10.1
Assignee: Natanael Copa

[3.10] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10575
Updated: 2019-07-23T11:06:56Z
Author: Alicha CH

file\_copy\_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
does not properly restrict file
permissions while a copy operation is in progress. Instead, default
permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10575, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* parent #10574
Milestone: 3.10.0
Assignee: Natanael Copa

[3.10] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10568
Updated: 2019-07-23T11:07:02Z
Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.
Joe Vennix of Apple Information Security discovered an implementation
flaw
in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious client
with
write access to its own home directory could manipulate a
~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.
This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the
standard
session dbus-daemon, for the same reason.
However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon
instances,
standard dbus-daemon instances with non-standard configuration, and
the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).
Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x <
1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >=
1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10568, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision fa0e230be9fd2e79919214ecab466f5149cab5fe by Natanael Copa on 2019-06-17T09:49:34Z:
```
main/dbus: upgrade to 1.12.16 (CVE-2019-12749)
fixes #10568
```
Milestone: 3.10.0
Assignee: Natanael Copa

[3.10] heimdal: S4U2Self with unkeyed checksum (CVE-2018-16860)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10511
Updated: 2019-07-23T11:07:25Z
Author: Alicha CH

S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key
Distribution Center (KDC) for a non-Kerberos authenticated user
(principal in Kerberos parlance). This is useful to allow internal
code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba’s AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
### Affected Versions:
All releases of Heimdal from 0.8 including 7.5.0
### Reference:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
https://www.samba.org/samba/security/CVE-2018-16860.html
### Patch:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
*(from redmine: issue id 10511, created on 2019-05-30, closed on 2019-06-05)*
* Relations:
* parent #10510
* Changesets:
* Revision aa2d24fab1e16e497512004aa40a11c032fcab73 on 2019-06-04T14:19:35Z:
```
main/heimdal: security fix (CVE-2018-16860)
Fixes #10511
Remove unused patch, clarify license
```
Milestone: 3.10.0
Assignee: Natanael Copa

[3.10] wireshark: dissection engine crash (CVE-2019-12295)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10501
Updated: 2019-07-23T11:07:33Z
Author: Alicha CH

It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or
by convincing someone to read a malformed packet trace file.
Affected versions: 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, 2.4.0 to 2.4.14
Fixed versions: 3.0.2, 2.6.9, 2.4.15
### References:
https://www.wireshark.org/security/wnpa-sec-2019-19.html
https://bugs.wireshark.org/bugzilla/show\_bug.cgi?id=15778
*(from redmine: issue id 10501, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
* parent #10500
* Changesets:
* Revision e5bce08f307d563f1c82d22257e76bf9f0bf48fe by Natanael Copa on 2019-06-04T13:38:25Z:
```
community/wireshark: security upgrade to 3.0.2 (CVE-2019-12295)
fixes #10501
```
Milestone: 3.10.0
Assignee: Natanael Copa

Gitea does not start after a reboot when PostgreSQL is used as the database back end.
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10469
Updated: 2019-07-23T11:07:46Z
Author: Ghost User

Gitea does not start after a reboot when PostgreSQL is used as the
database back end. This is due to the fact that PostgreSQL starts after
Gitea.
This issue can be fixed by adding **postgresql** and **mysql** to the
after line of the depend function in **/etc/init.d/gitea**:
```
depend() {
    use logger dns
    need net
    after firewall postgresql mysql
}
```
*(from redmine: issue id 10469, created on 2019-05-20, closed on 2019-06-19)*
* Changesets:
* Revision d8de5b46f6b4719066b2b2752734df68a60b08bd by Kevin Daudt on 2019-06-18T18:24:43Z:
```
community/gitea: start after database
Make sure that the service is started after any of the supported
databases.
Fixes RM: #10469
```
Milestone: 3.10.0

mpv: missing Lua support
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10461
Updated: 2019-07-23T11:09:58Z
Author: MY-R

edge
mpv-0.29.1-r2
Default minimal GUI of mpv (OSC) not working without Lua.
https://build.alpinelinux.org/buildlogs/build-edge-x86\_64/community/mpv/mpv-0.29.1-r2.log
Checking for Lua : no ('luajit >= 2.0.0' not found)
*(from redmine: issue id 10461, created on 2019-05-16, closed on 2019-06-19)*
Milestone: 3.10.0
Assignee: Natanael Copa

nextcloud-default-apps: Broken depends
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10442
Updated: 2019-07-23T11:10:02Z
Author: Simon F <simon-alpine@fraho.eu>

Current edge package cannot be installed due to unmet dependencies:
```
# docker run --rm -it alpine:edge /bin/ash
/ # apk add nextcloud-default-apps
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
nextcloud-files_rightclick (missing):
required by: nextcloud-default-apps-16.0.0-r0[nextcloud-files_rightclick]
nextcloud-privacy (missing):
required by: nextcloud-default-apps-16.0.0-r0[nextcloud-privacy]
nextcloud-recommendations (missing):
required by: nextcloud-default-apps-16.0.0-r0[nextcloud-recommendations]
nextcloud-viewer (missing):
required by: nextcloud-default-apps-16.0.0-r0[nextcloud-viewer]
/ #
```
The “missing” packages are present in 3.9
*(from redmine: issue id 10442, created on 2019-05-10, closed on 2019-06-17)*
* Changesets:
* Revision 0cb832cfb8231716ecf5419401712a61b335f887 by Simon F on 2019-05-10T06:17:46Z:
```
community/nextcloud: Fix broken dependencies for default-apps
Fixes #10442
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
Milestone: 3.10.0
Assignee: Simon F <simon-alpine@fraho.eu>