aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2019-07-23T11:11:13Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10312[3.10] dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading ...2019-07-23T11:11:13ZAlicha CH[3.10] dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading to possible DoS attack (CVE-2019-10691)JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering
invalid UTF-8 characters. Attacker can repeatedly crash Dovecot
authentication process by logging in using invalid UTF-8 sequence in
username. Crash can also occur i...JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering
invalid UTF-8 characters. Attacker can repeatedly crash Dovecot
authentication process by logging in using invalid UTF-8 sequence in
username. Crash can also occur if OX push notification driver is enabled
and an email is delivered with invalid UTF-8 sequence in From or Subject
header.
### Fixed In Version:
dovecot 2.3.5.2
### References:
https://dovecot.org/list/dovecot-news/2019-April/000406.html
https://www.openwall.com/lists/oss-security/2019/04/18/3
### Patch:
https://github.com/dovecot/core/commit/973769d74433de3c56c4ffdf4f343cb35d98e4f7
*(from redmine: issue id 10312, created on 2019-04-22, closed on 2019-06-22)*
* Relations:
* parent #103113.10.0Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10304Missing libasan2022-12-20T22:43:30ZSerhii CharykovMissing libasanI use docker image and cannot build simple C/C<span
class="underline"></span> program with option: -fsanitize=address
I’ve checked several image version and have not find any package that
resembles libasan or has libasan\*.so.
Steps t...I use docker image and cannot build simple C/C<span
class="underline"></span> program with option: -fsanitize=address
I’ve checked several image version and have not find any package that
resembles libasan or has libasan\*.so.
Steps to reproduce:
docker run -it —rm alpine
apk add gcc musl-dev
echo “int main() {}” >test.c
gcc test.c -fsanitize=address
Result:
/usr/lib/gcc/x86\_64-alpine-linux-musl/8.3.0/../../../../x86\_64-alpine-linux-musl/bin/ld:
cannot find libasan\_preinit.o: No such file or directory
/usr/lib/gcc/x86\_64-alpine-linux-musl/8.3.0/../../../../x86\_64-alpine-linux-musl/bin/ld:
cannot find -lasan
collect2: error: ld returned 1 exit status
*(from redmine: issue id 10304, created on 2019-04-19, closed on 2019-05-06)*3.9.4https://gitlab.alpinelinux.org/alpine/aports/-/issues/10287[3.9] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-...2019-07-23T11:11:28ZAlicha CH[3.9] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325)CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequen...CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response
handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
### Affected Versions:
Ruby 2.4 series: 2.4.5 and earlier
Ruby 2.5 series: 2.5.3 and earlier
### Reference:
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
### Patches:
https://bugs.ruby-lang.org/attachments/7669 (for Ruby 2.4.5)
https://bugs.ruby-lang.org/attachments/7670 (for Ruby 2.5.3)
*(from redmine: issue id 10287, created on 2019-04-18, closed on 2019-05-06)*
* Relations:
* parent #10286
* Changesets:
* Revision 58244868e7a471ddf96e8d0ece88c240e34bff1c by Natanael Copa on 2019-05-06T17:40:49Z:
```
main/ruby: security upgrade to 2.5.5
- CVE-2019-8320
- CVE-2019-8321
- CVE-2019-8322
- CVE-2019-8323
- CVE-2019-8324
- CVE-2019-8325
fixes #10287
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10282py3-jsonschema missing dependency 'pyrsistent>=0.14.0'2019-07-23T11:11:30ZSimon Fsimon-alpine@fraho.eupy3-jsonschema missing dependency 'pyrsistent>=0.14.0'Currently docker-compose in testing is not working:
# docker run --rm -it alpine:edge /bin/ash
/ # apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing docker-compose
fetch http://dl-cdn.alpinelinux.org/alpine/edge/t...Currently docker-compose in testing is not working:
# docker run --rm -it alpine:edge /bin/ash
/ # apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing docker-compose
fetch http://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/36) Installing libbz2 (1.0.6-r6)
(2/36) Installing expat (2.2.6-r0)
(3/36) Installing libffi (3.2.1-r6)
(4/36) Installing gdbm (1.13-r1)
(5/36) Installing xz-libs (5.2.4-r0)
(6/36) Installing ncurses-terminfo-base (6.1_p20190105-r0)
(7/36) Installing ncurses-terminfo (6.1_p20190105-r0)
(8/36) Installing ncurses-libs (6.1_p20190105-r0)
(9/36) Installing readline (8.0.0-r0)
(10/36) Installing sqlite-libs (3.27.2-r0)
(11/36) Installing python3 (3.6.8-r2)
(12/36) Installing py3-setuptools (40.8.0-r0)
(13/36) Installing py3-six (1.12.0-r0)
(14/36) Installing dockerpy-creds (0.4.0-r0)
(15/36) Installing py3-cparser (2.19-r1)
(16/36) Installing py3-cffi (1.11.5-r3)
(17/36) Installing py3-idna (2.8-r0)
(18/36) Installing py3-asn1crypto (0.24.0-r0)
(19/36) Installing py3-cryptography (2.6.1-r0)
(20/36) Installing py3-ipaddress (1.0.22-r0)
(21/36) Installing py3-parsing (2.2.0-r0)
(22/36) Installing py3-packaging (17.1-r0)
(23/36) Installing py3-chardet (3.0.4-r0)
(24/36) Installing py3-certifi (2018.4.16-r0)
(25/36) Installing py3-urllib3 (1.24.1-r0)
(26/36) Installing py3-requests (2.21.0-r1)
(27/36) Installing py3-websocket-client (0.56.0-r0)
(28/36) Installing docker-py (3.7.2-r0)
(29/36) Installing py3-cached-property (1.4.3-r0)
(30/36) Installing py3-dockerpty (0.4.1-r0)
(31/36) Installing py3-docopt (0.6.2-r2)
(32/36) Installing py3-jsonschema (3.0.1-r0)
(33/36) Installing py3-pysocks (1.6.8-r0)
(34/36) Installing py3-texttable (1.4.0-r0)
(35/36) Installing py3-yaml (4.1-r0)
(36/36) Installing docker-compose (1.23.2-r0)
Executing busybox-1.30.1-r0.trigger
OK: 86 MiB in 50 packages
/ # docker-compose -v
Traceback (most recent call last):
File "/usr/bin/docker-compose", line 6, in <module>
from pkg_resources import load_entry_point
File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3191, in <module>
@_call_aside
File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3175, in _call_aside
f(*args, **kwargs)
File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3204, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 583, in _build_master
ws.require(__requires__)
File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 900, in require
needed = self.resolve(parse_requirements(requirements))
File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 786, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'pyrsistent>=0.14.0' distribution was not found and is required by jsonschema
It seems that there is a dependency missing (pyrsistent>=0.14.0)
*(from redmine: issue id 10282, created on 2019-04-17, closed on 2019-06-19)*3.10.0Francesco ColistaFrancesco Colistahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10278[3.9] libxslt: security framework bypass (CVE-2019-11068)2019-07-23T11:11:35ZAlicha CH[3.9] libxslt: security framework bypass (CVE-2019-11068)libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a –1 error code. xsltCheckRead can return –1 for a crafted URL
that is not actually in...libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a –1 error code. xsltCheckRead can return –1 for a crafted URL
that is not actually invalid and is subsequently loaded.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://security-tracker.debian.org/tracker/CVE-2019-11068
### Patch:
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
*(from redmine: issue id 10278, created on 2019-04-17, closed on 2019-04-18)*
* Relations:
* parent #10276
* Changesets:
* Revision 4281a184d7a2aab9a0f2352a418084cad73ee2dc by Natanael Copa on 2019-04-17T07:22:42Z:
```
main/libxslt: security fix for CVE-2019-11068
fixes #10278
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10277[3.10] libxslt: security framework bypass (CVE-2019-11068)2019-07-23T11:11:36ZAlicha CH[3.10] libxslt: security framework bypass (CVE-2019-11068)libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a –1 error code. xsltCheckRead can return –1 for a crafted URL
that is not actually in...libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a –1 error code. xsltCheckRead can return –1 for a crafted URL
that is not actually invalid and is subsequently loaded.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://security-tracker.debian.org/tracker/CVE-2019-11068
### Patch:
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
*(from redmine: issue id 10277, created on 2019-04-17, closed on 2019-04-18)*
* Relations:
* parent #10276
* Changesets:
* Revision 5f61e0e106315c69b9cec8e394286e8cf98c99e2 by Natanael Copa on 2019-04-17T07:17:59Z:
```
main/libxslt: security fix for CVE-2019-11068
fixes #10277
```3.10.0Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10275can not encrypt lbu conf anymore with latest openssl2019-12-22T13:45:22ZV Scan not encrypt lbu conf anymore with latest openssltrying to encrypt my lbu on commit gives the following error:
lbu ci -e -p test
Invalid command ‘list-cipher-commands’; type “help” for a list.
Cipher aes-256-cbc is not supported
The error comes from openssl:
$ openssl list-ciph...trying to encrypt my lbu on commit gives the following error:
lbu ci -e -p test
Invalid command ‘list-cipher-commands’; type “help” for a list.
Cipher aes-256-cbc is not supported
The error comes from openssl:
$ openssl list-cipher-commands
>Invalid command ‘list-standard-commands’; type “help” for a list.
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
*(from redmine: issue id 10275, created on 2019-04-16, closed on 2019-05-09)*
* Changesets:
* Revision 82448d58fc0232afbaf804bd7e134bd91abddf8e by Richard Mortier on 2019-05-06T16:50:53Z:
```
main/alpine-conf: fix invocation of `openssl` when listing ciphers
openssl.1.1.1b appears to have replaced `list-cipher-commands` with
`enc-ciphers`
fixes #10275
(cherry picked from commit 4992e150a1841363523ae87bffde4c845cbf648e)
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10273modbus-usb not enabled in apcupsd package2019-07-23T11:11:38ZCraig Rmodbus-usb not enabled in apcupsd packageapcupsd package on armv7 doesn’t have modbus-usb enabled
Build log shows;
drivers (no-\* are disabled): apcsmart dumb net linux-usb snmp pcnet
modbus no-modbus-usb no-test
Could it be built with modbus-usb enabled please so it will wo...apcupsd package on armv7 doesn’t have modbus-usb enabled
Build log shows;
drivers (no-\* are disabled): apcsmart dumb net linux-usb snmp pcnet
modbus no-modbus-usb no-test
Could it be built with modbus-usb enabled please so it will work with
newer APC models? I believe “—enable-modbus-usb” needs to be passed to
configure when building
Thanks in advance
*(from redmine: issue id 10273, created on 2019-04-16, closed on 2019-06-19)*
* Changesets:
* Revision de0c11db7326ef89ead739928ed6d1e6c71b2d64 by Henrik Riomar on 2019-04-26T06:51:47Z:
```
main/apcupsd: enable enable-modbus-usb
Closes: #10273
While at it modernize.
```3.10.0https://gitlab.alpinelinux.org/alpine/aports/-/issues/10263[3.9] clamav: Multiple vulnerabilities (CVE-2019-1787, CVE-2019-1788, CVE-201...2019-07-23T11:11:43ZAlicha CH[3.9] clamav: Multiple vulnerabilities (CVE-2019-1787, CVE-2019-1788, CVE-2019-1789)**CVE-2019-1787**: An out-of-bounds heap read condition may occur when
scanning PDF documents. The defect
is a failure to correctly keep track of the number of bytes remaining in
a buffer when indexing file data.
### Fixed In Version:...**CVE-2019-1787**: An out-of-bounds heap read condition may occur when
scanning PDF documents. The defect
is a failure to correctly keep track of the number of bytes remaining in
a buffer when indexing file data.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1788**: An out-of-bounds heap write condition may occur when
scanning OLE2 files such as
Microsoft Office 97-2003 documents. The invalid write happens when an
invalid pointer is mistakenly
used to initialize a 32bit integer to zero. This is likely to crash the
application.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1789**: An out-of-bounds heap read condition may occur when
scanning PE files (i.e. Windows EXE and DLL files)
that have been packed using Aspack as a result of inadequate
bound-checking.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
*(from redmine: issue id 10263, created on 2019-04-16, closed on 2019-04-18)*
* Relations:
* parent #10261
* Changesets:
* Revision 287dc987d0bfa340aa510b11e2ad691a15b5ea4e on 2019-04-17T13:20:52Z:
```
main/clamav: security upgrade to 0.100.3
CVE-2019-1787, CVE-2019-1788, CVE-2019-1789
Fixes #10263
```3.9.4Carlo LandmeterCarlo Landmeterhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10262[3.10] clamav: Multiple vulnerabilities (CVE-2019-1787, CVE-2019-1788, CVE-20...2019-07-23T11:11:44ZAlicha CH[3.10] clamav: Multiple vulnerabilities (CVE-2019-1787, CVE-2019-1788, CVE-2019-1789)**CVE-2019-1787**: An out-of-bounds heap read condition may occur when
scanning PDF documents. The defect
is a failure to correctly keep track of the number of bytes remaining in
a buffer when indexing file data.
### Fixed In Version:...**CVE-2019-1787**: An out-of-bounds heap read condition may occur when
scanning PDF documents. The defect
is a failure to correctly keep track of the number of bytes remaining in
a buffer when indexing file data.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1788**: An out-of-bounds heap write condition may occur when
scanning OLE2 files such as
Microsoft Office 97-2003 documents. The invalid write happens when an
invalid pointer is mistakenly
used to initialize a 32bit integer to zero. This is likely to crash the
application.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1789**: An out-of-bounds heap read condition may occur when
scanning PE files (i.e. Windows EXE and DLL files)
that have been packed using Aspack as a result of inadequate
bound-checking.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
*(from redmine: issue id 10262, created on 2019-04-16, closed on 2019-04-18)*
* Relations:
* parent #10261
* Changesets:
* Revision 9538615b581d4d5b661a672dc8585be1cb4a3a7f on 2019-04-17T13:20:09Z:
```
main/clamav: security upgrade to 0.100.3
CVE-2019-1787, CVE-2019-1788, CVE-2019-1789
Fixes #10262
```3.10.0Carlo LandmeterCarlo Landmeterhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10253[3.9] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)2019-07-23T11:11:51ZAlicha CH[3.9] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)Lua 5.3.5 has a use-after-free in lua\_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### Referen...Lua 5.3.5 has a use-after-free in lua\_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### References:
http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
https://security-tracker.debian.org/tracker/CVE-2019-6706
*(from redmine: issue id 10253, created on 2019-04-15, closed on 2019-05-06)*
* Relations:
* parent #10251
* Changesets:
* Revision ebd55722b9637f4559c94b13e5e061ffef9fb4a3 by Natanael Copa on 2019-05-06T17:07:51Z:
```
main/lua5.3: security fix for CVE-2019-6706
fixes #10253
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10252[3.10] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)2019-07-23T11:11:52ZAlicha CH[3.10] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)Lua 5.3.5 has a use-after-free in lua\_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### Referen...Lua 5.3.5 has a use-after-free in lua\_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### References:
http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
https://security-tracker.debian.org/tracker/CVE-2019-6706
*(from redmine: issue id 10252, created on 2019-04-15, closed on 2019-05-06)*
* Relations:
* parent #10251
* Changesets:
* Revision 7571f6ce08088d0644c95da6b1c4a780078951a8 by Natanael Copa on 2019-05-06T17:03:40Z:
```
main/lua5.3: security fix for CVE-2019-6706
fixes #10252
```3.10.0Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10247[3.9] samba: Save registry file outside share as unprivileged user (CVE-2019-...2019-07-23T11:11:56ZAlicha CH[3.9] samba: Save registry file outside share as unprivileged user (CVE-2019-3880)Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg\_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hiv...Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg\_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.
### Affected Versions:
All versions of samba since samba 3.2.0
### Fixed In Version:
samba 4.8.11, 4.9.6 and 4.10.2
### References:
https://www.samba.org/samba/security/CVE-2019-3880.html
https://www.samba.org/samba/history/security.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.8.10-security-2019-04-08.patch
*(from redmine: issue id 10247, created on 2019-04-15, closed on 2019-04-18)*
* Relations:
* parent #10246
* Changesets:
* Revision 46d7859df86413549905a72f31b1f89c45fb34aa on 2019-04-15T13:07:20Z:
```
main/samba: security upgrade to 4.8.11
CVE-2018-14629, CVE-2019-3880
Fixes #10247
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
* Revision 186547c42b833832f85ac23b0d11eef6805258fc on 2019-04-15T14:45:19Z:
```
main/samba: security upgrade to 4.8.11
CVE-2018-14629, CVE-2019-3880
Fixes #10247
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10222Please remove ssh support from curl2020-10-19T04:45:46ZJustin CormackPlease remove ssh support from curlCurl has support for eg sftp protocol via libssh2. This was re-enabled
about a year ago in https://bugs.alpinelinux.org/issues/8578
However libssh2 is barely maintained, although it is a little better in
recent weeks there will be ongoi...Curl has support for eg sftp protocol via libssh2. This was re-enabled
about a year ago in https://bugs.alpinelinux.org/issues/8578
However libssh2 is barely maintained, although it is a little better in
recent weeks there will be ongoing security issues for some time and it
is clearly understaffed, and there is unlikely to be substantial
investment going forward.
There are tools shipped with ssh itself that work much better for ssh
based use cases, and are morel likely to work as libssh2 has less good
cipher support, may not understand newer known hosts formats etc.
So I would recommend removing the ssh support from curl again.
*(from redmine: issue id 10222, created on 2019-04-09, closed on 2019-06-19)*
* Relations:
* relates #8578
* Changesets:
* Revision 0528182576472cb3b4f561f37c1dccfa64974ee0 by Leo Leo on 2019-04-29T20:56:46Z:
```
main/curl: disable SSH support via libssh2
fixes #10222
See: https://bugs.alpinelinux.org/issues/10222 for more info
```3.10.0https://gitlab.alpinelinux.org/alpine/aports/-/issues/10218Promote amavisd-milter from testing -> main repository2019-07-23T11:12:09ZMiguel Da SilvaPromote amavisd-milter from testing -> main repositoryThe package amavisd-milter is currently in the testing repository.
We have several productive mail servers using this package without any
issue. Please move this package to the main repo.
*(from redmine: issue id 10218, created on 20...The package amavisd-milter is currently in the testing repository.
We have several productive mail servers using this package without any
issue. Please move this package to the main repo.
*(from redmine: issue id 10218, created on 2019-04-08, closed on 2019-05-09)*
* Changesets:
* Revision 05811c2c809d49ffaaa0e3047eee03a90c2a074e by Natanael Copa on 2019-05-06T17:32:31Z:
```
main/amavisd-milter: promote from testing
fixes #10218
```3.9.4https://gitlab.alpinelinux.org/alpine/aports/-/issues/10209chpasswd fails starting from Alpine 3.62019-12-10T10:07:51ZDia Jadchpasswd fails starting from Alpine 3.6I’m able to use \`chpasswd\` to set user password until Alpine 3.5.
Starting from Alpine 3.6 I get \`PAM: Authentication failure\` when I
run the command.
To easily reproduce the issue:
$ docker run —rm -it alpine sh
/ \# apk add sha...I’m able to use \`chpasswd\` to set user password until Alpine 3.5.
Starting from Alpine 3.6 I get \`PAM: Authentication failure\` when I
run the command.
To easily reproduce the issue:
$ docker run —rm -it alpine sh
/ \# apk add shadow
/ \# /usr/sbin/useradd -m -u 1000 new\_user
/ \# echo “new\_user:mypassword” | chpasswd
Password: chpasswd: PAM: Authentication failure
*(from redmine: issue id 10209, created on 2019-04-08, closed on 2019-06-19)*3.10.0https://gitlab.alpinelinux.org/alpine/aports/-/issues/10207notify-send not displaying messages2019-07-23T11:12:18Zxrsnotify-send not displaying messagesTest with notify-send:
$ notify-send “hello, world”
No output on display using Xorg-Server.
*(from redmine: issue id 10207, created on 2019-04-07, closed on 2019-05-09)*Test with notify-send:
$ notify-send “hello, world”
No output on display using Xorg-Server.
*(from redmine: issue id 10207, created on 2019-04-07, closed on 2019-05-09)*3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10193[3.10] putty: Multiple vulnerabilities (CVE-2019-9894, CVE-2019-9895, CVE-201...2019-07-23T11:12:27ZAlicha CH[3.10] putty: Multiple vulnerabilities (CVE-2019-9894, CVE-2019-9895, CVE-2019-9897, CVE-2019-9898)**CVE-2019-9894**: A remotely triggerable memory overwrite in RSA key
exchange in
PuTTY before 0.71 can occur before host key verification.
### Fixed In Version:
putty 0.71
### References:
https://www.chiark.greenend.org.uk/~sgtath...**CVE-2019-9894**: A remotely triggerable memory overwrite in RSA key
exchange in
PuTTY before 0.71 can occur before host key verification.
### Fixed In Version:
putty 0.71
### References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9894
### Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d82854999516046122501b2e145099740ed0284f
**CVE-2019-9895**: In PuTTY versions before 0.71 on Unix, a remotely
triggerable
buffer overflow exists in any kind of server-to-client forwarding.
### Fixed In Version:
putty 0.71
### References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9895
### Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5c926d9ea4a9e0a0a2384f06c7583648cdff3ed6
**CVE-2019-9897**: Multiple denial-of-service attacks that can be
triggered by writing
to the terminal exist in PuTTY versions before 0.71.
### Fixed In Version:
putty 0.71
### References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://security-tracker.debian.org/tracker/CVE-2019-9897
### Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=da1c8f15b1bc14c855f0027cf06ba7f1a9c36f3c
**CVE-2019-9898**: Potential recycling of random numbers used in
cryptography exists within PuTTY before 0.71.
### Fixed In Version:
putty 0.71
### References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rng-reuse.html
### Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=320bf8479ff5bcbad239db4f9f4aa63656b0675e
*(from redmine: issue id 10193, created on 2019-04-04, closed on 2019-04-15)*
* Relations:
* parent #10192
* Changesets:
* Revision e29c5d734c6d64bd6709f1e9a9e3404ca37f2211 on 2019-04-08T12:09:43Z:
```
main/putty: security upgrade to 0.71
CVE-2019-9894, CVE-2019-9895, CVE-2019-9897, CVE-2019-9898
Fixes #10193
Update license, disable check
```3.10.0Jeff Bilykjbilyk@gmail.comJeff Bilykjbilyk@gmail.comhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10186[3.10] apache2: Multiple vulnerabilities (CVE-2019-0196, CVE-2019-0197, CVE-2...2019-07-23T11:12:35ZAlicha CH[3.10] apache2: Multiple vulnerabilities (CVE-2019-0196, CVE-2019-0197, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220)CVE-2019-0196: mod\_http2, read-after-free on a string compare
--------------------------------------------------------------
Using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
com...CVE-2019-0196: mod\_http2, read-after-free on a string compare
--------------------------------------------------------------
Using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly.
### Versions Affected:
httpd 2.4.17 to 2.4.38
### Fixed In Version:
Apache httpd 2.4.39
### References:
https://httpd.apache.org/security/vulnerabilities\_24.html
CVE-2019-0197: mod\_http2, possible crash on late upgrade
---------------------------------------------------------
When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
h2
on a https: host, an Upgrade request from http/1.1 to http/2 that was
not the first request on a connection could lead to a misconfiguration
and crash. Servers that never enabled the h2 protocol or only enabled
it
for https: and did not set“H2Upgrade on” are unaffected by this issue.
### Versions Affected:
httpd 2.4.34 to 2.4.38
### Fixed In Version:
Apache httpd 2.4.39
### References:
https://httpd.apache.org/security/vulnerabilities\_24.html
https://www.openwall.com/lists/oss-security/2019/04/02/2
CVE-2019-0211: Apache HTTP Server privilege escalation from modules’ scripts
----------------------------------------------------------------------------
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
worker or prefork, code executing in less-privileged child processes
or threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with the privileges of the
parent process (usually root) by manipulating the scoreboard. Non-Unix
systems are not affected.
### Fixed In Version:
Apache httpd 2.4.39
### References:
https://httpd.apache.org/security/vulnerabilities\_24.html
https://www.openwall.com/lists/oss-security/2019/04/02/3
CVE-2019-0215: mod\_ssl access control bypass
---------------------------------------------
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a
bug in mod\_ssl when using per-location client certificate
verification with TLSv1.3 allowed a client to bypass
configured access control restrictions.
### Fixed In Version:
Apache httpd 2.4.39
### References:
https://httpd.apache.org/security/vulnerabilities\_24.html
https://www.openwall.com/lists/oss-security/2019/04/02/4
CVE-2019-0217: mod\_auth\_digest access control bypass
------------------------------------------------------
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition
in mod\_auth\_digest when running in a threaded server could allow a
user with valid credentials to authenticate using another username,
bypassing configured access control restrictions.
### Fixed In Version:
Apache httpd 2.4.39
### References:
https://www.openwall.com/lists/oss-security/2019/04/02/5
https://httpd.apache.org/security/vulnerabilities\_24.html
CVE-2019-0220: URL normalization inconsistincies
------------------------------------------------
When the path component of a request URL contains multiple consecutive
slashes
(‘/’), directives such as LocationMatch and RewriteRule must account
for
duplicates in regular expressions while other aspects of the servers
processing
will implicitly collapse them.
### Versions Affected:
httpd 2.4.0 to 2.4.38
### Fixed In Version:
Apache httpd 2.4.39
References:
https://httpd.apache.org/security/vulnerabilities\_24.html
*(from redmine: issue id 10186, created on 2019-04-02, closed on 2019-04-04)*
* Relations:
* parent #101853.10.0Kaarle RitvanenKaarle Ritvanenhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10166[3.9] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-...2019-07-23T11:12:55ZAlicha CH[3.9] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)CVE-2018-5744: A specially crafted packet can cause named to leak memory
------------------------------------------------------------------------
A flaw was found in Bind. A failure to free memory can occur when
processing messages havi...CVE-2018-5744: A specially crafted packet can cause named to leak memory
------------------------------------------------------------------------
A flaw was found in Bind. A failure to free memory can occur when
processing messages having a specific combination of EDNS options,
causing named’s memory use to grow without bounds until all memory is
exhausted.
### Versions affected:
BIND 9.10.7 ->9.10.8-P1, 9.11.3 ->9.11.5-P1, 9.12.0 ->
9.12.3-P1
### Reference:
https://kb.isc.org/docs/cve-2018-5744
CVE-2018-5745: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
------------------------------------------------------------------------------------------------------------------------
A flaw was found in Bind. Due to an error in the managed-keys feature it
is possible for a BIND server which
uses managed-keys to exit due to an assertion failure causing denial of
service.
### Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P1, 9.12.0 ->
9.12.3-P1
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2018-5745
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
-------------------------------------------------------------------------------
A flaw was found in Bind. Controls for zone transfers may not be
properly applied to Dynamically Loadable Zones (DLZs) if the zones are
writable.
A client exercising this defect can request and receive a zone transfers
of a DLZ even when not permitted to do so by the allow-transfer ACL.
### Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P2, 9.12.0 ->
9.12.3-P2
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2019-6465
*(from redmine: issue id 10166, created on 2019-03-27, closed on 2019-04-15)*
* Relations:
* parent #10164
* Changesets:
* Revision a72d66cd67f20dec8e4eb3d6f2b387a11a0bfbf8 by Chris Ely on 2019-04-12T06:06:29Z:
```
main/bind: security upgrade to 9.12.3-P4
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
Fixes #10166
```
* Revision f760ea50ec9278664e1aa8c0a5fb9f216770113b by Chris Ely on 2019-04-15T06:43:36Z:
```
main/bind: security upgrade to 9.12.3_p4
https://ftp.isc.org/isc/bind9/9.12.3-P4/RELEASE-NOTES-bind-9.12.3-P4.html
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
- CVE-2018-5740
- CVE-2018-5738
- CVE-2018-5737
- CVE-2018-5736
Fixes #10166
BIND is open source software licenced under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
BIND 9.12 will be supported until at least May, 2019.
```3.9.4Natanael CopaNatanael Copa