aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2019-07-23T11:33:49Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8693
clamav: Multiple vulnerabilities (CVE-2018-0202, CVE-2018-1000085)
2019-07-23T11:33:49Z
Alicha CH

CVE-2018-0202: Out-of-bounds access in the PDF parser
-----------------------------------------------------
### Fixed In Version:
clamav 0.99.4
### References:
https://bugzilla.clamav.net/show\_bug.cgi?id=11973
https://security-tracker.debian.org/tracker/CVE-2018-0202
CVE-2018-1000085: Out of bounds heap memory read in xar parser
--------------------------------------------------------------
ClamAV version 0.99.3 contains an out-of-bounds heap memory read
vulnerability in the XAR parser,
function xar\_hash\_check(), that can result in leaking of memory and may
help in developing exploit chains.
This attack appears to be exploitable when the victim scans a crafted
XAR file.
### Fixed In Version:
clamav 0.99.4
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000085
http://www.openwall.com/lists/oss-security/2017/09/29/4
### Patch:
https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
*(from redmine: issue id 8693, created on 2018-03-20, closed on 2018-04-16)*
* Relations:
* copied_to #8694
* copied_to #8695
* copied_to #8696
* copied_to #8697
* child #8694
* child #8695
* child #8696
* child #8697

Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8692
Installation of jq fails
2019-07-23T11:33:50Z
algitbot

I’m using a Docker image based on alpine:edge and install the jq
package. This used to work but now it fails with the following error:
```
/ # apk add --update jq
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
so:libonig.so.4 (missing):
required by: jq-1.5-r4[so:libonig.so.4] jq-1.5-r4[so:libonig.so.4]
```
It seems that libonig (package oniguruma-dev) has been upgraded to 5.0.0
without updating the dependent packages.
*(from redmine: issue id 8692, created on 2018-03-20, closed on 2019-05-03)*
* Changesets:
* Revision 2cd9e176e1c4f67913a931ef13a8010488b9c14c by Francesco Colista on 2018-03-20T12:04:57Z:
```
main/jq: rebuild against oniguruma. Fixes #8692
```

Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8691
[3.4] mariadb: Multiple vulnerabilities (CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668)
2019-07-23T11:33:51Z
Alicha CH

CVE-2017-10268: mariaDB 10.1.29
CVE-2017-10378: mariaDB 10.1.29
CVE-2017-15365: mariaDB 10.1.30
CVE-2018-2562: mariaDB 10.1.31
CVE-2018-2622: mariaDB 10.1.31
CVE-2018-2640: mariaDB 10.1.31
CVE-2018-2665: mariaDB 10.1.31
CVE-2018-2668: mariaDB 10.1.31
CVE-2018-2612: mariaDB 10.1.31
### References:
https://mariadb.com/kb/en/library/mariadb-10129-release-notes/
https://mariadb.com/kb/en/library/mariadb-10130-release-notes/
https://mariadb.com/kb/en/library/mariadb-10131-release-notes/
*(from redmine: issue id 8691, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8687
* parent #8687
* Changesets:
* Revision 073f1dbb6b8e23211fdfc552d7fc9a1e5a1cd7d1 on 2018-04-11T18:01:07Z:
```
main/mariadb: security upgrade to 10.1.32
CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562
CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668
Fixes #8691
```

3.4.7
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8690
[3.5] mariadb: Multiple vulnerabilities (CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668)
2019-07-23T11:33:52Z
Alicha CH

CVE-2017-10268: mariaDB 10.1.29
CVE-2017-10378: mariaDB 10.1.29
CVE-2017-15365: mariaDB 10.1.30
CVE-2018-2562: mariaDB 10.1.31
CVE-2018-2622: mariaDB 10.1.31
CVE-2018-2640: mariaDB 10.1.31
CVE-2018-2665: mariaDB 10.1.31
CVE-2018-2668: mariaDB 10.1.31
CVE-2018-2612: mariaDB 10.1.31
### References:
https://mariadb.com/kb/en/library/mariadb-10129-release-notes/
https://mariadb.com/kb/en/library/mariadb-10130-release-notes/
https://mariadb.com/kb/en/library/mariadb-10131-release-notes/
*(from redmine: issue id 8690, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8687
* parent #8687
* Changesets:
* Revision cc95b66d5c445617b873bad10b206ba1e1b60e38 on 2018-04-11T18:09:38Z:
```
main/mariadb: security upgrade to 10.1.32
CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562
CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668
Fixes #8690
```

3.5.3
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8689
[3.6] mariadb: Multiple vulnerabilities (CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668)
2019-07-23T11:33:53Z
Alicha CH

CVE-2017-10268: mariaDB 10.1.29
CVE-2017-10378: mariaDB 10.1.29
CVE-2017-15365: mariaDB 10.1.30
CVE-2018-2562: mariaDB 10.1.31
CVE-2018-2622: mariaDB 10.1.31
CVE-2018-2640: mariaDB 10.1.31
CVE-2018-2665: mariaDB 10.1.31
CVE-2018-2668: mariaDB 10.1.31
CVE-2018-2612: mariaDB 10.1.31
### References:
https://mariadb.com/kb/en/library/mariadb-10129-release-notes/
https://mariadb.com/kb/en/library/mariadb-10130-release-notes/
https://mariadb.com/kb/en/library/mariadb-10131-release-notes/
*(from redmine: issue id 8689, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8687
* parent #8687
* Changesets:
* Revision 1f62ce8da4f9d806efed413128423df6193398cd on 2018-04-11T18:07:35Z:
```
main/mariadb: security upgrade to 10.1.32
CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562
CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668
Fixes #8689
```

3.6.3
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8688
[3.7] mariadb: Multiple vulnerabilities (CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668)
2019-07-23T11:33:54Z
Alicha CH

CVE-2017-10268: mariaDB 10.1.29
CVE-2017-10378: mariaDB 10.1.29
CVE-2017-15365: mariaDB 10.1.30
CVE-2018-2562: mariaDB 10.1.31
CVE-2018-2622: mariaDB 10.1.31
CVE-2018-2640: mariaDB 10.1.31
CVE-2018-2665: mariaDB 10.1.31
CVE-2018-2668: mariaDB 10.1.31
CVE-2018-2612: mariaDB 10.1.31
### References:
https://mariadb.com/kb/en/library/mariadb-10129-release-notes/
https://mariadb.com/kb/en/library/mariadb-10130-release-notes/
https://mariadb.com/kb/en/library/mariadb-10131-release-notes/
*(from redmine: issue id 8688, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8687
* parent #8687
* Changesets:
* Revision 0af8e020357e06efb024840fcd0c25246bec62db on 2018-04-11T15:05:15Z:
```
main/mariadb: security upgrade to 10.1.32
CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562
CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668
Fixes #8688
```

3.7.1
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8687
mariadb: Multiple vulnerabilities (CVE-2017-10268, CVE-2017-10378, CVE-2017-15365, CVE-2018-2562, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668)
2019-07-23T11:33:55Z
Alicha CH

CVE-2017-10268: mariaDB 10.1.29
CVE-2017-10378: mariaDB 10.1.29
CVE-2017-15365: mariaDB 10.1.30
CVE-2018-2562: mariaDB 10.1.31
CVE-2018-2622: mariaDB 10.1.31
CVE-2018-2640: mariaDB 10.1.31
CVE-2018-2665: mariaDB 10.1.31
CVE-2018-2668: mariaDB 10.1.31
CVE-2018-2612: mariaDB 10.1.31
### References:
https://mariadb.com/kb/en/library/mariadb-10129-release-notes/
https://mariadb.com/kb/en/library/mariadb-10130-release-notes/
https://mariadb.com/kb/en/library/mariadb-10131-release-notes/
*(from redmine: issue id 8687, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8688
* copied_to #8689
* copied_to #8690
* copied_to #8691
* child #8688
* child #8689
* child #8690
* child #8691

Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8686
py-oauth2client-4.1.2-r1 has incorrect dependencies
2019-07-23T11:33:56Z
Keith Maxwell

For example trying to install py3-oauth2client-4.1.2-r1:
```
$ apk info py3-oauth2client
py3-oauth2client-4.1.2-r1 description:
A client library for OAuth 2.0 (for python3)
py3-oauth2client-4.1.2-r1 webpage:
https://github.com/google/oauth2client
py3-oauth2client-4.1.2-r1 installed size:
811008
$ sudo apk add py3-oauth2client
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
py3asn1 (missing):
required by: py3-oauth2client-4.1.2-r1[py3asn1]
py3httplib2 (missing):
required by: py3-oauth2client-4.1.2-r1[py3httplib2]
py3asn1-modules (missing):
required by: py3-oauth2client-4.1.2-r1[py3asn1-modules]
py3rsa (missing):
required by: py3-oauth2client-4.1.2-r1[py3rsa]
py3six (missing):
required by: py3-oauth2client-4.1.2-r1[py3six]
```
*(from redmine: issue id 8686, created on 2018-03-19, closed on 2018-06-26)*
* Changesets:
* Revision 655efc7f52a0db56385e80b16442daf8435880fd by Keith Maxwell on 2018-03-20T10:12:08Z:
```
main/py-oauth2client: fix dependencies
For example for the Python 3 sub-package before this change there was a
dependency upon `py3six`, which is not an Alpine Linux package. After
this change the dependency is upon `py3-six`.
Fixes #8686
```

3.8.0
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8685
[3.4] sqlite: NULL Pointer Dereference (CVE-2018-8740)
2019-07-23T11:33:57Z
Alicha CH

In SQLite through 3.22.0, databases whose schema is corrupted using a
CREATE TABLE AS statement
could cause a NULL pointer dereference, related to build.c and
prepare.c.
### References:
http://openwall.com/lists/oss-security/2018/03/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-8740
### Patch:
https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
*(from redmine: issue id 8685, created on 2018-03-19, closed on 2018-07-30)*
* Relations:
* copied_to #8680
* parent #8680

3.4.7
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8684
[3.5] sqlite: NULL Pointer Dereference (CVE-2018-8740)
2019-07-23T11:33:59Z
Alicha CH

In SQLite through 3.22.0, databases whose schema is corrupted using a
CREATE TABLE AS statement
could cause a NULL pointer dereference, related to build.c and
prepare.c.
### References:
http://openwall.com/lists/oss-security/2018/03/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-8740
### Patch:
https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
*(from redmine: issue id 8684, created on 2018-03-19, closed on 2018-07-30)*
* Relations:
* copied_to #8680
* parent #8680

3.5.3
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8683
[3.6] sqlite: NULL Pointer Dereference (CVE-2018-8740)
2019-07-23T11:34:00Z
Alicha CH

In SQLite through 3.22.0, databases whose schema is corrupted using a
CREATE TABLE AS statement
could cause a NULL pointer dereference, related to build.c and
prepare.c.
### References:
http://openwall.com/lists/oss-security/2018/03/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-8740
### Patch:
https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
*(from redmine: issue id 8683, created on 2018-03-19, closed on 2018-07-30)*
* Relations:
* copied_to #8680
* parent #8680

3.6.3
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8682
[3.7] sqlite: NULL Pointer Dereference (CVE-2018-8740)
2019-07-23T11:34:01Z
Alicha CH

In SQLite through 3.22.0, databases whose schema is corrupted using a
CREATE TABLE AS statement
could cause a NULL pointer dereference, related to build.c and
prepare.c.
### References:
http://openwall.com/lists/oss-security/2018/03/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-8740
### Patch:
https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
*(from redmine: issue id 8682, created on 2018-03-19, closed on 2018-07-30)*
* Relations:
* copied_to #8680
* parent #8680

3.7.1
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8681
[3.8] sqlite: NULL Pointer Dereference (CVE-2018-8740)
2019-07-23T11:34:02Z
Alicha CH

In SQLite through 3.22.0, databases whose schema is corrupted using a
CREATE TABLE AS statement
could cause a NULL pointer dereference, related to build.c and
prepare.c.
### References:
http://openwall.com/lists/oss-security/2018/03/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-8740
### Patch:
https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
*(from redmine: issue id 8681, created on 2018-03-19, closed on 2018-07-30)*
* Relations:
* copied_to #8680
* parent #8680

3.8.0
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8680
sqlite: NULL Pointer Dereference (CVE-2018-8740)
2019-07-23T11:34:03Z
Alicha CH

In SQLite through 3.22.0, databases whose schema is corrupted using a
CREATE TABLE AS statement
could cause a NULL pointer dereference, related to build.c and
prepare.c.
### References:
http://openwall.com/lists/oss-security/2018/03/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-8740
### Patch:
https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
*(from redmine: issue id 8680, created on 2018-03-19, closed on 2018-07-30)*
* Relations:
* copied_to #8681
* copied_to #8682
* copied_to #8683
* copied_to #8684
* copied_to #8685
* child #8681
* child #8682
* child #8683
* child #8684
* child #8685

Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8679
[3.4] rsync: sanitization bypass in parse_argument in options.c (CVE-2018-5764)
2019-07-23T11:34:04Z
Alicha CH

A flaw was found in rsync versions before 3.1.3. The parse\_argument
function in options.c in the rsyncd component does not prevent multiple
--protect-args uses,
thus letting the user specify the arg in the protected-arg list and
shortcut some of the arg-sanitizing code. This vulnerability allows
remote attackers to
bypass the argument-sanitization protection mechanism, which may lead to
a privilege escalation vulnerability.
### Fixed In Version:
rsync 3.1.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5764
https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
### Patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=7706303828fcde524222babb2833864a4bd09e07
*(from redmine: issue id 8679, created on 2018-03-19, closed on 2018-03-20)*
* Relations:
* copied_to #8675
* parent #8675
* Changesets:
* Revision 5210d540ebb8f27078881e69626388f6ff6a19d7 by Natanael Copa on 2018-03-20T12:24:27Z:
```
main/rsync: security upgrade to 3.1.3 (CVE-2018-5764)
fixes #8679
```

3.4.7
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8678
[3.5] rsync: sanitization bypass in parse_argument in options.c (CVE-2018-5764)
2019-07-23T11:34:05Z
Alicha CH

A flaw was found in rsync versions before 3.1.3. The parse\_argument
function in options.c in the rsyncd component does not prevent multiple
--protect-args uses,
thus letting the user specify the arg in the protected-arg list and
shortcut some of the arg-sanitizing code. This vulnerability allows
remote attackers to
bypass the argument-sanitization protection mechanism, which may lead to
a privilege escalation vulnerability.
### Fixed In Version:
rsync 3.1.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5764
https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
### Patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=7706303828fcde524222babb2833864a4bd09e07
*(from redmine: issue id 8678, created on 2018-03-19, closed on 2018-03-20)*
* Relations:
* copied_to #8675
* parent #8675
* Changesets:
* Revision 9cd8a524f060c689c2aaf6c3d204e66a073758f7 by Natanael Copa on 2018-03-20T12:20:00Z:
```
main/rsync: security upgrade to 3.1.3 (CVE-2018-5764)
fixes #8678
```

3.5.3
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8677
[3.6] rsync: sanitization bypass in parse_argument in options.c (CVE-2018-5764)
2019-07-23T11:34:06Z
Alicha CH

A flaw was found in rsync versions before 3.1.3. The parse\_argument
function in options.c in the rsyncd component does not prevent multiple
--protect-args uses,
thus letting the user specify the arg in the protected-arg list and
shortcut some of the arg-sanitizing code. This vulnerability allows
remote attackers to
bypass the argument-sanitization protection mechanism, which may lead to
a privilege escalation vulnerability.
### Fixed In Version:
rsync 3.1.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5764
https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
### Patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=7706303828fcde524222babb2833864a4bd09e07
*(from redmine: issue id 8677, created on 2018-03-19, closed on 2018-03-20)*
* Relations:
* copied_to #8675
* parent #8675
* Changesets:
* Revision 715507dc62229f9d5829b78732cae217c1b31865 by Natanael Copa on 2018-03-20T12:14:18Z:
```
main/rsync: security upgrade to 3.1.3 (CVE-2018-5764)
fixes #8677
```

3.6.3
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8676
[3.7] rsync: sanitization bypass in parse_argument in options.c (CVE-2018-5764)
2019-07-23T11:34:07Z
Alicha CH

A flaw was found in rsync versions before 3.1.3. The parse\_argument
function in options.c in the rsyncd component does not prevent multiple
--protect-args uses,
thus letting the user specify the arg in the protected-arg list and
shortcut some of the arg-sanitizing code. This vulnerability allows
remote attackers to
bypass the argument-sanitization protection mechanism, which may lead to
a privilege escalation vulnerability.
### Fixed In Version:
rsync 3.1.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5764
https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
### Patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=7706303828fcde524222babb2833864a4bd09e07
*(from redmine: issue id 8676, created on 2018-03-19, closed on 2018-03-20)*
* Relations:
* copied_to #8675
* parent #8675
* Changesets:
* Revision 4b0114024e6182993b944233c2e726395b599f7b by Natanael Copa on 2018-03-20T12:12:35Z:
```
main/rsync: security upgrade to 3.1.3 (CVE-2018-5764)
fixes #8676
```

3.7.1
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8675
rsync: sanitization bypass in parse_argument in options.c (CVE-2018-5764)
2019-07-23T11:34:08Z
Alicha CH

A flaw was found in rsync versions before 3.1.3. The parse\_argument
function in options.c in the rsyncd component does not prevent multiple
--protect-args uses,
thus letting the user specify the arg in the protected-arg list and
shortcut some of the arg-sanitizing code. This vulnerability allows
remote attackers to
bypass the argument-sanitization protection mechanism, which may lead to
a privilege escalation vulnerability.
### Fixed In Version:
rsync 3.1.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5764
https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
### Patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=7706303828fcde524222babb2833864a4bd09e07
*(from redmine: issue id 8675, created on 2018-03-19, closed on 2018-03-20)*
* Relations:
* copied_to #8676
* copied_to #8677
* copied_to #8678
* copied_to #8679
* child #8676
* child #8677
* child #8678
* child #8679

Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8674
[3.4] libvorbis: out-of-bounds write (CVE-2018-5146)
2019-07-23T11:34:09Z
Alicha CH

Write out of bounds when processing
malformed Vorbis audio data.
### Fixed In Version:
libvorbis 1.3.6
### References:
https://github.com/xiph/vorbis/releases/tag/v1.3.6
http://openwall.com/lists/oss-security/2018/03/16/4
*(from redmine: issue id 8674, created on 2018-03-19, closed on 2018-07-30)*
* Relations:
* copied_to #8669
* parent #8669

3.4.7
Natanael Copa