aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2019-07-23T11:33:30Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8714
icinga2: Multiple vulnerabilities (CVE-2018-6532, CVE-2018-6534, CVE-2018-6535)
2019-07-23T11:33:30Z Alicha CH

**CVE-2018-6532**: An issue was discovered in Icinga 2.x through 2.8.1.
By sending specially crafted (authenticated and unauthenticated)
requests, an attacker can exhaust a lot of memory on the server side,
triggering the OOM killer.
### Fixed in Version:
Icinga 2.8.2.
### References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/6103
https://nvd.nist.gov/vuln/detail/CVE-2018-6532
**CVE-2018-6534**: An issue was discovered in Icinga 2.x through 2.8.1.
By sending specially crafted messages,
an attacker can cause a NULL pointer dereference, which can cause the
product to crash.
### Fixed in Version:
Icinga 2.8.2.
### References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/6104
https://nvd.nist.gov/vuln/detail/CVE-2018-6534
**CVE-2018-6535**: An issue was discovered in Icinga 2.x through 2.8.1.
The lack of a constant-time
password comparison function can disclose the password to an attacker.
### Fixed in Version:
Icinga 2.8.2.
### References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/5715
https://nvd.nist.gov/vuln/detail/CVE-2018-6535
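What a non-constant-time comparison leaks, and the usual fix, as an added example in C. This is not Icinga 2's code (which is C++) and does not reproduce the upstream patch; the function names and the sample secret `s3cret` are invented for illustration. The `*_work` helpers count how many byte positions each comparison inspects, which is the quantity an attacker observes as response time:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Icinga 2 code: an early-exit password comparison next to
 * a fixed-work one.  Function names and the sample secret are invented. */

/* Early-exit comparison (what strcmp() does): stops at the first differing
 * byte.  Returns 1 when equal. */
int password_equal_leaky(const char *expected, const char *supplied)
{
    return strcmp(expected, supplied) == 0;
}

/* Number of byte positions the early-exit comparison inspects before it can
 * decide.  The attacker does not see this counter, but it is what response
 * time reveals: a guess whose prefix is right takes longer, so the secret
 * can be recovered one byte at a time. */
size_t leaky_compare_work(const char *expected, const char *supplied)
{
    size_t i = 0;
    for (;;) {
        unsigned char e = (unsigned char)expected[i];
        unsigned char s = (unsigned char)supplied[i];
        i++;
        if (e != s || e == '\0')
            return i;   /* decided: first mismatch, or both strings ended */
    }
}

/* Fixed-work comparison: every byte of the supplied string is processed and
 * mismatches are OR-ed into an accumulator, so there is no early exit and no
 * branch on the outcome.  Running time depends on the supplied length and the
 * expected length, never on which bytes match.  Returns 1 when equal. */
int password_equal_ct(const char *expected, const char *supplied)
{
    size_t elen = strlen(expected);
    size_t slen = strlen(supplied);
    /* Record a length mismatch in the accumulator instead of returning early. */
    volatile unsigned char diff = (unsigned char)(elen != slen);
    for (size_t i = 0; i < slen; i++) {
        /* Past the end of `expected`, compare the supplied byte with itself:
         * same work per byte, and the mismatch is already recorded above. */
        unsigned char e = (i < elen) ? (unsigned char)expected[i]
                                     : (unsigned char)supplied[i];
        diff |= (unsigned char)(e ^ (unsigned char)supplied[i]);
    }
    return diff == 0;
}

/* Work done by password_equal_ct(): one step per supplied byte, regardless of
 * how many leading bytes happen to match. */
size_t ct_compare_work(const char *expected, const char *supplied)
{
    (void)expected;
    return strlen(supplied);
}

int main(void)
{
    const char *secret = "s3cret";   /* constructed sample secret */
    const char *guesses[] = { "wrong!", "s3cxxx", "s3cret", "s3cretX" };
    for (size_t g = 0; g < sizeof guesses / sizeof guesses[0]; g++)
        printf("%-8s early-exit: equal=%d work=%zu   fixed: equal=%d work=%zu\n",
               guesses[g],
               password_equal_leaky(secret, guesses[g]),
               leaky_compare_work(secret, guesses[g]),
               password_equal_ct(secret, guesses[g]),
               ct_compare_work(secret, guesses[g]));
    return 0;
}
```

The remaining trade-off is deliberate: `password_equal_ct` still branches on the expected length, so it reveals how long the password is but not its contents, the same property most library constant-time compares have; comparing fixed-length digests of both sides (an HMAC of each) removes even that. The `volatile` accumulator discourages the compiler from short-circuiting the loop but does not guarantee it, so check the generated code in a release build.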
*(from redmine: issue id 8714, created on 2018-03-23, closed on 2018-03-29)*
* Relations:
* copied_to #8716
* child #8715
* child #8716
Francesco Colista

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8713
Abuild-tar strips necessary data on aarch64 (qemu) in some cases
2019-07-23T11:33:32Z algitbot

I tried to port a package using the arm64v8/alpine Docker image and
aarch64-static with binfmt configured.
Overall the build process was fine, except for the created .apk file for the
main package, which was 6 KiB in size and contained only one broken symlink
(*-dev, *-libs are OK).
I investigated it a bit and apparently `abuild-tar` is the problem here:
tarring the main package yields a 27.5 MiB file, and passing it through
`abuild-tar --hash` reduces it to 6 KiB (again, it works fine for *-dev
and *-libs).
Passing the same input to `abuild-tar --hash` on the x86_64 and armhf images
gives the correct result.
Because of the size I’m putting the affected example here:
https://github.com/mati865/abuild-tar-bug
*(from redmine: issue id 8713, created on 2018-03-23, closed on 2019-02-25)*
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8712
rt4 package built incorrectly
2019-07-23T11:33:33Z algitbot

The patch file
0001-email-allow-envelope-from-overriding-from-templates.patch applies
successfully, but results in RT being unable to function.
The root cause is that the $envelope_from variable is created in one
function and referenced in another. Somewhere between 4.2 and 4.4, RT
split the original function (SendEmail) into two functions, causing the
reference to be out of scope.
I’ve checked a few other distributions (ubuntu, debian, arch) and none
of them seem to have a similar patch, so it might be safe to just remove
it altogether.
To replicate:
```
$ docker run --rm -it alpine:3.7 sh -c "apk add --no-cache rt4 && rt-server"
```
Error message:
```
--snip--
[19] [Thu Mar 22 14:47:40 2018] [critical]: Global symbol "$envelope_from" requires explicit package name (did you forget to declare "my $envelope_from"?) at /usr/lib/rt4/RT/Interface/Email.pm line 758.
Type of arg 1 to RT::Util::safe_run_child must be block or sub {} (not reference constructor) at /usr/lib/rt4/RT/Interface/Email.pm line 1529, near "};"
--snip--
```
*(from redmine: issue id 8712, created on 2018-03-22, closed on 2019-05-03)*
* Changesets:
* Revision 8a968286ba9850a24c8244137f5bdca3f78cd893 by Kory Prince on 2018-03-26T07:26:06Z:
```
community/rt4: fix email patch for v4.4.2
Fixes #8712
```
* Revision f210d0d2cbfaa48511d81cb49a904c30de877e1b by Kory Prince on 2018-03-26T11:57:28Z:
```
community/rt4: fix email patch for v4.4.2
Fixes #8712
```
* Revision 9f80be0770ff7f3e644916d66abc1175d0265349 by Kory Prince on 2018-04-02T14:19:27Z:
```
community/rt4: quiet chomp warnings
Fixes #8712 #8738
```

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8711
mongodb 3.6.3-r0 fails because of wrong dependencies
2019-07-23T11:33:33Z algitbot

<code class="text">
# apk --no-cache add mongodb
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
so:libyaml-cpp.so.0.5 (missing):
required by: mongodb-3.6.3-r0[so:libyaml-cpp.so.0.5] mongodb-3.6.3-r0[so:libyaml-cpp.so.0.5]
mongodb-3.6.3-r0[so:libyaml-cpp.so.0.5] mongodb-3.6.3-r0[so:libyaml-cpp.so.0.5]
mongodb-3.6.3-r0[so:libyaml-cpp.so.0.5] mongodb-3.6.3-r0[so:libyaml-cpp.so.0.5]
</code>
The newest version of libyaml-cpp available is
https://pkgs.alpinelinux.org/package/edge/community/x86_64/yaml-cpp
(0.6.2-r0).
In my understanding just a rebuild of the package should solve this.
Thanks!
*(from redmine: issue id 8711, created on 2018-03-22, closed on 2019-05-03)*
* Changesets:
* Revision 0a97ca1dd931ba7fea161fb8d8debb64338afa46 by Natanael Copa on 2018-03-27T15:12:03Z:
```
community/mongodb: rebuild against yaml-cpp
fixes #8711
```

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8710
[3.4] tiff: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c (CVE-2018-5784)
2019-07-23T11:33:34Z Alicha CH

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
this vulnerability to cause a denial of service via a crafted tif file.
This occurs because the declared number of directory entries is not
validated against the actual number of directory entries.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2772
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
### Patch:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
*(from redmine: issue id 8710, created on 2018-03-22, closed on 2018-04-03)*
* Relations:
* copied_to #8705
* parent #8705
* Changesets:
* Revision e132e3f9bf008c2ec054305050040eb7d6958633 on 2018-04-02T17:36:52Z:
```
main/tiff: fix CVE-2018-5784
fixes #8710
```
3.4.7

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8709
[3.5] tiff: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c (CVE-2018-5784)
2019-07-23T11:33:35Z Alicha CH

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
this vulnerability to cause a denial of service via a crafted tif file.
This occurs because the declared number of directory entries is not
validated against the actual number of directory entries.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2772
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
### Patch:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
*(from redmine: issue id 8709, created on 2018-03-22, closed on 2018-04-03)*
* Relations:
* copied_to #8705
* parent #8705
* Changesets:
* Revision 39e7a41708bf7726f95f47c383c9af376504e3f7 on 2018-04-02T17:36:16Z:
```
main/tiff: fix CVE-2018-5784
fixes #8709
```
3.5.3

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8708
[3.6] tiff: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c (CVE-2018-5784)
2019-07-23T11:33:36Z Alicha CH

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
this vulnerability to cause a denial of service via a crafted tif file.
This occurs because the declared number of directory entries is not
validated against the actual number of directory entries.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2772
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
### Patch:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
*(from redmine: issue id 8708, created on 2018-03-22, closed on 2018-04-03)*
* Relations:
* copied_to #8705
* parent #8705
3.6.3

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8707
[3.7] tiff: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c (CVE-2018-5784)
2019-07-23T11:33:37Z Alicha CH

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
this vulnerability to cause a denial of service via a crafted tif file.
This occurs because the declared number of directory entries is not
validated against the actual number of directory entries.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2772
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
### Patch:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
*(from redmine: issue id 8707, created on 2018-03-22, closed on 2018-04-03)*
* Relations:
* copied_to #8705
* parent #8705
* Changesets:
* Revision d44bbad626a89045134ceddb388802b67aeb6cc3 on 2018-04-02T10:28:16Z:
```
main/tiff: fix CVE-2018-5784
fixes #8707
```
3.7.1

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8706
[3.8] tiff: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c (CVE-2018-5784)
2019-07-23T11:33:38Z Alicha CH

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
this vulnerability to cause a denial of service via a crafted tif file.
This occurs because the declared number of directory entries is not
validated against the actual number of directory entries.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2772
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
### Patch:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
*(from redmine: issue id 8706, created on 2018-03-22, closed on 2018-04-03)*
* Relations:
* copied_to #8705
* parent #8705
* Changesets:
* Revision 332be619a78433b9c764c24921ce1c65be925706 on 2018-04-02T10:23:45Z:
```
main/tiff: fix CVE-2018-5784
fixes #8706
```
3.8.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8705
tiff: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c (CVE-2018-5784)
2019-07-23T11:33:39Z Alicha CH

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
this vulnerability to cause a denial of service via a crafted tif file.
This occurs because the declared number of directory entries is not
validated against the actual number of directory entries.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2772
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
### Patch:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
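The check whose absence the description above points at, as an added example in C: a minimal reader for a TIFF file's first Image File Directory that refuses to trust the two-byte entry count until the entries it announces are actually present in the buffer. This is illustrative code, not LibTIFF's, and does not claim to mirror the referenced upstream commit; `build_tiff` constructs the sample files in memory (one well-formed, one declaring 65535 entries while shipping a single one):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibTIFF code: read a TIFF file's first IFD and refuse a
 * declared entry count that the file cannot actually hold. */

#define TIFF_HEADER_LEN    8
#define TIFF_IFD_ENTRY_LEN 12   /* tag(2) type(2) count(4) value/offset(4) */

typedef enum {
    IFD_OK = 0,
    IFD_ERR_SHORT_HEADER,   /* fewer than 8 bytes */
    IFD_ERR_BAD_MAGIC,      /* byte order not II/MM, or magic != 42 */
    IFD_ERR_OFFSET_OOB,     /* first-IFD offset points outside the file */
    IFD_ERR_COUNT_OOB       /* declared entries are not present in the file */
} ifd_status;

static uint16_t rd16(const uint8_t *p, int le)
{ return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]); }

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
              : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Locates the first IFD and stores its entry count in *count_out (may be
 * NULL), but only after checking that count*12 bytes of entries plus the
 * 4-byte next-IFD offset really exist inside the buffer. */
ifd_status tiff_first_ifd_count(const uint8_t *buf, size_t len, uint16_t *count_out)
{
    int le;
    if (len < TIFF_HEADER_LEN) return IFD_ERR_SHORT_HEADER;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return IFD_ERR_BAD_MAGIC;
    if (rd16(buf + 2, le) != 42) return IFD_ERR_BAD_MAGIC;
    uint32_t off = rd32(buf + 4, le);
    /* Room for the 2-byte count; widen before adding so a huge offset cannot wrap. */
    if (off < TIFF_HEADER_LEN || (uint64_t)off + 2 > len) return IFD_ERR_OFFSET_OOB;
    uint16_t n = rd16(buf + off, le);
    /* The validation the advisory says was missing: two bytes can declare up to
     * 65535 entries while the file carries none.  Sizing an allocation or a
     * loop from n before this check is the resource-consumption bug. */
    uint64_t need = (uint64_t)off + 2 + (uint64_t)n * TIFF_IFD_ENTRY_LEN + 4;
    if (need > len) return IFD_ERR_COUNT_OOB;
    if (count_out) *count_out = n;
    return IFD_OK;
}

/* Constructs a little-endian TIFF in `out`: header, then an IFD at offset 8 that
 * declares `declared` entries but contains `present` entries (ImageWidth=1,
 * type SHORT) and a zero next-IFD offset.  Returns the length, or 0 if `cap` is too small. */
size_t build_tiff(uint8_t *out, size_t cap, uint16_t declared, size_t present)
{
    size_t len = TIFF_HEADER_LEN + 2 + present * TIFF_IFD_ENTRY_LEN + 4;
    if (len > cap) return 0;
    memset(out, 0, len);
    out[0] = 'I'; out[1] = 'I';          /* little-endian byte order */
    out[2] = 42;                         /* magic 42, LE */
    out[4] = TIFF_HEADER_LEN;            /* first IFD directly after the header */
    out[8] = (uint8_t)(declared & 0xff);
    out[9] = (uint8_t)(declared >> 8);
    for (size_t i = 0; i < present; i++) {
        uint8_t *e = out + TIFF_HEADER_LEN + 2 + i * TIFF_IFD_ENTRY_LEN;
        e[1] = 0x01;                     /* tag 0x0100 ImageWidth */
        e[2] = 3;                        /* type SHORT */
        e[4] = 1;                        /* count 1 */
        e[8] = 1;                        /* value 1 */
    }
    return len;
}

/* Well-formed sample: declares three entries and ships three. */
int check_wellformed(void)
{
    uint8_t buf[64]; uint16_t n = 0;
    size_t len = build_tiff(buf, sizeof buf, 3, 3);
    return tiff_first_ifd_count(buf, len, &n) == IFD_OK && n == 3;
}

/* Crafted sample: declares 65535 entries and ships one. */
int check_crafted(void)
{
    uint8_t buf[64];
    size_t len = build_tiff(buf, sizeof buf, 0xffff, 1);
    return tiff_first_ifd_count(buf, len, NULL) == IFD_ERR_COUNT_OOB;
}

int main(void)
{
    printf("well-formed file accepted: %s\n", check_wellformed() ? "yes" : "no");
    printf("crafted file rejected:     %s\n", check_crafted() ? "yes" : "no");
    return 0;
}
```

The same rule applies to every length-prefixed structure in a file format: bound the declared count by what the remaining bytes can hold before using it to size an allocation or a loop, and do the offset arithmetic in a wider type so that offset + count * size cannot wrap.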
*(from redmine: issue id 8705, created on 2018-03-22, closed on 2018-04-03)*
* Relations:
* copied_to #8706
* copied_to #8707
* copied_to #8708
* copied_to #8709
* copied_to #8710
* child #8706
* child #8707
* child #8708
* child #8709
* child #8710

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8703
Latest curl package has mismatching curl/libcurl version
2019-07-15T00:28:49Z algitbot

The latest curl package (7.59.0) comes with a libcurl version (7.57.0)
that doesn’t match. They should be the same in order to work; with the
current published package it doesn’t work as expected.
I’m on Alpine 3.4.6.
OS version:
<code class="text">
/opt/app # cat /etc/alpine-release
3.4.6
/opt/app # uname -a
Linux ddd8585d376e 4.9.60-linuxkit-aufs #1 SMP Mon Nov 6 16:00:12 UTC 2017 x86_64 Linux
</code>
curl version output:
<code class="text">
/opt/app # curl -V
curl 7.59.0 (x86_64-alpine-linux-musl) libcurl/7.57.0 OpenSSL/1.0.2j zlib/1.2.8 libssh2/1.7.0
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy
</code>
Error occurring:
<code class="text">
/opt/app # curl -O https://bootstrap.pypa.io/get-pip.py
curl: (48) An unknown option was passed in to libcurl
</code>
Also created a curl issue first but we realised this lib mismatch seems
to be the error: https://github.com/curl/curl/issues/2413
Thanks
*(from redmine: issue id 8703, created on 2018-03-21)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8702
[3.7] firefox-esr: Multiple vulnerabilities (CVE-2018-5125, CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5145, CVE-2018-5147)
2019-07-23T11:33:40Z Alicha CH

CVE-2018-5125: Memory safety bugs
CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
CVE-2018-5129: Out-of-bounds write with malformed IPC messages
CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources
CVE-2018-5144: Integer overflow during Unicode conversion
CVE-2018-5145: Memory safety bugs
### Fixed In Version:
Firefox ESR 52.7
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/
CVE-2018-5147: Out of bounds memory write in libtremor
### Fixed In Version:
Firefox ESR 52.7.2
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
*(from redmine: issue id 8702, created on 2018-03-21, closed on 2018-04-03)*
* Relations:
* copied_to #8700
* parent #8700
* Changesets:
* Revision f8701de7f90a2ca4b4457a9607333faf24854030 on 2018-04-02T17:31:15Z:
```
main/tiff: fix CVE-2018-5784
fixes #8702
```
* Revision 92b326003a43c631a9045967db22285c744c8204 by Natanael Copa on 2018-04-02T18:28:39Z:
```
community/firefox-esr: security upgrade to 52.7.2
fixes #8702
CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR
52.7
CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
CVE-2018-5129: Out-of-bounds write with malformed IPC messages
CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
CVE-2018-5131: Fetch API improperly returns cached copies of
no-store/no-cache resources
CVE-2018-5144: Integer overflow during Unicode conversion
CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7
```
3.7.1
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8701
[3.8] firefox-esr: Multiple vulnerabilities (CVE-2018-5125, CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5145, CVE-2018-5147)
2019-07-23T11:33:41Z Alicha CH

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
CVE-2018-5129: Out-of-bounds write with malformed IPC messages
CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources
CVE-2018-5144: Integer overflow during Unicode conversion
CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7
### Fixed In Version:
Firefox ESR 52.7
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/
CVE-2018-5147: Out of bounds memory write in libtremor
### Fixed In Version:
Firefox ESR 52.7.2
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
*(from redmine: issue id 8701, created on 2018-03-21, closed on 2018-04-03)*
* Relations:
* copied_to #8700
* parent #8700
* Changesets:
* Revision 980fe9bdff6617cc00c5e0e2f5c1b254038ed4d2 by Natanael Copa on 2018-04-02T18:26:15Z:
```
community/firefox-esr: security upgrade to 52.7.2
fixes #8701
CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR
52.7
CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
CVE-2018-5129: Out-of-bounds write with malformed IPC messages
CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
CVE-2018-5131: Fetch API improperly returns cached copies of
no-store/no-cache resources
CVE-2018-5144: Integer overflow during Unicode conversion
CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7
```
3.8.0
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8700
firefox-esr: Multiple vulnerabilities (CVE-2018-5125, CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5145, CVE-2018-5147)
2019-07-23T11:33:42Z Alicha CH

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
CVE-2018-5129: Out-of-bounds write with malformed IPC messages
CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources
CVE-2018-5144: Integer overflow during Unicode conversion
CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7
### Fixed In Version:
Firefox ESR 52.7
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/
CVE-2018-5147: Out of bounds memory write in libtremor
### Fixed In Version:
Firefox ESR 52.7.2
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
*(from redmine: issue id 8700, created on 2018-03-21, closed on 2018-04-03)*
* Relations:
* duplicates #8818
* copied_to #8701
* copied_to #8702
* child #8701
* child #8702
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8698
gpsd: please provide the py-gps and py3-gps Python modules
2019-07-23T11:33:43Z Paride Legovini

Upstream gpsd includes a Python module which is currently not being
installed by the Alpine Linux gpsd package. Please do so, possibly
providing the py-gps and py3-gps packages. The Python code in gpsd is
compatible with both Python2 and Python3, as stated in the comment
headers:
# This code runs compatibly under Python 2 and 3.x for x >= 2.
*(from redmine: issue id 8698, created on 2018-03-20, closed on 2018-07-18)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8697
[3.4] clamav: Multiple vulnerabilities (CVE-2018-0202, CVE-2018-1000085)
2019-07-23T11:33:44Z Alicha CH

CVE-2018-0202: Out-of-bounds access in the PDF parser
-----------------------------------------------------
### Fixed In Version:
clamav 0.99.4
### References:
https://bugzilla.clamav.net/show_bug.cgi?id=11973
https://security-tracker.debian.org/tracker/CVE-2018-0202
CVE-2018-1000085: Out of bounds heap memory read in xar parser
--------------------------------------------------------------
ClamAV 0.99.3 contains an out-of-bounds heap memory read vulnerability in
the XAR parser, function xar_hash_check(), that can result in memory
contents being leaked, which may help in developing exploit chains.
This attack appears to be exploitable when the victim scans a crafted XAR
file.
### Fixed In Version:
clamav 0.99.4
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000085
http://www.openwall.com/lists/oss-security/2017/09/29/4
### Patch:
https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
*(from redmine: issue id 8697, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8693
* parent #8693
* Changesets:
* Revision daeca7a60515632355e7380ea79af439a01e2bb1 on 2018-04-11T18:27:13Z:
```
main/clamav: security upgrade 0.99.4
CVE-2018-0202, CVE-2018-1000085
Fixes #8697
```
3.4.7
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8696
[3.5] clamav: Multiple vulnerabilities (CVE-2018-0202, CVE-2018-1000085)
2019-07-23T11:33:45Z Alicha CH

CVE-2018-0202: Out-of-bounds access in the PDF parser
-----------------------------------------------------
### Fixed In Version:
clamav 0.99.4
### References:
https://bugzilla.clamav.net/show_bug.cgi?id=11973
https://security-tracker.debian.org/tracker/CVE-2018-0202
CVE-2018-1000085: Out of bounds heap memory read in xar parser
--------------------------------------------------------------
ClamAV 0.99.3 contains an out-of-bounds heap memory read vulnerability in
the XAR parser, function xar_hash_check(), that can result in memory
contents being leaked, which may help in developing exploit chains.
This attack appears to be exploitable when the victim scans a crafted XAR
file.
### Fixed In Version:
clamav 0.99.4
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000085
http://www.openwall.com/lists/oss-security/2017/09/29/4
### Patch:
https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
*(from redmine: issue id 8696, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8693
* parent #8693
* Changesets:
* Revision b4b20e148bb4cc6d70c787ff565bbc1dc3c33b95 on 2018-04-11T18:24:05Z:
```
main/clamav: security upgrade 0.99.4
CVE-2018-0202, CVE-2018-1000085
Fixes #8696
```
3.5.3
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8695
[3.6] clamav: Multiple vulnerabilities (CVE-2018-0202, CVE-2018-1000085)
2019-07-23T11:33:47Z Alicha CH

CVE-2018-0202: Out-of-bounds access in the PDF parser
-----------------------------------------------------
### Fixed In Version:
clamav 0.99.4
### References:
https://bugzilla.clamav.net/show_bug.cgi?id=11973
https://security-tracker.debian.org/tracker/CVE-2018-0202
CVE-2018-1000085: Out of bounds heap memory read in xar parser
--------------------------------------------------------------
ClamAV 0.99.3 contains an out-of-bounds heap memory read vulnerability in
the XAR parser, function xar_hash_check(), that can result in memory
contents being leaked, which may help in developing exploit chains.
This attack appears to be exploitable when the victim scans a crafted XAR
file.
### Fixed In Version:
clamav 0.99.4
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000085
http://www.openwall.com/lists/oss-security/2017/09/29/4
### Patch:
https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
*(from redmine: issue id 8695, created on 2018-03-20, closed on 2018-04-16)*
* Relations:
* copied_to #8693
* parent #8693
* Changesets:
* Revision 271f0c5a69090b247eb2e7dcf3297272c5e557d6 on 2018-04-11T18:19:15Z:
```
main/clamav: security upgrade 0.99.4
CVE-2018-0202, CVE-2018-1000085
Fixes #8695
```
3.6.3
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8694
[3.7] clamav: Multiple vulnerabilities (CVE-2018-0202, CVE-2018-1000085)
2019-07-23T11:33:48Z Alicha CH

CVE-2018-0202: Out-of-bounds access in the PDF parser
-----------------------------------------------------
### Fixed In Version:
clamav 0.99.4
### References:
https://bugzilla.clamav.net/show_bug.cgi?id=11973
https://security-tracker.debian.org/tracker/CVE-2018-0202
CVE-2018-1000085: Out of bounds heap memory read in xar parser
--------------------------------------------------------------
ClamAV 0.99.3 contains an out-of-bounds heap memory read vulnerability in
the XAR parser, function xar_hash_check(), that can result in memory
contents being leaked, which may help in developing exploit chains.
This attack appears to be exploitable when the victim scans a crafted XAR
file.
### Fixed In Version:
clamav 0.99.4
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000085
http://www.openwall.com/lists/oss-security/2017/09/29/4
### Patch:
https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
*(from redmine: issue id 8694, created on 2018-03-20, closed on 2018-04-12)*
* Relations:
* copied_to #8693
* parent #8693
* Changesets:
* Revision 46ab307937563eeb8acb82c3fa85fc67c712ec7f on 2018-04-11T18:15:28Z:
```
main/clamav: security upgrade 0.99.4
CVE-2018-0202, CVE-2018-1000085
Fixes #8694
```
3.7.1
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8693
clamav: Multiple vulnerabilities (CVE-2018-0202, CVE-2018-1000085)
2019-07-23T11:33:49Z Alicha CH

CVE-2018-0202: Out-of-bounds access in the PDF parser
-----------------------------------------------------
### Fixed In Version:
clamav 0.99.4
### References:
https://bugzilla.clamav.net/show_bug.cgi?id=11973
https://security-tracker.debian.org/tracker/CVE-2018-0202
CVE-2018-1000085: Out of bounds heap memory read in xar parser
--------------------------------------------------------------
ClamAV 0.99.3 contains an out-of-bounds heap memory read vulnerability in
the XAR parser, function xar_hash_check(), that can result in memory
contents being leaked, which may help in developing exploit chains.
This attack appears to be exploitable when the victim scans a crafted XAR
file.
### Fixed In Version:
clamav 0.99.4
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000085
http://www.openwall.com/lists/oss-security/2017/09/29/4
### Patch:
https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
*(from redmine: issue id 8693, created on 2018-03-20, closed on 2018-04-16)*
* Relations:
* copied_to #8694
* copied_to #8695
* copied_to #8696
* copied_to #8697
* child #8694
* child #8695
* child #8696
* child #8697
Carlo Landmeter