aports issues (https://gitlab.alpinelinux.org/alpine/aports/-/issues), feed updated 2019-07-23T14:06:57Z

Issue #3054: Alpine 3 OSPF protocol unrecognized
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3054 (updated 2019-07-23T14:06:57Z, author: Alessandro Musso)
```
rtr:/# iptable -A INPUT -p ospf -j ACCEPT
iptables v1.4.21: unknown protocol "ospf" specified
rtr:/# uname -rv
3.14.5-0-grsec #1-Alpine SMP Tue Jun 3 07:45:15 GMT 2014
rtr:/# apk version musl
Installed: Available:
musl-1.1.2-r0 = 1.1.2-r0
```
*(from redmine: issue id 3054, created on 2014-06-18, closed on 2014-06-26)*
Milestone: 3.0.1

Issue #3053: cvs version
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3053 (updated 2019-07-23T14:06:58Z, author: algitbot)
The cvs version in Alpine, cvs-1.12.13-r3 seems to hang in some
situations.
I don’t quite understand cvs versions, but 1.12 seems to be from the
non-stable branch, and 1.11.23 from
http://ftp.gnu.org/non-gnu/cvs/source/stable/1.11.23/ is as far as I
can see the latest stable version (and released later), and works
without problems (compiles fine with the patch from sabotage Linux
https://github.com/sabotage-linux/sabotage/blob/master/KEEP/cvs1.patch
).
for me this command line hangs and gdb is not very useful:
```
cvs -z3 -d :pserver:anoncvs@anoncvs.netbsd.org:/cvsroot checkout -P
src/build.sh src/Makefile src/Makefile.inc src/tools src/common
src/include src/share/mk src/etc/Makefile.params src/etc/master.passwd
src/etc/group src/lib/libc src/lib/libutil src/lib/librump
src/lib/librumpuser src/lib/librumpclient src/lib/librumphijack
src/lib/librumpdev src/lib/librumpnet src/lib/librumpvfs
src/external/bsd/flex src/external/bsd/mdocml src/external/bsd/byacc
src/external/cddl/osnet src/external/historical/nawk src/bin/cat
src/usr.bin/make src/usr.bin/xinstall src/usr.bin/config
src/usr.bin/mktemp src/usr.bin/sed src/usr.bin/tsort
src/usr.bin/lorder src/usr.bin/join src/usr.bin/cksum src/usr.bin/m4
src/usr.bin/mkdep src/usr.bin/Makefile.inc src/usr.bin/rpcgen
src/usr.bin/rump_server src/usr.bin/rump_allserver
src/usr.bin/rump_wmd src/usr.bin/stat src/usr.bin/shmif_dumpbus
src/usr.sbin/mtree !src/sys/arch src/sys src/sys/arch/amd64/include
src/sys/arch/amd64/amd64 src/sys/arch/amd64/Makefile
src/sys/arch/i386/include src/sys/arch/i386/i386
src/sys/arch/i386/Makefile src/sys/arch/x86/include
src/sys/arch/x86/x86 src/sys/arch/x86/Makefile
src/sys/arch/arm/include src/sys/arch/arm/arm
src/sys/arch/arm/Makefile src/sys/arch/evbarm/include
src/sys/arch/evbarm/evbarm src/sys/arch/evbarm/Makefile
src/sys/arch/sparc/include src/sys/arch/sparc/sparc
src/sys/arch/sparc/Makefile src/sys/arch/sparc64/include
src/sys/arch/sparc64/sparc64 src/sys/arch/sparc64/Makefile
src/sys/arch/powerpc/include src/sys/arch/powerpc/powerpc
src/sys/arch/powerpc/Makefile src/sys/arch/evbppc/include
src/sys/arch/evbppc/evbppc src/sys/arch/evbppc/Makefile
src/sys/arch/mips/include src/sys/arch/mips/mips
src/sys/arch/mips/Makefile src/sys/arch/evbmips/include
src/sys/arch/evbmips/evbmips src/sys/arch/evbmips/Makefile
src/sys/arch/arm/arm32 src/sys/arch/Makefile
```
Justin
*(from redmine: issue id 3053, created on 2014-06-17, closed on 2014-06-26)*
* Changesets:
* Revision 88d93b7f7c885b50d119e8163baa3b9fa95d76db by Timo Teräs on 2014-06-26T10:38:03Z:
```
main/cvs: downgrade to newest stable release 1.11.23
patch is from sabotage
use "apk upgrade -a" to allow downgrade
fixes #3053
(cherry picked from commit 83ffc4f50711f8ed4a73a0962ad0dcf9c5e89c7f)
```
Milestone: 3.0.1. Assignee: Natanael Copa.

Issue #3052: [v3.0] kernel: multiple issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3052 (updated 2019-07-23T14:06:59Z, author: Alexander Belous)
Multiple vulnerabilities were discovered and fixed in the Linux kernel:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2039
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3917
*(from redmine: issue id 3052, created on 2014-06-16, closed on 2017-05-17)*
* Relations:
* parent #3048
Milestone: 3.0.1. Assignee: Natanael Copa.

Issue #3008: util-linux chsh or is there an alternative
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3008 (updated 2019-07-23T11:40:53Z, author: algitbot)
Hi,
I’d like to have chsh or an alternative tool that give users a way to
change the shell. chsh seems to be provided with util-linux, but it’s
currently not enabled in the APKBUILD. I guess that’s because linux-pam
would become a dependency with --enable-chfn-chsh, but I’m not completely
confident that this is the case.
I’ve talked with barthalion in the IRC and he said I should create a
task here for it. Maybe it could be re-enabled.
Thank you.
*(from redmine: issue id 3008, created on 2014-06-07, closed on 2014-06-26)*
* Changesets:
* Revision db61b55e3528084f2bca9cf3807c1eec4e955421 by Natanael Copa on 2014-06-11T08:22:03Z:
```
main/util-linux: enable chsh
ref #3008
```
* Revision 94cd4e1bf8f3fbf320d6ed3a6101cf82aee6aec7 by Natanael Copa on 2014-06-26T10:31:42Z:
```
main/util-linux: enable chsh
fixes #3008
(cherry picked from commit db61b55e3528084f2bca9cf3807c1eec4e955421)
```
Milestone: 3.0.1

Issue #2984: Postgresql will not start
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2984 (updated 2019-07-23T14:08:03Z, author: Ted Trask)
Using alpine 3.0_rc3 (both with and without an upgrade from the
repositories), postgresql refuses to start:
```
localhost:~# apk add postgresql
(1/1) Installing postgresql (9.3.4-r0)
Executing busybox-1.22.1-r5.trigger
OK: 52 MiB in 50 packages
localhost:~# /etc/init.d/postgresql setup
* Creating a new PostgreSQL database cluster ...
mv /var/lib/postgresql/9.3/data/* /var/lib/postgresql/9.3/tmp
The files belonging to this database system will be owned by user
"postgres".
This user must also own the server process.
The database cluster will be initialized with locale "C.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /var/lib/postgresql/9.3/data ...
ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
creating configuration files ... ok
creating template1 database in /var/lib/postgresql/9.3/data/base/1 ...
ok
initializing pg_authid ... ok
initializing dependencies ... ok
creating system views ... ok
loading system objects' descriptions ... ok
creating collations ... sh: locale: not found
ok
No usable system locales were found.
Use the option "--debug" to see details.
creating conversions ... ok
creating dictionaries ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
loading PL/pgSQL server-side language ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok
copying template1 to postgres ... ok
syncing data to disk ... ok
WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
Success.
[ ok ]
localhost:~# /etc/init.d/postgresql start
* Caching service dependencies ... [ ok ]
* Starting PostgreSQL ...
pg_ctl: could not start server
Examine the log output.
* start-stop-daemon: failed to start `/usr/bin/pg_ctl'
* Check the log for a possible explanation of the above error.
* /var/lib/postgresql/9.3/data/postmaster.log [ !! ]
* ERROR: postgresql failed to start
localhost:~# cat /var/lib/postgresql/9.3/data/postmaster.log
invalid option -- -
Try "postgres --help" for more information.
localhost:~#
```
I also tried starting the server manually, and got the same basic
outcome:
```
localhost:/$ /usr/bin/pg_ctl start -s -w -t 10 -l
/var/lib/postgresql/9.3/data/postmaster.log -D
/var/lib/postgresql/9.3/data -o
--data-directory=/var/lib/postgresql/9.3/data
pg_ctl: could not start server
Examine the log output.
```
*(from redmine: issue id 2984, created on 2014-05-30, closed on 2014-06-26)*
* Changesets:
* Revision 8f9cc28a3ff039ab11211c58f014aa1a344f1b91 by Timo Teräs on 2014-06-04T13:52:42Z:
```
main/postgresql: remove invalid and redundant options from init.d
makes postgres start again. fixes #2984
```
Milestone: 3.0.1. Assignee: Natanael Copa.

Issue #2979: xl2tpd: does not build with musl
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2979 (updated 2019-07-23T14:08:08Z, author: Natanael Copa)
*(from redmine: issue id 2979, created on 2014-05-30, closed on 2014-06-26)*
* Changesets:
* Revision c1864fcef3de8a6b2e2410f52fd696ddc09aa9e6 on 2014-06-24T21:49:16Z:
```
main/xl2tpd: build fix for musl
ref #2979
```
* Revision c49ea5b19ccc757b9dcf976ba59325044755f0ba on 2014-06-24T21:51:19Z:
```
main/xl2tpd: build fix for musl
fixes #2979
```
Milestone: 3.0.1. Assignee: Natanael Copa.

Issue #2978: freeswitch: does not build with musl
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2978 (updated 2019-07-23T14:08:09Z, author: Natanael Copa)
*(from redmine: issue id 2978, created on 2014-05-30, closed on 2014-06-13)*
Milestone: 3.0.1. Assignee: Natanael Copa.

Issue #2974: hwclock starts even if removed from runlevel boot
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2974 (updated 2019-07-23T14:08:12Z, author: Carlo Landmeter)
rpi does not have rtc, so I needed to remove hwclock from runlevel, but
it still executes.
*(from redmine: issue id 2974, created on 2014-05-30, closed on 2014-05-30)*
Milestone: 3.0.1. Assignee: Natanael Copa.

Issue #2837: [3.x.x] Minor bugs in package xendomains
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2837 (updated 2019-07-23T14:10:14Z, author: Panthera Tigris)
On systems with a temp drive mounted to /var, the pygrub script will
crash due to the missing sub-folders straight after booting, issuing the
error message:
```
libxl: error: libxl_bootloader.c:364:libxl__bootloader_run: failed
to create bootloader dir /var/run/xen/bootloader.5.d: No such file or
directory
```
I recommend the following solution:
--- /etc/init.d/xendomains
+++ /etc/init.d/xendomains
@@ -72,0 +73 @@
+ checkpath -d -m 755 /var/run/xen
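Review bot: the hunk header `@@ -72,0 +73 @@` carries no context lines, so a reviewer cannot see which function of /etc/init.d/xendomains the new `checkpath -d -m 755 /var/run/xen` line lands in, nor whether it runs before the bootloader directory is first used; please regenerate the patch with context (`diff -u`) so the placement can be checked. Creating the directory from the init script also only helps if /var is already mounted when the script runs: on the systems described here, where a temp drive is mounted at /var, a later localmount would mount over the freshly created directory and reproduce the `bootloader.5.d` failure, so the service should additionally be ordered after localmount in its dependency block. The committed fix (revision 382912ec55c9dcf411764579a173eb0ece6d4445 below) does both: it starts xendomains after localmount and keeps the checkpath call as a safety net.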
Furthermore, xendomains requires Perl for script execution, which is not
stated as requirement in the corresponding APKBUILD of xendomain and
should therefore be added. It took me quite a while to figure out why
the domains wouldn’t start only to realize that Perl was not installed
on my test system. Adding Perl as requirement for xendomains will
prevent other users from making the same mistake.
*(from redmine: issue id 2837, created on 2014-04-11, closed on 2014-06-26)*
* Changesets:
* Revision 382912ec55c9dcf411764579a173eb0ece6d4445 by Natanael Copa on 2014-06-11T13:18:03Z:
```
main/xen: make sure /var/run/xen exists
- start xendomains after localmount so localmount does not mount over
our /var
- add checkpath to xendomains, just in case
ref #2837
```
* Revision f209a1ace87b04c5ecfb9b2c3ecc856b716ce83f by Natanael Copa on 2014-06-26T10:27:41Z:
```
main/xen: make sure /var/run/xen exists
- start xendomains after localmount so localmount does not mount over
our /var
- add checkpath to xendomains, just in case
fixes #2837
```
Milestone: 3.0.1. Assignee: Ariadne Conill (ariadne@ariadne.space).

Issue #2286: Midori crashes on x86
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2286 (updated 2019-07-23T14:18:17Z, author: freedomrun freedomrun)
message from /var/log/messages:
```
kern.alert kernel: [61351.312481] grsec: Illegal instruction occurred
at 3d52b015 in /usr/bin/midori[midori:4799] uid/euid:1002/1002
gid/egid:1002/1002, parent /bin/busybox[init:1] uid/euid:0/0
gid/egid:0/0
kern.alert kernel: [61351.312654] grsec: denied resource overstep by
requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/midori[midori:4799] uid/euid:1002/1002 gid/egid:1002/1002,
parent /bin/busybox[init:1] uid/euid:0/0 gid/egid:0/0
kern.alert kernel: [61429.066797] grsec: Illegal instruction occurred
at 380561d5 in /usr/bin/midori[midori:4855] uid/euid:1002/1002
gid/egid:1002/1002, parent /bin/busybox[init:1] uid/euid:0/0
gid/egid:0/0
kern.alert kernel: [61429.066972] grsec: denied resource overstep by
requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/midori[midori:4855] uid/euid:1002/1002 gid/egid:1002/1002,
parent /bin/busybox[init:1] uid/euid:0/0 gid/egid:0/0
```
*(from redmine: issue id 2286, created on 2013-10-17, closed on 2014-06-26)*
Milestone: 3.0.1. Assignee: Natanael Copa.

Issue #3259: [v3.0] cacti: multiple XSS vulnerabilities (CVE-2014-5025 CVE-2014-5026)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3259 (updated 2019-07-23T14:03:57Z, author: Alexander Belous)
XSS vulnerabilities disclosed in cacti.
Product version affected: cacti 0.8.8b.
Patch:
http://bugs.cacti.net/file_download.php?file_id=1125&type=bug
References:
http://bugs.cacti.net/view.php?id=2456
http://seclists.org/oss-sec/2014/q3/216
*(from redmine: issue id 3259, created on 2014-07-29, closed on 2014-08-22)*
* Relations:
* parent #3255
* Changesets:
* Revision cdbeb449d01875c26f923b2485c7f5e3598bf237 by Natanael Copa on 2014-07-30T10:24:55Z:
```
main/cacti: security fix for CVE-2014-5025,CVE-2014-5026
fixes #3259
```
Milestone: 3.0.2. Assignee: Jeff Bilyk (jbilyk@gmail.com).

Issue #3254: [v3.0] cups: incomplete fix for CVE-2014-3537 (CVE-2014-5029 CVE-2014-5030 CVE-2014-5031)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3254 (updated 2019-07-23T14:04:03Z, author: Alexander Belous)
Incomplete fix for CVE-2014-3537 (http://www.cups.org/str.php?L4450)
results in CVE-2014-5029/5030/5031.
Affected versions: could be CUPS before 1.7.4.
Patches are available for 2.0 and 1.7:
2.0: https://cups.org/strfiles.php/3370/str4455_v2.patch
1.7: https://cups.org/strfiles.php/3371/str4455-1.7.patch
References:
https://cups.org/str.php?L4455
http://seclists.org/oss-sec/2014/q3/220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
*(from redmine: issue id 3254, created on 2014-07-29, closed on 2014-08-22)*
* Relations:
* parent #3250
* Changesets:
* Revision 9f63973f52df08430f80a8f102b0a90341a2d3cc by Natanael Copa on 2014-07-29T14:11:20Z:
```
main/cups: security upgrade to 1.7.4 (CVE-2014-5029/5030/5031)
fixes #3254
```
Milestone: 3.0.2. Assignee: Natanael Copa.

Issue #3239: [v3.0] php: SPL Iterators use-after-free (CVE-2014-4670).
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3239 (updated 2019-07-23T14:04:15Z, author: Natanael Copa)
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL
component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact via
crafted iterator usage within applications in certain web-hosting
environments.
https://bugs.php.net/bug.php?id=67538
Affects only 5.5.x.
Upgrade to 5.5.15
*(from redmine: issue id 3239, created on 2014-07-25, closed on 2014-07-29)*
* Changesets:
* Revision 2ce571b88067a6a79a7623a780077988330d4261 by Natanael Copa on 2014-07-25T09:24:41Z:
```
main/php: security upgrade to 5.5.15 (CVE-2014-4670)
fixes #3239
```
Milestone: 3.0.2

Issue #3227: [v3.0] file: remote DoS (CVE-2014-3538)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3227 (updated 2019-07-23T14:04:22Z, author: Alexander Belous)
file before 5.19 does not properly restrict the amount of data read
during a regex search, which allows remote attackers to cause a denial
of service (CPU consumption) via a crafted file that triggers
backtracking during processing of an awk rule. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2013-7345.
* MLIST: [file] 20140612 file-5.19 is now available
* URL: http://mx.gw.com/pipermail/file/2014/001553.html
* MLIST: [oss-security] 20140630 changing CVE ID for RH Bugzilla 1098222 (from CVE-2014-0235)
* URL: http://openwall.com/lists/oss-security/2014/06/30/7
* CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1098222
* CONFIRM: https://github.com/file/file/commit/4a284c89d6ef11aca34da65da7d673050a5ea320
* CONFIRM: https://github.com/file/file/commit/69a5a43b3b71f53b0577f41264a073f495799610
* CONFIRM: https://github.com/file/file/commit/71a8b6c0d758acb0f73e2e51421a711b5e9d6668
* CONFIRM: https://github.com/file/file/commit/74cafd7de9ec99a14f4480927580e501c8f852c3
* CONFIRM: https://github.com/file/file/commit/758e066df72fb1ac08d2eea91ddc3973d259e991
*(from redmine: issue id 3227, created on 2014-07-21, closed on 2014-07-24)*
* Relations:
* parent #3223
* Changesets:
* Revision 1faa3f503104ad3e8cb9273cc73b15894e48c650 by Natanael Copa on 2014-07-21T16:57:01Z:
```
main/file: security upgrade to 5.19 (CVE-2014-3538)
fixes #3227
```
Milestone: 3.0.2. Assignee: Natanael Copa.

Issue #3222: [v3.0] php: multiple issues fixed in new 5.5.14
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3222 (updated 2019-07-23T14:04:27Z, author: Alexander Belous)
The PHP Development Team announces the immediate availability of PHP
5.5.14. This release fixes several bugs against PHP 5.5.13. Also, this
release fixes a total of 8 CVEs, half of them concerning the FileInfo
extension:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4698
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4670
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0207
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3478
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3479
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3480
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3487
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3515
References and downloads:
http://php.net/archive/2014.php#id2014-06-27-1
http://php.net/downloads.php
*(from redmine: issue id 3222, created on 2014-07-21, closed on 2014-07-24)*
* Relations:
* parent #3218
Milestone: 3.0.2. Assignee: Natanael Copa.

Issue #3212: [v3.0] krb5: remote DoS (CVE-2014-4341 CVE-2014-4342)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3212 (updated 2019-07-23T14:04:36Z, author: Alexander Belous)
MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause
a denial of service (buffer over-read and application crash) by
injecting invalid tokens into a GSSAPI application session
(CVE-2014-4341).
krb5 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause
a denial of service (buffer over-read or NULL pointer dereference, and
application crash) by injecting invalid tokens into a GSSAPI application
session (CVE-2014-4342).
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4341
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4342
Patch (fixes both issues):
https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
*(from redmine: issue id 3212, created on 2014-07-21, closed on 2014-07-24)*
* Relations:
* parent #3208
* Changesets:
* Revision 95f95cb860a4c60a7ea24ab181a6db5668693de4 by Natanael Copa on 2014-07-22T08:48:49Z:
```
main/krb5: security fix for CVE-2014-4341,CVE-2014-4342
fixes #3212
```
Milestone: 3.0.2. Assignee: Natanael Copa.

Issue #3207: [v3.0] apache2: multiple issues (CVE-2014-0117 CVE-2014-0118 CVE-2014-0226 CVE-2014-0231)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3207 (updated 2019-07-23T14:04:41Z, author: Alexander Belous)
The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10,
when a reverse proxy is enabled, allows remote attackers to cause a
denial of service (child-process crash) via a crafted HTTP Connection
header (CVE-2014-0117).
The deflate_in_filter function in mod_deflate.c in the mod_deflate
module in the Apache HTTP Server before 2.4.10, when request body
decompression is enabled, allows remote attackers to cause a denial of
service (resource consumption) via crafted request data that
decompresses to a much larger size (CVE-2014-0117).
Race condition in the mod_status module in the Apache HTTP Server
before 2.4.10 allows remote attackers to cause a denial of service
(heap-based buffer overflow), or possibly obtain sensitive credential
information or execute arbitrary code, via a crafted request that
triggers improper scoreboard handling within the status_handler
function in modules/generators/mod_status.c and the
lua_ap_scoreboard_worker function in modules/lua/lua_request.c
(CVE-2014-0226).
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not
have a timeout mechanism, which allows remote attackers to cause a
denial of service (process hang) via a request to a CGI script that does
not read from its stdin file descriptor (CVE-2014-0231).
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0117
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231
The latest version with the issues fixed:
http://httpd.apache.org/download.cgi#apache24
*(from redmine: issue id 3207, created on 2014-07-21, closed on 2014-07-24)*
* Relations:
* parent #3203
* Changesets:
* Revision ca0e870c60ad78ba2a6ce5eb3b5cc9b4e8ed4844 by Natanael Copa on 2014-07-22T08:28:12Z:
```
main/apache2: security upgrade to 2.4.10 (CVE-2014-0117,CVE-2014-0118,CVE-2014-0226,CVE-2014-0231)
fixes #3207
```
Milestone: 3.0.2. Assignee: Natanael Copa.

Issue #3201: [v3.0] phpmyadmin: multiple issues (CVE-2014-4987 CVE-2014-4986 CVE-2014-4955 CVE-2014-4954)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3201 (updated 2019-07-23T14:04:46Z, author: Alexander Belous)
CVE-2014-4987:
An unprivileged user could view the MySQL user list and manipulate the
tabs displayed in phpMyAdmin for them. This vulnerability can be
triggered only by someone who is logged in to phpMyAdmin, as the usual
token protection prevents non-logged-in users from accessing the
required pages. Moreover, the configuration storage must be set up for
the user groups feature.
Affected Versions: versions 4.1.x (prior to 4.1.14.2) and 4.2.x (prior
to 4.2.6); so only Alpine Linux v3.0 is affected.
Solution: upgrade to phpMyAdmin 4.1.14.2 or newer, or 4.2.6 or newer, or
apply the patch:
4.2 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/395265e9937beb21134626c01a21f44b28e712e5
4.1 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/45550b8cff06ad128129020762f9b53d125a6934
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php
CVE-2014-4986:
With a crafted column name it is possible to trigger an XSS when
dropping the column in table structure page. With a crafted table name
it is possible to trigger an XSS when dropping or truncating the table
in table operations page. This vulnerability can be triggered only by
someone who is logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required pages.
Affected Versions: versions 4.0.x (prior to 4.0.10.1), 4.1.x (prior to
4.1.14.2) and 4.2.x (prior to 4.2.6); so Alpine Linux v3.0, v2.7, v2.6
are affected.
Solution: upgrade to phpMyAdmin 4.0.10.1 or newer, or 4.1.14.2 or newer,
or 4.2.6 or newer, or apply the patch:
4.2 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/29a1f56495a7d1d98da31a614f23c0819a606a4d
4.1 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/cd5697027a2ee7e1f7d7000b23be6051cdb0516c
4.0 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/a92753bd65e1f8b72c46ed3dda6c362628e0daf7
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php
CVE-2014-4955:
When navigating into the database triggers page, it is possible to
trigger an XSS with a crafted trigger name. This vulnerability can be
triggered only by someone who is logged in to phpMyAdmin, as the usual
token protection prevents non-logged-in users from accessing the
required page.
Affected Versions: versions 4.0.x (prior to 4.0.10.1), 4.1.x (prior to
4.1.14.2) and 4.2.x (prior to 4.2.6); so Alpine Linux v3.0, v2.7, v2.6
are affected.
Solution: upgrade to phpMyAdmin 4.0.10.1 or newer, or 4.1.14.2 or newer,
or 4.2.6 or newer, or apply the patch:
4.2 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/10014d4dc596b9e3a491bf04f3e708cf1887d5e1
4.1 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/511c596b175889b8e6b9c423e352ca64fa20af2b
4.0 branch:
https://github.com/phpmyadmin/phpmyadmin/commit/1b5592435617fa1b9dd68e2dc263de64c69fdc8a
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php
CVE-2014-4954:
With a crafted table comment, it is possible to trigger an XSS in
database structure page. This vulnerability can be triggered only by
someone who is logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required page.
Affected Versions: versions 4.2.x (prior to 4.2.6); so only Alpine Linux
v3.0 is affected.
Solution: upgrade to phpMyAdmin 4.2.6 or newer, or apply the patch:
https://github.com/phpmyadmin/phpmyadmin/commit/57475371a5b515c83bfc1bb2efcdf3ddb14787ed
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php
*(from redmine: issue id 3201, created on 2014-07-21, closed on 2014-07-24)*
* Relations:
* parent #3198
* Changesets:
* Revision a68e62dc417d84943621aa3a8f173b4c9d1d1384 by Natanael Copa on 2014-07-22T08:54:39Z:
```
main/phpmyadmin: security upgrade to 4.2.6 (CVE-2014-4987,CVE-2014-4986,CVE-2014-4955,CVE-2014-4954)
fixes #3201
```
Milestone: 3.0.2. Assignee: Natanael Copa.

Issue #3194: [v3.0] perl-email-address: inefficient regular expressions could cause DoS (CVE-2014-0477 CVE-2014-4720)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3194 (updated 2019-07-23T14:04:54Z, author: Alexander Belous)
The parse function in Email::Address module before 1.905 for Perl uses
an inefficient regular expression, which allows remote attackers to
cause a denial of service (CPU consumption) via an empty quoted string
in an RFC 2822 address (CVE-2014-0477).
References:
* MLIST: [oss-security] 20140618 CVE-2014-0477: Email::Address: Denial-of-Service in Email::Address::parse
* URL: http://seclists.org/oss-sec/2014/q2/563
* CONFIRM: https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5
Email::Address module before 1.904 for Perl uses an inefficient regular
expression, which allows remote attackers to cause a denial of service
(CPU consumption) via vectors related to “backtracking into the phrase”
(CVE-2014-4720).
References:
* MLIST: [oss-security] 20140614 CVE-2014-0477: Email::Address: Denial-of-Service in Email::Address::parse
* URL: http://seclists.org/oss-sec/2014/q2/563
* CONFIRM: https://github.com/rjbs/Email-Address/blob/master/Changes
*(from redmine: issue id 3194, created on 2014-07-18, closed on 2014-07-21)*
* Relations:
* parent #3190
* Changesets:
* Revision bc8efb9ddc35c480c2a251347e7537fbc91692bb by Natanael Copa on 2014-07-21T09:33:26Z:
```
main/perl-email-address: security upgrade to 1.905 (CVE-2014-0477,CVE-2014-4720)
fixes #3194
```
Milestone: 3.0.2. Assignee: Natanael Copa.

Issue #3188: [v3.0] mysql: SRINFOSC and SRCHAR related issues (CVE-2014-4258 CVE-2014-4260)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3188 (updated 2019-07-23T14:04:59Z, author: Alexander Belous)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL
5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated
users to affect confidentiality, integrity, and availability via vectors
related to SRINFOSC (CVE-2014-4258):
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows
unauthorized modification; Allows disruption of service
Unspecified vulnerability in the MySQL Server component in Oracle MySQL
5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated
users to affect integrity and availability via vectors related to SRCHAR
(CVE-2014-4260):
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Required to exploit
Impact Type: Allows unauthorized modification; Allows disruption of
service
New version 5.5.38 is available.
References:
CONFIRM:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
DOWNLOAD: ftp://sunsite.icm.edu.pl/pub/unix/mysql/Downloads/MySQL-5.5/
*(from redmine: issue id 3188, created on 2014-07-18, closed on 2014-07-21)*
* Relations:
* parent #3184
* Changesets:
* Revision aa791b7797dbf40f26ee41e708311f424088c2a0 by Natanael Copa on 2014-07-21T09:49:10Z:
```
main/mysql: security upgrade to 5.5.38 (CVE-2014-4258,CVE-2014-4260)
fixes #3188
```
Milestone: 3.0.2. Assignee: Natanael Copa.