aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-23T11:10:51Z

Issue #10353: Provide a default static() function for packaging static libraries
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10353
Author: Leo
Updated: 2019-07-23T11:10:51Z

Static libraries are generally kept inside -dev() packages but it is not
an optimal solution [1][2], so $pkgname-static is preferred instead.
Have abuild provide a default static() function for $pkgname-static
packages.
Things to keep in mind:
- modify dev() to not add static libraries if $pkgname-static is
present, or not add them at all
- Add code to check for '.a' and warn the user for the need of adding
$pkgname-static
[1]
https://github.com/alpinelinux/aports/pull/7299#pullrequestreview-231006771
[2]
https://github.com/alpinelinux/aports/pull/7300#issuecomment-486952274
*(from redmine: issue id 10353, created on 2019-04-26, closed on 2019-06-19)*
Assignee: Natanael Copa

Issue #10354: postgresql-client: SIGSEGV with libedit when pasting long lines
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10354
Author: João Vieira
Updated: 2022-02-21T22:09:07Z

It seems alpine postgresql-client is being compiled against libedit
instead of readline. I am getting some SIGSEGV when pasting long lines
and getting the string `_HiStOrY_V2_` on my history randomly.
See:
https://www.postgresql.org/message-id/opsdtodlpwg2z5qo%40relay.plus.net
*(from redmine: issue id 10354, created on 2019-04-26)*
Assignee: Jakub Jirutka

Issue #10355: acme.sh: add openssl dependency
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10355
Author: Paul Gauret
Updated: 2019-07-23T11:10:50Z

The acme.sh package (currently in edge/testing) needs the 'openssl'
binary command to operate.
Please add as a package dependency.
*(from redmine: issue id 10355, created on 2019-04-27, closed on 2019-06-19)*

Issue #10356: sudo do not respect environment variables for proxy
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10356
Author: Oleg Titov
Updated: 2023-02-07T14:59:11Z

I have a setup with proxy enabled. Everything works fine in root shell
and for ordinary user.
Running `sudo` brings problems as the corresponding proxy environment
variables are not exported right.
To reproduce the problem I experience, enable the proxy and run `sudo wget
www.google.com`; it should block.
Typical problematic use cases are:
1. sudo apk update|upgrade|add
2. abuild -r
In both cases any web operations will be blocked as the proxy
configuration is missed.
A temporary workaround could be to use `sudo -E`. I was suggested to
edit /etc/sudoers to include http_proxy variables.
I consider that setup-proxy could take care of this.
*(from redmine: issue id 10356, created on 2019-04-28)*
Assignee: Natanael Copa

Issue #10357: stardict unconditionally depends on long deprecated gconf-dev
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10357
Author: Leo
Updated: 2019-07-14T01:44:40Z

*(from redmine: issue id 10357, created on 2019-04-28)*
Assignee: Natanael Copa

Issue #10359: Add WebP support for graphicsmagick
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10359
Author: Fumihiro Xue
Updated: 2019-07-23T11:10:49Z

Add WebP support for current graphicsmagick package or create a new
graphicsmagick-webp package
*(from redmine: issue id 10359, created on 2019-04-28, closed on 2019-06-19)*
* Changesets:
  * Revision ea7dc0fe9bd64bc29fcef24eaf832716b09ec8b3 by Leo Leo on 2019-05-06T12:30:14Z:
```
community/graphicsmagick: add webp support

fixes #10359
```

Issue #10360: libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10360
Author: Alicha CH
Updated: 2019-07-23T11:10:48Z

A vulnerability was found in libpng 1.6.36. The function png_image_free
in png.c has a use-after-free because png_image_free_function is called
under png_safe_execute.
This flaw is in the PNG Simplified API, which was introduced upstream in
libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10360, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
  * child #10361
  * child #10362
  * child #10363
  * child #10364
  * child #10365
Assignee: Natanael Copa

Issue #10361: [3.10] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10361
Author: Alicha CH
Updated: 2019-07-23T11:10:47Z

A vulnerability was found in libpng 1.6.36. The function png_image_free
in png.c has a use-after-free because png_image_free_function is called
under png_safe_execute.
This flaw is in the PNG Simplified API, which was introduced upstream in
libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10361, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
  * parent #10360
Milestone: 3.10.0
Assignee: Natanael Copa

Issue #10362: [3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10362
Author: Alicha CH
Updated: 2019-07-23T11:10:46Z

A vulnerability was found in libpng 1.6.36. The function png_image_free
in png.c has a use-after-free because png_image_free_function is called
under png_safe_execute.
This flaw is in the PNG Simplified API, which was introduced upstream in
libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10362, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
  * parent #10360
* Changesets:
  * Revision c6ea56540262710775618c19e90adbe0e1177be3 by Leo Leo on 2019-05-06T07:42:25Z:
```
main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev
- Split $pkgname-static

fixes #10362
```
Milestone: 3.9.4
Assignee: Natanael Copa

Issue #10363: [3.8] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10363
Author: Alicha CH
Updated: 2019-07-23T11:10:45Z

A vulnerability was found in libpng 1.6.36. The function png_image_free
in png.c has a use-after-free because png_image_free_function is called
under png_safe_execute.
This flaw is in the PNG Simplified API, which was introduced upstream in
libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10363, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
  * parent #10360
* Changesets:
  * Revision aca534846f09aee2bd3cbccdbbeb49277730af57 by Leo Leo on 2019-05-06T08:38:54Z:
```
main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev

fixes #10363
```
Milestone: 3.8.5
Assignee: Natanael Copa

Issue #10364: [3.7] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10364
Author: Alicha CH
Updated: 2019-07-23T11:10:43Z

A vulnerability was found in libpng 1.6.36. The function png_image_free
in png.c has a use-after-free because png_image_free_function is called
under png_safe_execute.
This flaw is in the PNG Simplified API, which was introduced upstream in
libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10364, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
  * parent #10360
* Changesets:
  * Revision 7343860d339ba29c5188614207d226094fbf746b by Leo Leo on 2019-05-06T08:41:55Z:
```
main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev

fixes #10364
```
Milestone: 3.7.4
Assignee: Natanael Copa

Issue #10365: [3.6] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10365
Author: Alicha CH
Updated: 2019-07-23T11:10:42Z

A vulnerability was found in libpng 1.6.36. The function png_image_free
in png.c has a use-after-free because png_image_free_function is called
under png_safe_execute.
This flaw is in the PNG Simplified API, which was introduced upstream in
libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10365, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
  * parent #10360
* Changesets:
  * Revision 64ccf246bf0c9f29e14017895a65cd46f68c36af by Leo Leo on 2019-05-06T08:44:30Z:
```
main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev

fixes #10365
```
Milestone: 3.6.6
Assignee: Natanael Copa

Issue #10366: bind: Multiple vulnerabilities (CVE-2018-5743, CVE-2019-6467)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10366
Author: Alicha CH
Updated: 2019-07-23T11:10:41Z

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
---------------------------------------------------------------
By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
CVE-2019-6467: flaw in nxredirect can cause assertion failure
-------------------------------------------------------------
A programming error in the nxdomain-redirect feature can cause an
assertion failure in query.c if the alternate namespace used by
nxdomain-redirect is a descendant of a zone that is served locally.
The most likely scenario where this might occur is if the server, in
addition to performing NXDOMAIN redirection for recursive clients, is
also serving a local copy of the root zone or using mirroring
to provide the root zone, although other configurations are also
possible.
### Affected Versions:
BIND 9.12.0 -> 9.12.4, 9.14.0. Also affects all releases in the 9.13
development branch.
### Fixed In Version:
bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2019-6467
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10366, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
  * child #10367
  * child #10368
  * child #10369
  * child #10370
  * child #10371
Assignee: Natanael Copa

Issue #10367: [3.10] bind: Multiple vulnerabilities (CVE-2018-5743, CVE-2019-6467)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10367
Author: Alicha CH
Updated: 2019-07-23T11:10:40Z

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
---------------------------------------------------------------
By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
CVE-2019-6467: flaw in nxredirect can cause assertion failure
-------------------------------------------------------------
A programming error in the nxdomain-redirect feature can cause an
assertion failure in query.c if the alternate namespace used by
nxdomain-redirect is a descendant of a zone that is served locally.
The most likely scenario where this might occur is if the server, in
addition to performing NXDOMAIN redirection for recursive clients, is
also serving a local copy of the root zone or using mirroring
to provide the root zone, although other configurations are also
possible.
### Affected Versions:
BIND 9.12.0 -> 9.12.4, 9.14.0. Also affects all releases in the 9.13
development branch.
### Fixed In Version:
bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2019-6467
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10367, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
  * parent #10366
* Changesets:
  * Revision 4a3cd5e69c83561fa3b30cf07f92104a81cdbac6 by Chris Ely on 2019-04-30T12:38:37Z:
```
main/bind: security upgrade to 9.14.1

- CVE-2019-6467
- CVE-2018-5743

fixes #10367
```
Milestone: 3.10.0
Assignee: Natanael Copa

Issue #10368: [3.9] bind: Multiple vulnerabilities (CVE-2018-5743, CVE-2019-6467)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10368
Author: Alicha CH
Updated: 2019-07-23T11:10:38Z

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
---------------------------------------------------------------
By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
CVE-2019-6467: flaw in nxredirect can cause assertion failure
-------------------------------------------------------------
A programming error in the nxdomain-redirect feature can cause an
assertion failure in query.c if the alternate namespace used by
nxdomain-redirect is a descendant of a zone that is served locally.
The most likely scenario where this might occur is if the server, in
addition to performing NXDOMAIN redirection for recursive clients, is
also serving a local copy of the root zone or using mirroring
to provide the root zone, although other configurations are also
possible.
### Affected Versions:
BIND 9.12.0 -> 9.12.4, 9.14.0. Also affects all releases in the 9.13
development branch.
### Fixed In Version:
bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2019-6467
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10368, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
  * parent #10366
* Changesets:
  * Revision 06bfe718fd41663cb0f35a441af82a32ca3ec15b by Natanael Copa on 2019-05-02T11:51:29Z:
```
main/bind: security upgrade to 9.12.4_p1 (CVE-2018-5743,CVE-2019-6467)

This release introduced 3 new tools with python dependency
(dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools
to a subpackage, bind-dnssec-tools, to avoid unexpectedly pulling in python
as a dependency for stable upgraders.

There are other tools in bind-tools that belong to bind-dnssec-tools,
but we don't move those in a stable branch to avoid breaking things for
current users.

fixes #10368
```
Milestone: 3.9.4
Assignee: Natanael Copa

Issue #10369: [3.8] bind: Multiple vulnerabilities (CVE-2018-5743, CVE-2019-6467)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10369
Author: Alicha CH
Updated: 2019-07-23T11:10:37Z

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
---------------------------------------------------------------
By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
CVE-2019-6467: flaw in nxredirect can cause assertion failure
-------------------------------------------------------------
A programming error in the nxdomain-redirect feature can cause an
assertion failure in query.c if the alternate namespace used by
nxdomain-redirect is a descendant of a zone that is served locally.
The most likely scenario where this might occur is if the server, in
addition to performing NXDOMAIN redirection for recursive clients, is
also serving a local copy of the root zone or using mirroring
to provide the root zone, although other configurations are also
possible.
### Affected Versions:
BIND 9.12.0 -> 9.12.4, 9.14.0. Also affects all releases in the 9.13
development branch.
### Fixed In Version:
bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2019-6467
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10369, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
  * parent #10366
* Changesets:
  * Revision 9308e5b9ccb34e36206ae4390d0c6b06c46e06d2 by Natanael Copa on 2019-05-02T12:57:51Z:
```
main/bind: security upgrade to 9.12.4_p1 (CVE-2018-5743,CVE-2019-6467)

This release introduced 3 new tools with python dependency
(dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools
to a subpackage, bind-dnssec-tools, to avoid unexpectedly pulling in python
as a dependency for stable upgraders.

There are other tools in bind-tools that belong to bind-dnssec-tools,
but we don't move those in a stable branch to avoid breaking things for
current users.

Include patch to fix build on non-x86:
https://gitlab.isc.org/isc-projects/bind9/commit/d72f436b7d7c697b262968c48c2d7643069ab17f
https://lists.isc.org/pipermail/bind-users/2019-April/101673.html

fixes #10369
```
Milestone: 3.8.5
Assignee: Natanael Copa

Issue #10370: [3.7] bind: Limiting simultaneous TCP clients is ineffective (CVE-2018-5743)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10370
Author: Alicha CH
Updated: 2019-07-23T11:10:37Z

By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10370, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
  * parent #10366
* Changesets:
  * Revision 935add8c0f7f6c11b2382695b3369beb40d3618c by Natanael Copa on 2019-05-03T06:33:15Z:
```
main/bind: security upgrade to 9.11.6_p1 (CVE-2018-5743,CVE-2019-6467)

This release introduced 3 new tools with python dependency
(dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools
to a subpackage, bind-dnssec-tools, to avoid unexpectedly pulling in python
as a dependency for stable upgraders.

There are other tools in bind-tools that belong to bind-dnssec-tools,
but we don't move those in a stable branch to avoid breaking things for
current users.

Include patch to fix build on non-x86:
https://gitlab.isc.org/isc-projects/bind9/commit/d72f436b7d7c697b262968c48c2d7643069ab17f
https://lists.isc.org/pipermail/bind-users/2019-April/101673.html

fixes #10370
```
Milestone: 3.7.4
Assignee: Natanael Copa

Issue #10371: [3.6] bind: Limiting simultaneous TCP clients is ineffective (CVE-2018-5743)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10371
Author: Alicha CH
Updated: 2019-07-23T11:10:35Z

By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10371, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
  * parent #10366
* Changesets:
  * Revision aae4252e693b8d9f14125c4ec15b1bd746895f39 by Natanael Copa on 2019-05-03T08:02:54Z:
```
main/bind: security upgrade to 9.11.6_p1 (CVE-2018-5743,CVE-2019-6467)

This release introduced 3 new tools with python dependency
(dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools
to a subpackage, bind-dnssec-tools, to avoid unexpectedly pulling in python
as a dependency for stable upgraders.

There are other tools in bind-tools that belong to bind-dnssec-tools,
but we don't move those in a stable branch to avoid breaking things for
current users.

Include patch to fix build on non-x86:
https://gitlab.isc.org/isc-projects/bind9/commit/d72f436b7d7c697b262968c48c2d7643069ab17f
https://lists.isc.org/pipermail/bind-users/2019-April/101673.html

fixes #10371
```
Milestone: 3.6.6
Assignee: Natanael Copa

Issue #10375: [3.8] mercurial: Path-checking logic bypass via symlinks and subrepositories (CVE-2019-3902)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10375
Author: Alicha CH
Updated: 2019-07-23T10:32:32Z

A flaw was found in Mercurial before 4.9. It was possible to use
symlinks and subrepositories to defeat Mercurial's path-checking logic
and write files outside a repository.
This issue affects Mercurial versions from 1.5.3 up to 4.8.2.
### Fixed In Version:
mercurial 4.9
### References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
https://nvd.nist.gov/vuln/detail/CVE-2019-3902
### Patches:
https://www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd
https://www.mercurial-scm.org/repo/hg/rev/31286c9282df
https://www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0
*(from redmine: issue id 10375, created on 2019-04-29)*
* Relations:
  * parent #10372
Milestone: 3.8.5
Assignee: Leo

Issue #10376: [3.7] mercurial: Path-checking logic bypass via symlinks and subrepositories (CVE-2019-3902)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10376
Author: Alicha CH
Updated: 2019-07-23T10:32:33Z

A flaw was found in Mercurial before 4.9. It was possible to use
symlinks and subrepositories to defeat Mercurial's path-checking logic
and write files outside a repository.
This issue affects Mercurial versions from 1.5.3 up to 4.8.2.
### Fixed In Version:
mercurial 4.9
### References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
https://nvd.nist.gov/vuln/detail/CVE-2019-3902
### Patches:
https://www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd
https://www.mercurial-scm.org/repo/hg/rev/31286c9282df
https://www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0
*(from redmine: issue id 10376, created on 2019-04-29)*
* Relations:
* parent #103723.7.4LeoLeohttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10378certbot in edge requires py3-urllib version older than current2019-07-23T11:10:35ZEdward Wcertbot in edge requires py3-urllib version older than currentAs of 4/29 in edge, ‘py3-urllib3’ is at version 1.25.1. The package
‘certbot’ requires a urllib3 version >= 1.21.1 and < 1.25, which
means this update has broken certbot.
=
OUTPUT
=
:~$ sudo apk add certbot
(1/33) Installing py...As of 4/29 in edge, ‘py3-urllib3’ is at version 1.25.1. The package
‘certbot’ requires a urllib3 version >= 1.21.1 and < 1.25, which
means this update has broken certbot.
= OUTPUT =

```text
:~$ sudo apk add certbot
(1/33) Installing py3-setuptools (40.8.0-r1)
(2/33) Installing py3-cparser (2.19-r2)
(3/33) Installing py3-cffi (1.11.5-r4)
(4/33) Installing py3-idna (2.8-r1)
(5/33) Installing py3-asn1crypto (0.24.0-r1)
(6/33) Installing py3-six (1.12.0-r1)
(7/33) Installing py3-cryptography (2.6.1-r1)
(8/33) Installing py3-pbr (5.2.0-r0)
(9/33) Installing py3-mock (2.0.0-r4)
(10/33) Installing py3-openssl (19.0.0-r0)
(11/33) Installing py3-josepy (1.1.0-r1)
(12/33) Installing py3-tz (2018.9-r1)
(13/33) Installing py3-rfc3339 (1.1-r1)
(14/33) Installing py-requests (2.21.0-r2)
(15/33) Installing py3-chardet (3.0.4-r1)
(16/33) Installing py3-certifi (2019.3.9-r0)
(17/33) Installing py3-urllib3 (1.25.1-r0)
(18/33) Installing py3-requests (2.21.0-r2)
(19/33) Installing py3-requests-toolbelt (0.8.0-r1)
(20/33) Installing py3-acme (0.33.1-r1)
(21/33) Installing py3-argparse (1.4.0-r3)
(22/33) Installing py3-configargparse (0.14.0-r1)
(23/33) Installing py3-configobj (5.0.6-r4)
(24/33) Installing py3-future (0.17.1-r0)
(25/33) Installing py3-parsedatetime (2.4-r4)
(26/33) Installing py3-zope-interface (4.6.0-r1)
(27/33) Installing py3-zope-proxy (4.3.1-r1)
(28/33) Installing py3-zope-deferredimport (4.3-r1)
(29/33) Installing py3-zope-deprecation (4.4.0-r1)
(30/33) Installing py3-zope-event (4.4-r1)
(31/33) Installing py3-zope-hookable (4.2.0-r1)
(32/33) Installing py3-zope-component (4.5-r2)
(33/33) Installing certbot (0.33.1-r1)
Executing busybox-1.30.1-r1.trigger
OK: 204 MiB in 116 packages
:~$ sudo certbot
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 583, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 900, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 791, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (urllib3 1.25.1 (/usr/lib/python3.7/site-packages), Requirement.parse('urllib3<1.25,>=1.21.1'), {'requests'})

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3191, in <module>
    @_call_aside
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3175, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3204, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 585, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 598, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/lib/python3.7/site-packages/pkg_resources/__init__.py", line 786, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'urllib3<1.25,>=1.21.1' distribution was not found and is required by requests
```
*(from redmine: issue id 10378, created on 2019-04-29, closed on 2019-06-19)*
* Changesets:
* Revision acca60d0c4ddde0d324a68bdfa2fe455cc187855 by prs pkt on 2019-05-01T06:43:11Z:
```
main/py-requests: upgrade support for urllib3 1.25
Fixes #10378
```

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10379
Title: Numpy illegal operation crash due to openblas
Updated: 2019-07-23T11:10:34Z
Author: Aleks Bunin

Recently I’ve upgraded my system to iMac Pro, which has Skylake CPU and
one of the tests started to fail.
Reproducing code example:

```python
>>> from numpy import array
>>> x = array([1.,2.,3.,4.])
>>> x.dot(x)
Illegal instruction
```
Now, more detailed log:
```text
$ docker run -it --rm alpine:3.9
/ # apk add python3 py3-numpy
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/16) Installing libgcc (8.3.0-r0)
(2/16) Installing libquadmath (8.3.0-r0)
(3/16) Installing libgfortran (8.3.0-r0)
(4/16) Installing openblas (0.3.3-r2)
(5/16) Installing libbz2 (1.0.6-r6)
(6/16) Installing expat (2.2.6-r0)
(7/16) Installing libffi (3.2.1-r6)
(8/16) Installing gdbm (1.13-r1)
(9/16) Installing xz-libs (5.2.4-r0)
(10/16) Installing ncurses-terminfo-base (6.1_p20190105-r0)
(11/16) Installing ncurses-terminfo (6.1_p20190105-r0)
(12/16) Installing ncurses-libs (6.1_p20190105-r0)
(13/16) Installing readline (7.0.003-r1)
(14/16) Installing sqlite-libs (3.26.0-r3)
(15/16) Installing python3 (3.6.8-r2)
(16/16) Installing py3-numpy (1.15.4-r0)
Executing busybox-1.29.3-r10.trigger
OK: 108 MiB in 30 packages
/ # python3
Python 3.6.8 (default, Apr 8 2019, 18:17:52)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from numpy import array
>>> x = array([1.,2.,3.,4.])
>>> x.dot(x)
Illegal instruction
```
I’ve tried to upgrade numpy to the latest version, and still see the
problem.
This is related to https://github.com/xianyi/OpenBLAS/issues/1947,
which was fixed in openblas 0.3.6, released a few hours ago.
Possible workaround is to set the OPENBLAS_CORETYPE environment variable
to haswell prior to starting Python:
```text
/ # export OPENBLAS_CORETYPE=haswell
/ # python3
Python 3.6.8 (default, Apr 8 2019, 18:17:52)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from numpy import array
Core: Haswell
>>> x = array([1.,2.,3.,4.])
>>> x.dot(x)
30.0
```
*(from redmine: issue id 10379, created on 2019-04-29, closed on 2019-06-19)*
* Milestone: 3.10.0

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10380
Title: Typo in mariadb-openrc package
Updated: 2019-07-23T11:10:33Z
Author: Miroslav Hrachovec

In this file
https://git.alpinelinux.org/aports/plain/main/mariadb/mariadb.initd,
there is a missing ‘=’ character for the mysql install command in the setup()
function…
currently:
mysql_install_db --user=mysql --datadir /var/lib/mysql
should be:
mysql_install_db --user=mysql --datadir=/var/lib/mysql
*(from redmine: issue id 10380, created on 2019-04-30, closed on 2019-06-17)*
* Changesets:
* Revision 0a215b75098de4ba0acee6c6c77638bb5004b5c8 by Natanael Copa on 2019-04-30T08:57:20Z:
```
main/mariadb: fix typo in init.d script
ref #10380
```
* Milestone: 3.10.0
* Assignee: Simon F <simon-alpine@fraho.eu>

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10382
Title: https://dl-3.alpinelinux.org/alpine/edge/community - invalid certificate
Updated: 2019-07-23T11:10:32Z
Author: Robin Keet

Trying to use the URL https://dl-3.alpinelinux.org/alpine/edge/community
using https instead of http gives an invalid certificate warning
*(from redmine: issue id 10382, created on 2019-05-01, closed on 2019-06-19)*
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10383
Title: [3.9] znc: crash on invalid encoding (CVE-2019-9917)
Updated: 2019-07-23T11:10:29Z
Author: Alicha CH

ZNC before 1.7.3-rc1 allows an existing remote user to cause
a Denial of Service (crash) via invalid encoding.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-9917
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925285
### Patch:
https://github.com/znc/znc/commit/64613bc8b6b4adf1e32231f9844d99cd512b8973
*(from redmine: issue id 10383, created on 2019-05-01, closed on 2019-05-06)*
* Changesets:
* Revision 16956b90ab430f1836112c44807b832d8f520760 by Natanael Copa on 2019-05-06T16:17:54Z:
```
community/znc: security fix for CVE-2019-9917
fixes #10383
```
* Milestone: 3.9.4
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10384
Title: OpenSSH 8.0
Updated: 2019-07-23T11:10:28Z
Author: renos renos

Please update
*(from redmine: issue id 10384, created on 2019-05-01, closed on 2019-05-04)*
* Milestone: 3.10.0
* Assignee: Simon F <simon-alpine@fraho.eu>

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10386
Title: dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)
Updated: 2019-07-23T11:10:27Z
Author: Alicha CH

**CVE-2019-11494**: Submission-login crashes with signal 11 due to null
pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by
persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000409.html
**CVE-2019-11499**: Submission-login crashes when authentication is
started over TLS secured channel and invalid
authentication message is sent. This can lead to denial-of-service
attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000410.html
*(from redmine: issue id 10386, created on 2019-05-02, closed on 2019-05-28)*
* Relations:
* child #10387
* child #10388
* child #10389
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10387
Title: [3.10] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)
Updated: 2019-07-23T11:10:26Z
Author: Alicha CH

**CVE-2019-11494**: Submission-login crashes with signal 11 due to null
pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by
persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000409.html
**CVE-2019-11499**: Submission-login crashes when authentication is
started over TLS secured channel and invalid
authentication message is sent. This can lead to denial-of-service
attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000410.html
*(from redmine: issue id 10387, created on 2019-05-02, closed on 2019-05-28)*
* Relations:
* parent #10386
* Changesets:
* Revision 4cbff22201d9f2fb21d860bae0e62f3bf814ed45 on 2019-05-06T09:01:20Z:
```
main/dovecot: security upgrade to 2.3.6 (CVE-2019-11494, CVE-2019-11499)
Fixes #10387
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
* Milestone: 3.10.0
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10388
Title: [3.9] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)
Updated: 2019-07-23T11:10:25Z
Author: Alicha CH

**CVE-2019-11494**: Submission-login crashes with signal 11 due to null
pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by
persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000409.html
**CVE-2019-11499**: Submission-login crashes when authentication is
started over TLS secured channel and invalid
authentication message is sent. This can lead to denial-of-service
attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000410.html
*(from redmine: issue id 10388, created on 2019-05-02, closed on 2019-05-28)*
* Relations:
* parent #10386
* Changesets:
* Revision f82ad4a4bd0bcfe6c75ff43189ad29dc14c38add on 2019-05-06T09:09:53Z:
```
main/dovecot: security upgrade to 2.3.6 (CVE-2019-11494, CVE-2019-11499)
Fixes #10388
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
* Milestone: 3.9.4
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10389
Title: [3.8] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)
Updated: 2019-07-23T11:10:23Z
Author: Alicha CH

**CVE-2019-11494**: Submission-login crashes with signal 11 due to null
pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by
persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000409.html
**CVE-2019-11499**: Submission-login crashes when authentication is
started over TLS secured channel and invalid
authentication message is sent. This can lead to denial-of-service
attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000410.html
*(from redmine: issue id 10389, created on 2019-05-02, closed on 2019-05-28)*
* Relations:
* parent #10386
* Changesets:
* Revision 7f9b5fbadaf37d0e9b4a716239593edb14d4db6b on 2019-05-16T11:42:31Z:
```
main/dovecot: security upgrade to 2.3.6 (CVE-2019-11494, CVE-2019-11499)
Fixes #10389
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
* Milestone: 3.8.5
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10393
Title: openexr: Out-of-bounds write in makeMultiView.cpp (CVE-2018-18444)
Updated: 2019-07-24T10:32:14Z
Author: Alicha CH

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds
write, leading to
an assertion failure or possibly unspecified other impact.
### References:
https://github.com/openexr/openexr/issues/351
*(from redmine: issue id 10393, created on 2019-05-02)*
* Relations:
* child #10394
* child #10395
* Assignee: Leo

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10394
Title: [3.10] openexr: Out-of-bounds write in makeMultiView.cpp (CVE-2018-18444)
Updated: 2019-07-24T10:32:11Z
Author: Alicha CH

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds
write, leading to
an assertion failure or possibly unspecified other impact.
### References:
https://github.com/openexr/openexr/issues/351
*(from redmine: issue id 10394, created on 2019-05-02)*
* Relations:
* parent #10393
* Milestone: 3.10.2
* Assignee: Leo

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10395
Title: [3.9] openexr: Out-of-bounds write in makeMultiView.cpp (CVE-2018-18444)
Updated: 2019-07-24T10:32:08Z
Author: Alicha CH

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds
write, leading to
an assertion failure or possibly unspecified other impact.
### References:
https://github.com/openexr/openexr/issues/351
*(from redmine: issue id 10395, created on 2019-05-02)*
* Relations:
* parent #10393
* Milestone: 3.9.5
* Assignee: Leo

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10398
Title: [3.8] jasper: Multiple vulnerabilities (CVE-2018-18873, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622)
Updated: 2020-12-11T03:32:54Z
Author: Alicha CH

CVE-2018-18873: An issue was discovered in JasPer 2.0.14. There is a
NULL pointer
dereference in the function ras_putdatastd in ras/ras_enc.c.
### References:
https://github.com/mdadams/jasper/issues/184
CVE-2018-19539: An issue was discovered in JasPer 2.0.14. There is an
access violation in the function
jas_image_readcmpt in libjasper/base/jas_image.c, leading to a denial
of service.
### References:
https://github.com/mdadams/jasper/issues/182
CVE-2018-19540: An issue was discovered in JasPer 2.0.14. There is a
heap-based
buffer overflow of size 1 in the function jas_icctxtdesc_input in
libjasper/base/jas_icc.c.
### References:
https://github.com/mdadams/jasper/issues/182
https://nvd.nist.gov/vuln/detail/CVE-2018-19540
CVE-2018-19541: An issue was discovered in JasPer 2.0.14. There is a
heap-based buffer over-read
of size 8 in the function jas_image_depalettize in
libjasper/base/jas_image.c.
### References:
https://github.com/mdadams/jasper/issues/182
https://nvd.nist.gov/vuln/detail/CVE-2018-19541
CVE-2018-19542: An issue was discovered in JasPer 2.0.14. There is a
NULL pointer dereference
in the function jp2_decode in libjasper/jp2/jp2_dec.c, leading to a
denial of service.
### References:
https://github.com/mdadams/jasper/issues/182
https://nvd.nist.gov/vuln/detail/CVE-2018-19542
CVE-2018-20570: jp2_encode in jp2/jp2_enc.c in JasPer 2.0.14 has
a heap-based buffer over-read.
### References:
https://github.com/mdadams/jasper/issues/191
CVE-2018-20584: JasPer 2.0.14 allows remote attackers to cause a
denial
of service (application hang) via an attempted conversion to the jp2
format.
### References:
https://github.com/mdadams/jasper/issues/192
CVE-2018-20622: JasPer 2.0.14 has a memory leak in base/jas_malloc.c
in libjasper.a when "--output-format jp2" is used.
### References:
https://github.com/mdadams/jasper/issues/193
*(from redmine: issue id 10398, created on 2019-05-02)*
* Relations:
* parent #10396
* Milestone: 3.8.5
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10401
Title: py-msgpack: borgbackup complains about packaging
Updated: 2019-07-23T11:10:22Z
Author: Danny Ben Shitrit

The borgbackup apk package triggers the following warning:
Using a pure-python msgpack! This will result in lower performance
The guys at the borgbackup GitHub repository believe it is a packaging
issue and not a borg issue, as discussed in this ticket:
https://github.com/borgbackup/borg/issues/4538
I have verified the issue exists in alpine 3.9.0 and 3.10_alpha20190408
which are the currently stable and edge versions.
To reproduce the issue:
$ apk --no-cache add borgbackup
$ borg init ./repo -e none
*(from redmine: issue id 10401, created on 2019-05-02, closed on 2019-06-19)*
* Milestone: 3.10.0
* Assignee: Fabian Affolter

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10402
Title: litespeed: Move to community?
Updated: 2021-12-26T20:24:07Z
Author: Chun-Shemg Li

Hi all, I use Alpine Linux inside a Docker container, but it seems
that I cannot install the litespeed package.
Instruction
===========
- Using the following Dockerfile

```dockerfile
FROM alpine:3.7
RUN apk update
RUN apk add --no-cache litespeed
```

- Finally, I got this message:

```text
Step 3/3 : RUN apk add --no-cache litespeed
 ---> Running in d49c2a1063fe
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
  litespeed (missing):
    required by: world[litespeed]
The command '/bin/sh -c apk add --no-cache litespeed' returned a non-zero code: 1
```
I also checked all the available mirror lists in Alpine Linux and it seems
that they don’t include the litespeed package.
Please include this package in mirror lists.
Thanks.
*(from redmine: issue id 10402, created on 2019-05-03)*
* Assignee: Valery Kartel

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10403
Title: zerofree: Add package
Updated: 2019-07-23T11:10:21Z
Author: Max Peal

It would be awesome to have a package, so we can easily shrink VM
images without needing a bloated download like the SystemRescueCd Live
Image, which is 931 MB
zerofree 1.1.1 — Zero non-allocated regions in ext2/ext3/ext4 file
systems
Zerofree finds the unallocated blocks with non-zero value content in an
ext2, ext3, or ext4 file system and fills them with zeroes (or another
value). This is a simple way to make disk images more compressible.
Zerofree requires the file system to be unmounted or mounted read-only.
https://frippery.org/uml/zerofree-1.1.1.tgz
md5: 4f2d6bdba4212e54eb7dd22a8fbb6d29
sha1: 16ff5d5030c52566bc8b88b824e35869f978c093
sha256: 956bc861b55ba0a2b7593c58d32339dab1a0e7da6ea2b813d27c80f08b723867
Website: https://frippery.org/uml/.
License: GPL 2.
*(from redmine: issue id 10403, created on 2019-05-03, closed on 2019-06-19)*
* Changesets:
* Revision 964e2acd21475a8c1d05332fcec2719682ff02bd by Oleg Titov on 2019-05-06T04:49:05Z:
```
testing/zerofree: new aport
https://frippery.org/uml/
Zero free blocks from ext2, ext3 and ext4 file-systems
Closes GH-7582
Closes #10403
```
* Milestone: 3.10.0

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10405
Title: qt5-qtwebengine receiving ILL_ILLOPN on edge with musl >= 1.22
Updated: 2020-02-14T17:34:13Z
Author: Rasmus Thomsen <oss@cogitri.dev>

This can be observed with e.g. nextcloudclient or mellowplayer.
qt5-qtwebengine crashes as soon as the webpage has finished loading with
the following output:
```text
Received signal 4 ILL_ILLOPN 7f8b2b0e13de
  r8: 0000000000000041  r9: 00002fdb150018a0 r10: 0000000000000000 r11: 0000000000000203
 r12: 00007ffd843cfd90 r13: 000055866a4d9000 r14: 000055866a5c0da0 r15: 00000000004d710a
  di: 000055866a635900  si: 0000000000000001  bp: 00007ffd843cfd20  bx: 0000000000000001
  dx: 0000000000000002  ax: 00007ffd843cfc88  cx: 0000000000000001  sp: 00007ffd843cfc48
  ip: 00007f8b2b0e13de efl: 0000000000010206 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
```
*(from redmine: issue id 10405, created on 2019-05-05)*
* Changesets:
* Revision 1bd21214d7e3fd4921cd026bc3203bcb306da21d by Natanael Copa on 2019-05-31T15:18:13Z:
```
community/qt5-qtwebengine: upgrade to 5.12.3
ref #10405
```
* Revision 8db3a0d827c836fb62e2a49a58ad5ac07e99e596 by Natanael Copa on 2019-06-17T11:44:30Z:
```
community/qt5-qtwebengine: backport membarrier fix for sandbox
ref #10405
```
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10407
Title: Raspberry Pi One Kernel missing from Alpine 3.9.3 (armhf)
Updated: 2021-07-21T02:23:17Z
Author: João Brázio

The official release of Alpine 3.9.3 for armhf is missing the kernel and
initrd for the original Raspberry Pi model B.
Config.txt correctly lists:
[pi1]
kernel=boot/vmlinuz-rpi
initramfs boot/initramfs-rpi
But all the required files are missing from boot/.
*(from redmine: issue id 10407, created on 2019-05-07)*

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10408
Title: hostapd: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
Updated: 2019-07-23T11:10:20Z
Author: Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa_supplicant (EAP peer) before 2.8 does not validate
fragmentation reassembly state properly for a case where an unexpected
fragment could be received. This could result in
process termination due to a NULL pointer dereference (denial of
service). This affects eap_server/eap_server_pwd.c and
eap_peer/eap_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10408, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* child #10409
* child #10410
* child #10411
* child #10412
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10409
Title: [3.10] hostapd: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
Updated: 2019-07-23T11:10:19Z
Author: Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa_supplicant (EAP peer) before 2.8 does not validate
fragmentation reassembly state properly for a case where an unexpected
fragment could be received. This could result in
process termination due to a NULL pointer dereference (denial of
service). This affects eap_server/eap_server_pwd.c and
eap_peer/eap_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10409, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10408
* Changesets:
* Revision ef10b27afb6ce933891b3e0abf3f090f3e583900 on 2019-06-04T14:40:30Z:
```
main/hostapd: security upgrade to 2.8 (CVE-2019-11555)
Fixes #10409
```
* Milestone: 3.10.0
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10410
Title: [3.9] hostapd: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
Updated: 2019-07-23T11:10:18Z
Author: Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa_supplicant (EAP peer) before 2.8 does not validate
fragmentation reassembly state properly for a case where an unexpected
fragment could be received. This could result in
process termination due to a NULL pointer dereference (denial of
service). This affects eap_server/eap_server_pwd.c and
eap_peer/eap_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10410, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10408
* Changesets:
* Revision 4b95dd4491b9df33d3c835de96f56aa076b00de7 on 2019-06-05T08:14:58Z:
```
main/hostapd: security fix (CVE-2019-11555)
Fixes #10410
```
* Milestone: 3.9.5
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10411
Title: [3.8] hostapd: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
Updated: 2019-07-23T11:10:17Z
Author: Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa_supplicant (EAP peer) before 2.8 does not validate
fragmentation reassembly state properly for a case where an unexpected
fragment could be received. This could result in
process termination due to a NULL pointer dereference (denial of
service). This affects eap_server/eap_server_pwd.c and
eap_peer/eap_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10411, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10408
* Changesets:
* Revision 41b28e3b3b465fa8dab151dbe5e40975f014421b on 2019-06-05T08:24:24Z:
```
main/hostapd: security fix (CVE-2019-11555)
Fixes #10411
```
* Milestone: 3.8.5
* Assignee: Natanael Copa

Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10412
Title: [3.7] hostapd: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
Updated: 2019-07-23T11:10:16Z
Author: Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa_supplicant (EAP peer) before 2.8 does not validate
fragmentation reassembly state properly for a case where an unexpected
fragment could be received. This could result in
process termination due to a NULL pointer dereference (denial of
service). This affects eap_server/eap_server_pwd.c and
eap_peer/eap_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10412, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10408
* Changesets:
* Revision 71e80d98081071b4d10324039fe65145316ec81c on 2019-06-05T08:26:11Z:
```
main/hostapd: security fix (CVE-2019-11555)
Fixes #10412
```
3.7.4, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10413
wpa_supplicant: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
2019-07-23T11:10:15Z, Alicha CH
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa\_supplicant (EAP peer) before 2.8 does not validate fragmentation
reassembly state properly for a case where an unexpected fragment could
be received. This could result in process termination due to a NULL
pointer dereference (denial of service). This affects
eap\_server/eap\_server\_pwd.c and eap\_peer/eap\_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10413, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* child #10414
* child #10415
* child #10416
* child #10417
Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10414
[3.10] wpa_supplicant: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
2019-07-23T11:10:14Z, Alicha CH
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa\_supplicant (EAP peer) before 2.8 does not validate fragmentation
reassembly state properly for a case where an unexpected fragment could
be received. This could result in process termination due to a NULL
pointer dereference (denial of service). This affects
eap\_server/eap\_server\_pwd.c and eap\_peer/eap\_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10414, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10413
3.10.0, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10415
[3.9] wpa_supplicant: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
2019-07-23T11:10:13Z, Alicha CH
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa\_supplicant (EAP peer) before 2.8 does not validate fragmentation
reassembly state properly for a case where an unexpected fragment could
be received. This could result in process termination due to a NULL
pointer dereference (denial of service). This affects
eap\_server/eap\_server\_pwd.c and eap\_peer/eap\_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10415, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10413
* Changesets:
* Revision 5e5822d55734bcd1be8d9bd61f1360af2fd9459e on 2019-06-05T07:24:47Z:
```
main/wpa_supplicant: security fix (CVE-2019-11555)
Fixes #10415
```
3.9.5, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10416
[3.8] wpa_supplicant: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
2019-07-23T11:10:12Z, Alicha CH
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa\_supplicant (EAP peer) before 2.8 does not validate fragmentation
reassembly state properly for a case where an unexpected fragment could
be received. This could result in process termination due to a NULL
pointer dereference (denial of service). This affects
eap\_server/eap\_server\_pwd.c and eap\_peer/eap\_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10416, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10413
* Changesets:
* Revision 7da74780cb6ede70d4440b97f6a5878065b52889 on 2019-06-05T07:28:04Z:
```
main/wpa_supplicant: security fix (CVE-2019-11555)
Fixes #10416
```
3.8.5, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10417
[3.7] wpa_supplicant: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
2019-07-23T11:10:11Z, Alicha CH
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa\_supplicant (EAP peer) before 2.8 does not validate fragmentation
reassembly state properly for a case where an unexpected fragment could
be received. This could result in process termination due to a NULL
pointer dereference (denial of service). This affects
eap\_server/eap\_server\_pwd.c and eap\_peer/eap\_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10417, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10413
* Changesets:
* Revision 8caec8957d86cbdfe758cbfba62dcb1b73514bc9 on 2019-06-05T07:30:50Z:
```
main/wpa_supplicant: security fix (CVE-2019-11555)
Fixes #10417
```
3.7.4, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10418
golang needs musl-dev as dependency.
2019-07-23T11:10:09Z, Arto Kitula
go is not able to link without crti.o Scrt1.o etc. musl-dev is a needed
dependency.
Simple Dockerfile added for example.
*(from redmine: issue id 10418, created on 2019-05-07, closed on 2019-06-19)*
* Uploads:
* [Dockerfile](/uploads/e46a1530c17b9c3245ebae4bd0bce6db/Dockerfile)
3.10.0
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10419
QEMU is unusable from GTK frontend after upgrade to 4.0.0
2020-03-30T03:41:23Z, Mogens Jensen
After upgrading QEMU to version 4.0.0 on Alpine Edge, keys stick and
mouse scrolling is extremely sensitive in guests if using the GTK
frontend.
I can replicate this bug reliably by creating a guest like this:
```
qemu-system-x86_64 -display gtk -usb -device usb-kbd -device usb-tablet -m 512M -drive file=./alpine-virt-3.9.3-x86_64.iso,media=cdrom
```
After booting the system and pressing a key at the console for a few
seconds, it will stick and repeat infinitely. If X is installed and a
terminal emulator is opened, pressed keys will stick and repeat after
holding for barely a second and mouse scrolling is way too sensitive.
This behaviour first began in guests after upgrading QEMU a few days
ago.
Any ideas on how I can debug this as QEMU is unusable for me in this
state?
*(from redmine: issue id 10419, created on 2019-05-07)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10421
libvirt: A NULL pointer dereference flaw (CVE-2019-3840)
2019-07-23T11:10:09Z, Alicha CH
A NULL pointer dereference flaw was discovered in libvirt before version
5.0.0 in the way it gets interface information through the QEMU agent. An
attacker in a guest VM can use this flaw to crash libvirtd and cause a
denial of service.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-3840
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73
*(from redmine: issue id 10421, created on 2019-05-08, closed on 2019-06-20)*
* Relations:
* child #10422
* child #10423
* child #10424
Francesco Colista, Francesco Colista
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10422
[3.9] libvirt: A NULL pointer dereference flaw (CVE-2019-3840)
2019-07-23T11:10:07Z, Alicha CH
A NULL pointer dereference flaw was discovered in libvirt before version
5.0.0 in the way it gets interface information through the QEMU agent. An
attacker in a guest VM can use this flaw to crash libvirtd and cause a
denial of service.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-3840
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73
*(from redmine: issue id 10422, created on 2019-05-08, closed on 2019-06-20)*
* Relations:
* parent #10421
* Changesets:
* Revision 9da537d1b323376225597712b61c1f965a531c2d on 2019-06-05T08:36:38Z:
```
main/libvirt: security fix (CVE-2019-3840)
Fixes #10422
```
3.9.5, Francesco Colista, Francesco Colista
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10423
[3.8] libvirt: A NULL pointer dereference flaw (CVE-2019-3840)
2019-07-12T15:47:56Z, Alicha CH
A NULL pointer dereference flaw was discovered in libvirt before version
5.0.0 in the way it gets interface information through the QEMU agent. An
attacker in a guest VM can use this flaw to crash libvirtd and cause a
denial of service.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-3840
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73
*(from redmine: issue id 10423, created on 2019-05-08, closed on 2019-06-05)*
* Relations:
* parent #10421
3.8.5, Francesco Colista, Francesco Colista
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10424
[3.7] libvirt: A NULL pointer dereference flaw (CVE-2019-3840)
2019-07-12T15:47:57Z, Alicha CH
A NULL pointer dereference flaw was discovered in libvirt before version
5.0.0 in the way it gets interface information through the QEMU agent. An
attacker in a guest VM can use this flaw to crash libvirtd and cause a
denial of service.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-3840
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73
*(from redmine: issue id 10424, created on 2019-05-08, closed on 2019-06-05)*
* Relations:
* parent #10421
3.7.4, Francesco Colista, Francesco Colista
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10426
[3.10] tcpflow: stack-based buffer over-read exists in setbit() at iptree.h (CVE-2018-18409)
2019-07-16T11:50:29Z, Alicha CH
A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW
1.5.0, due to received incorrect values causing incorrect computation,
leading to denial of service during an address\_histogram call or a
get\_histogram call.
### References:
https://github.com/simsong/tcpflow/issues/195
https://nvd.nist.gov/vuln/detail/CVE-2018-18409
### Patch:
https://github.com/simsong/tcpflow/commit/89c04b4fb0e46b3c4f1388686e83966e531cbea9
*(from redmine: issue id 10426, created on 2019-05-08)*
* Relations:
* parent #10425
* Changesets:
* Revision 4018db3cdac1d0eef1ad039d1a9120fa79e04b58 by Natanael Copa on 2019-07-08T14:18:59Z:
```
main/tcpflow: backport fix for CVE-2018-18409
and remove unused patch
ref #10426
```
3.10.1, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10427
[3.9] tcpflow: stack-based buffer over-read exists in setbit() at iptree.h (CVE-2018-18409)
2019-07-16T11:49:59Z, Alicha CH
A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW
1.5.0, due to received incorrect values causing incorrect computation,
leading to denial of service during an address\_histogram call or a
get\_histogram call.
### References:
https://github.com/simsong/tcpflow/issues/195
https://nvd.nist.gov/vuln/detail/CVE-2018-18409
### Patch:
https://github.com/simsong/tcpflow/commit/89c04b4fb0e46b3c4f1388686e83966e531cbea9
*(from redmine: issue id 10427, created on 2019-05-08)*
* Relations:
* parent #10425
* Changesets:
* Revision 22a1991b6aefae41eafb2721f112e2d353c4e224 by Natanael Copa on 2019-07-08T14:21:13Z:
```
main/tcpflow: backport fix for CVE-2018-18409
and remove unused patch
ref #10427
```
3.9.5, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10428
[3.8] tcpflow: stack-based buffer over-read exists in setbit() at iptree.h (CVE-2018-18409)
2019-07-16T11:49:42Z, Alicha CH
A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW
1.5.0, due to received incorrect values causing incorrect computation,
leading to denial of service during an address\_histogram call or a
get\_histogram call.
### References:
https://github.com/simsong/tcpflow/issues/195
https://nvd.nist.gov/vuln/detail/CVE-2018-18409
### Patch:
https://github.com/simsong/tcpflow/commit/89c04b4fb0e46b3c4f1388686e83966e531cbea9
*(from redmine: issue id 10428, created on 2019-05-08)*
* Relations:
* parent #10425
* Changesets:
* Revision 5d1740c1d6657b8588cf9055efbe7fd47ef5aab2 by Natanael Copa on 2019-07-08T14:24:41Z:
```
main/tcpflow: backport fix for CVE-2018-18409
and remove unused patch
ref #10428
```
3.8.5, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10429
[3.7] tcpflow: stack-based buffer over-read exists in setbit() at iptree.h (CVE-2018-18409)
2019-07-16T11:48:51Z, Alicha CH
A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW
1.5.0, due to received incorrect values causing incorrect computation,
leading to denial of service during an address\_histogram call or a
get\_histogram call.
### References:
https://github.com/simsong/tcpflow/issues/195
https://nvd.nist.gov/vuln/detail/CVE-2018-18409
### Patch:
https://github.com/simsong/tcpflow/commit/89c04b4fb0e46b3c4f1388686e83966e531cbea9
*(from redmine: issue id 10429, created on 2019-05-08)*
* Relations:
* parent #10425
* Changesets:
* Revision f9f4e0e8b1cc5aeab558b091c9a9d003303d1d6e by Natanael Copa on 2019-07-08T14:27:05Z:
```
main/tcpflow: backport fix for CVE-2018-18409
and remove unused patch
ref #10429
```
3.7.4, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10430
perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)
2020-07-17T23:13:39Z, Alicha CH
The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable to Algorithmic complexity on specially prepared input,
leading to Denial of Service. Prepared special input that caused this
problem contained 30 form-field characters (“\\f”).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10430, created on 2019-05-09)*
* Relations:
* child #10431
* child #10432
* child #10433
* child #10435
Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10431
[3.10] perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)
2019-07-23T11:10:06Z, Alicha CH
The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable to Algorithmic complexity on specially prepared input,
leading to Denial of Service. Prepared special input that caused this
problem contained 30 form-field characters (“\\f”).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10431, created on 2019-05-09, closed on 2019-06-13)*
* Relations:
* parent #10430
3.10.0, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10432
[3.9] perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)
2019-07-23T11:10:05Z, Alicha CH
The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable to Algorithmic complexity on specially prepared input,
leading to Denial of Service. Prepared special input that caused this
problem contained 30 form-field characters (“\\f”).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10432, created on 2019-05-09, closed on 2019-06-13)*
* Relations:
* parent #10430
* Changesets:
* Revision 587d0f6837182b94b1c14fb78949b85ac188c60c on 2019-06-05T09:48:52Z:
```
main/perl-email-address: security upgrade to 1.912 (CVE-2018-12558)
Fixes #10432
```
3.9.5, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10433
[3.8] perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)
2019-07-23T11:10:04Z, Alicha CH
The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable to Algorithmic complexity on specially prepared input,
leading to Denial of Service. Prepared special input that caused this
problem contained 30 form-field characters (“\\f”).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10433, created on 2019-05-09, closed on 2019-06-06)*
* Relations:
* parent #10430
* Changesets:
* Revision 7def72e88762d07dcb50382ca5266d0f83b38cce on 2019-06-05T12:33:34Z:
```
main/perl-email-address: security upgrade to 1.912 (CVE-2018-12558)
Fixes #10433
```
3.8.5, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10434
proj4 is missing datum grids
2019-07-14T22:46:52Z, Alexander Njemz
As of version 5.0.0 PROJ expects certain datum grids to be present in
the proj directory. Otherwise, PROJ performs coordinate transformations
in certain cases without applying the correct grid shift. This leads
to incorrect coordinates after transformation.
The datum grids can be obtained from
https://github.com/OSGeo/proj-datumgrid
and should probably be added to the proj package.
*(from redmine: issue id 10434, created on 2019-05-09)*
* Changesets:
* Revision 78fab2034506bac4356c3d25d2eb18179f11f2ed by Holger Jaekel on 2019-06-16T08:40:25Z:
```
testing/proj4: add datumgrid subpackage
add subpackage for datum grids
closes #10434
```
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10435
[3.7] perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)
2019-07-23T11:10:03Z, Alicha CH
The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable to Algorithmic complexity on specially prepared input,
leading to Denial of Service. Prepared special input that caused this
problem contained 30 form-field characters (“\\f”).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10435, created on 2019-05-09, closed on 2019-06-06)*
* Relations:
* parent #10430
* Changesets:
* Revision 18070a9ba09af91c141de190a77de4d154f310e4 on 2019-06-05T12:38:19Z:
```
main/perl-email-address: security upgrade to 1.912 (CVE-2018-12558)
Fixes #10435
```
3.7.4, Natanael Copa, Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10436
[3.8] libjpeg-turbo: denial of service in get_8bit_row in rdbmp.c (CVE-2018-14498)
2019-07-23T10:32:30Z, Alicha CH
get\_8bit\_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG
through 3.3.1 allows attackers to cause a denial of service (heap-based
buffer over-read and application crash) via a crafted 8-bit BMP in which
one or more of the color indices is out of range for the number of
palette entries.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
https://nvd.nist.gov/vuln/detail/CVE-2018-14498
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
*(from redmine: issue id 10436, created on 2019-05-09)*
* Relations:
* parent #10306
3.8.5, Leo, Leo
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10437
[3.7] libjpeg-turbo: denial of service in get_8bit_row in rdbmp.c (CVE-2018-14498)
2019-07-23T10:32:28Z, Alicha CH
get\_8bit\_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG
through 3.3.1 allows attackers to cause a denial of service (heap-based
buffer over-read and application crash) via a crafted 8-bit BMP in which
one or more of the color indices is out of range for the number of
palette entries.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
https://nvd.nist.gov/vuln/detail/CVE-2018-14498
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
*(from redmine: issue id 10437, created on 2019-05-09)*
* Relations:
* parent #10306
3.7.4, Leo, Leo
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10438
[3.9] libjpeg-turbo: denial of service in get_8bit_row in rdbmp.c (CVE-2018-14498)
2019-07-23T10:32:29Z, Alicha CH
get\_8bit\_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG
through 3.3.1 allows attackers to cause a denial of service (heap-based
buffer over-read and application crash) via a crafted 8-bit BMP in which
one or more of the color indices is out of range for the number of
palette entries.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
https://nvd.nist.gov/vuln/detail/CVE-2018-14498
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
*(from redmine: issue id 10438, created on 2019-05-09)*
* Relations:
* parent #10306
3.9.5, Leo, Leo
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10440
vagrant halt on the Official Vagrant box alpine/alpine64 dont work: bash: line 4: shutdown: command not found
2021-08-01T00:06:15Z, Max Peal
The official Vagrant box alpine/alpine64 /
https://app.vagrantup.com/alpine
vagrant halt gives an error:
```
$ vagrant halt
==>default: Attempting graceful shutdown of VM…
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!
shutdown -h now
Stdout from the command:
Stderr from the command:
bash: line 4: shutdown: command not found
```
also with no link and no user information (see also
https://bugs.alpinelinux.org/issues/8902 )
there's no way to contact the maintainer.
*(from redmine: issue id 10440, created on 2019-05-09)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10442
nextcloud-default-apps: Broken depends
2019-07-23T11:10:02Z, Simon F <simon-alpine@fraho.eu>
Current edge package cannot be installed due to unmet dependencies:
```
# docker run --rm -it alpine:edge /bin/ash
/ # apk add nextcloud-default-apps
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
  nextcloud-files_rightclick (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-files_rightclick]
  nextcloud-privacy (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-privacy]
  nextcloud-recommendations (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-recommendations]
  nextcloud-viewer (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-viewer]
/ #
```
The “missing” packages are present in 3.9
*(from redmine: issue id 10442, created on 2019-05-10, closed on 2019-06-17)*
* Changesets:
* Revision 0cb832cfb8231716ecf5419401712a61b335f887 by Simon F on 2019-05-10T06:17:46Z:
```
community/nextcloud: Fix broken dependencies for default-apps
Fixes #10442
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
3.10.0, Simon F <simon-alpine@fraho.eu>, Simon F <simon-alpine@fraho.eu>
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10443
Raspberry Pi 3 Mod B not booting
2021-01-30T13:23:56Z, Peter Eggen
Hi,
following the install procedure for Mac I tried to install the new
version 3.9.4. Without any changes, the Pi did not boot up at all,
signaling a missing kernel - green LED will blink 7 times.
After editing the config.txt file and including a section for Pi3 (see
below) I was able to at least start the boot process but ending in a
kernel panic.
Wondering if anyone has ever tested this out.
Regards Gunhawk
```
disable_splash=1
boot_delay=0
gpu_mem=256
gpu_mem_256=64
[pi3]
kernel=boot/vmlinuz-rpi2
Initramfs boot/initramfs-rpi2
[pi0]
kernel=boot/vmlinuz-rpi
initramfs boot/initramfs-rpi
[pi1]
kernel=boot/vmlinuz-rpi
initramfs boot/initramfs-rpi
[all]
include usercfg.txt
```
*(from redmine: issue id 10443, created on 2019-05-10)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10446
busybox wget doesn't support HTTP CONNECT
*(updated 2021-11-25T06:23:29Z; reported by Andre tje)*
When using the wget from busybox in combination with a proxy (squid) it
won’t work.
Manually downloading the “full” wget solves the problem.
*(from redmine: issue id 10446, created on 2019-05-13)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10448
Can you build an apk package for cdist?
*(updated 2019-07-14T22:11:00Z; reported by Darko Poljak)*
cdist is a usable configuration management system. It adheres to the
KISS principle and is being used in small up to enterprise grade
environments. cdist is an alternative to other configuration management
systems (like bcfg2, chef, cfengine, puppet).
Homepage:
https://www.cdi.st/
Latest source package:
https://code.ungleich.ch/ungleich-public/cdist/uploads/a8fe71883c32f00db104961379d4b41a/cdist-5.0.1.tar.gz
(https://code.ungleich.ch/ungleich-public/cdist/tags/5.0.1)
Source code repository:
https://code.ungleich.ch/ungleich-public/cdist
*(from redmine: issue id 10448, created on 2019-05-13)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10453
shotwell-0.28.2 installation error: /usr/bin/gconftool-2: not found
*(updated 2019-07-14T18:18:34Z; reported by Nico Schottelius)*
When trying to install shotwell on alpine 3.9 with cdist I get the
following error:
Error processing object '__package_apk/shotwell'
================================================
name: __package_apk/shotwell
path: /tmp/tmpas6jful2/4a091293196d1eac3c182bd2ba2ea0ef/data/object/__package_apk/shotwell/.cdist-oofzypay
source: /tmp/tmpas6jful2/4a091293196d1eac3c182bd2ba2ea0ef/data/conf/type/__package/manifest
type: /home/nico/vcs/cdist/cdist/conf/type/__package_apk
code-remote:stdout
------------------
Installing GConf2 schema shotwell.schemas.
code-remote:stderr
------------------
var/cache/misc/shotwell-0.28.2-r0.post-install: line 1: /usr/bin/gconftool-2: not found
var/cache/misc/shotwell-0.28.2-r0.post-install: line 5: /usr/bin/gconftool-2: not found
ERROR: shotwell-0.28.2-r0.post-install: script exited with error 127
Warning: Schema “org.gnome.crypto.pgp” has path “/desktop/gnome/crypto/pgp/”. Paths starting with “/apps/”, “/desktop/” or “/system/” are deprecated.
*(from redmine: issue id 10453, created on 2019-05-14)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10454
openconnect-8.02: so:libpskc.so.0 (missing)
*(updated 2020-05-03T19:26:18Z; reported by Nico Schottelius)*
Trying to install it results in:
alpine:~# apk add openconnect@testing
ERROR: unsatisfiable constraints:
so:libpskc.so.0 (missing):
required by: openconnect-8.02-r0[so:libpskc.so.0]
alpine:~#
*(from redmine: issue id 10454, created on 2019-05-14)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10458
[alpine-conf] update-kernel makes broken initramfs when /tmp is symlink
*(updated 2021-02-08T12:52:50Z; reported by Alexander Zubkov)*
Hello.
I have had an issue with unbootable iso generated from aports. It looked
like that during boot:
Error loading shared library libblkid.so.1: No such file or directory (needed by /sbin/nlplug-findfs)
Error loading shared library libkmod.so.2: No such file or directory (needed by /sbin/nlplug-findfs)
Error loading shared library libcryptsetup.so.12: No such file or directory (needed by /sbin/nlplug-findfs)
During my investigation I have found that it was because of the broken
initramfs, containing symlinks to libraries, but not the libraries themselves:
$ ls -lh /tmp/mkinitfs.CLoaFG/lib/libblkid.so*
lrwxrwxrwx 1 build abuild 17 May 15 09:30 /tmp/mkinitfs.CLoaFG/lib/libblkid.so.1 -> libblkid.so.1.1.0
$
And that was caused by me having /tmp symlinked to /mnt/tmp. Because of
that, lddtree shows different paths for those libraries:
$ lddtree -R /tmp/update-kernel.kLMceA/root/ -l --no-auto-root /tmp/update-kernel.kLMceA/root/sbin/nlplug-findfs
/tmp/update-kernel.kLMceA/root/sbin/nlplug-findfs
/tmp/update-kernel.kLMceA/root/lib/ld-musl-x86_64.so.1
/tmp/update-kernel.kLMceA/root/lib/libblkid.so.1
/mnt/tmp/update-kernel.kLMceA/root/lib/libblkid.so.1.1.0
/tmp/update-kernel.kLMceA/root/lib/libuuid.so.1
/mnt/tmp/update-kernel.kLMceA/root/lib/libuuid.so.1.3.0
...
You can see that `libblkid.so.1` is shown in `/tmp/...` and
`libblkid.so.1.1.0` is in `/mnt/tmp/...` and I think that causes the
problem.
So I suppose it should at least return an error in such a case.
*(from redmine: issue id 10458, created on 2019-05-15)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10460
putpwent doesn't support full 2^32 range for UID/GID
*(updated 2019-07-23T10:34:52Z; reported by Taylor Buchanan)*
The Linux kernel has supposedly supported UID/GID values up to 2^32
(4,294,967,296) since 2001. However, the Alpine version of putpwent only
seems to support up to 2,147,483,647. This causes shadow’s useradd,
usermod, and groupmod modules to create unusable user accounts when
provided with larger values.
For example, given:
**test.c:**
```c
#include <stdio.h>
#include <pwd.h>

int main()
{
    struct passwd pw =
    {
        .pw_name = "test",
        .pw_passwd = "x",
        .pw_uid = 2147483648,
        .pw_gid = 100,
        .pw_gecos = "",
        .pw_dir = "/",
        .pw_shell = "/sbin/nologin"
    };
    FILE* file = fopen("/etc/passwd", "a");
    return putpwent(&pw, file);
}
```
Shell:
```sh
sudo docker run -it --rm alpine /bin/sh
apk update
apk add --no-cache build-base nano
cd /tmp
nano test.c
gcc test.c -o test
./test
tail -1 /etc/passwd
id test
```
**Outputs:**
```
test:x:-2147483648:100::/:/sbin/nologin
id: unknown user test
```
However, manually updating the UID in ‘/etc/passwd’ resolves the issue
as mentioned here: https://stackoverflow.com/q/41807026/1409101
My particular use case is running on my Synology NAS, which seems to
create all joined Active Directory users/groups with very high UID
values. When I try to run the lsiobase/alpine Docker container (which
relies on shadow) as one of my Active Directory users, it fails. This
issue does not occur with the `ubuntu` or `lsiobase\ubuntu` images
so I assume it is specific to Alpine, though I could certainly be
missing something.
References:
- https://github.com/linuxserver/docker-baseimage-alpine/issues/39
- https://github.com/shadow-maint/shadow/issues/165
*(from redmine: issue id 10460, created on 2019-05-16)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10461
mpv: missing Lua support
*(updated 2019-07-23T11:09:58Z; reported by MY-R)*
edge
mpv-0.29.1-r2
Default minimal GUI of mpv (OSC) not working without Lua.
https://build.alpinelinux.org/buildlogs/build-edge-x86_64/community/mpv/mpv-0.29.1-r2.log
Checking for Lua : no ('luajit >= 2.0.0' not found)
*(from redmine: issue id 10461, created on 2019-05-16, closed on 2019-06-19)*
*(milestone: 3.10.0; assignee: Natanael Copa)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10462
SBCL Missing since may 16th in edge/testing repos
*(updated 2019-12-05T07:43:12Z; reported by algitbot)*
Hello,
I have been building pgloader on Alpine Linux for a few months, which
depends on the sbcl package. This dependency was ok until yesterday (May
16th) and was apparently removed between 1pm and 4pm.
Is it possible to make it available again?
*(from redmine: issue id 10462, created on 2019-05-17)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10463
asciinema missing python3 depends
*(updated 2019-07-23T11:09:57Z; reported by Tru Huynh)*
asciinema package is missing the python3 dependency.
$ sudo docker run -ti alpine
/ # apk update && apk upgrade
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
v3.9.4-1-g3c20033f75 [http://dl-cdn.alpinelinux.org/alpine/v3.9/main]
v3.9.4-2-g58b26b850f [http://dl-cdn.alpinelinux.org/alpine/v3.9/community]
OK: 9766 distinct packages available
OK: 6 MiB in 14 packages
/ # apk add asciinema
(1/5) Installing ncurses-terminfo-base (6.1_p20190105-r0)
(2/5) Installing ncurses-terminfo (6.1_p20190105-r0)
(3/5) Installing ncurses-libs (6.1_p20190105-r0)
(4/5) Installing ncurses (6.1_p20190105-r0)
(5/5) Installing asciinema (2.0.2-r0)
Executing busybox-1.29.3-r10.trigger
OK: 14 MiB in 19 packages
/ # apk info| sort
alpine-baselayout
alpine-keys
apk-tools
asciinema
busybox
ca-certificates-cacert
libc-utils
libcrypto1.1
libssl1.1
libtls-standalone
musl
musl-utils
ncurses
ncurses-libs
ncurses-terminfo
ncurses-terminfo-base
scanelf
ssl_client
zlib
/ # type asciinema
asciinema is /usr/bin/asciinema
/ # /usr/bin/asciinema
/bin/sh: /usr/bin/asciinema: not found
/ # head -1 /usr/bin/asciinema
#!/usr/bin/python3
/ # ls -ld /usr/bin/python3
ls: /usr/bin/python3: No such file or directory
*(from redmine: issue id 10463, created on 2019-05-17, closed on 2019-06-19)*
* Changesets:
* Revision be28faf4dbfba4db3dcf7f745eda936627fdff35 by Tru Huynh on 2019-05-31T16:54:26Z:
```
community/asciinema: fix depends
Fixes #10463
```
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10465
Package request: rtv
*(updated 2019-07-13T21:08:56Z; reported by Leo)*
https://github.com/michael-lazar/rtv
*(from redmine: issue id 10465, created on 2019-05-18)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10466
py3-qt5 doesn't provide qtwebchannel bindings
*(updated 2019-07-23T11:07:47Z; reported by Leo)*
They are required by py3-qtwebengine and will fail otherwise.
Python 3.7.3 (default, Apr 17 2019, 11:48:37)
[GCC 8.3.0] on linux
Type “help”, “copyright”, “credits” or “license” for more information.
>>>import PyQt5.QtWebEngineWidgets
Traceback (most recent call last):
File “<stdin>”, line 1, in <module>
ModuleNotFoundError: No module named ‘PyQt5.QtWebChannel’
>>>
*(from redmine: issue id 10466, created on 2019-05-18, closed on 2019-06-19)*
*(assignee: Francesco Colista)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10467
segfault with openssh client
*(updated 2019-07-23T10:35:36Z; reported by xcko _)*
steps to reproduce:
apk add openssh
adduser test
su - test
mkdir .ssh; chmod 700 .ssh
echo VerifyHostKeyDNS yes >.ssh/config
ssh user@host.tld
ssh should segfault before asking for authentication (so either key or
password based auth doesn’t matter). If host.tld is replaced with an ip
address, connection goes through.
*(from redmine: issue id 10467, created on 2019-05-19)*
* Relations:
* duplicates #8323
*(milestone: 3.9.5)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10469
Gitea does not start after a reboot when PostgreSQL is used as the database back end.
*(updated 2019-07-23T11:07:46Z; reported by Ghost User)*
Gitea does not start after a reboot when PostgreSQL is used as the
database back end. This is due to the fact that PostgreSQL starts after
Gitea.
This issue can be fixed by adding **postgresql** and **mysql** to the
after line of the depend function in **/etc/init.d/gitea**:
```sh
depend() {
    use logger dns
    need net
    after firewall postgresql mysql
}
```
*(from redmine: issue id 10469, created on 2019-05-20, closed on 2019-06-19)*
* Changesets:
* Revision d8de5b46f6b4719066b2b2752734df68a60b08bd by Kevin Daudt on 2019-06-18T18:24:43Z:
```
community/gitea: start after database
Make sure that the service is started after any of the supported
databases.
Fixes RM: #10469
```
*(milestone: 3.10.0)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10472
OpenLDAP cannot be setup using slapd.ldif
*(updated 2019-08-21T13:55:10Z; reported by bug report)*
There is a minor inconvenience when running slapd (OpenLDAP) without
init.d (i.e. inside a docker container). One of the available options should be
running it as follows:
CMD [ "slapd", "-F", "/etc/openldap/slapd.d", "-h", "ldapi:/// ldap:///", "-u", "ldap", "-g", "ldap" ]
To achieve this I would expect I must run prior to this (in some
docker-entrypoint.sh):
slapadd -n0 -F "/etc/openldap/slapd.d" -l "/etc/openldap/slapd.ldif"
But that line will return error if default slapd.ldif is used:
5ce2c909 <= str2entry(olcDatabase=mdb,cn=config) -> 0x55c25f691b08
5ce2c909 oc_check_required entry (olcDatabase=mdb,cn=config), objectClass "olcMdbConfig"
5ce2c909 Entry (olcDatabase=mdb,cn=config): object class 'olcMdbConfig' requires attribute 'olcDbDirectory'
slapadd: dn="olcDatabase=mdb,cn=config" (line=668): (65) object class 'olcMdbConfig' requires attribute 'olcDbDirectory'
5ce2c909 slapadd shutdown: initiated
5ce2c909 slapadd destroy: freeing system resources.
The problem is that the following patch:
https://git.alpinelinux.org/aports/tree/main/openldap/configs.patch
adds random empty lines, which the *.ldif format does not accept (a blank
line signals that the directive group has ended). This is described in
the official docs:
https://www.openldap.org/doc/admin24/dbtools.html#The%20LDIF%20text%20entry%20format
as “Multiple entries within the same LDIF file are separated by blank
lines. Here’s an example of an LDIF file containing three entries.”
@@ -83,13 +85,16 @@
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
+
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: secret
+
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
-olcDbDirectory: %LOCALSTATEDIR%/openldap-data
+olcDbDirectory: /var/lib/openldap/openldap-data
+
# Indices to maintain
olcDbIndex: objectClass eq
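Review bot: the three added blank lines in this hunk (after `olcRootDN:`, after `olcRootPW: secret` and after the new `olcDbDirectory:` line) change the meaning of the LDIF rather than just its spacing: in LDIF a blank line terminates the entry, so `olcRootPW` and `olcDbDirectory` are no longer attributes of `olcDatabase=mdb,cn=config`, which is exactly why `slapadd -n0` reports that object class `olcMdbConfig` requires attribute `olcDbDirectory`. Drop the `+` blank lines (or use `#` comment lines if visual separation is wanted) so that the `olcDbDirectory: /var/lib/openldap/openldap-data` substitution stays inside the same entry.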
If those 3 empty lines were removed, everything would be fine.
I don’t know how to submit a patch to your infrastructure, so I kindly
ask you to patch/fix this.
*(from redmine: issue id 10472, created on 2019-05-20)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10473
modprobe unable to load via-rhine from alpine-extended-3.9.4-x86.iso
*(updated 2019-09-01T20:59:46Z; reported by Oleg Titov)*
I use alpine-extended-3.9.4-x86.iso to install Alpine Linux in sys mode
on VIA ARTiGO A1000 SBC.
I need to load via-rhine module to enable Ethernet controller, but
modprobe via-rhine reports the following error:
modprobe: can't load module mii (kernel/drivers/net/mii.ko): invalid module format
I was able to find several modules which produce the same error:
kernel/net/ipv6/ipv6.ko
kernel/virt/lib/irqbypass.ko
kernel/drivers/net/dummy.ko
I need to mention that during boot I also see some errors related to
ipv6 as the module is in invalid format.
*(from redmine: issue id 10473, created on 2019-05-20)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10474
Package request: ChezScheme
*(updated 2020-01-20T16:34:37Z; reported by fung yuen)*
ChezScheme package
dependencies: make, gcc, ncurses, X libs
url: https://github.com/cisco/ChezScheme
*(from redmine: issue id 10474, created on 2019-05-21)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10475
Include intel-ucode 20190514a in supported releases
*(updated 2020-05-21T09:47:22Z; reported by Henrik Riomar)*
intel-ucode 20190514a is needed to mitigate: MSBDS, MFBDS, MLPDS and
MDSUM hardware vulnerabilities, together with updated kernel packages.
The edge change for intel-ucode is here:
https://github.com/alpinelinux/aports/pull/7902
for edge & v3.9 we need to update linux 4.19.y and for v3.8 linux kernel
4.14.y as well.
*(from redmine: issue id 10475, created on 2019-05-21)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10479
Upgrade Rust to version 1.32.0 or newer
*(updated 2019-07-23T11:07:46Z; reported by Mogens Jensen)*
Firefox 67.0 requires at least rustc toolchain version 1.32.0 or newer
to build.
*(from redmine: issue id 10479, created on 2019-05-22, closed on 2019-05-26)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10480
Recent upgrade of 'log4cplus' package breaks 'kea' package
*(updated 2020-01-21T22:30:09Z; reported by Pavel Lyulchenko)*
‘kea’ package in edge/testing depends on ‘log4cplus’.
I believe that it was broken when log4cplus was updated to version 2.0.4
(https://git.alpinelinux.org/aports/commit/testing/log4cplus/APKBUILD?id=8cac6ceaf00cc79306f07da5d116a1943608e4de).
This commit disables implicit initialization of the logging library
(--disable-implicit-initialization), but Kea’s binaries will not start
when implicit initialization is disabled.
# ./kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
kea-dhcp4: Fatal error during start up: log4cplus is not initialized and implicit initialization is turned off
Maybe it was premature to disable implicit initialization.
*(from redmine: issue id 10480, created on 2019-05-22)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10483
postgresql conflict
*(updated 2019-07-26T13:58:56Z; reported by algitbot)*
When trying to install postgresql-bdr and postgresql-libs…
ERROR: postgresql-libs-11.3-r1: trying to overwrite usr/lib/libecpg_compat.so.3 owned by postgresql-bdr-9.4.14_p1-r2.
ERROR: postgresql-libs-11.3-r1: trying to overwrite usr/lib/libpgtypes.so.3 owned by postgresql-bdr-9.4.14_p1-r2.
ERROR: postgresql-libs-11.3-r1: trying to overwrite usr/lib/libecpg.so.6 owned by postgresql-bdr-9.4.14_p1-r2.
*(from redmine: issue id 10483, created on 2019-05-23)*
*(milestone: 3.10.2; assignee: Leonardo Arena)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10485
build-edge-x86 has broken abuild
*(updated 2019-07-23T11:07:44Z; reported by Chloe Kudryavtsev)*
According to Carlo, it runs 3.4.0_rc4-r0.
However, it is not respecting the cleanup_srcdir function in
community/caddy, causing a huge srcdir cleanup mess.
Go modules default to writing read-only files, and removing them as
non-root requires either recursive chroot or `go clean <s>modcache` to
be ran</s> usually done in cleanup_srcdir (which can be overridden as of
a patch that was applied this winter).
However, this is obviously not happening on that builder, for whatever
reason.
*(from redmine: issue id 10485, created on 2019-05-24, closed on 2019-05-24)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10488
Package cbindgen fails to install
*(updated 2019-07-23T11:07:43Z; reported by Mogens Jensen)*
Package cbindgen fails to install after rust has been upgraded to
version 1.33.0:
alpine-linux:~# apk add cbindgen
ERROR: unsatisfiable constraints:
so:libproc_macro-50ea75febfa805e9.so (missing):
required by: cbindgen-0.8.7-r0[so:libproc_macro-50ea75febfa805e9.so]
so:libstd-ded950973fb8ad5f.so (missing):
required by: cbindgen-0.8.7-r0[so:libstd-ded950973fb8ad5f.so]
so:libsyntax-f48514f48fd1d20b.so (missing):
required by: cbindgen-0.8.7-r0[so:libsyntax-f48514f48fd1d20b.so]
so:libsyntax_pos-fe1b49e9232b5061.so (missing):
required by: cbindgen-0.8.7-r0[so:libsyntax_pos-fe1b49e9232b5061.so]
*(from redmine: issue id 10488, created on 2019-05-26, closed on 2019-06-19)*
* Changesets:
* Revision 4603e599d6542f062da0add04d5c7c048825ab06 by Leo Leo on 2019-05-26T02:43:41Z:
```
testing/cbindgen: rebuild against new rust
fixes #10488
Closes: GH-8093
```
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10489
py-opencl-2018.2.5 fails to compile on ppc64le
*(updated 2019-10-11T19:51:37Z; reported by TBK)*
py-opencl has been disabled for ppc64le (commit
0e2edeb21bbd2f12b0817e5681548ff5b318ab15) until a solution for the error
below has been found:
```
/usr/include/c++/8.3.0/chrono:826:38: required from here
/usr/include/c++/8.3.0/type_traits:1925:64: error: 'value' is not a member of 'std::is_array<long int>'
typedef typename __decay_selector<__remove_type>::__type type;
^~~~
In file included from /usr/include/c++/8.3.0/thread:38,
from src/wrap_cl.hpp:76,
from src/wrap_constants.cpp:27:
/usr/include/c++/8.3.0/chrono: In instantiation of 'constexpr unsigned int std::chrono::operator<(const std::chrono::duration<_Rep1, _Period1>&, const std::chrono::duration<_Rep2, _Period2>&) [with _Rep1 = long int; _Period1 = std::ratio<1, 1000000000>; _Rep2 = long int; _Period2 = std::ratio<1, 1000000000>]':
/usr/include/c++/8.3.0/chrono:826:38: required from here
/usr/include/c++/8.3.0/chrono:564:52: error: no type named 'type' in 'struct std::common_type<std::chrono::duration<long int, std::ratio<1, 1000000000> >, std::chrono::duration<long int, std::ratio<1, 1000000000> > >'
typedef typename common_type<__dur1,__dur2>::type __ct;
^~~~
error: command 'gcc' failed with exit status 1
>>> ERROR: py-opencl: build failed
>>> py-opencl: Uninstalling dependencies...
```
*(from redmine: issue id 10489, created on 2019-05-26)*
* Uploads:
* [py-opencl-2018.2.5-r0.log](/uploads/7fa32ed59b36197e5d840053c859cca7/py-opencl-2018.2.5-r0.log)
*(assignee: Natanael Copa)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10491
monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)
*(updated 2019-07-23T11:07:41Z; reported by Alicha CH)*
CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c
------------------------------------------------------------
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
Monit before 5.25.3 allows a remote unauthenticated attacker to
introduce arbitrary JavaScript via manipulation of an unsanitized user
field of the Authorization header for HTTP Basic Authentication, which
is mishandled during an _viewlog operation.
### References:
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454
### Patches:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c
----------------------------------------------------------------------
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
before 5.25.3 allows a remote authenticated attacker to retrieve the
contents of adjacent memory via manipulation of GET or POST parameters.
The attacker can also cause a denial of service (application outage).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11455
### Patch:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
*(from redmine: issue id 10491, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
* child #10492
* child #10493
* child #10494
*(assignee: Natanael Copa)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10492
[3.9] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)
*(updated 2019-07-23T11:07:40Z; reported by Alicha CH)*
CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c
------------------------------------------------------------
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
Monit before 5.25.3 allows a remote unauthenticated attacker to
introduce arbitrary JavaScript via manipulation of an unsanitized user
field of the Authorization header for HTTP Basic Authentication, which
is mishandled during an _viewlog operation.
### References:
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454
### Patches:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c
----------------------------------------------------------------------
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
before 5.25.3 allows a remote authenticated attacker to retrieve the
contents of adjacent memory via manipulation of GET or POST parameters.
The attacker can also cause a denial of service (application outage).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11455
### Patch:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
*(from redmine: issue id 10492, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
* parent #10491
* Changesets:
* Revision b3c4cba85e047ff7101bb58a0acf2a266f0d3f34 on 2019-06-05T13:39:23Z:
```
main/monit: security fixes (CVE-2019-11454, CVE-2019-11455)
Fixes #10492
```
*(milestone: 3.9.5; assignee: Natanael Copa)*
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10493
[3.8] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)
*(updated 2019-07-23T11:07:39Z; reported by Alicha CH)*
CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c
------------------------------------------------------------
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
Monit before 5.25.3 allows a remote unauthenticated attacker to
introduce arbitrary JavaScript via manipulation of an unsanitized user
field of the Authorization header for HTTP Basic Authentication, which
is mishandled during an _viewlog operation.
### References:
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454
### Patches:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c
----------------------------------------------------------------------
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
before 5.25.3 allows a remote authenticated attacker to retrieve the
contents of adjacent memory via manipulation of GET or POST parameters.
The attacker can also cause a denial of service (application outage).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11455
### Patch:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
*(from redmine: issue id 10493, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
* parent #10491
* Changesets:
* Revision 8ae19acb1269f568cc856f52a50234227872b0bd on 2019-06-05T13:42:06Z:
```
main/monit: upgrade to 5.25.2, security fixes
CVE-2019-11454, CVE-2019-11455
Fixes #10493
```

Milestone: 3.8.5
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10494
[3.7] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)
Author: Alicha CH
Updated: 2019-07-23T11:07:38Z

CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c
------------------------------------------------------------
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
Monit before 5.25.3 allows a remote unauthenticated attacker to
introduce arbitrary JavaScript
via manipulation of an unsanitized user field of the Authorization
header for HTTP Basic Authentication, which is mishandled during an
`_viewlog` operation.
### References:
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454
### Patches:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11455: buffer over-read in function `Util_urlDecode` in util.c
----------------------------------------------------------------------
A buffer over-read in `Util_urlDecode` in util.c in Tildeslash Monit
before 5.25.3 allows a remote authenticated attacker to retrieve the
contents of adjacent memory via manipulation of GET or POST parameters.
The attacker can also cause a denial of service (application outage).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11455
### Patch:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
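Added illustration of the bug class behind CVE-2019-11455 (this issue and #10493 describe the same flaw). This is editor-written example code, not Monit's `Util_urlDecode`; the real fix is in the Bitbucket commit linked above and is not reproduced here. It shows a hand-rolled percent-decoder as such decoders are commonly written, which on a truncated escape (`%` or `%4` at the end of a parameter) reads past the string terminator and copies adjacent memory into the decoded value, beside a bounds-checked version that rejects the malformed escape. The function names and the sample request value `log=%` are mine; the bytes placed after the value's terminator are constructed stand-ins for whatever would sit next to it on the heap, kept inside the same array so the program stays well-defined while still showing the leak.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Monit's code: a minimal percent-decoder in the style of
 * many hand-written HTTP parameter parsers, first as commonly written
 * (over-reads on a truncated escape) and then bounds-checked. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                          /* not a hex digit (includes NUL) */
}

/* Vulnerable pattern: on '%' the next two bytes are consumed without checking
 * that the string still has two bytes. For a value ending in "%" or "%4" this
 * reads past the terminator, emits a byte derived from memory the client never
 * sent, and resumes scanning beyond the string end, so whatever follows in
 * memory is copied into the decoded value until the next NUL. Decodes in
 * place and returns the decoded length. */
size_t url_decode_unsafe(char *s)
{
    char *in = s, *out = s;
    while (*in) {
        if (*in == '%') {
            int hi = hexval(in[1]);     /* may already be the NUL ... */
            int lo = hexval(in[2]);     /* ... and this is past it: over-read */
            *out++ = (char)(hi * 16 + lo);
            in += 3;                    /* can step over the terminator */
        } else if (*in == '+') {
            *out++ = ' ';
            in++;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return (size_t)(out - s);
}

/* Hardened form: explicit input length, "%XX" decoded only when two bytes
 * exist and both are hex digits, capacity-checked output, and a malformed
 * escape is an error (-1) rather than a guess. Returns the decoded length. */
int url_decode_safe(const char *in, size_t len, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        if (o + 1 >= outcap)            /* keep room for the terminator */
            return -1;
        if (in[i] == '%') {
            if (i + 2 >= len)           /* fewer than two bytes follow */
                return -1;
            int hi = hexval(in[i + 1]);
            int lo = hexval(in[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;
            out[o++] = (char)(hi * 16 + lo);
            i += 3;
        } else if (in[i] == '+') {
            out[o++] = ' ';
            i++;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience wrapper: decode a NUL-terminated value into a static buffer,
 * NULL on malformed input. */
const char *decode_safe_str(const char *s)
{
    static char out[64];
    return url_decode_safe(s, strlen(s), out, sizeof out) < 0 ? NULL : out;
}

/* Constructed request value "log=%" (truncated escape). The bytes after its
 * NUL stand in for adjacent heap memory; they are inside this array on
 * purpose so the demonstration stays well-defined. */
const char *demo_leak(void)
{
    static char buf[32];
    static const char sample[] = "log=%\0ADJACENT";
    memcpy(buf, sample, sizeof sample);
    url_decode_unsafe(buf);             /* result: "log=" + 1 byte + "DJACENT" */
    return buf;
}

int main(void)
{
    const char *leaked = demo_leak();
    const char *ok = decode_safe_str("log=%");
    printf("unsafe decode of \"log=%%\": %zu bytes, tail \"%s\"\n",
           strlen(leaked), leaked + 5);
    printf("safe decode of \"log=%%\": %s\n", ok ? ok : "rejected");
    return 0;
}
```

The unsafe decoder turns the five-byte value `log=%` into twelve bytes, seven of which were never in the request; in a server that echoes the decoded parameter back, that is the information leak the advisory describes, and if the bytes past the terminator are unmapped it is the crash. The safe decoder refuses the same input.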
*(from redmine: issue id 10494, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
  * parent #10491
* Changesets:
  * Revision 165df433b6fd3e30ce578c4f54946a2079aa963c on 2019-06-05T14:16:54Z:
```
main/monit: upgrade to 5.25.2, security fixes
CVE-2019-11454, CVE-2019-11455
Fixes #10494
```

Milestone: 3.7.4
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10495
Backport HylafaxPlus
Author: Francesco Colista
Updated: 2019-07-23T11:07:37Z

Please backport this to 3.8 and 3.9, since I need to use this in
production, and I cannot upgrade to edge.
Moreover, I’m available to maintain longer than the latest release.
*(from redmine: issue id 10495, created on 2019-05-28, closed on 2019-05-28)*

Milestone: 3.8.5
Assignee: Francesco Colista

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10496
curl: Multiple vulnerabilities (CVE-2019-5435, CVE-2019-5436)
Author: Alicha CH
Updated: 2019-07-23T11:07:36Z

CVE-2019-5435: Integer overflows in `curl_url_set()`
----------------------------------------------------
libcurl contains two integer overflows in the curl\_url\_set() function
that if triggered, can lead to
a too small buffer allocation and a subsequent heap buffer overflow.
Affected versions: libcurl 7.62.0 to and including 7.64.1
Not affected versions: libcurl < 7.62.0 and >= libcurl 7.65.0
### Reference:
https://curl.haxx.se/docs/CVE-2019-5435.html
### Patch:
https://github.com/curl/curl/commit/5fc28510a4664f4
CVE-2019-5436: TFTP receive buffer overflow
-------------------------------------------
libcurl contains a heap buffer overflow in the function
(`tftp_receive_packet()`) that receives data from
a TFTP server. It calls recvfrom() with the default size for the buffer
rather than with the size that was
used to allocate it. Thus, the content that might overwrite the heap
memory is entirely controlled by the server.
The flaw exists if the user selects to use a “blksize” of 504 or smaller
(default is 512). The smaller size that is used,
the larger the possible overflow becomes. Users choosing a smaller size
than default should be rare as the primary
use case for changing the size is to make it larger.
Affected versions: libcurl 7.19.4 to and including 7.64.1
Not affected versions: libcurl < 7.19.4 and >= libcurl 7.65.0
### Reference:
https://curl.haxx.se/docs/CVE-2019-5436.html
### Patch:
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
*(from redmine: issue id 10496, created on 2019-05-28, closed on 2019-06-06)*
* Relations:
  * child #10497
  * child #10498
  * child #10499

Assignee: Natanael Copa
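Added model of the size mismatch behind CVE-2019-5436, written for this page; it is not curl's tftp.c and does not reproduce curl's allocation arithmetic (curl's own threshold of a blksize of 504 or smaller comes from that arithmetic; in this simplified model the receive buffer is blksize + 4 bytes, so any blksize below the 512-byte default can be overrun). The structure, function names and the constructed DATA packet are mine, and `fake_recvfrom` stands in for `recvfrom()`: it copies at most the buffer's capacity so the program never corrupts its own heap, and reports instead how many server-controlled bytes a real `recvfrom()` called with the same length would have written past the allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model of the CVE-2019-5436 pattern, not curl's tftp.c: the receive
 * buffer is sized from the negotiated blksize, but the vulnerable receive
 * passes a length derived from the compiled-in default. */

#define TFTP_BLKSIZE_DEFAULT 512
#define TFTP_HDR 4                   /* 2-byte opcode + 2-byte block number */
#define TFTP_OP_DATA 3

struct tftp_state {
    size_t blksize;                  /* negotiated block size */
    unsigned char *rpacket;          /* receive buffer, blksize + TFTP_HDR bytes */
    size_t rpacket_cap;
    size_t rbytes;                   /* length of the last received packet */
};

static int tftp_state_init(struct tftp_state *st, size_t blksize)
{
    st->blksize = blksize;
    st->rpacket_cap = blksize + TFTP_HDR;
    st->rpacket = calloc(1, st->rpacket_cap);
    st->rbytes = 0;
    return st->rpacket ? 0 : -1;
}

/* Stand-in for recvfrom(len): the kernel would copy up to len bytes of the
 * datagram into buf. The copy is clamped to cap so this program never
 * corrupts its own heap; *spilled is how many bytes a real recvfrom() with
 * that len would have written past the allocation. */
static size_t fake_recvfrom(unsigned char *buf, size_t cap, size_t len,
                            const unsigned char *dgram, size_t n, size_t *spilled)
{
    size_t want = n < len ? n : len;
    size_t safe = want < cap ? want : cap;
    memcpy(buf, dgram, safe);
    *spilled = want - safe;
    return want;
}

/* Vulnerable: the length comes from the default block size, not from the
 * allocation. With blksize 8 the buffer holds 12 bytes yet a 516-byte
 * datagram is accepted, and the server controls every overflowing byte. */
size_t tftp_receive_vuln(struct tftp_state *st, const unsigned char *dgram,
                         size_t n, size_t *spilled)
{
    return st->rbytes = fake_recvfrom(st->rpacket, st->rpacket_cap,
                                      TFTP_BLKSIZE_DEFAULT + TFTP_HDR,
                                      dgram, n, spilled);
}

/* Fixed: the length is the allocation size, so an oversized datagram is
 * truncated instead of overflowing. */
size_t tftp_receive_fixed(struct tftp_state *st, const unsigned char *dgram,
                          size_t n, size_t *spilled)
{
    return st->rbytes = fake_recvfrom(st->rpacket, st->rpacket_cap,
                                      st->rpacket_cap, dgram, n, spilled);
}

/* Constructed DATA packet: opcode 3, block number, then payload filler bytes. */
size_t make_data_packet(unsigned char *out, size_t cap, uint16_t block, size_t payload)
{
    if (cap < TFTP_HDR + payload) return 0;
    out[0] = 0; out[1] = TFTP_OP_DATA;
    out[2] = (unsigned char)(block >> 8); out[3] = (unsigned char)block;
    memset(out + TFTP_HDR, 'A', payload);
    return TFTP_HDR + payload;
}

/* Worked case: bytes spilled when a server answers a client that negotiated
 * 'blksize' with a full default-size (512-byte) data block. */
size_t spill_for_blksize(size_t blksize, int fixed)
{
    struct tftp_state st;
    unsigned char dgram[TFTP_BLKSIZE_DEFAULT + TFTP_HDR];
    size_t spilled = (size_t)-1;
    size_t n = make_data_packet(dgram, sizeof dgram, 1, TFTP_BLKSIZE_DEFAULT);
    if (tftp_state_init(&st, blksize) != 0) return (size_t)-1;
    if (fixed) tftp_receive_fixed(&st, dgram, n, &spilled);
    else       tftp_receive_vuln(&st, dgram, n, &spilled);
    free(st.rpacket);
    return spilled;
}

int main(void)
{
    printf("blksize 8:   vulnerable spills %zu bytes, fixed %zu\n",
           spill_for_blksize(8, 0), spill_for_blksize(8, 1));
    printf("blksize 504: vulnerable spills %zu bytes, fixed %zu\n",
           spill_for_blksize(504, 0), spill_for_blksize(504, 1));
    return 0;
}
```

The model reproduces the advisory's shape: with the vulnerable receive, a blksize of 8 lets a malicious server write 504 bytes past the 12-byte buffer, a blksize of 504 still lets it write 8, and the default of 512 spills nothing; with the receive length tied to the allocation, nothing spills for any blksize. The general lesson is that the length passed to a receive or copy must be derived from the same value as the allocation, never from a separately defined default.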