aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2022-04-19T20:16:05Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12123
musl: wcsnrtombs destination buffer overflow (CVE-2020-28928)
2022-04-19T20:16:05Z
Alicha CH

The wcsnrtombs function in all musl libc versions up through 1.2.1 has
been found to have multiple bugs in handling of destination buffer
size when limiting the input character count, which can lead to
infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffer.
This function is not used internally in musl and is not widely used,
but does appear in some applications. The non-input-limiting form
wcsrtombs is not affected.
All users of musl 1.2.1 and prior versions should apply the attached
patch, which replaces the overly complex and erroneous implementation.
The upcoming 1.2.2 release will adopt this new implementation.
#### Reference:
https://www.openwall.com/lists/musl/2020/11/19/1
#### Patch:
https://git.musl-libc.org/cgit/musl/commit/?id=3ab2a4e02682df1382955071919d8aa3c3ec40d4
### Affected branches:
* [x] master (9e3ec61a)
* [x] 3.12-stable (908046ad)
* [x] 3.11-stable (646c516367f8746a5d153ee00cf264316451b196)
* [x] 3.10-stable (5c22bb085e8e49c9cb402315efad998f7f992dff)
* [x] 3.9-stable (60aa954b2f8c9e3f4f0274165fcdffba95ba1abf)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12682
Graphviz CVE-2020-18032
2022-01-10T20:55:15Z
Miroslav Machura

JFrog XRay detects [CVE-2020-18032](https://nvd.nist.gov/vuln/detail/CVE-2020-18032) for graphviz library in alpine 3.13, which has a critical severity.
Please apply a patch to the vulnerability or upgrade the library.
Fix was introduced in [this MR](https://gitlab.com/graphviz/graphviz/-/merge_requests/1480/commits) and when I run `git tag --contains 784411c` (commit with fix) in graphviz lib, it returns:
```
2.46.0
2.46.1
2.47.0
2.47.1
```
So upgrading the library to version >= 2.46.0 in alpine 3.13 should also resolve the issue.
## Branches
* [x] master (06464b7)
* [x] 3.13-stable (5b55a7e)
* [x] 3.12-stable (4518bb2)
* [x] 3.11-stable (e6ce8b0)
* [ ] ~~3.10-stable~~
Kevin Daudt

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12274
dovecot: Multiple vulnerabilities (CVE-2020-25275, CVE-2020-24386)
2021-11-24T14:56:15Z
Alicha CH

### CVE-2020-25275: MIME parsing crash
Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened
due to earlier MIME parsing changes for CVE-2020-12100.
Vulnerable version: 2.3.11-2.3.11.3
Fixed version: 2.3.13
#### References:
* https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
* https://www.openwall.com/lists/oss-security/2021/01/04/3
### CVE-2020-24386: IMAP hibernation allows accessing other people's mail
When imap hibernation is active, an attacker can cause Dovecot to
discover file system directory structure and access other users' emails using
a specially crafted command. The attacker must have valid credentials to access the mail server.
Vulnerable version: 2.2.26-2.3.11.3
Fixed version: 2.3.13
#### References:
* https://www.openwall.com/lists/oss-security/2021/01/04/4
* https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
### Affected branches:
* [x] master (579394558547f8f589ab5cdca6b9cb32d6955d47)
* [x] 3.12-stable (6bd01a05ab9aa278c9113f3f81f32f55cde5f990)
* [ ] 3.11-stable
* [ ] 3.10-stable
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10764
Asterisk 16.3.0 in Alpine Linux 3.10, autoloader not working for chan_pjsip.so
2021-10-17T13:58:40Z
Martin Lantz

The auto-loader fails to load chan_pjsip, with the errors below. Most likely this is related to [#6644].
Versions: Asterisk 16.3.0 in Alpine Linux 3.10.
`[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_acl.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_acl.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_phoneprov_provider.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_phoneprov_provider.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_rfc3326.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_rfc3326.so: ast_sip_add_header: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_mwi.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_mwi.so: ast_sip_create_request: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_diversion.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_diversion.so: ast_sip_session_unregister_supplement: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_t38.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_t38.so: ast_sip_session_media_state_free: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_exten_state.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_exten_state.so: ast_sip_publish_client_user_send: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_path.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_path.so: ast_sip_location_retrieve_aor: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_refer.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_refer.so: ast_sip_dialog_get_session: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'func_pjsip_contact.so': Error relocating /usr/lib/asterisk/modules/func_pjsip_contact.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_outbound_registration.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_outbound_registration.so: ast_sip_set_tpselector_from_transport_name: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_transport_websocket.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_transport_websocket.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_caller_id.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_caller_id.so: ast_sip_session_unregister_supplement: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_pidf_eyebeam_body_supplement.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_pidf_eyebeam_body_supplement.so: ast_sip_presence_xml_create_attr: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_sips_contact.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_sips_contact.so: ast_sip_unregister_service: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_one_touch_record_info.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_one_touch_record_info.so: ast_sip_session_unregister_supplement: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_publish_asterisk.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_publish_asterisk.so: ast_sip_register_event_publisher_handler: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_dialog_info_body_generator.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_dialog_info_body_generator.so: ast_sip_presence_xml_create_attr: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_history.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_history.so: ast_sip_push_task_wait_servant: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_endpoint_identifier_user.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_endpoint_identifier_user.so: ast_sip_unregister_endpoint_identifier: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_logger.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_logger.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_mwi_body_generator.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_mwi_body_generator.so: ast_sip_pubsub_register_body_generator: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_registrar.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_registrar.so: ast_sip_send_stateful_response: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_pubsub.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_pubsub.so: ast_sip_is_content_type: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'func_pjsip_aor.so': Error relocating /usr/lib/asterisk/modules/func_pjsip_aor.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_outbound_publish.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_outbound_publish.so: ast_sip_set_tpselector_from_transport_name: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_messaging.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_messaging.so: ast_sip_send_stateful_response: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_nat.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_nat.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_notify.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_notify.so: ast_sip_create_request: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_pidf_body_generator.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_pidf_body_generator.so: ast_sip_presence_exten_state_to_str: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_endpoint_identifier_ip.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_endpoint_identifier_ip.so: ast_sip_unregister_endpoint_identifier: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'func_pjsip_endpoint.so': Error relocating /usr/lib/asterisk/modules/func_pjsip_endpoint.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_send_to_voicemail.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_send_to_voicemail.so: ast_sip_session_remove_datastore: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_config_wizard.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_config_wizard.so: ast_sip_get_sorcery: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_sdp_rtp.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_sdp_rtp.so: ast_sip_is_content_type: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_authenticator_digest.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_authenticator_digest.so: ast_sip_get_artificial_auth: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_pidf_digium_body_supplement.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_pidf_digium_body_supplement.so: ast_sip_presence_xml_create_attr: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_endpoint_identifier_anonymous.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_endpoint_identifier_anonymous.so: ast_sip_unregister_endpoint_identifier: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_header_funcs.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_header_funcs.so: ast_sip_session_remove_datastore: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_session.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_session.so: ast_sip_create_request_with_auth: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_outbound_authenticator_digest.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_outbound_authenticator_digest.so: ast_sip_cleanup_auths: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip.so': Error relocating /usr/lib/asterisk/modules/res_pjsip.so: pjsip_use_compact_form: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_empty_info.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_empty_info.so: ast_sip_session_unregister_supplement: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_xpidf_body_generator.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_xpidf_body_generator.so: ast_sip_presence_xml_find_node_attr: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_dlg_options.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_dlg_options.so: ast_sip_add_header: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'res_pjsip_dtmf_info.so': Error relocating /usr/lib/asterisk/modules/res_pjsip_dtmf_info.so: ast_sip_session_unregister_supplement: symbol not found
[Aug 28 12:44:36] ERROR[1]: loader.c:2396 load_modules: Error loading module 'chan_pjsip.so': Error relocating /usr/lib/asterisk/modules/chan_pjsip.so: ast_sip_session_remove_datastore: symbol not found
`
3.10.3
Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12184
curl: Multiple vulnerabilities (CVE-2020-8284, CVE-2020-8285, CVE-2020-8286)
2021-04-14T08:28:50Z
Alicha CH

### CVE-2020-8284: trusting FTP PASV responses
When curl performs a passive FTP transfer, it first tries the EPSV command and if that is not supported, it falls back to using PASV. Passive mode is what curl uses by default.
A server response to a PASV command includes the (IPv4) address and port number for the client to connect back to in order to perform the actual data transfer.
Affected versions: curl 4.0 to and including 7.73.0
Not affected versions: curl >= 7.74.0
#### Reference:
https://curl.se/docs/CVE-2020-8284.html
### CVE-2020-8285: FTP wildcard stack overflow
libcurl offers a wildcard matching functionality, which allows a callback (set with CURLOPT_CHUNK_BGN_FUNCTION) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries.
Affected versions: libcurl 7.21.0 to and including 7.73.0
Not affected versions: libcurl < 7.21.0 and libcurl >= 7.74.0
#### Reference:
https://curl.se/docs/CVE-2020-8285.html
### CVE-2020-8286: Inferior OCSP verification
libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool.
Affected versions: libcurl 7.41.0 to and including 7.73.0
Not affected versions: libcurl < 7.41.0 and libcurl >= 7.74.0
#### Reference:
https://curl.se/docs/CVE-2020-8286.html
### Affected branches:
* [x] master (a2da5d177a121c47684eb9ee6e49351cdaeae06b)
* [x] 3.12-stable (90e58b3d833e1a1e51c524cdaa5091dbcd80c0f0, e22439933a2d17400077b8165d3268d02ec27030)
* [x] 3.11-stable
* [x] 3.10-stable
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12569
nodejs, nodejs-current: security release on April 6th, 2021
2021-04-13T17:20:06Z
Michał Polański

### Source
https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/
### Summary
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, April 6th, 2021.
### Impact
* The 15.x release line of Node.js is vulnerable to two high severity issues.
* The 14.x release line of Node.js is vulnerable to three high severity issues.
* The 12.x release line of Node.js is vulnerable to three high severity issues.
* The 10.x release line of Node.js is vulnerable to three high severity issues.
### Affected aports with active support
* [x] ~~master: nodejs-current 15.13.0-r0 (community)~~ not affected
* [x] master: nodejs 14.16.0-r0 (main)
* [x] ~~3.13-stable: nodejs-current 15.10.0-r0 (community)~~ not affected
* [x] 3.13-stable: nodejs 14.16.0-r0 (main)
* [x] 3.12-stable: nodejs 12.21.0-r0 (main)
* [x] 3.11-stable: nodejs 12.21.0-r0 (main)
* [x] 3.10-stable: nodejs 10.24.0-r0 (main)
Jakub Jirutka
2021-04-06

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12558
spamassassin: Malicious rule configuration files can be configured to run system commands (CVE-2020-1946)
2021-04-13T06:39:42Z
Alicha CH

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
#### References:
* https://www.openwall.com/lists/oss-security/2021/03/24/3
* https://s.apache.org/3r1wh
### Affected branches:
* [x] master (959e525e7a66fb2347f9e9109784d47cd4b8c4c4)
* [x] 3.13-stable
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
Leonardo Arena

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12581
tar: Memory leak in read_header() in list.c (CVE-2021-20193)
2021-04-07T03:37:28Z
Alicha CH

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.
#### References:
* https://savannah.gnu.org/bugs/?59897
* https://nvd.nist.gov/vuln/detail/CVE-2021-20193
#### Patch:
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
### Affected branches:
* [x] master (eda7fb6bd07c8cf2d48aa6aae3c2f051571132fa)
* [x] 3.13-stable
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10759
nodejs: Multiple vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518)
2021-04-02T02:51:16Z
Alicha CH

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
#### Affected Versions:
All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current).
#### Fixed In Version:
Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1
#### Reference:
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
### Affected branches:
* [x] master
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
* [x] 3.7-stable
Leonardo Arena

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10970
bind: TCP-pipelined queries can bypass tcp-clients limit (CVE-2019-6477)
2021-04-02T02:51:12Z
Alicha CH

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.
#### Affected Versions:
bind 9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2, 9.14.1 -> 9.14.7
#### Fixed In Version:
bind 9.11.13, 9.14.8, 9.15.6.
#### References:
* https://kb.isc.org/docs/cve-2019-6477
* https://www.openwall.com/lists/oss-security/2019/11/20/8
### Affected branches:
* [x] master (85f2bc39b0cdf3fbb1804e1bde6a0f1570c8931d)
* [x] 3.10-stable (9e6955f54ef0ef060d47afd63899a6d9379a6edf)
* [x] 3.9-stable
* [x] 3.8-stable

https://gitlab.alpinelinux.org/alpine/aports/-/issues/11052
clamav: Long scanning time of specially crafted email file leads to denial of service (CVE-2019-15961)
2021-04-02T02:50:20Z
Alicha CH

A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.
#### Affected Versions:
clamav 0.102.0 and 0.101.4 and prior.
#### Fixed In Version:
clamav 0.102.1, 0.101.5.
#### References:
https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
### Affected branches:
* [x] master (96acef60c9151088282c9cfee2085369f44d4855)
* [x] 3.10-stable (d4a978d74e6d14729113d02112827a851a2e53fd)
* [x] 3.9-stable
* [x] 3.8-stable
Leonardo Arena

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10919
lz4: heap-based buffer overflow in LZ4_write32 (CVE-2019-17543)
2021-04-02T02:47:38Z
Alicha CH

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2019-17543
* https://github.com/lz4/lz4/pull/756
* https://github.com/lz4/lz4/pull/760
### Affected branches:
* [x] master (cd1f4c1a98949365fb26014853a1f48000142e05)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
* [x] 3.7-stable

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12549
squid: HTTP Request Smuggling (CVE-2020-25097)
2021-04-02T02:27:10Z
Alicha CH

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
#### Fixed In Version:
squid 4.14 and 5.0.5.
#### References:
* https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
* https://nvd.nist.gov/vuln/detail/CVE-2020-25097
#### Patch:
Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch
### Affected branches:
* [x] master (6d446c6e6d358a7ebbfa3b88cc7e8f60709b9c70)
* [x] 3.13-stable
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12447
nodejs, nodejs-current: security release on February 23th, 2021
2021-03-31T18:38:02Z
Michał Polański

Source: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
# Summary
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, February 23th, 2021.
One Critical severity issue
One High severity issue
One Low severity issue
# Impact
The 15.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 14.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 12.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 10.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
# Affected aports with active support
* [x] master: nodejs 14.15.5-r0 (main)
* [x] master: nodejs-current 15.8.0-r1 (community)
* [x] 3.13-stable: nodejs 14.15.5-r0 (main)
* [x] 3.13-stable: nodejs-current 15.5.1-r0 (community)
* [x] 3.12-stable: nodejs 12.20.1-r0 (main)
* [x] 3.11-stable: nodejs 12.20.1-r0 (main)
* [x] 3.10-stable: nodejs 10.19.0-r0 (main)
2021-02-23

https://gitlab.alpinelinux.org/alpine/aports/-/issues/11884
bind: Multiple vulnerabilities (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624)
2021-03-31T16:17:59Z
Alicha CH

### CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
In versions of BIND that use the libuv network manager (9.16.x is the only stable branch affected) an incorrectly specified maximum buffer size allows a specially crafted large TCP payload to trigger an assertion failure when it is received.
Affected Versions: BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3
Fixed In Version: BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8620
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit.
Affected Versions: BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3
Fixed In versions: BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8621
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit.
Affected Versions: BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8622
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
If BIND is built with "--enable-native-pkcs11" then a specially crafted query for a zone signed with RSA can trigger an assertion failure.
Affected Versions: BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8623
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
Change 4885 inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain.
Affected Versions: BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8624
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### Affected branches:
* [x] master (552c946)
* [x] 3.12-stable (8bacbe7)
* [x] 3.11-stable
* [x] 3.10-stable
* [ ] 3.9-stable (EOL)
3.12.6
Kevin Daudt
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12566
busybox: invalid free or segmentation fault via malformed gzip data (CVE-2021-28831)
2021-03-31T04:59:32Z
Alicha CH
decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2021-28831
* https://security-tracker.debian.org/tracker/CVE-2021-28831
#### Patch:
https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd
### Affected branches:
* [x] master: 1.33.0-r5 (8457a320f13d202a1c65be2652f0d030880f17f0)
* [x] 3.13-stable: 1.32.1-r4 (7acc3190c16c19db5767c094d5ea6de75bbc2ae8)
* [x] 3.12-stable: 1.31.1-r20 (0d639f13e315e43a11821d963031ed5b49b15a15)
* [x] 3.11-stable: 1.31.1-r10 (7332e004b92f2a688a28eee7628a1e6e16d76147)
* [x] 3.10-stable: 1.30.1-r5 (26527b0535f65a4ac0ae7f3c9afb2294885b21cc)
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12539
haserl: information disclosure due to setuid binaries (CVE-2021-29133)
2021-03-30T10:40:55Z
Kevin Daudt
Lack of verification in haserl, a component of Alpine Linux Configuration Framework, in version 0.9.35 and below, allows local users to read the contents of any file on the filesystem.
## Affected versions
* v0.9.35 and below
## Fixed in version
* v0.9.36
## References
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29133
* https://nvd.nist.gov/vuln/detail/CVE-2021-29133
* https://twitter.com/steaIth/status/1364940271054712842
* https://github.com/rapid7/metasploit-framework/pull/14833
* #12491
## Branches
* [x] master haserl-0.9.36-r0 (9ed42b3)
* [x] 3.13-stable haserl-0.9.36-r0 (c82aabb012ba)
* [x] 3.12-stable haserl-0.9.36-r0 (88cf7914f395)
* [x] 3.11-stable haserl-0.9.36-r0 (4f43aacac6e0)
* [x] 3.10-stable haserl-0.9.36-r0 (691d020dbd55)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12546
openssl: Multiple vulnerabilities (CVE-2021-3449, CVE-2021-3450)
2021-03-29T08:51:59Z
Natanael Copa
### CVE-2021-3449: NULL pointer deref in signature_algorithms processing
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue.
#### Reference:
https://www.openssl.org/news/vulnerabilities.html
### CVE-2021-3450: CA certificate check bypass with X509_V_FLAG_X509_STRICT
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue.
#### Reference:
https://www.openssl.org/news/vulnerabilities.html
### Affected branches:
* [x] master (92ff3f34184c589fa4d811f96fa7f607b803975a)
* [x] 3.13-stable (36515dd3bda2fc9f66fb4c16e0f97689be0a192f)
* [x] 3.12-stable (762b65ec5a84fff28c614cc527a56eb0d12d35eb)
* [x] 3.11-stable (69ad9d9b8dbc23884600181b0f0a07c3428705ee)
* [x] 3.10-stable (b5417b32170f2c945de1735ea728199291ff97b6)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12196
openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
2021-03-25T14:28:32Z
Alicha CH
The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack. (Affected 1.1.1-1.1.1h)
#### Fixed In Version:
openssl 1.1.1i
#### Reference:
https://www.openssl.org/news/secadv/20201208.txt
### Affected branches:
* [x] master (797148556e648800c8fc39a426ef8df37b989f9e)
* [x] 3.12-stable (9e04b0fdd0665f27ea5d557286eda64cc877322f)
* [x] 3.11-stable
* [x] 3.10-stable
Timo Teräs
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12543
gnutls: Multiple vulnerabilities (CVE-2021-20231, CVE-2021-20232)
2021-03-24T15:10:55Z
Alicha CH
### CVE-2021-20231: Use after free in client key_share extension
A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.
#### Fixed In Version:
gnutls 3.7.1
#### References:
* https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
* https://nvd.nist.gov/vuln/detail/CVE-2021-20231
### CVE-2021-20232: Use after free in client_send_params in lib/ext/pre_shared_key.c
A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.
#### Fixed In Version:
gnutls 3.7.1
#### References:
* https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
* https://nvd.nist.gov/vuln/detail/CVE-2021-20232
### Affected branches:
* [x] master (a6a29b59574fe2eb241231ab5604780f0b4ee240)
* [x] 3.13-stable (c1538cc832955947054f76d3cc9e28460291c3f9)
* [x] 3.12-stable (4fe3ca4189cf75baafae0266f3c900cbedc10c2f)
* [x] 3.11-stable (696ea45aea1f48e8a177df39dfc174b609bea9a7)
* [x] 3.10-stable (f15d1c4a97433880b929b06b8604e19d76f7cb36)
Natanael Copa