# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2022-04-19T20:16:05Z

## musl: wcsnrtombs destination buffer overflow (CVE-2020-28928)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12123
Updated: 2022-04-19T20:16:05Z
Author: Alicha CH

The wcsnrtombs function in all musl libc versions up through 1.2.1 has
been found to have multiple bugs in handling of destination buffer
size when limiting the input character count, which can lead to
infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffer.
This function is not used internally in musl and is not widely used,
but does appear in some applications. The non-input-limiting form
wcsrtombs is not affected.
All users of musl 1.2.1 and prior versions should apply the attached
patch, which replaces the overly complex and erroneous implementation.
The upcoming 1.2.2 release will adopt this new implementation.
#### Reference:
https://www.openwall.com/lists/musl/2020/11/19/1
#### Patch:
https://git.musl-libc.org/cgit/musl/commit/?id=3ab2a4e02682df1382955071919d8aa3c3ec40d4
### Affected branches:
* [x] master (9e3ec61a)
* [x] 3.12-stable (908046ad)
* [x] 3.11-stable (646c516367f8746a5d153ee00cf264316451b196)
* [x] 3.10-stable (5c22bb085e8e49c9cb402315efad998f7f992dff)
* [x] 3.9-stable (60aa954b2f8c9e3f4f0274165fcdffba95ba1abf)

## py3-pillow: CVE-2021-23437
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13051
Updated: 2022-01-31T06:00:07Z
Author: Rich Braun
Assignee: Fabian Affolter

CVE-2021-23437 was reported 7-Sep-2021, a day-0 high-sev:
> The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
Edge repo has 8.1.x at this time. 3.14 repo has 8.2.0-r0.

## Graphviz CVE-2020-18032
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12682
Updated: 2022-01-10T20:55:15Z
Author: Miroslav Machura

JFrog XRay detects [CVE-2020-18032](https://nvd.nist.gov/vuln/detail/CVE-2020-18032) for graphviz library in alpine 3.13, which has a critical severity.
Please apply a patch to the vulnerability or upgrade the library.
Fix was introduced in [this MR](https://gitlab.com/graphviz/graphviz/-/merge_requests/1480/commits) and when I run `git tag --contains 784411c` (commit with fix) in graphviz lib, it returns:
```
2.46.0
2.46.1
2.47.0
2.47.1
```
So upgrading the library to version >= 2.46.0 in alpine 3.13 should also resolve the issue.
## Branches
* [x] master (06464b7)
* [x] 3.13-stable (5b55a7e)
* [x] 3.12-stable (4518bb2)
* [x] 3.11-stable (e6ce8b0)
* [ ] ~~3.10-stable~~
Assignee: Kevin Daudt

## bubblewrap: --bind does not work (0.4.1-r0)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11529
Updated: 2021-11-25T02:53:25Z
Author: minus

The current version in the repo (0.4.1-r0) fails to bind mount anything.
```
$ bwrap --ro-bind /bin /bin --ro-bind /lib /lib /bin/busybox sh
bwrap: Can't bind mount /oldroot/bin on /newroot/bin: No such file or directory
```
When building the package myself, it works fine. There is a workaround patch for a realpath issue in aports. The error message is exactly the same as when this patch is not applied.

## dovecot: Multiple vulnerabilities (CVE-2020-25275, CVE-2020-24386)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12274
Updated: 2021-11-24T14:56:15Z
Author: Alicha CH

### CVE-2020-25275: MIME parsing crash
Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened
due to earlier MIME parsing changes for CVE-2020-12100.
Vulnerable version: 2.3.11-2.3.11.3
Fixed version: 2.3.13
#### References:
* https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
* https://www.openwall.com/lists/oss-security/2021/01/04/3
### CVE-2020-24386: IMAP hibernation allows accessing other people's mail
When imap hibernation is active, an attacker can cause Dovecot to
discover file system directory structure and access other users' emails using a
specially crafted command. The attacker must have valid credentials to access the mail server.
Vulnerable version: 2.2.26-2.3.11.3
Fixed version: 2.3.13
#### References:
* https://www.openwall.com/lists/oss-security/2021/01/04/4
* https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
### Affected branches:
* [x] master (579394558547f8f589ab5cdca6b9cb32d6955d47)
* [x] 3.12-stable (6bd01a05ab9aa278c9113f3f81f32f55cde5f990)
* [ ] 3.11-stable
* [ ] 3.10-stable
Assignee: Natanael Copa

## drbd-lts: many errors while trying to install on Alpine 3.11.6 x86_64
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11519
Updated: 2021-08-08T14:10:40Z
Author: Fernando Casas Schössow

While trying to install drbd-lts on Alpine 3.11.6 x86_64 many errors are displayed by apk. I'm not sure how critical they are or not, so I decided to open this issue.
I'm running Alpine from RAM (booting from a USB drive).
I tried to install drbd-utils among other packages and the installation is fine, only drbd-lts is generating all these errors.
Please find attached the output of the apk add command.
[apk_add_drbd-lts.txt](/uploads/c48d5e4709df8d1850078048d7bb5988/apk_add_drbd-lts.txt)
Thanks.
PS: I tried to flag the package at https://pkgs.alpinelinux.org/package/v3.11/main/x86_64/drbd-lts but I got a 404 error when clicking on the "Flag" button.

## alpine network delay when operating HBASE via phoenix
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11452
Updated: 2021-08-07T22:27:55Z
Author: prodan

System environment
```
~ $ cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.11.5
PRETTY_NAME="Alpine Linux v3.11"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
~ $ uname -r
3.10.0-1062.18.1.el7.x86_64
~ $ apk list | grep musl
musl-1.1.24-r2 x86_64 {musl} (MIT) [installed]
musl-utils-1.1.24-r2 x86_64 {musl} (MIT BSD GPL2+) [installed]
musl-dev-1.1.24-r2 x86_64 {musl} (MIT) [installed]
~ $
```
Run test script in alpine
```
~ $ time python test.py
1587781799.9128911
23.95860481262207
33667
0.6693758964538574
351
real 0m 25.33s
user 0m 24.46s
sys 0m 0.47s
~ $
```
Run test script on CentOS
```
(base) [root@bigdata-dev03 ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
(base) [root@bigdata-dev03 ~]# uname -r
3.10.0-1062.18.1.el7.x86_64
(base) [root@bigdata-dev03 ~]# time python test.py
1587781936.8903282
2.4388413429260254
33667
0.6046943664550781
351
real 0m3.930s
user 0m3.003s
sys 0m0.244s
(base) [root@bigdata-dev03 ~]#
```
Run the test script in alpine after upgrading the kernel
```
~ $ cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.11.5
PRETTY_NAME="Alpine Linux v3.11"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
~ $ uname -r
5.6.7-1.el7.elrepo.x86_64
~ $ time python test.py
1587781294.1356337
10.101239442825317
33667
0.367321252822876
351
real 0m 10.86s
user 0m 10.28s
sys 0m 0.09s
~ $
```
tcpdump intercepts packets
```
2273 21.438452 192.168.1.72 172.16.0.199 TCP 7006 [TCP Out-Of-Order] 80 → 33258 [ACK] Seq=7098353 Ack=5443 Win=50304 Len=6940 TSval=991811317 TSecr=979000685
2274 21.438487 192.168.1.72 172.16.0.199 TCP 4230 [TCP Out-Of-Order] 80 → 33258 [ACK] Seq=7105293 Ack=5443 Win=50304 Len=4164 TSval=991811317 TSecr=979000685
2275 21.438632 172.16.0.199 192.168.1.72 TCP 78 [TCP Window Update] 33258 → 80 [ACK] Seq=5443 Ack=7098353 Win=332672 Len=0 TSval=979000685 TSecr=991811316 SLE=7109457 SRE=7116397
2276 21.438701 172.16.0.199 192.168.1.72 TCP 78 [TCP Dup ACK 2270#1] 33258 → 80 [ACK] Seq=5443 Ack=7098353 Win=332672 Len=0 TSval=979000685 TSecr=991811316 SLE=7109457 SRE=7123337
```
I suspect it was caused by musl libc ......

## FFMPEG libx264 Segfault error
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11533
Updated: 2021-07-27T14:55:29Z
Author: Ariel Frischer

I'm installing ffmpeg 4.2.1 on an alpine:3.11 image and I continuously get segfault errors when using ffmpeg with libx264.
```
Step 18/33 : RUN ffmpeg -version
ffmpeg version 4.2.1 Copyright (c) 2000-2019 the FFmpeg developers
built with gcc 9.2.0 (Alpine 9.2.0)
configuration: --prefix=/usr --enable-avresample --enable-avfilter --enable-gnutls --enable-gpl --enable-libass --enable-libmp3lame --enable-libvorbis --enable-libvpx --enable-libxvid --enable-libx264 --enable-libx265 --enable-libtheora --enable-libv4l2 --enable-postproc --enable-pic --enable-pthreads --enable-shared --enable-libxcb --disable-stripping --disable-static --disable-librtmp --enable-vaapi --enable-vdpau --enable-libopus --disable-debug
libavutil 56. 31.100 / 56. 31.100
libavcodec 58. 54.100 / 58. 54.100
libavformat 58. 29.100 / 58. 29.100
libavdevice 58. 8.100 / 58. 8.100
libavfilter 7. 57.100 / 7. 57.100
libavresample 4. 0. 0 / 4. 0. 0
libswscale 5. 5.100 / 5. 5.100
libswresample 3. 5.100 / 3. 5.100
libpostproc 55. 5.100 / 55. 5.100
```
The command is:
```
ffmpeg -f rawvideo -vcodec rawvideo -pix_fmt rgba -s 320x180 -r 15 -i - -map 0:v:0 -vf format=yuv420p -vcodec libx264 -profile:v high -preset:v ultrafast -crf 18 -mov
```
The error is: `Segmentation fault (core dumped)` and that's it. I'm using xvfb to run node, inside node a package called editly is running this ffmpeg command. Other fluent-ffmpeg commands seem to work without issues, only libx264 crashes.

## open-iscsi does not honor exec_prefix at build time
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12768
Updated: 2021-06-18T14:46:29Z
Author: Francesco Colista

`APKBUILD` of open-iscsi has `exec_prefix=/usr`.
The Makefile has `exec_prefix = /`.
At build time, `exec_prefix=/usr` is not honored, which ends up placing binary files in `/sbin` rather than `/usr/sbin`.
So far, commit 28e8f052e8d863d85ff95ed5a4ffe6844d3ba522 has modified the path to `/sbin` to make it work, but this was incomplete, since the init script also has `iscsi-iname` in the wrong, non-existent, path.
In order to fix it, we can:
1. remove `exec_prefix` in the Makefile and adjust the initd so that all binaries called point to `/sbin`
2. patch the Makefile to correct `exec_prefix` and still fix the initd, which basically reverts commit 28e8f052e8d863d85ff95ed5a4ffe6844d3ba522
I will leave the choice to @larena since he's the maintainer.
If we go with option 2 (which I prefer), this is a possible patch (which I've tested and is working):
```
diff --git a/Makefile b/Makefile
index 7f52cc8..32a86d3 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@
DESTDIR ?=
prefix = /usr
-exec_prefix = /
+exec_prefix = $(prefix)
sbindir = $(exec_prefix)/sbin
bindir = $(exec_prefix)/bin
mandir = $(prefix)/share/man
```
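Review bot: with `exec_prefix = $(prefix)`, `sbindir` and `bindir` in this hunk now expand to /usr/sbin and /usr/bin, so the init script paths that commit 28e8f052e8d863d85ff95ed5a4ffe6844d3ba522 pointed at /sbin (including iscsi-iname) must be reverted in the same change, or the packaged init script will reference binaries that are no longer installed there. Consider also whether the plain `=` assignment is the real reason exec_prefix is not honored: a recursive `=` in the Makefile overrides any exec_prefix exported through the environment, whereas `exec_prefix ?= $(prefix)` would keep the new default while letting an explicit exec_prefix=/usr from the APKBUILD take effect when it is passed that way.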
.: Francesco Colista
Assignee: Leonardo Arena

## nginx http-client-body-temp-path change broke upgrade
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11204
Updated: 2021-06-14T14:35:16Z
Author: Tom Parrott

I recently upgraded nginx from 3.10 to 3.11 and then nginx wouldn't start, complaining about a missing directory `/var/lib/nginx/tmp/client_body`.
I tracked it back to this change:
https://git.alpinelinux.org/aports/commit/main/nginx/APKBUILD?id=8ded1028a7bcdabc411b39367920a61f7919fdd6
Creating the directory manually fixed the issue, but it would be good if upgrades created these missing directories if possible.
Thanks
Milestone: 3.12.8

## Asterisk logrotate - Alpine 3.11.3
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11142
Updated: 2021-06-12T07:16:49Z
Author: Ryan Campo
Milestone: 3.14.0
Assignee: Timo Teräs

First start of asterisk creates logs with permissions 644. After logrotate, logs are created with 640 via /etc/logrotate.d/asterisk.

## curl: Multiple vulnerabilities (CVE-2020-8284, CVE-2020-8285, CVE-2020-8286)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12184
Updated: 2021-04-14T08:28:50Z
Author: Alicha CH

### CVE-2020-8284: trusting FTP PASV responses
When curl performs a passive FTP transfer, it first tries the EPSV command and if that is not supported, it falls back to using PASV. Passive mode is what curl uses by default.
A server response to a PASV command includes the (IPv4) address and port number for the client to connect back to in order to perform the actual data transfer.
Affected versions: curl 4.0 to and including 7.73.0
Not affected versions: curl >= 7.74.0
#### Reference:
https://curl.se/docs/CVE-2020-8284.html
### CVE-2020-8285: FTP wildcard stack overflow
libcurl offers a wildcard matching functionality, which allows a callback (set with CURLOPT_CHUNK_BGN_FUNCTION) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries.
Affected versions: libcurl 7.21.0 to and including 7.73.0
Not affected versions: libcurl < 7.21.0 and libcurl >= 7.74.0
#### Reference:
https://curl.se/docs/CVE-2020-8285.html
### CVE-2020-8286: Inferior OCSP verification
libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool.
Affected versions: libcurl 7.41.0 to and including 7.73.0
Not affected versions: libcurl < 7.41.0 and libcurl >= 7.74.0
#### Reference:
https://curl.se/docs/CVE-2020-8286.html
### Affected branches:
* [x] master (a2da5d177a121c47684eb9ee6e49351cdaeae06b)
* [x] 3.12-stable (90e58b3d833e1a1e51c524cdaa5091dbcd80c0f0, e22439933a2d17400077b8165d3268d02ec27030)
* [x] 3.11-stable
* [x] 3.10-stable
Assignee: Natanael Copa

## nodejs, nodejs-current: security release on April 6th, 2021
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12569
Updated: 2021-04-13T17:20:06Z
Author: Michał Polański

### Source
https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/
### Summary
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, April 6th, 2021.
### Impact
* The 15.x release line of Node.js is vulnerable to two high severity issues.
* The 14.x release line of Node.js is vulnerable to three high severity issues.
* The 12.x release line of Node.js is vulnerable to three high severity issues.
* The 10.x release line of Node.js is vulnerable to three high severity issues.
### Affected aports with active support
* [x] ~~master: nodejs-current 15.13.0-r0 (community)~~ not affected
* [x] master: nodejs 14.16.0-r0 (main)
* [x] ~~3.13-stable: nodejs-current 15.10.0-r0 (community)~~ not affected
* [x] 3.13-stable: nodejs 14.16.0-r0 (main)
* [x] 3.12-stable: nodejs 12.21.0-r0 (main)
* [x] 3.11-stable: nodejs 12.21.0-r0 (main)
* [x] 3.10-stable: nodejs 10.24.0-r0 (main)
Assignee: Jakub Jirutka
Due date: 2021-04-06

## spamassassin: Malicious rule configuration files can be configured to run system commands (CVE-2020-1946)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12558
Updated: 2021-04-13T06:39:42Z
Author: Alicha CH

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
#### References:
* https://www.openwall.com/lists/oss-security/2021/03/24/3
* https://s.apache.org/3r1wh
### Affected branches:
* [x] master (959e525e7a66fb2347f9e9109784d47cd4b8c4c4)
* [x] 3.13-stable
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
Assignee: Leonardo Arena

## tar: Memory leak in read_header() in list.c (CVE-2021-20193)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12581
Updated: 2021-04-07T03:37:28Z
Author: Alicha CH

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.
#### References:
* https://savannah.gnu.org/bugs/?59897
* https://nvd.nist.gov/vuln/detail/CVE-2021-20193
#### Patch:
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
### Affected branches:
* [x] master (eda7fb6bd07c8cf2d48aa6aae3c2f051571132fa)
* [x] 3.13-stable
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
Assignee: Carlo Landmeter

## squid: HTTP Request Smuggling (CVE-2020-25097)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12549
Updated: 2021-04-02T02:27:10Z
Author: Alicha CH

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
#### Fixed In Version:
squid 4.14 and 5.0.5.
#### References:
* https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6
* https://nvd.nist.gov/vuln/detail/CVE-2020-25097
#### Patch:
Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch
### Affected branches:
* [x] master (6d446c6e6d358a7ebbfa3b88cc7e8f60709b9c70)
* [x] 3.13-stable
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
Assignee: Natanael Copa

## py3-pygments: ReDos via crafted malicious input (CVE-2021-27291)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12551
Updated: 2021-04-01T18:03:41Z
Author: Alicha CH

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
#### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-27291
#### Patch:
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
### Affected branches:
* [x] master (5a7b755050736b28b503dfa74d6e519e8234273c)
* [x] 3.13-stable (5a7b755050736b28b503dfa74d6e519e8234273c)
* [x] 3.12-stable
* [x] 3.11-stable

## nodejs, nodejs-current: security release on February 23rd, 2021
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12447
Updated: 2021-03-31T18:38:02Z
Author: Michał Polański

Source: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
# Summary
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, February 23rd, 2021.
* One Critical severity issue
* One High severity issue
* One Low severity issue
# Impact
The 15.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 14.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 12.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 10.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
# Affected aports with active support
* [x] master: nodejs 14.15.5-r0 (main)
* [x] master: nodejs-current 15.8.0-r1 (community)
* [x] 3.13-stable: nodejs 14.15.5-r0 (main)
* [x] 3.13-stable: nodejs-current 15.5.1-r0 (community)
* [x] 3.12-stable: nodejs 12.20.1-r0 (main)
* [x] 3.11-stable: nodejs 12.20.1-r0 (main)
* [x] 3.10-stable: nodejs 10.19.0-r0 (main)
Due date: 2021-02-23

## bind: Multiple vulnerabilities (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11884
Updated: 2021-03-31T16:17:59Z
Author: Alicha CH

### CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
In versions of BIND that use the libuv network manager (9.16.x is the only stable branch affected) an incorrectly specified maximum buffer size allows a specially crafted large TCP payload to trigger an assertion failure when it is received.
Affected Versions: BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3
Fixed In Version: BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8620
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit.
Affected Versions: BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3
Fixed In versions: BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8621
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit.
Affected Versions: BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8622
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
If BIND is built with "--enable-native-pkcs11" then a specially crafted query for a zone signed with RSA can trigger an assertion failure.
Affected Versions: BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8623
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
Change 4885 inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain.
Affected Versions: BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8624
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### Affected branches:
* [x] master (552c946)
* [x] 3.12-stable (8bacbe7)
* [x] 3.11-stable
* [x] 3.10-stable
* [ ] 3.9-stable (EOL)
Milestone: 3.12.6
Assignee: Kevin Daudt

## busybox: invalid free or segmentation fault via malformed gzip data (CVE-2021-28831)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12566
Updated: 2021-03-31T04:59:32Z
Author: Alicha CH

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2021-28831
* https://security-tracker.debian.org/tracker/CVE-2021-28831
#### Patch:
https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd
### Affected branches:
* [x] master: 1.33.0-r5 (8457a320f13d202a1c65be2652f0d030880f17f0)
* [x] 3.13-stable: 1.32.1-r4 (7acc3190c16c19db5767c094d5ea6de75bbc2ae8)
* [x] 3.12-stable: 1.31.1-r20 (0d639f13e315e43a11821d963031ed5b49b15a15)
* [x] 3.11-stable: 1.31.1-r10 (7332e004b92f2a688a28eee7628a1e6e16d76147)
* [x] 3.10-stable: 1.30.1-r5 (26527b0535f65a4ac0ae7f3c9afb2294885b21cc)
Assignee: Natanael Copa