aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-23T14:11:06Z

open-vm-tools in edge fails to install
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2778
Updated: 2019-07-23T14:11:06Z
Author: Francisco Lazur

I’ve just upgraded to edge in a VMware virtual machine (X86\_64) and I’m
now trying to install open-vm-tools but apk fails with the following
message:

>WARNING: Ignoring /media/cdrom/apks/x86\_64/APKINDEX.tar.gz: No such file or directory
>ERROR: unsatisfiable constraints:
>so:libprocps.so.1 (missing):
>required by: open-vm-tools-9.4.0\_p1280544-r0\[so:libprocps.so.1\]

I can’t see how to install the missing dependency and I can see that
libprocps.so.3 is installed in /lib.
*(from redmine: issue id 2778, created on 2014-03-24, closed on 2019-01-10)*

Milestone: 3.9.0

ocfs2-tools: fails to build with musl
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2982
Updated: 2019-07-23T14:08:05Z
Author: Natanael Copa

*(from redmine: issue id 2982, created on 2014-05-30, closed on 2019-01-10)*

Milestone: 3.9.0

open-vm-tools (vmtoolsd) segfaults when hypervisor sends shutdown request
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5105
Updated: 2020-02-05T18:06:39Z
Author: Jeff Polczynski

package open-vm-tools-10.0.0\_p3000743-r0
When issuing a “guest OS shutdown” the vmtoolsd process segfaults:
```
vmtoolsd[2596]: segfault at 0 ip 00006cba1552a9a1 sp 00007c03b44dbfe0 error 4 in libvmtools.so.0.0.0[6cba154f7000+282000]
vmtoolsd[2928]: segfault at 0 ip 000070fa2e2899a1 sp 000075e8d672e6d0 error 4 in libvmtools.so.0.0.0[70fa2e256000+282000]
```
Steps to replicate:
1. Install Alpine to disk (‘lvmsys’ install).
2. Install open-vm-tools (apk add open-vm-tools).
3. Add open-vm-tools as boot server (rc-update add open-vm-tools
boot).
4. Reboot or start open-vm-tools service (rc-service open-vm-tools
start).
5. From VMware client, issue a “Shut Down Guest”.
*(from redmine: issue id 5105, created on 2016-02-11, closed on 2019-01-10)*
* Uploads:
* [0013-fix-System_Reboot-binary.patch](/uploads/3b8bd8da875586e9eb2045926b404fe1/0013-fix-System_Reboot-binary.patch) Fix System_Reboot() for alpine linux

Milestone: 3.9.0

easy-rsa not compatible with libressl
https://gitlab.alpinelinux.org/alpine/aports/-/issues/6477
Updated: 2019-07-23T12:04:19Z
Author: Carlo Landmeter

https://github.com/OpenVPN/easy-rsa/issues/76
*(from redmine: issue id 6477, created on 2016-11-22, closed on 2019-01-23)*

Milestone: 3.9.0
Assignee: Natanael Copa

Missing packages virtualbox-additions-virtgrsec, virtualbox-guest-additions (x86)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/6703
Updated: 2019-07-23T12:01:15Z
Author: Michal Mičko

When I use **VIRTUAL** version of AlpineLinux (**x86-64**) in
VirtualBox, can I use kernel modules from package
**virtualbox-additions-grsec** (branch edge)? If I can’t, then I need
package like **virtualbox-additions-virtgrsec** and it is missing.
When I use **VIRTUAL** version of AlpineLinux (**x86**) in VirtualBox, I
miss package **virtualbox-guest-additions** too.
In both cases I need to use shared folder from the host.
*(from redmine: issue id 6703, created on 2017-01-19, closed on 2019-01-23)*

Milestone: 3.9.0
Assignee: Natanael Copa

request, enable perf tools
https://gitlab.alpinelinux.org/alpine/aports/-/issues/7178
Updated: 2019-07-23T11:55:24Z
Author: V Krishn

This tool comes with the kernel, would be nice to have it enabled.
https://packages.debian.org/stretch/linux-perf-4.9
Seems nice development tool (feel free to ignore, as it’s unstable)
https://packages.debian.org/stretch/perf-tools-unstable
*(from redmine: issue id 7178, created on 2017-04-19, closed on 2019-01-10)*

Milestone: 3.9.0

Add cntlm package
https://gitlab.alpinelinux.org/alpine/aports/-/issues/7351
Updated: 2019-07-23T11:53:18Z
Author: Alex Ellis

Hi - I’d like to request the cntlm package for x64 and armhf variants.
I’ve seen that Nathan has done some testing and that this was requested
once in the past long ago.
https://git.alpinelinux.org/cgit/aports/commit/?id=8dd4322146bcbec8de25104f6c3899057bc6ee49
https://bugs.alpinelinux.org/issues/1075
https://github.com/alvarow/docker-cntlm
https://github.com/protenhan/docker-cntlm
This tool is essential for working with a corporate
AD/LDAP-authenticating proxy.
Cheers,
Alex
*(from redmine: issue id 7351, created on 2017-05-31, closed on 2019-01-10)*
* Changesets:
* Revision 4bda782ed5286fe600a9b52e55bca0618c8fe6f7 by Natanael Copa on 2017-05-31T11:36:37Z:
```
testing/cntlm: ressurect from unmaintained
ref #7351
```
* Revision e6646bd43c370a6784fa06e98791b3ca8e257c70 by Natanael Copa on 2019-01-10T13:51:05Z:
```
community/cntlm: move from testing
fixes #7351
```

Milestone: 3.9.0

PowerDNS: "service pdns reload" fails because of guardian=no
https://gitlab.alpinelinux.org/alpine/aports/-/issues/7885
Updated: 2019-07-23T11:43:40Z
Author: algitbot

After installing and configuring pdns-4.0.3-r2 the following command
fails:
service pdns reload
This is because in “/etc/init.d/pdns” the option “guardian=no” is
hardcoded and the “service pdns reload” command uses the “cycle” command
of “pdns\_control”. The documentation of PowerDNS states:
QUOTE “cycle : Restart the nameserver so it reloads its configuration.
Only works when the server is running in guardian mode”
*(from redmine: issue id 7885, created on 2017-09-23, closed on 2019-01-23)*
* Changesets:
* Revision cdca14c596c1f8832983501857c61ccbe8ac180b by Chris Ely on 2019-01-16T20:06:42Z:
```
community/pdns: use guardian mode
This fixes the reload command which relies on the guardian
to cycle the running instance.
fixes #7885
```

Milestone: 3.9.0

MonetDB package
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8001
Updated: 2019-07-23T11:42:11Z
Author: Artem Klevtsov

Dependencies: musl-dev gcc bison make python libressl-dev libxml2-dev
xz-dev bzip2-dev lz4-dev readline-dev snappy-dev curl-dev pcre-dev
unixodbc-dev libatomic\_ops-dev
Source tarballs: https://www.monetdb.org/downloads/sources/Jul2017-SP1/
*(from redmine: issue id 8001, created on 2017-10-14, closed on 2019-01-10)*
* Changesets:
* Revision 10b492044d9db302390ff04a524117ddaf3f4975 by Roberto Oliveira on 2018-07-05T13:25:04Z:
```
testing/monetdb: new aport (fixes #8001)
Column-oriented database management system
```

Milestone: 3.9.0
Assignee: Roberto Oliveira

Improve fuse and fuse3 packaging to make them co-installable
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8425
Updated: 2019-07-23T11:37:01Z
Author: Przemysław Pawełczyk

At this moment fuse3 is still in testing, but it will be possibly moved
to main in future. Let’s assume for now that it will happen before
3.8.0.
According to maintainer’s notes to [libfuse
3.0.0](https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0):
>libfuse 3 is designed to be co-installable with libfuse 2. However,
some files will be installed by both libfuse 2 and libfuse 3 (e.g.
/etc/fuse.conf, the udev and init scripts, and the mount.fuse(8)
manpage). These files should be taken from libfuse 3. The format/content
is guaranteed to remain backwards compatible with libfuse 2.
>
>We recommend to ship libfuse2 and libfuse3 in three separate
packages: a libfuse-common package that contains files shared by libfuse
2+3 (taken from the libfuse3 tarball), and libfuse2 and libfuse3
packages that contain the shared library and helper programs for the
respective version.
*(from redmine: issue id 8425, created on 2018-01-26, closed on 2019-01-23)*

Milestone: 3.9.0
Assignee: Natanael Copa

open-vm-tools floods logs
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8449
Updated: 2019-07-23T11:36:44Z
Author: A. Klitzing

Hi there,
I’m using Alpine v 3.7.0 and system installed open-vm-tools. But it
floods /var/log/vmware-vmsvc.log.
It logs A LOT of “\[Jan 29 23:57:12.616\] \[ warning\] \[guestinfo\]
Failed to get nic info.” warnings.
Sometimes it logs something like this
```
[Jan 30 00:18:12.639] [ warning] [guestinfo] Failed to get nic info.
[Jan 30 00:18:29.877] [ message] [vmtoolsd] Unloading plugin 'vmbackup'.
[Jan 30 00:18:29.877] [ message] [vmtoolsd] Unloading plugin 'timeSync'.
[Jan 30 00:18:29.877] [ message] [vmtoolsd] Unloading plugin 'powerops'.
[Jan 30 00:18:29.877] [ message] [vmtoolsd] Unloading plugin 'guestInfo'.
[Jan 30 00:18:29.877] [ message] [vmtoolsd] Unloading plugin 'grabbitmqProxy'.
[Jan 30 00:18:29.878] [ message] [vmtoolsd] Unloading plugin 'deployPkg'.
[Jan 30 00:18:29.878] [ message] [vmtoolsd] Unloading plugin 'vix'.
[Jan 30 00:18:29.878] [ message] [vmtoolsd] Unloading plugin 'hgfsServer'.
[Jan 30 00:18:52.792] [ message] [vmsvc] Log caching is enabled with maxCacheEntries=4096.
[Jan 30 00:18:52.793] [ message] [vmsvc] Core dump limit set to -1
[Jan 30 00:18:52.793] [ message] [vmtoolsd] Tools Version: 10.1.15.65452 (build-6677369)
[Jan 30 00:18:52.837] [ message] [vmtoolsd] Plugin 'hgfsServer' initialized.
[Jan 30 00:18:52.837] [ message] [vmtoolsd] Plugin 'vix' initialized.
[Jan 30 00:18:52.837] [ message] [vmtoolsd] Plugin 'deployPkg' initialized.
[Jan 30 00:18:52.851] [ message] [vmtoolsd] Plugin 'grabbitmqProxy' initialized.
[Jan 30 00:18:52.851] [ message] [vmtoolsd] Plugin 'guestInfo' initialized.
[Jan 30 00:18:52.851] [ message] [vmtoolsd] Plugin 'powerops' initialized.
[Jan 30 00:18:52.851] [ message] [vmtoolsd] Plugin 'timeSync' initialized.
[Jan 30 00:18:52.851] [ message] [vmtoolsd] Plugin 'vmbackup' initialized.
[Jan 30 00:18:52.855] [ message] [vix] VixTools_ProcessVixCommand: command 62
[Jan 30 00:18:52.856] [ warning] [vmsvc] FileGetUserName: sysconf(_SC_GETPW_R_SIZE_MAX) failed.
[Jan 30 00:18:52.857] [ warning] [vmsvc] File_GetSafeTmpDir: FileGetUserName failed, using numeric ID as username instead.
[Jan 30 00:18:52.857] [ message] [vix] ToolsDaemonTcloReceiveVixCommand: command 62, additionalError = 22
```
*(from redmine: issue id 8449, created on 2018-01-30, closed on 2019-01-10)*

Milestone: 3.9.0

if grub is used, why to load /etc/update-extlinux.conf
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8601
Updated: 2019-07-23T11:34:58Z
Author: jiri b

Hi,
apk del syslinux
apk add grub
…so one wants to use grub. but why is grub patched to load a kind of
syslinux (extlinux) related script?
1. grep -nC3 /etc/update-extlinux.conf /etc/grub.d/10\_linux
```
21-exec_prefix="/usr"
22-datarootdir="/usr/share"
23-
24:. /etc/update-extlinux.conf
25-. "$pkgdatadir/grub-mkconfig_lib"
26-
27-GRUB_CMDLINE_LINUX_DEFAULT="modules=${modules} ${default_kernel_opts} ${GRUB_CMDLINE_LINUX_DEFAULT}"
```
imo there should be condition if possible.
*(from redmine: issue id 8601, created on 2018-03-02, closed on 2019-01-23)*
* Changesets:
* Revision cb6c7c4b66dc4640425f875c7d9545dad9e7823c by Natanael Copa on 2019-01-17T18:59:46Z:
```
main/grub: misc alpine fixes for /etc/grub.d/10_linux
- do not depend on /etc/update-extlinux.conf
- remove GNU when GRUB_DISTRIBUTOR="Alpine"
- clean up initramfs search
fixes #8601
```

Milestone: 3.9.0
Assignee: Natanael Copa

Update smokeping to 2.7.x
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8777
Updated: 2019-07-23T11:32:53Z
Author: Rui Carmo

The current version of smokeping in 3.7/edge is 2.6.11, which is four
years old and does not support some probe types (in particular,
TraceroutePing cannot be made to work without a full manual reinstall).
Please consider updating the package for 3.8.
*(from redmine: issue id 8777, created on 2018-04-08, closed on 2019-01-10)*

Milestone: 3.9.0

please upgrade community/wxgtk
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8925
Updated: 2019-07-23T11:31:13Z
Author: algitbot

Can you please upgrade wxgtk aport to latest version? (3.1.1)
https://github.com/wxWidgets/wxWidgets/releases/tag/v3.1.1
The maintainer doesn’t answer emails and appears to have abandoned
alpine (at least for now).
Thanks.
*(from redmine: issue id 8925, created on 2018-05-22, closed on 2019-01-10)*

Milestone: 3.9.0

[3.9] phpmyadmin: Multiple vulnerabilities (CVE-2018-12581, CVE-2018-12613)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9092
Updated: 2019-07-23T11:25:43Z
Author: Alicha CH

CVE-2018-12581: XSS in Designer feature
---------------------------------------
A Cross-Site Scripting vulnerability was found in the Designer feature,
where an attacker can
deliver a payload to a user through a specially-crafted database name.
### Affected Versions:
phpMyAdmin versions prior to 4.8.2.
### Reference:
https://www.phpmyadmin.net/security/PMASA-2018-3/
### Patch:
https://github.com/phpmyadmin/phpmyadmin/commit/6943fff87324bd54c3a37a5160a5fb77498c355e
CVE-2018-12613: File inclusion and remote code execution attack
---------------------------------------------------------------
A flaw has been discovered where an attacker can include (view and
potentially execute) files on the server.
The vulnerability comes from a portion of code where pages are
redirected and loaded within phpMyAdmin, and an improper test for
whitelisted pages.
An attacker must be authenticated, except in these situations:
- $cfg\['AllowArbitraryServer'\] = true: attacker can specify any host
he/she is already in control of, and execute arbitrary code on
phpMyAdmin
- $cfg\['ServerDefault'\] = 0: this bypasses the login and runs the
vulnerable code without any authentication
### Affected Versions:
phpMyAdmin 4.8.0 and 4.8.1 are affected.
### Reference:
https://www.phpmyadmin.net/security/PMASA-2018-4/
### Patch:
https://github.com/phpmyadmin/phpmyadmin/commit/7662d02939fb3cf6f0d9ec32ac664401dcfe7490
*(from redmine: issue id 9092, created on 2018-07-16, closed on 2018-07-17)*
* Relations:
* copied_to #9091
* parent #9091
* Changesets:
* Revision 7b247d9a30036bc793da142933227d7148840609 by Natanael Copa on 2018-07-16T17:52:52Z:
```
community/phpmyadmin: security upgrade to 4.8.2 (CVE-2018-12581,CVE-2018-12613)
fixes #9092
```

Milestone: 3.9.0

[3.9] znc: Multiple vulnerabilities (CVE-2018-14055, CVE-2018-14056)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9100
Updated: 2019-07-23T11:25:35Z
Author: Alicha CH

**CVE-2018-14055**: ZNC before 1.7.1-rc1 does not properly validate
untrusted lines coming from the
network, allowing a non-admin user to escalate his privilege and inject
rogue values into znc.conf.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14055
### Patches:
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d
**CVE-2018-14056**: ZNC before 1.7.1-rc1 is prone to a path traversal
flaw via ../ in a web
skin name to access files outside of the intended skins directories.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14056
### Patch:
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
*(from redmine: issue id 9100, created on 2018-07-17, closed on 2018-07-19)*
* Relations:
* copied_to #9099
* parent #9099
* Changesets:
* Revision bd4fb24c372fc0a49ab402a6773ad26ee7314d80 by Natanael Copa on 2018-07-18T07:33:45Z:
```
main/znc: security upgrade to 1.7.1 (CVE-2018-14055,CVE-2018-14056)
fixes #9100
```

Milestone: 3.9.0
Assignee: Natanael Copa

[3.9] ffmpeg: Multiple vulnerabilities (CVE-2018-7557, CVE-2018-10001, CVE-2018-12458, CVE-2018-13300, CVE-2018-13302)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9115
Updated: 2019-07-23T11:25:22Z
Author: Alicha CH

**CVE-2018-7557**: The decode\_init function in libavcodec/utvideodec.c
in FFmpeg through 3.4.2 allows remote attackers
to cause a denial of service (Out of array read) via an AVI file with
crafted dimensions within chroma subsampling data.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-7557
### Patch:
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7414d0bda7763f9bd69c26c068e482ab297c1c96
**CVE-2018-10001**: The decode\_init function in libavcodec/utvideodec.c
in FFmpeg through 3.4.2 allows
remote attackers to cause a denial of service (out of array read) via an
AVI file.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-10001
### Patch:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=47b7c68ae54560e2308bdb6be4fb076c73b93081
**CVE-2018-12458**: An improper integer type in the
mpeg4\_encode\_gop\_header function in libavcodec/mpeg4videoenc.c in
FFmpeg 4.0 may trigger an assertion violation while converting a crafted
AVI file to MPEG4, leading to a denial of service.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-12458
### Patch:
https://github.com/FFmpeg/FFmpeg/commit/e1182fac1afba92a4975917823a5f644bee7e6e8
**CVE-2018-13300**: In FFmpeg 4.0.1, an improper argument
(AVCodecParameters) passed to the avpriv\_request\_sample
function in the handle\_eac3 function in libavformat/movenc.c may
trigger an out-of-array read while converting a
crafted AVI file to MPEG4, leading to a denial of service and possibly
an information disclosure.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-13300
### Patch:
https://github.com/FFmpeg/FFmpeg/commit/95556e27e2c1d56d9e18f5db34d6f756f3011148
**CVE-2018-13302**: In FFmpeg 4.0.1, improper handling of frame types
(other than EAC3\_FRAME\_TYPE\_INDEPENDENT) that
have multiple independent substreams in the handle\_eac3 function in
libavformat/movenc.c may trigger an out-of-array access
while converting a crafted AVI file to MPEG4, leading to a denial of
service or possibly unspecified other impact.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-13302
### Patch:
https://github.com/FFmpeg/FFmpeg/commit/ed22dc22216f74c75ee7901f82649e1ff725ba50
*(from redmine: issue id 9115, created on 2018-07-19, closed on 2018-08-29)*
* Relations:
* copied_to #9114
* parent #9114
* Changesets:
* Revision 2a92300f12bdc3ed7fc960459e6b5a37868da059 by Natanael Copa on 2018-08-28T13:49:05Z:
```
community/ffmpeg: security upgrade to 3.4.4
fixes #9115
fixes #9353
```

Milestone: 3.9.0
Assignee: Natanael Copa

[3.9] mutt: Multiple vulnerabilities (CVE-2018-14349, CVE-2018-14350, CVE-2018-14351, CVE-2018-14352, CVE-2018-14353, CVE-2018-14354, CVE-2018-14355, CVE-2018-14356, CVE-2018-14357, CVE-2018-14358, CVE-2018-14359, CVE-2018-14362)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9128
Updated: 2019-07-23T11:25:15Z
Author: Alicha CH

CVE-2018-14349: Heap Overflow in imap/command.c
-----------------------------------------------
### Fixed In Version:
mutt 1.10.1
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14349
### Patches:
https://gitlab.com/muttmua/mutt/commit/9347b5c01dc52682cb6be11539d9b7ebceae4416
CVE-2018-14350: stack-based buffer overflow in imap/message.c
-------------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14349
### Patch:
https://gitlab.com/muttmua/mutt/commit/3287534daa3beac68e2e83ca4b4fe8a3148ff870
CVE-2018-14351: IMAP status mailbox literal mishandled in imap/command.c
------------------------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### References:
http://www.mutt.org/news.html
https://nvd.nist.gov/vuln/detail/CVE-2018-14351
### Patch:
https://gitlab.com/muttmua/mutt/commit/e57a8602b45f58edf7b3ffb61bb17525d75dfcb1
CVE-2018-14352: stack-based buffer overflow in imap/util.c
----------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14352
### Patch:
https://gitlab.com/muttmua/mutt/commit/e0131852c6059107939893016c8ff56b6e42865d
CVE-2018-14353: integer underflow in imap/util.c
------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### References:
http://www.mutt.org/news.html
https://nvd.nist.gov/vuln/detail/CVE-2018-14353
### Patch:
https://gitlab.com/muttmua/mutt/commit/e0131852c6059107939893016c8ff56b6e42865d
CVE-2018-14354: Remote code injection vulnerability to an IMAP mailbox
----------------------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14354
### Patch:
https://gitlab.com/muttmua/mutt/commit/185152818541f5cdc059cbff3f3e8b654fc27c1d
CVE-2018-14355: IMAP header caching path traversal vulnerability
----------------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14355
### Patch:
https://gitlab.com/muttmua/mutt/commit/31eef6c766f47df8281942d19f76e35f475c781d
CVE-2018-14356: mishandles a zero-length UID in pop.c
-----------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14356
### Patch:
https://gitlab.com/muttmua/mutt/commit/e154cba1b3fc52bb8cb8aa846353c0db79b5d9c6
CVE-2018-14357: Remote Code Execution via backquote characters
--------------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14357
### Patch:
https://gitlab.com/muttmua/mutt/commit/185152818541f5cdc059cbff3f3e8b654fc27c1d
CVE-2018-14358: stack-based buffer overflow in imap/message.c
-------------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14358
### Patch:
https://gitlab.com/muttmua/mutt/commit/3287534daa3beac68e2e83ca4b4fe8a3148ff870
CVE-2018-14359: buffer overflow via base64 data
-----------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14359
### Patch:
https://gitlab.com/muttmua/mutt/commit/3d9028fec8f4d08db2251096307c0bbbebce669a
CVE-2018-14362: POP body caching path traversal vulnerability
-------------------------------------------------------------
### Fixed In Version:
mutt 1.10.1
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14362
### Patch:
https://gitlab.com/muttmua/mutt/commit/6aed28b40a0410ec47d40c8c7296d8d10bae7576
*(from redmine: issue id 9128, created on 2018-07-24, closed on 2018-07-27)*
* Relations:
* copied_to #9127
* parent #9127
* Changesets:
* Revision ed115862c323b563d378a0ca48ef4f6e7cf55388 by Natanael Copa on 2018-07-24T15:23:25Z:
```
main/mutt: security upgrade to 1.10.1
CVE-2018-14349, CVE-2018-14350, CVE-2018-14351, CVE-2018-14352,
CVE-2018-14353, CVE-2018-14354, CVE-2018-14355, CVE-2018-14356,
CVE-2018-14357, CVE-2018-14358, CVE-2018-14359, CVE-2018-14362
fixes #9128
```

Milestone: 3.9.0
Assignee: Natanael Copa

[3.9] libvorbis: heap buffer overflow in mapping0_forward function (CVE-2018-10392)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9140
Updated: 2019-07-23T11:25:07Z
Author: Alicha CH

A flaw was found in libvorbis 1.3.6. The mapping0\_forward function in
mapping0.c file in Xiph.Org does not validate the number of channels,
which allows remote attackers to cause a denial of service (heap-based
buffer overflow or over-read) via a crafted file.
### References:
https://gitlab.xiph.org/xiph/vorbis/issues/2335
https://nvd.nist.gov/vuln/detail/CVE-2018-10392
### Patch:
https://gitlab.xiph.org/xiph/vorbis/commit/112d3bd0aaacad51305e1464d4b381dabad0e88b
*(from redmine: issue id 9140, created on 2018-07-27, closed on 2018-07-30)*
* Relations:
* copied_to #9139
* parent #9139

Milestone: 3.9.0
Assignee: Natanael Copa

[3.9] fuse: bypass of the "user_allow_other" restriction when SELinux is active (CVE-2018-10906)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9151
Updated: 2019-07-23T11:24:57Z
Author: Alicha CH

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is
vulnerable to a restriction bypass when SELinux is active. This allows
non-root users to mount a FUSE file system with the ‘allow\_other’ mount
option regardless of whether ‘user\_allow\_other’ is set in the fuse
configuration. An attacker may use this flaw to mount a FUSE file system,
accessible by other users, and trick them into accessing files on that file
system, possibly causing Denial of Service or other unspecified effects.
### References:
http://openwall.com/lists/oss-security/2018/07/24/1
https://nvd.nist.gov/vuln/detail/CVE-2018-10906
### Patches:
https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466
https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414
*(from redmine: issue id 9151, created on 2018-07-30, closed on 2018-07-31)*
* Relations:
* copied_to #9150
* parent #9150
* Changesets:
* Revision cab094ae856f8729453475a6c5fff8e35d8844ab by Natanael Copa on 2018-07-30T16:03:32Z:
```
main/fuse: security upgrade to 2.9.8 (CVE-2018-10906)
fixes #9151
```

Milestone: 3.9.0
Assignee: Natanael Copa