# aports issues
Feed: https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-12-12T13:05:22Z

## v3.11 rc1: /etc/update-extlinux.conf still "vanilla"
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11020
Updated: 2019-12-12T13:05:22Z
Author: Christian Dietrich

```
# default
# default kernel to boot
default=vanilla
```
That should probably be "lts" (or not?)
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] squid: XSS via user_name or auth parameter in cachemgr.cgi (CVE-2019-13345)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10665
Updated: 2019-07-16T11:21:56Z
Author: Alicha CH

The cachemgr.cgi web module of Squid through 4.7 has
XSS via the user_name or auth parameter.
### References:
https://bugs.squid-cache.org/show_bug.cgi?id=4957
https://github.com/squid-cache/squid/pull/429
*(from redmine: issue id 10665, created on 2019-07-09)*
* Relations:
  * parent #10664
* Changesets:
  * Revision 1bd365a6732f045db6dd96f516dec5764f0c8c57 by Natanael Copa on 2019-07-11T16:35:18Z:
```
main/squid: upgrade to 4.8
fixes #10665
```
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] irssi: Use after free when sending SASL login to the server (CVE-2019-13045)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10654
Updated: 2019-07-23T11:06:11Z
Author: Alicha CH

Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when
SASL is enabled,
has a use after free when sending SASL login to the server.
### Fixed In Version:
Irssi 1.0.8, 1.1.3, 1.2.1
### References:
https://irssi.org/security/irssi_sa_2019_06.txt
https://www.openwall.com/lists/oss-security/2019/06/29/1
*(from redmine: issue id 10654, created on 2019-07-04, closed on 2019-07-04)*
* Relations:
  * parent #10653
* Changesets:
  * Revision a95d7efded7650a16db9f1cfa01e95bc5513cf83 by Natanael Copa on 2019-07-04T10:36:31Z:
```
main/irssi: security upgrade to 1.2.1 (CVE-2019-13045)
fixes #10654
```
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10643
Updated: 2019-07-23T11:06:20Z
Author: Alicha CH

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an
out-of-bounds write when there are many selectors.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12900
https://security-tracker.debian.org/tracker/CVE-2019-12900
### Patch:
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
*(from redmine: issue id 10643, created on 2019-07-02, closed on 2019-07-09)*
* Relations:
  * parent #10642
* Changesets:
  * Revision 53b02f8b1597aabb4ec836bb5aa421e0d1f95189 on 2019-07-04T15:37:46Z:
```
main/bzip2: add patch for CVE-2019-12900
Adding the upstream bzip2 security patch to fix the out of bounds security
vulnerability in bzip2.
fixes #10643
```
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] bind: Race condition when discarding malformed packets can cause bind to exit with assertion failure (CVE-2019-6471)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10626
Updated: 2019-08-08T10:00:24Z
Author: Alicha CH

A race condition which may occur when discarding malformed packets can
result in BIND exiting due to a REQUIRE assertion failure in dispatch.c.
An attacker who can cause a resolver to perform queries which will be
answered by a server which responds with deliberately malformed answers
can cause named to exit, denying service to clients.
### Versions affected:
BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2.
Also all releases of the BIND 9.13 development branch and version 9.15.0
of the BIND 9.15 development branch.
BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1.
### Fixed In Version:
bind 9.11.8, bind 9.12.4-P2, bind 9.14.3, bind 9.15.1
### References:
https://kb.isc.org/docs/cve-2019-6471
*(from redmine: issue id 10626, created on 2019-06-27)*
Milestone: 3.11.0

## [3.11] evince: uninitialized memory use in function tiff_document_render() and tiff_document_get_thumbnail() (CVE-2019-11459)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10622
Updated: 2019-07-23T11:06:33Z
Author: Alicha CH

The tiff_document_render() and tiff_document_get_thumbnail()
functions in the TIFF document backend in GNOME Evince through 3.32.0 did
not handle errors from TIFFReadRGBAImageOriented(), leading to
uninitialized memory use when processing certain TIFF image files.
### Reference:
https://gitlab.gnome.org/GNOME/evince/issues/1129
### Patch:
https://gitlab.gnome.org/GNOME/evince/commit/234f034a4d15cd46dd556f4945f99fbd57ef5f15
*(from redmine: issue id 10622, created on 2019-06-25, closed on 2019-07-09)*
* Relations:
  * parent #10621
* Changesets:
  * Revision 21b65c26f6a56dd83992ba9783befc0455e3bdb0 by Natanael Copa on 2019-07-08T12:20:43Z:
```
community/evince: fix CVE-2019-11459
remove unused patch
fixes #10622
```
Milestone: 3.11.0

## [3.11] libvirt: Multiple vulnerabilities (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10616
Updated: 2019-07-23T11:06:40Z
Author: Alicha CH

CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the
virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which
would be accessed with the permissions of the libvirtd process. An
attacker with access to the libvirtd socket could use this to probe the
existence of arbitrary files, cause denial of service or cause libvirtd
to execute arbitrary programs.
This vulnerability was first present in libvirt v0.9.4.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10161
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10161
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580
CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the
virDomainManagedSaveDefineXML() API, which would permit them to modify
managed save state files. If a managed save had already been created by
a privileged user, a local attacker could modify this file such that
libvirtd would execute an arbitrary program when the domain was resumed.
This vulnerability was first present in libvirt v3.6.1.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166
https://security-tracker.debian.org/tracker/CVE-2019-10166
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a
CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API
-----------------------------------------------------------------------------------
The virConnectGetDomainCapabilities() libvirt API accepts an “emulatorbin”
argument to specify the program providing emulation for a domain. Since
v1.2.19, libvirt will execute that program to probe the domain’s
capabilities. Read-only clients could specify an arbitrary path for this
argument, causing libvirtd to execute a crafted executable with its own
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10167
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26
CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
-----------------------------------------------------------------------------------------------------------------------
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU()
libvirt APIs accept an “emulator” argument to specify the program providing
emulation for a domain. Since v1.2.19, libvirt will execute that program to
probe the domain’s capabilities. Read-only clients could specify an arbitrary
path for this argument, causing libvirtd to execute a crafted executable with
its own privileges.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168
https://security-tracker.debian.org/tracker/CVE-2019-10168
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291
*(from redmine: issue id 10616, created on 2019-06-25, closed on 2019-07-04)*
* Relations:
  * parent #10615
Milestone: 3.11.0
Assignee: Francesco Colista

## [3.11] firefox-esr: sandbox escape using Prompt:Open (CVE-2019-11708)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10601
Updated: 2019-07-24T09:55:29Z
Author: Alicha CH

Insufficient vetting of parameters passed with the `Prompt:Open`
IPC message between child and parent processes can result in the
non-sandboxed parent process opening web content chosen by a compromised
child process. When combined with additional vulnerabilities this could
result in executing arbitrary code on the user’s computer.
### Fixed In Version:
Firefox ESR 60.7.2
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
*(from redmine: issue id 10601, created on 2019-06-21, closed on 2019-06-28)*
* Relations:
  * parent #10600
* Changesets:
  * Revision ed5e768abd1db57117bb63de5dcff4da11d0576e on 2019-06-27T14:41:49Z:
```
community/firefox-esr: security upgrade to 60.7.2 (CVE-2019-11708)
fixes #10601
```
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] samba: Multiple vulnerabilities (CVE-2019-12435, CVE-2019-12436)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10589
Updated: 2019-07-23T11:06:49Z
Author: Alicha CH

CVE-2019-12435: Samba AD DC Denial of Service in DNS management server (dnsserver)
----------------------------------------------------------------------------------
The (poorly named) dnsserver RPC pipe provides administrative facilities
to modify DNS records and zones.
An authenticated user can crash the RPC server process via a NULL pointer
de-reference.
There is no further vulnerability associated with this issue, merely a
denial of service.
### Affected Versions:
Samba 4.9 and 4.10
### Fixed In Version:
Samba 4.9.9 and 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/history/security.html
### Patches:
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
CVE-2019-12436: Samba AD DC LDAP server crash (paged searches)
--------------------------------------------------------------
A user with read access to the LDAP server can crash the LDAP server
process. Depending on the Samba version and the choice of process model,
this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change this.
Samba 4.10 also supports the ‘prefork’ process model and by using the -M
option to ‘samba’ and a ‘single’ process model. Both of these share one
process between multiple clients.
### Affected Versions:
All versions of Samba since Samba 4.10.0
### Fixed In Version:
Samba 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12436.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
*(from redmine: issue id 10589, created on 2019-06-20, closed on 2019-06-21)*
* Relations:
  * parent #10588
* Changesets:
  * Revision bcc49b4c70d8234ad73c32628b01f58554ec5b5e on 2019-06-20T08:09:34Z:
```
main/samba: security upgrade to 4.10.5
CVE-2019-12435
CVE-2019-12436
fixes #10589
```
  * Revision a80d49fcecdaa5350d709fc4e9b5d71716661eb7 on 2019-06-20T08:43:16Z:
```
main/samba: security upgrade to 4.10.5
CVE-2019-12435
CVE-2019-12436
fixes #10589
```
Milestone: 3.11.0
Assignee: Natanael Copa

## udhcpc default config missing in minirootfs - no IPv4 connectivity
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10586
Updated: 2020-07-08T11:35:17Z
Author: Taylor Buchanan

I’ve been messing around with using minirootfs as a base for lxc with
s6. However, IPv4 connectivity doesn’t seem to work by default (not
setting IP on interface). I was able to get it working by copying
/usr/share/udhcpc/default.script from the main alpine lxc image.
The default config currently resides in busybox-initscripts which is not
deployed on minirootfs since it has primarily been focused around
Docker. After a brief chat with Natanael on IRC he said it might be
better located in the busybox package. I agree in this case since
minirootfs is targeted towards containers and LXC on Proxmox can be
configured to use DHCP.
*(from redmine: issue id 10586, created on 2019-06-18)*
Milestone: 3.11.0
Assignee: Natanael Copa

## Nginx init-script not working when /var/tmp is bind-mounted to /tmp
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10258
Updated: 2019-07-12T15:46:45Z
Author: Miguel Da Silva

The nginx init script requires an existing directory /var/tmp/nginx.
In case the /var/tmp directory is bind-mounted to /tmp and therefore
wiped on each reboot, nginx refuses to start.
It is suggested to create the missing directory in case it is not there yet.
See the proposal in the attached patch file.
*(from redmine: issue id 10258, created on 2019-04-15, closed on 2019-06-03)*
* Relations:
  * relates #9364
* Changesets:
  * Revision 8ded1028a7bcdabc411b39367920a61f7919fdd6 by Natanael Copa on 2019-06-21T10:20:45Z:
```
Revert "main/nginx: move /var/lib/nginx/tmp to /var/tmp/nginx"
FHS-3.0 says that /var/tmp should survive reboots, but for it is common
practice to ignore FHS for security reasons and wipe dirs that are world
writable.
There is no good reason to store nginx data under a world writable
directory, so move it back to /var/lib/nginx/tmp. Other distros does
something similar.
fixes #9246
fixes #10258
ref #9364
This reverts commit d6d624a149ca62af8679baf9cc99ce1354c190f0.
```
* Uploads:
  * [0001-nginx-missing-directory.patch](/uploads/cb4568118481ecf44c8122d6a75133f3/0001-nginx-missing-directory.patch)
Milestone: 3.11.0
Assignee: Jakub Jirutka

## ossec-hids: several issues
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10235
Updated: 2019-07-23T11:12:01Z
Author: Miguel Da Silva

There are several issues with the ossec-hids package:
1. Currently only the installation type ‘server’ is supported. In
addition, the installation types ‘agent’ and ‘local’ should also be
supported.
In the attached patch we added support for the agent type.
However, to get it working, the following parameter in APKBUILD needs to
be changed:
`export USER_INSTALL_TYPE=agent`
It is suggested to create several separate (sub-)packages for the agent
and server, such as ossec-server and ossec-agent (local is imho not
needed).
2. The source directory contains several old patch files which are not
used anymore.
In the attached patch we removed these files.
3. The ossec users (ossec, ossecm, ossecr) are currently created with
the default shell /bin/false. However, the common no-login shell in
Alpine Linux seems to be /sbin/nologin.
The attached patch contains this change.
4. Ossec is installed in a chroot under /var/ossec, the configuration
files are stored in /var/ossec/etc. It seems that these configuration
files in /var/ossec/etc are overwritten during the upgrade. They should
be preserved and addressed with ‘update-conf’.
5. The file /var/ossec/etc/ossec.conf contains wrong path definitions,
such as
```
<rootkit_files>/var/buildserver/aports/testing/ossec-hids/pkg/ossec-hids/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
```
correct would be:
```
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
```
*(from redmine: issue id 10235, created on 2019-04-13, closed on 2019-07-11)*
* Changesets:
  * Revision 841a0b258509a745b79e279404ec092f5d50385c by Francesco Colista on 2019-07-09T07:11:42Z:
```
testing/ossec-hids: added agent, updated APKBUILD, fixes #10235
```
* Uploads:
  * [0001-add-support-for-ossec-agents-and-remove-old-patch-fi.patch](/uploads/2717cb93557f7affd21d813856b190e3/0001-add-support-for-ossec-agents-and-remove-old-patch-fi.patch)
Milestone: 3.11.0
Assignee: Francesco Colista

## Stripping does not work for .a files
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7332
Updated: 2019-12-25T08:18:19Z
Author: Shiz ...

In abuild, automatic debug information separation as done by
default_dbg() does not separate debug info from static .a libraries,
causing them to bloat in size immensely.
For instance, with the LLVM package, simply adding a $pkgname-dbg
subpackage causes the llvm4-static package to bloat in size to 1.7GB.
It seems like stripping is also not applied to .a files in general,
leading to probably needless code bloat.
*(from redmine: issue id 7332, created on 2017-05-26)*
Milestone: 3.11.0

## php7 pecl: XML Extension not found
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/5378
Updated: 2019-11-19T08:22:39Z
Author: Alex N

Hi,
I’m running alpine 3.3 in docker with the testing repo for php7
packages, after installing php7-pear, and trying to run pecl I get a
bunch of warnings/notices:
```
~ # pecl
Warning: Invalid argument supplied for foreach() in Command.php on line 249
Warning: Invalid argument supplied for foreach() in /usr/share/php7/PEAR/Command.php on line 249
Notice: Undefined index: honorsbaseinstall in Role.php on line 173
Notice: Undefined index: installable in Role.php on line 139
Notice: Undefined index: phpfile in Role.php on line 204
Notice: Undefined index: config_vars in Role.php on line 46
```
And if I try to install mongodb for example, I’ll get the same warnings
as before with an extra “XML Extension not found” at the end.
I compared the “/usr/bin/pecl” with one from ubuntu and the only
difference is the “-n” in the exec line:
alpine:
```
exec $PHP -C -n -q $INCARG -d date.timezone=UTC -d output_buffering=1 -d variables_order=EGPCS -d safe_mode=0 -d register_argc_argv="On" $INCDIR/peclcmd.php "$@"
```
ubuntu:
```
exec $PHP -C -q $INCARG -d date.timezone=UTC -d output_buffering=1 -d variables_order=EGPCS -d safe_mode=0 -d register_argc_argv="On" $INCDIR/peclcmd.php "$@"
```
-n meaning: “No configuration (ini) files will be used”
If not using conf, xml won’t be loaded, so I’m pretty sure the “-n”
should be removed.
I tested after removing it, and got no warning or anything and was able
to install my extension.
*(from redmine: issue id 5378, created on 2016-04-06)*
Milestone: 3.11.0

## 'lbu diff' does not handle symlinks right
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2847
Updated: 2019-07-15T14:13:19Z
Author: Timo Teräs

It should not dereference the symlinks. Would be preferable to say
“symlink has changed from A to B” or similar, instead of diffing the
dereferenced contents.
This should also fix the errors that come if symlink points to
non-existing file.
*(from redmine: issue id 2847, created on 2014-04-18)*
* Changesets:
  * Revision 9cfd35abf9b00914739d3f84255cb440fa683bce by Natanael Copa on 2014-07-28T14:48:17Z:
```
main/busybox: add support for --no-dereference in 'diff'
ref #2847
```
  * Revision 5e0bfe298c4ff28f1babb78659d125fd1fff8149 by Natanael Copa on 2014-08-26T12:00:44Z:
```
main/alpine-conf: fix symlink handling with lbu diff
ref #2847
```
Milestone: 3.11.0
Assignee: Natanael Copa