# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2019-07-23T11:06:56Z

## [3.10] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10575
2019-07-23T11:06:56Z, Alicha CH

file\_copy\_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
does not properly restrict file permissions while a copy operation is in
progress. Instead, default permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10575, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* parent #10574

3.10.0, Natanael Copa

## argon2-dev is missing libargon2.pc
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10572
2019-07-23T11:06:58Z, Hugh McMaster

The current version of argon2-dev is missing its pkg-config file,
libargon2.pc.
This makes compiling against libargon2 much more difficult than it needs
to be.
For example, due to upstream PHP switching to pkg-config, the argon2
extension is no longer buildable in Alpine Linux.
Please package libargon2.pc to make the package usable for development.
*(from redmine: issue id 10572, created on 2019-06-13, closed on 2019-06-19)*
* Changesets:
* Revision e3fca245193e6da4fd8d842fdc2e2c8353529eeb by Leo Leo on 2019-06-19T11:16:24Z:
```
main/argon2: provide pc: file
fixes #10572
(cherry picked from commit f567a84abd86ddcc795647cee19a8edf9268bd4e)
```

3.10.0

## [3.10] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10568
2019-07-23T11:07:02Z, Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation
flaw in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious
client with write access to its own home directory could manipulate a
~/.dbus-keyrings symlink to cause a DBusServer with a different uid to
read and write in unintended locations. In the worst case, this could
result in the DBusServer reusing a cookie that is known to the malicious
client, and treating that cookie as evidence that a subsequent client
connection came from an attacker-chosen uid, allowing authentication
bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the
standard session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon
instances, standard dbus-daemon instances with non-standard
configuration, and the session bus in older/unsupported dbus branches
(such as dbus 1.6.x in Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10568, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision fa0e230be9fd2e79919214ecab466f5149cab5fe by Natanael Copa on 2019-06-17T09:49:34Z:
```
main/dbus: upgrade to 1.12.16 (CVE-2019-12749)
fixes #10568
```

3.10.0, Natanael Copa

## [3.10] heimdal: S4U2Self with unkeyed checksum (CVE-2018-16860)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10511
2019-07-23T11:07:25Z, Alicha CH

S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key
Distribution Center (KDC) for a non-Kerberos authenticated user
(principal in Kerberos parlance). This is useful to allow internal
code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba’s AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
### Affected Versions:
All releases of Heimdal from 0.8 including 7.5.0
### Reference:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
https://www.samba.org/samba/security/CVE-2018-16860.html
### Patch:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
*(from redmine: issue id 10511, created on 2019-05-30, closed on 2019-06-05)*
* Relations:
* parent #10510
* Changesets:
* Revision aa2d24fab1e16e497512004aa40a11c032fcab73 on 2019-06-04T14:19:35Z:
```
main/heimdal: security fix (CVE-2018-16860)
Fixes #10511
Remove unused patch, clarify license
```

3.10.0, Natanael Copa

## [3.10] wireshark: dissection engine crash (CVE-2019-12295)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10501
2019-07-23T11:07:33Z, Alicha CH

It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or
by convincing someone to read a malformed packet trace file.
Affected versions: 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, 2.4.0 to 2.4.14
Fixed versions: 3.0.2, 2.6.9, 2.4.15
### References:
https://www.wireshark.org/security/wnpa-sec-2019-19.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
*(from redmine: issue id 10501, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
* parent #10500
* Changesets:
* Revision e5bce08f307d563f1c82d22257e76bf9f0bf48fe by Natanael Copa on 2019-06-04T13:38:25Z:
```
community/wireshark: security upgrade to 3.0.2 (CVE-2019-12295)
fixes #10501
```

3.10.0, Natanael Copa

## Gitea does not start after a reboot when PostgreSQL is used as the database back end.
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10469
2019-07-23T11:07:46Z, Ghost User

Gitea does not start after a reboot when PostgreSQL is used as the
database back end. This is due to the fact that PostgreSQL starts after
Gitea.
This issue can be fixed by adding **postgresql** and **mysql** to the
after line of the depend function in **/etc/init.d/gitea**:
```
depend() {
	use logger dns
	need net
	after firewall postgresql mysql
}
```
*(from redmine: issue id 10469, created on 2019-05-20, closed on 2019-06-19)*
* Changesets:
* Revision d8de5b46f6b4719066b2b2752734df68a60b08bd by Kevin Daudt on 2019-06-18T18:24:43Z:
```
community/gitea: start after database
Make sure that the service is started after any of the supported
databases.
Fixes RM: #10469
```

3.10.0

## deluge not starting after latest libtorrent-rasterbar update
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10464
2019-07-23T11:09:55Z, Matthieu Castellazzi

Good evening,
After updating libtorrent-rasterbar from 1.1.12-r0 to 1.1.13-r0,
deluge-1.3.15-r3 is not starting anymore.
```
$ deluged
[ERROR ] 18:30:14 main:248 No module named libtorrent
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/deluge/main.py", line 241, in start_daemon
    Daemon(options, args)
  File "/usr/lib/python2.7/site-packages/deluge/core/daemon.py", line 144, in __init__
    from deluge.core.core import Core
  File "/usr/lib/python2.7/site-packages/deluge/core/core.py", line 38, in <module>
    from deluge._libtorrent import lt
  File "/usr/lib/python2.7/site-packages/deluge/_libtorrent.py", line 59, in <module>
    import libtorrent as lt
ImportError: No module named libtorrent
```
Looks like the following commit broke something:
https://git.alpinelinux.org/aports/commit/?id=bb2b956ae9787706a773a25e5a2d13ff9edc0aa1
Thanks for your help.
Matthieu
*(from redmine: issue id 10464, created on 2019-05-18, closed on 2019-06-19)*
* Changesets:
* Revision b911ba3c98d2f11988cc6fbb658c152ab94d71e0 by prs pkt on 2019-05-27T23:31:30Z:
```
testing/deluge: fix source url
- Rebuild against py2-libtorrent-rasterbar.
Fixes #10464
```

3.10.0, Natanael Copa

## mpv: missing Lua support
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10461
2019-07-23T11:09:58Z, MY-R

edge
mpv-0.29.1-r2
Default minimal GUI of mpv (OSC) not working without Lua.
https://build.alpinelinux.org/buildlogs/build-edge-x86_64/community/mpv/mpv-0.29.1-r2.log
Checking for Lua : no ('luajit >= 2.0.0' not found)
*(from redmine: issue id 10461, created on 2019-05-16, closed on 2019-06-19)*

3.10.0, Natanael Copa

## urxvt : panic: locale.c: 893: Unexpected character in locale name '2E.
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10459
2019-07-23T11:10:00Z, Taner Tas

I can’t run urxvt anymore. I don’t know what caused this. Maybe latest
update.
edge repository
rxvt-unicode-9.22-r6
urxvt : panic: locale.c: 893: Unexpected character in locale name '2E.
*(from redmine: issue id 10459, created on 2019-05-15, closed on 2019-06-19)*
* Changesets:
* Revision 04747e4e2db80406782fa71d7744da0c613987e9 by Natanael Copa on 2019-05-27T16:57:49Z:
```
main/perl: fix locale issue
fixes #10459
```

3.10.0, Sören Tempel

## nextcloud-default-apps: Broken depends
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10442
2019-07-23T11:10:02Z, Simon F (simon-alpine@fraho.eu)

Current edge package cannot be installed due to unmet dependencies:
```
# docker run --rm -it alpine:edge /bin/ash
/ # apk add nextcloud-default-apps
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
  nextcloud-files_rightclick (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-files_rightclick]
  nextcloud-privacy (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-privacy]
  nextcloud-recommendations (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-recommendations]
  nextcloud-viewer (missing):
    required by: nextcloud-default-apps-16.0.0-r0[nextcloud-viewer]
/ #
```
The “missing” packages are present in 3.9
*(from redmine: issue id 10442, created on 2019-05-10, closed on 2019-06-17)*
* Changesets:
* Revision 0cb832cfb8231716ecf5419401712a61b335f887 by Simon F on 2019-05-10T06:17:46Z:
```
community/nextcloud: Fix broken dependencies for default-apps
Fixes #10442
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```

3.10.0, Simon F (simon-alpine@fraho.eu)

## [3.10] perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10431
2019-07-23T11:10:06Z, Alicha CH

The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable to Algorithmic complexity on specially prepared input,
leading to Denial of Service. Prepared special input that caused this
problem contained 30 form-field characters (“\\f”).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10431, created on 2019-05-09, closed on 2019-06-13)*
* Relations:
* parent #10430

3.10.0, Natanael Copa

## golang needs musl-dev as dependency.
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10418
2019-07-23T11:10:09Z, Arto Kitula

go is not able to link without crti.o Scrt1.o etc. musl-dev is needed
dependency.
Simple Dockerfile added for example.
*(from redmine: issue id 10418, created on 2019-05-07, closed on 2019-06-19)*
* Uploads:
* [Dockerfile](/uploads/e46a1530c17b9c3245ebae4bd0bce6db/Dockerfile)

3.10.0

## [3.10] wpa_supplicant: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10414
2019-07-23T11:10:14Z, Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa\_supplicant (EAP peer) before 2.8 does not validate fragmentation
reassembly state properly for a case where an unexpected fragment could
be received. This could result in process termination due to a NULL
pointer dereference (denial of service). This affects
eap\_server/eap\_server\_pwd.c and eap\_peer/eap\_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10414, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10413

3.10.0, Natanael Copa

## [3.10] hostapd: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10409
2019-07-23T11:10:19Z, Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
wpa\_supplicant (EAP peer) before 2.8 does not validate
fragmentation reassembly state properly for a case where an unexpected
fragment could be received. This could result in
process termination due to a NULL pointer dereference (denial of
service). This affects eap\_server/eap\_server\_pwd.c and
eap\_peer/eap\_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10409, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
* parent #10408
* Changesets:
* Revision ef10b27afb6ce933891b3e0abf3f090f3e583900 on 2019-06-04T14:40:30Z:
```
main/hostapd: security upgrade to 2.8 (CVE-2019-11555)
Fixes #10409
```

3.10.0, Natanael Copa

## zerofree: Add package
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10403
2019-07-23T11:10:21Z, Max Peal

It would be awesome to have a package, so we can easily shrink VM
images without needing a bloated download like the SystemRescueCd Live
Image, which is 931 MB.
zerofree 1.1.1 — Zero non-allocated regions in ext2/ext3/ext4 file
systems
Zerofree finds the unallocated blocks with non-zero value content in an
ext2, ext3, or ext4 file system and fills them with zeroes (or another
value). This is a simple way to make disk images more compressible.
Zerofree requires the file system to be unmounted or mounted read-only.
https://frippery.org/uml/zerofree-1.1.1.tgz
md5: 4f2d6bdba4212e54eb7dd22a8fbb6d29
sha1: 16ff5d5030c52566bc8b88b824e35869f978c093
sha256: 956bc861b55ba0a2b7593c58d32339dab1a0e7da6ea2b813d27c80f08b723867
Website: https://frippery.org/uml/.
License: GPL 2.
*(from redmine: issue id 10403, created on 2019-05-03, closed on 2019-06-19)*
* Changesets:
* Revision 964e2acd21475a8c1d05332fcec2719682ff02bd by Oleg Titov on 2019-05-06T04:49:05Z:
```
testing/zerofree: new aport
https://frippery.org/uml/
Zero free blocks from ext2, ext3 and ext4 file-systems
Closes GH-7582
Closes #10403
```

3.10.0

## py-msgpack: borgbackup complains about packaging
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10401
2019-07-23T11:10:22Z, Danny Ben Shitrit

The borgbackup apk package triggers the following warning:
Using a pure-python msgpack! This will result in lower performance
The guys at the borgbackup GitHub repository believe it is a packaging
issue and not a borg issue, as discussed in this ticket:
https://github.com/borgbackup/borg/issues/4538
I have verified the issue exists in alpine 3.9.0 and 3.10\_alpha20190408
which are the currently stable and edge versions.
To reproduce the issue:
```
$ apk --no-cache add borgbackup
$ borg init ./repo -e none
```
*(from redmine: issue id 10401, created on 2019-05-02, closed on 2019-06-19)*

3.10.0, Fabian Affolter

## [3.10] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10387
2019-07-23T11:10:26Z, Alicha CH

**CVE-2019-11494**: Submission-login crashes with signal 11 due to null
pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by
persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000409.html
**CVE-2019-11499**: Submission-login crashes when authentication is
started over TLS secured channel and invalid
authentication message is sent. This can lead to denial-of-service
attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000410.html
*(from redmine: issue id 10387, created on 2019-05-02, closed on 2019-05-28)*
* Relations:
* parent #10386
* Changesets:
* Revision 4cbff22201d9f2fb21d860bae0e62f3bf814ed45 on 2019-05-06T09:01:20Z:
```
main/dovecot: security upgrade to 2.3.6 (CVE-2019-11494, CVE-2019-11499)
Fixes #10387
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```

3.10.0, Natanael Copa

## OpenSSH 8.0
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10384
2019-07-23T11:10:28Z, renos renos

Please update
*(from redmine: issue id 10384, created on 2019-05-01, closed on 2019-05-04)*

3.10.0, Simon F (simon-alpine@fraho.eu)

## Typo in mariadb-openrc package
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10380
2019-07-23T11:10:33Z, Miroslav Hrachovec

In this file
https://git.alpinelinux.org/aports/plain/main/mariadb/mariadb.initd,
there is missing ‘=’ character for mysql install command in the setup()
function…
currently:
mysql_install_db --user=mysql --datadir /var/lib/mysql
should be:
mysql_install_db --user=mysql --datadir=/var/lib/mysql
*(from redmine: issue id 10380, created on 2019-04-30, closed on 2019-06-17)*
* Changesets:
* Revision 0a215b75098de4ba0acee6c6c77638bb5004b5c8 by Natanael Copa on 2019-04-30T08:57:20Z:
```
main/mariadb: fix typo in init.d script
ref #10380
```

3.10.0, Simon F (simon-alpine@fraho.eu)

## Numpy illegal operation crash due to openblas
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10379
2019-07-23T11:10:34Z, Aleks Bunin

Recently I’ve upgraded my system to iMac Pro, which has Skylake CPU and
one of the tests started to fail.
Reproducing code example:
```
>>> from numpy import array
>>> x = array([1.,2.,3.,4.])
>>> x.dot(x)
Illegal instruction
```
Now, more detailed log:
```
$ docker run -it --rm alpine:3.9
/ # apk add python3 py3-numpy
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/16) Installing libgcc (8.3.0-r0)
(2/16) Installing libquadmath (8.3.0-r0)
(3/16) Installing libgfortran (8.3.0-r0)
(4/16) Installing openblas (0.3.3-r2)
(5/16) Installing libbz2 (1.0.6-r6)
(6/16) Installing expat (2.2.6-r0)
(7/16) Installing libffi (3.2.1-r6)
(8/16) Installing gdbm (1.13-r1)
(9/16) Installing xz-libs (5.2.4-r0)
(10/16) Installing ncurses-terminfo-base (6.1_p20190105-r0)
(11/16) Installing ncurses-terminfo (6.1_p20190105-r0)
(12/16) Installing ncurses-libs (6.1_p20190105-r0)
(13/16) Installing readline (7.0.003-r1)
(14/16) Installing sqlite-libs (3.26.0-r3)
(15/16) Installing python3 (3.6.8-r2)
(16/16) Installing py3-numpy (1.15.4-r0)
Executing busybox-1.29.3-r10.trigger
OK: 108 MiB in 30 packages
/ # python3
Python 3.6.8 (default, Apr 8 2019, 18:17:52)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from numpy import array
>>> x = array([1.,2.,3.,4.])
>>> x.dot(x)
Illegal instruction
```
I’ve tried to upgrade numpy to the latest version, and still see the
problem.
This is related to https://github.com/xianyi/OpenBLAS/issues/1947,
which was fixed in openblas 0.3.6, released a few hours ago.
A possible workaround is to set the OPENBLAS\_CORETYPE environment
variable to haswell prior to starting Python:
```
/ # export OPENBLAS_CORETYPE=haswell
/ # python3
Python 3.6.8 (default, Apr 8 2019, 18:17:52)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from numpy import array
Core: Haswell
>>> x = array([1.,2.,3.,4.])
>>> x.dot(x)
30.0
```
*(from redmine: issue id 10379, created on 2019-04-29, closed on 2019-06-19)*

3.10.0