aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2021-02-23T19:44:20Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/12087OpenJDK 11 Security Update 11.0.9 - CVE-2020-28302021-02-23T19:44:20ZBob BobbovskiOpenJDK 11 Security Update 11.0.9 - CVE-2020-2830There is an security update to OpenJDK 11.0.9. Alpine stable release 3.12 is on 11.0.8.
Compare [Debian Security announcement](https://security-tracker.debian.org/tracker/CVE-2020-2830)
I suggest to update this package on stable also.
...There is an security update to OpenJDK 11.0.9. Alpine stable release 3.12 is on 11.0.8.
Compare [Debian Security announcement](https://security-tracker.debian.org/tracker/CVE-2020-2830)
I suggest to update this package on stable also.
### Branches
* [x] master (b85efc501595136485aea134946fa459bff115b0)
* [x] 3.12-stable3.12.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/11898curl - multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177, CVE-2020-8231)2020-12-09T22:05:13ZNagasudhancurl - multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177, CVE-2020-8231)## CVE-2020-8169:Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS s...## CVE-2020-8169:Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).
### References
https://curl.haxx.se/docs/CVE-2020-8169.html
## CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line.
### References
https://curl.haxx.se/docs/CVE-2020-8177.html
## CVE-2020-8231: libcurl: wrong connect-only connection
An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then.
### References
https://curl.haxx.se/docs/CVE-2020-8231.html
## Affected versions
libcurl 7.29.0 to and including 7.71.1
## Recommendation
Upgrade to curl 7.72.0
### Affected branches:
* [x] master
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
* [x] 3.9-stable3.12.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/11896squid: Multiple issues (CVE-2020-15810, CVE-2020-15811, CVE-2020-24606)2020-10-29T11:19:24ZAlicha CHsquid: Multiple issues (CVE-2020-15810, CVE-2020-15811, CVE-2020-24606)### CVE-2020-15810: HTTP Request Smuggling could result in cache poisoning
Due to incorrect data validation Squid is vulnerable to HTTP Request Smuggling
attacks against HTTP and HTTPS traffic. This leads to cache poisoning.
Affected V...### CVE-2020-15810: HTTP Request Smuggling could result in cache poisoning
Due to incorrect data validation Squid is vulnerable to HTTP Request Smuggling
attacks against HTTP and HTTPS traffic. This leads to cache poisoning.
Affected Versions: 2.5-3.5.28, 4.0-4.12, 5.0.1-5.0.3
Fixed Versions: 4.13, 5.0.4
#### Reference:
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m
#### Patch:
https://github.com/squid-cache/squid/commit/9c8e2a71aa1d3c159a319d9365c346c48dc783a5
### CVE-2020-15811: HTTP Request Splitting could result in cache poisoning
Due to incorrect data validation Squid is vulnerable to HTTP Request Splitting
attacks against HTTP and HTTPS traffic. This leads to cache poisoning.
Affected Versions: 2.7-3.5.28, 4.0-4.12, 5.0.1-5.0.3
Fixed Versions: 4.13, 5.0.4
#### Reference:
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
#### Patch:
https://github.com/squid-cache/squid/commit/fd68382860633aca92065e6c343cfd1b12b126e7
#### CVE-2020-24606: Improper Input Validation could result in a DoS
Due to Improper Input Validation Squid is vulnerable to a Denial of Service attack
against the machine operating Squid.
Affected Versions: 3.0-4.12, 5.0.1-5.0.3
Fixed Versions: 4.13, 5.0.4
#### Reference:
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
### Affected branches:
* [x] master (1b1174f4734079258cf68f23cd87f03db61f8bb4)
* [x] 3.12-stable (e724957f3efcb46781ea97e6a818c83f3f11fcca)
* [x] 3.11-stable (7300bf0a9813153ef15f97952cfb41a06e65769c)
* [x] 3.10-stable (dd335d7b73b301ef247eab133d8784257b87bb06)
* [x] 3.9-stable (99db9460e9bbcdfb2c8cb20976a3d7e89e7d859d)3.12.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/11883sane-backends: Multiple vulnerabilities (CVE-2020-12862, CVE-2020-12863, CVE-...2020-12-09T23:19:17ZAlicha CHsane-backends: Multiple vulnerabilities (CVE-2020-12862, CVE-2020-12863, CVE-2020-12865, CVE-2020-12867)### CVE-2020-12862: Out-of-bounds read in decode_binary
A flaw was found in sane-backends before version 1.0.30. An out-of-bounds read in decode_binary may lead to disclosure of information.
#### References:
* https://gitlab.com/sane-...### CVE-2020-12862: Out-of-bounds read in decode_binary
A flaw was found in sane-backends before version 1.0.30. An out-of-bounds read in decode_binary may lead to disclosure of information.
#### References:
* https://gitlab.com/sane-project/backends/-/releases
* https://nvd.nist.gov/vuln/detail/CVE-2020-12862
#### Patch:
https://gitlab.com/sane-project/backends/-/commit/3d005c2570a71fe93a63192d9c47ee54cb39049b
### CVE-2020-12863: Out-of-bounds read in esci2_check_header
A flaw was found in sane-backends before version 1.0.30. An out-of-bounds read in esci2_check_header function may lead to disclosure of information.
#### References:
* https://gitlab.com/sane-project/backends/-/releases
* https://nvd.nist.gov/vuln/detail/CVE-2020-12863
#### Patch:
https://gitlab.com/sane-project/backends/-/commit/226d9c92899facf4b22b98c73be6ad2cd0effc4a
### CVE-2020-12865: Heap buffer overflow in esci2_img
A flaw was found in sane-backends before version 1.0.30. A heap buffer overflow in esci2_img function may lead to remote code execution.
#### References:
* https://gitlab.com/sane-project/backends/-/issues/279
* https://nvd.nist.gov/vuln/detail/CVE-2020-12865
#### Patch:
https://gitlab.com/sane-project/backends/-/commit/b9b0173409df73e235da2aa0dae5edd21fb55967
### CVE-2020-12867: NULL pointer dereference in sanei_epson_net_read function
A NULL pointer dereference in sanei_epson_net_read in SANE Backends through 1.0.29 allows a malicious device connected
to the same local network as the victim to cause a denial of service, aka GHSL-2020-075.
#### References:
* https://gitlab.com/sane-project/backends/-/issues/279
* https://nvd.nist.gov/vuln/detail/CVE-2020-12867
#### Patch:
https://gitlab.com/sane-project/backends/-/commit/4c9e4efd4a82214719eeb1377a900e3a85c1c369
### Affected branches:
* [x] master
* [x] 3.12-stable3.12.2Valery KartelValery Kartelhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/11882curl: wrong connect-only connection (CVE-2020-8231)2020-12-09T22:05:07ZAlicha CHcurl: wrong connect-only connection (CVE-2020-8231)An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and ...An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then.
CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and "easy handle". It remembers the connection using a pointer to the internal connectdata struct in memory.
* Affected versions: libcurl 7.29.0 to and including 7.71.1
* Not affected versions: libcurl < 7.29.0 and libcurl >= 7.72.0
#### References:
* https://curl.haxx.se/docs/CVE-2020-8231.html
* https://www.openwall.com/lists/oss-security/2020/08/19/1
#### Patch:
https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
### Affected branches:
* [x] master
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable
* [x] 3.9-stable3.12.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/11872luajit: out-of-bounds read because __gc handler frame traversal is mishandled...2020-12-10T10:46:36ZAlicha CHluajit: out-of-bounds read because __gc handler frame traversal is mishandled (CVE-2020-15890 )LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.
#### References:
* https://github.com/LuaJIT/LuaJIT/issues/601
* https://nvd.nist.gov/vuln/detail/CVE-2020-15890
### Affected bra...LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.
#### References:
* https://github.com/LuaJIT/LuaJIT/issues/601
* https://nvd.nist.gov/vuln/detail/CVE-2020-15890
### Affected branches:
* [x] master
* [ ] 3.12-stable
* [ ] 3.11-stable
* [ ] 3.10-stable
* [ ] 3.9-stable3.12.2Jakub JirutkaJakub Jirutka