aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2019-07-23T13:50:45Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4431
Update Node.js package to v0.12.6
Scott Mebberson, 2019-07-23T13:50:45Z

There has been a critical security release for Node.js, v0.12.6
(https://medium.com/@iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852).
Please update the Node.js package to the latest version, 0.12.6
accordingly.
Homepage: https://nodejs.org/
Source: http://nodejs.org/dist/v0.12.6/node-v0.12.6.tar.gz
*(from redmine: issue id 4431, created on 2015-07-08, closed on 2015-07-08)*
* Changesets:
* Revision 8bdc523ace5ec61cf1ce5429c197f507ec1da64e on 2015-07-08T06:34:20Z:
```
main/nodejs: upgrade to 0.12.6. Fixes #4431
```
Milestone: 3.2.1
Assignee: Francesco Colista

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4422
Additional Sounds for freeswitch
Joao Vitor Arruda, 2019-07-23T13:50:48Z

Is it possible to create 2 new sounds packages for freeswitch based on
their repository?
Only the 8000 Hz version is ok at the moment.
The languages are:
- French: fr-ca-june
- Portuguese (BRA): pt-BR-karina
The files are available in:
http://files.freeswitch.org/releases/sounds/
In both cases the latest version (1.0.51) can be used
*(from redmine: issue id 4422, created on 2015-07-01, closed on 2015-07-08)*
* Changesets:
* Revision 59c22fa03b58ac1efe070f22e6054ee2dc4662ca on 2015-07-02T21:33:51Z:
```
testing/freeswitch-sounds-pt-br-karina-8000: new aport
ref #4422
```
* Revision 1037e75ccb55065e99100d248ca2aed26c1cc12c on 2015-07-07T14:29:10Z:
```
main/freeswitch-sounds-pt-br-karina-8000: move from testing
fixes #4422
(cherry picked from commit 9485fcd2d360167cc28ae121e9840d48c7547681)
```
* Revision 244d70926be696fe7d4491c549aecfe8c8dba562 by Natanael Copa on 2015-07-08T09:06:37Z:
```
main/freeswitch-sounds-fr-*: move from testing
ref #4422
```
* Revision 9014781a74372563006ee028cc731008bc65cbcb by Natanael Copa on 2015-07-08T09:13:25Z:
```
main/freeswitch-sounds-fr-*: move from testing
ref #4422
(cherry picked from commit 244d70926be696fe7d4491c549aecfe8c8dba562)
```
* Revision 54a04c67e08e794c4b0fcbe25403b87318f5535a by Natanael Copa on 2015-07-08T09:14:18Z:
```
main/freeswitch-sounds-fr-ca-june-8000: upgrade to 1.0.51
fixes #4422
(cherry picked from commit 64fb8f27c6db8fee32688fa19b6b6ef867c72cf7)
```
Milestone: 3.2.1
Assignee: Alan Lacerda

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4421
setup-disk does not add 'raid' feature if root device is on lvm and physical disk is /dev/cciss/* hw raid
Natanael Copa, 2019-07-23T13:50:49Z

If lvm is used on top of /dev/cciss/* hardware raid (typically HP
server) then setup-disk will fail to add the hwraid driver in initramfs,
resulting in a system that does not boot.
*(from redmine: issue id 4421, created on 2015-07-01, closed on 2015-07-08)*
* Changesets:
* Revision e51d4fc223b60b41a3d5748122a547565b347031 by Natanael Copa on 2015-07-07T12:36:15Z:
```
main/alpine-conf: fix issue when for it on lvm on cciss raid
fixes #4421
(cherry picked from commit f06947663b0d988c62c583e121839c62a75c775a)
```
* Revision c0ad60b0f9fdb31bd3398d898ecb653c916d0ef9 by Natanael Copa on 2015-07-15T13:12:04Z:
```
setup-disk: add raid to initfs if root is on lvm
ref #4421
```
Milestone: 3.2.1

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4420
[3.2] squashfs-tools: Integer overflow issue and other flaws (CVE-2015-4645 / CVE-2015-4646)
Alexander Belous, 2019-07-23T13:50:50Z

Reference:
https://admin.fedoraproject.org/updates/FEDORA-2015-10750/squashfs-tools-4.3-11.fc22
*(from redmine: issue id 4420, created on 2015-07-01, closed on 2015-08-05)*
* Relations:
* parent #4416
* Changesets:
* Revision eda97ba58d739a78737006295c03cbe3d77ebceb by Natanael Copa on 2015-07-07T19:54:55Z:
```
main/squashfs-tools: security fix for CVE-2015-4645/4646
ref #4416
fixes #4420
(cherry picked from commit 10422f18285619f8f57b8b4ab5ca829eb21c115f)
```
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4415
[v3.2] polkit: cookie generator can wrap and two identical cookies could exist; DoS (CVE-2015-4625)
Alexander Belous, 2019-07-23T13:50:55Z

The “cookie” value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and target identity, and attempted
to find an agent from that.
The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.
Reference:
https://security-tracker.debian.org/tracker/CVE-2015-4625
https://bugs.freedesktop.org/show_bug.cgi?id=90837
*(from redmine: issue id 4415, created on 2015-07-01, closed on 2015-08-06)*
* Relations:
* parent #4411
* Changesets:
* Revision 6fe5385eb32b42ebe7440f307380873153658bc0 by Natanael Copa on 2015-07-08T09:04:27Z:
```
main/polkit: various security fixes
CVE-2015-3218
CVE-2015-3255
CVE-2015-4625
ref #4411
fixes #4415
(cherry picked from commit a215f1937c91916b1b5162e49e996708eb456e67)
```
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4410
[v3.2] rsyslog: some log files are created world-readable (CVE-2015-3243)
Alexander Belous, 2019-07-23T13:51:00Z

The default for syslog is $FileCreateMode 0644 but the rsyslog.conf
provided by the Debian package sets $FileCreateMode 0640
Reference:
https://security-tracker.debian.org/tracker/CVE-2015-3243
*(from redmine: issue id 4410, created on 2015-07-01, closed on 2018-08-23)*
* Relations:
* parent #4406
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4404
[v3.2] pcre: heap overflow vulnerability was found in pcre3, in find_fixedlength() (CVE-2015-5073)
Alexander Belous, 2019-07-23T13:51:05Z

PCRE library is prone to a vulnerability which leads to Heap Overflow.
During subpattern calculation of a malformed regular expression, an
offset that is used as an array index is fully controlled and can be
large enough so that unexpected heap memory regions are accessed.
One could at least exploit this issue to read objects nearby in the
affected application’s memory.
Such information disclosure may also be used to bypass memory protection
methods such as ASLR.
Reference:
https://bugs.exim.org/show_bug.cgi?id=1651
*(from redmine: issue id 4404, created on 2015-06-29, closed on 2015-08-07)*
* Relations:
* parent #4400
* Changesets:
* Revision 1187799566cb8d6a53722bcb8a2bc5dafe23e80a by Natanael Copa on 2015-07-07T13:43:11Z:
```
main/pcre: various security fixes
CVE-2015-3210
CVE-2015-3217
CVE-2015-5073
fixes #4291
fixes #4404
(cherry picked from commit 77345a923c72d9e8d0a4202d893239ba43b903a3)
```
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4399
[v3.2] cups-filters: texttopdf heap-based buffer overflow (CVE-2015-3258)
Alexander Belous, 2019-07-23T13:51:11Z

A heap-based buffer overflow was discovered in the way the texttopdf
utility of cups-filters processed print jobs with a specially crafted
line size. An attacker being able to submit print jobs could exploit
this flaw to crash texttopdf or, possibly, execute arbitrary code.
This was discovered by Petr Sklenar of Red Hat.
This is fixed in cups-filters 1.0.70.
Patch:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7363
Minor note on the side: The commit thanks me for the patch. The patch
was created by Tim Waugh of Red Hat, I’ve merely forwarded it.
Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1235385
Reference:
https://bugs.alpinelinux.org/projects/alpine-security/issues/new
*(from redmine: issue id 4399, created on 2015-06-29, closed on 2018-09-27)*
* Relations:
* parent #4395
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4393
Update main/xfce4-notes-plugin to 1.8.1
Leo Unglaub, 2019-07-23T13:51:15Z

Hey,
I have updated main/xfce4-notes-plugin to 1.8.1. This finally fixes an
annoying styling issue.
Greetings
Leo
*(from redmine: issue id 4393, created on 2015-06-27, closed on 2015-07-08)*
* Changesets:
* Revision ba244108a998f00af4a4c3ead7fc64c05dd5ad85 by Leo Unglaub on 2015-07-01T09:55:50Z:
```
main/xfce4-notes-plugin: Update to 1.8.1
This release fixes some gtk-2.0 them issues and one issue with the
panel deskbar mode.
fixes #4393
(cherry picked from commit b86e6a4d7aca9e2559b822d3c06d5ac850f6db9c)
```
* Uploads:
* [0003-main-xfce4-notes-plugin-Update-to-1.8.1.patch](/uploads/1747ff2610ab1a8efe24d6525c7e7f51/0003-main-xfce4-notes-plugin-Update-to-1.8.1.patch)
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4391
[v3.2] Linux-PAM: security issue in the pam_unix module (CVE-2015-3238)
Alexander Belous, 2019-07-23T13:51:17Z

Due to a security problem found in Linux-PAM, we released a
new version today: 1.2.1
The only change compared with 1.2.0 is the security fix for
CVE-2015-3238:
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is
called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
Reference:
https://www.redhat.com/archives/pam-list/2015-June/msg00001.html
https://security-tracker.debian.org/tracker/CVE-2015-3238
*(from redmine: issue id 4391, created on 2015-06-26, closed on 2019-05-03)*
* Relations:
* parent #4387
* Changesets:
* Revision d294bb94f12a38a2be5c3efc793d6b5e234b0b4b by Natanael Copa on 2015-07-07T19:49:18Z:
```
main/linux-pam: security upgrade to 1.2.1 (CVE-2015-3238)
ref #4387
fixes #4391
```
Milestone: 3.2.1
Assignee: Ariadne Conill <ariadne@ariadne.space>

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4381
[v3.2] FreeRADIUS: insufficient CRL application (CVE-2015-4680)
Alexander Belous, 2019-07-23T13:51:21Z

The FreeRADIUS server is an open source project that provides a RADIUS
implementation.
The FreeRADIUS server relies on OpenSSL to perform certificate validation,
including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of
OpenSSL, in CRL application, limits the checks to leaf certificates,
therefore not detecting revocation of intermediate CA certificates.
An unexpired client certificate, issued by an intermediate CA with a revoked
certificate, is therefore accepted by FreeRADIUS.
Specifically, it sets the X509_V_FLAG_CRL_CHECK flag for leaf certificate CRL
checks, but does not use X509_V_FLAG_CRL_CHECK_ALL for CRL checks on the
complete trust chain.
The FreeRADIUS project advises that the recommended configuration is to use
self-signed CAs for all EAP-TLS methods.
Affected version:
FreeRADIUS <= 2.2.7, <= 3.0.8
Fixed version:
FreeRADIUS >= 2.2.8, >= 3.0.9
Reference: http://seclists.org/oss-sec/2015/q2/776
*(from redmine: issue id 4381, created on 2015-06-23, closed on 2019-05-03)*
* Relations:
* parent #4377
* Changesets:
* Revision 1794998b957c4311b20aa504cb0c1576e702d3d9 by Natanael Copa on 2015-07-07T19:45:05Z:
```
main/freeradius: security fix for CVE-2015-4680
ref #4377
fixes #4381
(cherry picked from commit 1314c0d82fee33213ea17cc7805bdf3a60efac78)
```
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4372
llvm build fails on armhf
K B, 2019-07-23T13:51:27Z

I attempted to install the xorg-server-dev package in order to compile
the Xorg fbturbo video driver, but xorg-server-dev will not install due
to mesa-dev not being available. So, I attempted to build mesa from
aports, but this isn’t possible because llvm-dev isn’t available. So, I
attempted to build llvm from aports a few times, but all attempts fail
at the same point far into the abuild process on both Raspberry Pi B+
(rpi1) and Raspberry Pi 2 B (rpi2). I have uploaded abuild logs for both
devices.
*(from redmine: issue id 4372, created on 2015-06-18, closed on 2015-07-07)*
* Relations:
* relates #4374
* relates #4235
* Changesets:
* Revision 9c42240e7b792f8ba3bab94c9f6f55cc5b692221 by Natanael Copa on 2015-06-30T10:26:22Z:
```
main/llvm: build with gcc and fix arm
clang is not ready to use for production yet so we don't bootstrap
clang to build itself.
Also fix arm build.
fixes #4372
```
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4367
[v3.2] ruby-activesupport4.2: Possible Denial of Service attack (CVE-2015-3227)
Alexander Belous, 2019-07-23T13:51:32Z

There is a possible denial of service attack in the XML processing in Active
Support. This vulnerability has been assigned the CVE identifier
CVE-2015-3227.
Versions Affected: All.
Not affected: None.
Fixed Versions: 4.2.2, 4.1.11
Impact
———
Specially crafted XML documents can cause applications to raise a
`SystemStackError` and potentially cause a denial of service attack. This
only impacts applications using REXML or JDOM as their XML processor. Other
XML processors that Rails supports are not impacted.
All users running an affected release should either upgrade or use one
of the workarounds immediately.
Reference:
http://www.openwall.com/lists/oss-security/2015/06/16/16
*(from redmine: issue id 4367, created on 2015-06-17, closed on 2015-07-10)*
* Relations:
* parent #4366
* Changesets:
* Revision dffc69fd343ad7c419c643f7c85927ba6a20eb04 by Kaarle Ritvanen on 2015-07-08T09:45:20Z:
```
main/ruby-rails4.2: upgrade to 4.2.3 (incl. dependencies)
fixes #4367
(cherry picked from commit 390c5e61822473fce8eca628ebc0105fec79361b)
```
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4365
setup-apkrepos reports errors on some mirrors
Natanael Copa, 2019-07-23T13:51:34Z

```
Enter mirror number (1-18) or URL to add (or r/f/e/done) [f]:
Finding fastest mirror...
1.46 http://nl.alpinelinux.org/alpine/
1.70 http://dl-2.alpinelinux.org/alpine/
1.45 http://dl-3.alpinelinux.org/alpine/
1.93 http://dl-4.alpinelinux.org/alpine/
0.91 http://dl-5.alpinelinux.org/alpine/
2.55 http://dl-6.alpinelinux.org/alpine/
0.70 http://dl-7.alpinelinux.org/alpine/
1.52 http://distrib-coffee.ipsl.jussieu.fr/pub/linux/alpine/alpine/
1.35 http://mirror.yandex.ru/mirrors/alpine/
3.23 http://mirrors.gigenet.com/alpinelinux/
3.78 http://repos.lax-noc.com/alpine/
3.89 http://repos.dfw.lax-noc.com/alpine/
2.55 http://repos.mia.lax-noc.com/alpine/
0.96 http://mirror1.hs-esslingen.de/pub/Mirrors/alpine/
2.25 http://mirrors.centarra.com/alpine/
ERROR: http://liskamm.alpinelinux.uk//edge/main: Protocol error
1.03 http://mirrors.2f30.org/alpine/
1.10 http://mirror.leaseweb.com/alpine/
```
The liskamm mirror does appear to be fine. Problem is the double /.
To reproduce:
```
$ apk update --quiet --repository http://liskamm.alpinelinux.uk//edge/main --repositories-file /dev/null; echo $?
ERROR: http://liskamm.alpinelinux.uk//edge/main: Protocol error
1
```
*(from redmine: issue id 4365, created on 2015-06-16, closed on 2015-07-08)*
* Changesets:
* Revision 2a97a54f983f16aaea7d9ef77023d32ddcf8b6c7 by Natanael Copa on 2015-06-16T08:36:35Z:
```
setup-apkrepos: fix speed test of mirrors
Some mirrors error on double / in path.
ref #4365
```
* Revision 9b06e4bb86d3151e0d69b6b5ddf6b554e215581a by Natanael Copa on 2015-07-07T14:39:49Z:
```
main/alpine-conf: fix setup-apkrepos
ref #4365
```
* Revision 7a26617a5bf6fd3ba752b735501c4080b2d514ec by Natanael Copa on 2015-07-07T14:40:53Z:
```
main/alpine-conf: fix setup-apkrepos
fixes #4365
(cherry picked from commit 9b06e4bb86d3151e0d69b6b5ddf6b554e215581a)
```
Milestone: 3.2.1

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4357
[v3.2] cacti: SQL Injection and Location header injection from cdef id (CVE-2015-4342)
Alexander Belous, 2019-07-23T13:51:42Z

Bug:
Unspecified SQL Injection and Location header injection vulnerability
has been reported and fixed in Cacti.
Fix:
Cacti 0.8.8d
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4342
*(from redmine: issue id 4357, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4356
* Changesets:
* Revision 6265e118d5015269910665d7cbd889b57baf70d2 by Natanael Copa on 2015-06-15T13:24:38Z:
```
main/cacti: security upgrade to 0.8.8d (CVE-2015-4342)
fixes #4357
```
Milestone: 3.2.1
Assignee: Jeff Bilyk <jbilyk@gmail.com>

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4352
[v3.2] cups: Improper Update of Reference Count and Cross-Site Scripting (CVE-2015-1158, CVE-2015-1159)
Alexander Belous, 2019-07-23T13:51:47Z

We received a report from Google that cupsd can be exploited to perform
a privilege escalation using a combination of bugs and the dynamic
linker’s support for (pre)loading or redirecting which shared libraries
are used by the cups-exec helper program.
The exact attack does the following:
1. Use the CGI template engine to inject malicious HTML in a hyperlink,
which is executed by the browser (a similar attack could be performed by
a specially written program)
2. A specially-crafted print-job or create-job request is sent to cupsd
containing the job-originating-host-name attribute with multiple
nameWithLanguage values - this triggers a validation error in cupsd,
which then tries to free the language strings multiple times.
3. The language string passed in is /admin, which causes the cupsd.conf
ACL’s copy of the string to become corrupted, allowing anyone to PUT a
new cupsd.conf file.
4. A new cupsd.conf file is uploaded to cupsd containing SetEnv
directives (for DYLD_PRELOAD or LD_PRELOAD) pointing to a malicious
dynamic library.
5. The next job or request that triggers the execution of a helper
program through cups-exec, and the dynamic linker loads the malicious
code. Depending on the version of CUPS and platform, the code will
execute either as the “lp” user or “root”.
This attack can be done remotely when printer sharing and the web
interface is enabled, using failed POST or PUT requests to collect stale
request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through
the following changes:
- cupsd should use the ippSetCount and ippSetString APIs rather than
manipulating the string values directly, particularly for the processing
of the job-originating-host-name attribute.
- cupsd shouldn’t use string pool for config stuff
- cupsd should remove temp files on partial POST/PUT
- cupsd shouldn’t support LD_* and DYLD_* variables when running as root
- Need to call cgiClearVariables in more places to prevent input from
leaking into output
- Add new cgiSetVariable function to flag variables that are already
encoded HTML, and only give them special treatment
Fix:
CUPS 2.0.3
Reference: http://www.cups.org/str.php?L4609
*(from redmine: issue id 4352, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4351
* Changesets:
* Revision ff5aca650b718685ddf975d4f7f26993fc79f235 by Natanael Copa on 2015-06-15T13:40:50Z:
```
main/cups: security upgrade to 2.0.3 (CVE-2015-1158,CVE-2015-1159)
fixes #4352
```
Milestone: 3.2.1
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4345
[v3.2] openssl: multiple issues (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176, CVE-2015-4000)
Alexander Belous, 2019-07-23T13:51:54Z

Bugs:
DHE man-in-the-middle protection (Logjam)
A vulnerability in the TLS protocol allows a man-in-the-middle attacker
to downgrade vulnerable TLS connections using ephemeral
Diffie-Hellman key exchange to 512-bit export-grade cryptography. This
vulnerability is known as Logjam (CVE-2015-4000).
OpenSSL has added protection for TLS clients by rejecting handshakes
with DH parameters shorter than 768 bits. This limit will be increased
to 1024 bits in a future release.
…
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Severity: Moderate
When processing an ECParameters structure OpenSSL enters an infinite
loop if the curve specified is over a specially malformed binary
polynomial field.
This can be used to perform denial of service against any system which
processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with client
authentication enabled.
This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
affected.
…
Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
Severity: Moderate
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in a
DoS on applications that verify certificates or CRLs. TLS clients that
verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
Severity: Moderate
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Severity: Moderate
When verifying a signedData message the CMS code can enter an infinite
loop if presented with an unknown hash function OID.
This can be used to perform denial of service against any system which
verifies signedData messages using the CMS code.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Race condition handling NewSessionTicket (CVE-2015-1791)
Severity: Low
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Invalid free in DTLS (CVE-2014-8176)
Severity: Moderate
This vulnerability does not affect current versions of OpenSSL. It
existed in previous OpenSSL versions and was fixed in June 2014.
If a DTLS peer receives application data between the ChangeCipherSpec
and Finished messages, buffering of such data may cause an invalid free,
resulting in a segmentation fault or potentially, memory corruption.
This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8.
…
Fix:
The latest security updates of OpenSSL (1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg)
fix all three issues. These releases also fix a number of
other security issues. Shortly after publishing these updates OpenSSL
issued another update (1.0.2c, 1.0.1o), because the versions contained
an ABI change which should not happen in minor releases.
…
References:
http://seclists.org/oss-sec/2015/q2/697
http://seclists.org/oss-sec/2015/q2/703
https://www.openssl.org/news/secadv_20150611.txt
*(from redmine: issue id 4345, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4344
Milestone: 3.2.1
Assignee: Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4340
[v3.2] wpa_supplicant: vulnerability was found in peer implementation (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
Alexander Belous, 2019-07-23T13:51:59Z

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
buffer read overflow of up to couple of hundred bytes.
The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.
Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.
Vulnerable versions/configurations
hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.
wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.
Acknowledgments
Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.
Possible mitigation steps
- Merge the following commits and rebuild hostapd/wpa_supplicant:
CVE-2015-4143:
EAP-pwd peer: Fix payload length validation for Commit and Confirm
EAP-pwd server: Fix payload length validation for Commit and Confirm
CVE-2015-4144 (length check) + CVE-2015-4145 (memory leak):
EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
EAP-pwd server: Fix Total-Length parsing for fragment reassembly
CVE-2015-4146:
EAP-pwd peer: Fix asymmetric fragmentation behavior
These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa_supplicant v2.5 or newer, once available
- Remove CONFIG_EAP_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration
Reference:
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/05/31/6
*(from redmine: issue id 4340, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4339
* Changesets:
* Revision 62ecb530d43d5bdf1a68d3509993e48bddfdb5de by Natanael Copa on 2015-06-15T11:28:06Z:
```
main/wpa_supplicant: various security fixes
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4340
fixes #4270
```
3.2.1 Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4335
[v3.2] hostapd: vulnerability was found in EAP-pwd server (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
2019-07-23T13:52:04Z Alexander Belous
A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and EAP-pwd/Confirm message payload is processed without verifying that the received frame is long enough to include all the fields. This results in a buffer read overflow of up to a couple of hundred bytes.
The exact result of this buffer overflow depends on the platform and may be either not noticeable (i.e., authentication fails due to invalid data without any additional side effects) or process termination due to the buffer read overflow being detected and stopped. The latter case could potentially result in denial of service when EAP-pwd authentication is used.
Further research into this issue found that the fragment reassembly processing is also missing a check for the Total-Length field and this could result in the payload length becoming negative. This itself would not add more to the vulnerability due to the payload length not being verified anyway. However, it is possible that a related reassembly step would result in hitting an internal security check on buffer use and result in the processing being terminated.
Vulnerable versions/configurations
hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration.
wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime.
Acknowledgments
Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue.
Possible mitigation steps
- Merge the following commits and rebuild hostapd/wpa_supplicant:
  CVE-2015-4143:
    EAP-pwd peer: Fix payload length validation for Commit and Confirm
    EAP-pwd server: Fix payload length validation for Commit and Confirm
  CVE-2015-4144 (length check) + CVE-2015-4145 (memory leak):
    EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
    EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  CVE-2015-4146:
    EAP-pwd peer: Fix asymmetric fragmentation behavior
  These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa_supplicant v2.5 or newer, once available
- Remove CONFIG_EAP_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration
Reference:
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/05/31/6
*(from redmine: issue id 4335, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4334
* Changesets:
* Revision d8639f35f2edbddd0d541d199154f7c5bd5230ee by Natanael Copa on 2015-06-15T11:32:40Z:
```
main/hostapd: various security fixes
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4335
fixes #4270
```
3.2.1 Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4330
[v3.2] lighttpd: Log injection vulnerability in mod_auth (CVE-2015-3200)
2019-07-23T13:52:07Z Alexander Belous
When a basic HTTP authentication base64 string does not contain a colon character (or contains it after a NULL byte, which can be inserted inside the base64 encoding), then that situation is logged with the string “: is missing in ” and the simply decoded base64 string. This means that new lines, NULL bytes and everything else can be encoded with base64 and are then inserted into the logs as they are after decoding.
Reference: http://redmine.lighttpd.net/issues/2646
https://security-tracker.debian.org/tracker/CVE-2015-3200
*(from redmine: issue id 4330, created on 2015-06-15, closed on 2019-05-03)*
* Relations:
* parent #4329
* Changesets:
* Revision a7cd05c24e19250420da81b72e89a4abf367b785 by Natanael Copa on 2015-07-07T14:23:40Z:
```
main/lighttpd: security fix for CVE-2015-3200
The upstream patch does not apply without applying lot other stuff so we
simply apply all since 1.4.35 release.
fixes #4330
(cherry picked from commit c1ee7a6e6d21447788c7512e7197d49ebfbc3096)
```
3.2.1 Natanael Copa