aports issues (https://gitlab.alpinelinux.org/alpine/aports/-/issues), feed updated 2020-01-22T11:34:32Z

## php-memcache
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5064 (updated 2020-01-22T11:34:32Z, by Jesús García Crespo)

### Problem
php-memcache extension fails to install properly:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/memcache.so' - Error relocating /usr/lib/php/modules/memcache.so: mmc_buffer_alloc: symbol not found in Unknown on line 0
### How to reproduce
$ docker run -it alpine:latest sh -c "apk update && apk upgrade && apk add php php-memcache && php -v"
Output:
fetch http://dl-4.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
fetch http://dl-4.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
v3.3.1-45-ge9b054a [http://dl-4.alpinelinux.org/alpine/v3.3/main]
v3.3.1-33-gee8882c [http://dl-4.alpinelinux.org/alpine/v3.3/community]
OK: 5859 distinct packages available
(1/4) Upgrading musl (1.1.12-r1 -> 1.1.12-r2)
(2/4) Upgrading libcrypto1.0 (1.0.2e-r0 -> 1.0.2f-r0)
(3/4) Upgrading libssl1.0 (1.0.2e-r0 -> 1.0.2f-r0)
(4/4) Upgrading musl-utils (1.1.12-r1 -> 1.1.12-r2)
Executing busybox-1.24.1-r7.trigger
OK: 5 MiB in 11 packages
(1/10) Installing php-common (5.6.17-r0)
(2/10) Installing pcre (8.38-r0)
(3/10) Installing ncurses-terminfo-base (6.0-r6)
(4/10) Installing ncurses-terminfo (6.0-r6)
(5/10) Installing ncurses-libs (6.0-r6)
(6/10) Installing readline (6.3.008-r4)
(7/10) Installing libxml2 (2.9.3-r0)
(8/10) Installing php-cli (5.6.17-r0)
(9/10) Installing php (5.6.17-r0)
(10/10) Installing php-memcache (3.0.8-r3)
Executing busybox-1.24.1-r7.trigger
OK: 23 MiB in 21 packages
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/memcache.so' - Error relocating /usr/lib/php/modules/memcache.so: mmc_buffer_alloc: symbol not found in Unknown on line 0
PHP 5.6.17 (cli) (built: Jan 24 2016 22:24:02)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
*(from redmine: issue id 5064, created on 2016-02-03, closed on 2016-03-18)*
* Changesets:
* Revision 0aa4af1a9360dbbcccf3327bc451b0813a60d42b on 2016-02-09T10:08:22Z:
```
main/php-memcache: fix relocation error. Fixes #5064
```
* Revision 2be177666eb1958255ddc91babdb0cb0add9a280 on 2016-02-10T09:14:27Z:
```
main/php-memcache: fix relocation error. Fixes #5064
(cherry picked from commit 0aa4af1a9360dbbcccf3327bc451b0813a60d42b)
```
Milestone: 3.3.2. Assignee: Leonardo Arena.

## OpenJDK build creates an empty certificate keystore
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4128 (updated 2019-07-23T13:54:30Z, by algitbot)

OpenJDK 1.7 build creates an empty trusted certificate authority
keystore. It results in such cryptic errors as:
> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
I encountered such issue trying to start Logstash 1.5 on Alpine Linux.
Here, I am checking the keystore for Alpine Linux:
bash-4.3# cat /etc/issue
Welcome to Alpine Linux 3.1
bash-4.3# keytool -list -keystore /usr/lib/jvm/java-1.7-openjdk/jre/lib/security/cacerts -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries
Just to compare, I am checking the keystore for Ubuntu Linux:
root@b1c19f12ce4a:/# cat /etc/issue
Ubuntu 14.04.2 LTS
root@b1c19f12ce4a:/# keytool -list -keystore /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 173 entries
Is that reasonable to supply Alpine with some pre-installed
certificates?
Thank you.
*(from redmine: issue id 4128, created on 2015-04-28, closed on 2016-03-18)*
* Changesets:
* Revision 94969c8a556eedeeafb78a33752ab6b6e6f7f892 by Natanael Copa on 2016-01-14T13:42:23Z:
```
community/openjdk8: fix cacerts
ref #4128
```
* Revision 2445067072ee0b830308575d5d63ce0981a73de3 by Natanael Copa on 2016-01-14T13:59:48Z:
```
community/openjdk8: fix cacerts
fixes #4128
(cherry picked from commit 94969c8a556eedeeafb78a33752ab6b6e6f7f892)
```
Milestone: 3.3.2. Assignee: Timo Teräs.

## libffi is broken
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4275 (updated 2019-07-23T13:52:50Z, by Jack Ling)

libffi seems to be completely broken on Alpine:
half the testsuite segfaults.
*(from redmine: issue id 4275, created on 2015-06-07, closed on 2016-03-18)*
* Changesets:
* Revision 81070afb94cd7454dd87cadfb0d0faed7e556de8 on 2015-07-20T12:50:17Z:
```
main/libffi: added patch which fixes #4275
```
* Revision 64490d2252667b4b52c6c7c50ce2d06be72d3f07 on 2016-01-13T11:30:39Z:
```
main/libffi: added patch which fixes #4275
(cherry picked from commit 81070afb94cd7454dd87cadfb0d0faed7e556de8)
```
* Revision bb024fd8ec6f27a76d88396c9f7c5c4b5800d580 by Natanael Copa on 2016-01-13T11:33:35Z:
```
main/libffi: actually apply the fix for #4275
fixes #4275
(cherry picked from commit d836f6e8fb1d5165bf70839a7c953a56568848d7)
```
* Uploads:
* [libffi-fix-define-for-musl.patch](/uploads/2be4f802df07729b1e23a8f341f7dad3/libffi-fix-define-for-musl.patch)
Milestone: 3.3.2. Assignee: Natanael Copa.

## TTF font support in imagemagick
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4703 (updated 2019-07-23T13:47:03Z, by Jerome Petazzoni)

**What I do:**
apk update
apk add imagemagick ttf-liberation
convert -list font
**What I expect to see:**
A list of font
**What I see instead:**
Nothing (empty output)
I’m on Alpine 3.2. I don’t know if that’s supposed to work (so I’m
filing this as “feature”) and I’m willing to try any suggestion to be
able to use fonts with imagemagick :-)
*(from redmine: issue id 4703, created on 2015-09-30, closed on 2016-03-18)*
* Changesets:
* Revision f68e87882164e95675b78d6128431f1e1472b2b8 by Natanael Copa on 2016-01-27T10:50:21Z:
```
main/imagemagick: build with fontconfig support
ref #4703
```
* Revision cff008d2c1d500eb594c376bb3d5353144d4962c by Natanael Copa on 2016-01-27T10:59:23Z:
```
main/imagemagick: build with fontconfig support
fixes #4703
(cherry picked from commit f68e87882164e95675b78d6128431f1e1472b2b8)
```
Milestone: 3.3.2.

## Varnish 4.1 segfault
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4938 (updated 2019-07-23T13:43:35Z, by Chingis S)

Hi everyone,
I’m trying to use Varnish 4.1 with Docker (1.9.1). I’ve built a docker
image in Alpine Linux 3.2 with its musl-libc to reduce the image size.
Dockerfile:
FROM alpine:3.2
RUN echo 'http://dl-4.alpinelinux.org/alpine/v3.3/main' >> /etc/apk/repositories && \
apk update && apk upgrade -U -a && \
apk add --update varnish \
&& rm -rf /var/cache/apk/*
When I try to run inside of the container, sometimes I get a segfault,
but sometimes I don’t:
# varnishd -F -W epoll -f /etc/varnish/default.vcl
child (4081) Started
Pushing vcls failed:
CLI communication error (hdr)
Stopping Child
Child (4081) died signal=11
Child (4081) Panic message:
Assert error in child_sigsegv_handler(), mgt/mgt_child.c line 297:
Condition(Segmentation fault by instruction at 0x7f8bec8af9e8) not true.
version = varnish-4.1.0 revision 3041728
ident = Linux,3.13.0-66-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit,epoll
Could not create _.vsm.4071: File exists
Sometimes when I get 2-3 segfaults in a row and 3rd, 4th time it runs
successfully.
My environment:
# gcc --version
gcc (Alpine 5.2.0) 5.2.0
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.2.3
PRETTY_NAME="Alpine Linux v3.2"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"
# ldd --version
musl libc
Version 1.1.12
# docker version
Client:
Version: 1.9.1
API version: 1.21
Go version: go1.4.2
Git commit: a34a1d5
Built: Fri Nov 20 13:12:04 UTC 2015
OS/Arch: linux/amd64
Server:
Version: 1.9.1
API version: 1.21
Go version: go1.4.2
Git commit: a34a1d5
Built: Fri Nov 20 13:12:04 UTC 2015
OS/Arch: linux/amd64
Also, when I run it successfully and try to clear cache (ban), child
process exits with a segfault.
Is it caused by musl-libc?
*(from redmine: issue id 4938, created on 2015-12-08, closed on 2016-03-18)*
* Changesets:
* Revision 58fbf6804b9f155bc2f8e467e949b79132c7df3c by Natanael Copa on 2016-01-08T08:21:15Z:
```
main/varnish: add -dbg
ref #4938
```
* Revision 2e4fa20349066e203b84df45a3ec428ecc827a39 by Natanael Copa on 2016-03-02T10:22:03Z:
```
main/varnish: fix stack overflow
ref #4938
```
* Revision 043207f7a3dc7a69739299962b540a8abfccb586 by Natanael Copa on 2016-03-02T10:26:08Z:
```
main/varnish: fix stack overflow
fixes #4938
```
Milestone: 3.3.2.

## Issue reading a structure from libc (calling function getifaddrs) with python ctypes
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4949 (updated 2019-07-23T13:43:24Z, by Axel Voitier)

Hello,
Using Docker containers for Alpine, with versions 3.1, 3.2 or edge, I
have the following issue.
I install python
> apk --update add python
I copy over the following python script:
https://gist.github.com/AxelVoitier/8d74496adb169df28d8b
And execute it:
> python test_libc.py
I get the following results in Alpine:
Traceback (most recent call last):
File "test_libc.py", line 259, in <module>
pp(get_ifaddrs())
File "test_libc.py", line 200, in get_ifaddrs
si = sockaddr_in.from_address(ifa.ifa_ifu.ifu_broadaddr)
TypeError: integer expected
On any other “big” Linux systems I tried this work fine.
Could it be that musl is not correctly typing the structures returned by
getifaddrs?
Cheers,
Axel
*(from redmine: issue id 4949, created on 2015-12-10, closed on 2016-03-18)*
* Changesets:
* Revision 56101f21b652321e32c4a02139ea042fccf6bebd by Timo Teräs on 2016-01-23T16:13:17Z:
```
main/musl: cherry-pick upstream fixes and improvements
fixes #4621
fixes #4949
(cherry picked from commit 8a4ccf53a605414546a73d39dda24fe95c1bc1b2)
```
Milestone: 3.3.2. Assignee: Timo Teräs.

## [3.3] cacti: Security issues (CVE-2015-8369, CVE-2015-8377)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4994 (updated 2019-07-23T13:42:27Z, by Alicha CH)

### (CVE-2015-8369) SQL injection in graph.php
SQL Injection of Cacti (0.8.8f and older versions) was discovered in
graph.php
### (CVE-2015-8377) Cacti graphs_new.php SQL Injection Vulnerability
An SQL injection was found in /cacti/graphs_new.php, affected versions
0.8.8f and older.
### References:
http://bugs.cacti.net/view.php?id=2646
http://svn.cacti.net/viewvc?view=rev&revision=7767
http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt
http://lwn.net/Articles/670044/
*(from redmine: issue id 4994, created on 2016-01-06, closed on 2016-12-15)*
* Relations:
* parent #4992
* Changesets:
* Revision b0c8c4440c4cd0eb5b6e618106cdbae99e30b6ea by Natanael Copa on 2016-03-18T09:16:15Z:
```
main/cacti: security upgrade to 0.8.8g (CVE-2015-8369,CVE-2015-8377)
fixes #4994
```
Milestone: 3.3.2. Assignee: Jeff Bilyk (jbilyk@gmail.com).

## nodejs with broken crypto module after upgrading to 4.2.4-r0
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4999 (updated 2019-07-23T13:42:22Z, by Antonio Marques)

After upgrading the nodejs package to the latest version (4.2.4-r0), the
crypto module throws the following error when calculating a hash:
alpine:~$ node -e "console.log(require('crypto').createHash('md5').update('test').digest('hex'))"
crypto.js:50
this._handle = new binding.Hash(algorithm);
^
Error: error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id
at Error (native)
at new Hash (crypto.js:50:18)
at Object.Hash (crypto.js:49:12)
at [eval]:1:31
at Object.exports.runInThisContext (vm.js:54:17)
at Object.<anonymous> ([eval]-wrapper:6:22)
at Module._compile (module.js:435:26)
at node.js:578:27
at doNTCallback0 (node.js:419:9)
at process._tickCallback (node.js:348:13)
Using the previous version (4.2.3-r0) of the package:
alpine:~$ node -e "console.log(require('crypto').createHash('md5').update('test').digest('hex'))"
098f6bcd4621d373cade4e832627b4f6
The above error is also present when using npm:
alpine:~$ npm install express
Error: error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id
at Error (native)
at new Hash (crypto.js:50:18)
at Object.Hash (crypto.js:49:12)
at getDefaultSessionIdContext (_tls_wrap.js:27:19)
at _tls_wrap.js:17:33
at NativeModule.compile (node.js:954:5)
at NativeModule.require (node.js:902:18)
at tls.js:221:21
at NativeModule.compile (node.js:954:5)
at NativeModule.require (node.js:902:18)
npm ERR! Linux 4.1.15-2-grsec
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "install" "express"
npm ERR! node v4.2.4
npm ERR! npm v2.14.12
npm ERR! error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
crypto.js:50
this._handle = new binding.Hash(algorithm);
^
Error: error:2606906E:engine routines:ENGINE_add:internal list error
at Error (native)
at new Hash (crypto.js:50:18)
at Object.Hash (crypto.js:49:12)
at md5hex (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:6:21)
at getTmpname (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:15:27)
at new WriteStream (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:31:22)
at WriteStream (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:26:12)
at writeLogFile (/usr/lib/node_modules/npm/lib/utils/error-handler.js:394:14)
at exit (/usr/lib/node_modules/npm/lib/utils/error-handler.js:80:28)
at process.errorHandler (/usr/lib/node_modules/npm/lib/utils/error-handler.js:385:3)
*(from redmine: issue id 4999, created on 2016-01-08, closed on 2016-03-18)*
* Changesets:
* Revision 351bd62f71d4ca5138e3d4a33c94852f307cf03c by Timo Teräs on 2016-01-15T06:18:30Z:
```
main/nodejs: fix crypto hash error handling
fixes #4999
Upstream regression. Cherry-pick fix from
https://github.com/nodejs/node/issues/4221
```
* Revision 30beca0f2f1de59e9fc8632d2807da50057217aa by Timo Teräs on 2016-01-15T06:25:04Z:
```
main/nodejs: fix crypto hash error handling
fixes #4999
Upstream regression. Cherry-pick fix from
https://github.com/nodejs/node/issues/4221
(cherry picked from commit 351bd62f71d4ca5138e3d4a33c94852f307cf03c)
```
* Revision 29f1e13e6f54c24c5fac520555da38e763c6c45b by Natanael Copa on 2016-02-04T14:46:16Z:
```
main/openssl: remove padlock autoload patch
it appears they made padlock static upstream again
this fixes nodejs issues
ref #4999
```
Milestone: 3.3.2. Assignee: Timo Teräs.

## [3.3] git: arbitrary code execution issues via URLs (CVE-2015-7545)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5003 (updated 2019-07-23T13:42:20Z, by Alicha CH)

A flaw was found in the way the git-remote-ext helper processed certain
URLs.
If a user had Git configured to automatically clone submodules from
untrusted repositories,
an attacker could inject commands into the URL of a submodule, allowing
them to execute arbitrary
code on the user’s system.
### Fixed in 2.6.1, 2.5.4, 2.4.10, 2.3.10
### References:
http://seclists.org/oss-sec/2015/q4/37
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021
https://lkml.org/lkml/2015/10/5/683
https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt
*(from redmine: issue id 5003, created on 2016-01-08, closed on 2017-09-05)*
* Relations:
* parent #5002
Milestone: 3.3.2. Assignee: Natanael Copa.

## [3.3] OpenSSH: client bugs CVE-2016-0777 and CVE-2016-0778
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5015 (updated 2019-07-23T13:42:13Z, by Natanael Copa)

OpenSSH clients between versions 5.4 and 7.1 are vulnerable to
information disclosure that may allow a malicious server to retrieve
information including under some circumstances, user’s private keys.
This may be mitigated by adding the undocumented config option
UseRoaming no to ssh_config.
This bug is corrected in **OpenSSH 7.1p2** and in OpenBSD’s stable
branch.
### CVE-2016-0777
An information leak (memory disclosure) can be exploited by a rogue SSH
server to trick a client into leaking sensitive data from the client
memory, including for example private keys.
### CVE-2016-0778
A buffer overflow (leading to file descriptor leak), can also be
exploited by a rogue SSH server, but due to another bug in the code is
possibly not exploitable, and only under certain conditions (not the
default configuration), when using ProxyCommand, ForwardAgent or
ForwardX11.
### References
http://www.openssh.com/txt/release-7.1p2
http://www.undeadly.org/cgi?action=article&sid=20160114142733
*(from redmine: issue id 5015, created on 2016-01-14, closed on 2016-01-14)*
* Relations:
* parent #5013
* Changesets:
* Revision 18616413d93252689ab1942e319a5df1a7fb8755 by Natanael Copa on 2016-01-14T20:44:46Z:
```
main/openssh: security upgrade to 7.1_p2 (CVE-2016-0777,CVE-2016-0778)
fixes #5015
```
Milestone: 3.3.2.

## [3.3] libpng: Incomplete fix for CVE-2015-8126 (CVE-2015-8472)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5020 (updated 2019-07-23T13:42:05Z, by Alicha CH)

It was discovered that the original fix for CVE-2015-8126 was incomplete
and did not detect
a potential overrun by applications using png_set_PLTE directly. A
remote attacker can take advantage
of this flaw to cause a denial of service (application crash).
Use **CVE-2015-8472** for this remaining problem that existed in 1.6.19
### Fixed in 1.6.20
### References:
https://marc.info/?l=oss-security&m=144929077710907&w=2
https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-8472
*(from redmine: issue id 5020, created on 2016-01-14, closed on 2016-01-29)*
* Relations:
* parent #5019
* Changesets:
* Revision d692ac089eba175ea2e505433f484898c5adaf43 by Christian Kampka on 2016-01-23T16:10:04Z:
```
main/libpng: new upstream version 1.6.20 (CVE-2015-8472)
fixes #5020
(cherry picked from commit d5a9b2204f3625b8278c9e4725a60b9a64ed720d)
```
Milestone: 3.3.2. Assignee: Natanael Copa.

## OpenVPN client down script fails to restore original resolv.conf
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5027 (updated 2019-07-23T13:41:56Z, by Chris Kankiewicz)

The default installation of OpenVPN includes an up.sh and down.sh script
in the /etc/openvpn directory. When using these scripts (i.e. openvpn
--script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh)
the up script successfully backs up the original resolv.conf script to
resolv.conf-tun0.sv but upon stopping the OpenVPN client the down script
fails to restore the default resolv.conf. I’ve tracked the issue down to
line 18 of /etc/openvpn/down.sh:
cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
When running this command with verbose output you get the following
error message:
cp: can't create '/etc/resolv.conf': File exists
*(from redmine: issue id 5027, created on 2016-01-17, closed on 2016-03-18)*
* Changesets:
* Revision 34c1dfa8655f06054a8d3bfe37a555ab78926d82 by Chris Kankiewicz on 2016-01-26T22:11:23Z:
```
main/openvpn: fix down script not restoring original resolv.conf
This patch fixes an error where, in the provided OpenVPN down script, the
cp command would fail due to the resolv.conf file already existing.
Instead of using cp we cat the file contents over the exising resolv.conf
file to avoid the error and preserve any symlinks that may exist.
fixes #5027
(cherry picked from commit bfdc08d49cfd221709ce29ad6f81a651461c71e2)
```
Milestone: 3.3.2.

## Dont launch emergency shell if http repo is specified
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5028 (updated 2019-07-23T13:41:55Z, by Serge Fedotov)

Please include commits
b4ebbafc0a53288788e6e11ede0b185d71269235..73fd80c87696f72d769aed377cc1bb89c2d540cf
to 3.3.2 release
*(from redmine: issue id 5028, created on 2016-01-18, closed on 2016-03-18)*
* Changesets:
* Revision ca9755b3098c2ab129f2891e1d3a319a84771c2b by Natanael Copa on 2016-01-20T16:13:12Z:
```
main/mkinitfs: upgrade to 3.0.3
fixes #5028
```
Milestone: 3.3.2. Assignee: Natanael Copa.

## [3.3] bind: multiple issues (CVE-2015-8704, CVE-2015-8705)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5034 (updated 2019-07-23T13:41:51Z, by Alicha CH)

**CVE-2015-8704:** Specific APL data could trigger an INSIST in
apl_42.c
**CVE-2015-8705:** Problems converting OPT resource records and ECS
options to text format can cause BIND to terminate.
### Versions affected:
9.3.0 -> 9.8.8, 9.9.0 -> 9.9.8-P2, 9.9.3-S1 -> 9.9.8-S3, 9.10.0 -> **9.10.3-P2**
### Solution:
Upgrade to the patched release most closely related to your current
version of BIND.
BIND 9 version 9.9.8-P3
BIND 9 version 9.10.3-P3
http://www.isc.org/downloads
### References:
https://kb.isc.org/article/AA-01335
https://kb.isc.org/article/AA-01336
https://marc.info/?l=oss-security&m=145324023200962&w=2
*(from redmine: issue id 5034, created on 2016-01-21, closed on 2016-01-29)*
* Relations:
* parent #5033
Milestone: 3.3.2. Assignee: Natanael Copa.

## [3.3] samba: Several vulnerabilities (CVE-2015-3223, CVE-2015-5252, CVE-2015-5296, CVE-2015-5299, CVE-2015-5330, CVE-2015-8467)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5041 (updated 2019-07-23T13:41:43Z, by Alicha CH)

### CVE-2015-3223: libldb: Remote DoS in Samba (AD) LDAP server
All versions of Samba from 4.0.0 to 4.3.2 inclusive are vulnerable to a
denial of service attack in the samba daemon LDAP server.
Fixed In Version:
ldb 1.1.24
### CVE-2015-5252: Insufficient symlink verification in smbd
All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a
bug in symlink verification, which under certain circumstances could
allow client access to files outside the exported share path.
Fixed In Version:
samba 4.1.22, samba 4.2.7, samba 4.3.3
### CVE-2015-5296: client requesting encryption vulnerable to downgrade attack
Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to a
server.
Fixed In Version:
samba 4.1.22, samba 4.2.7, samba 4.3.3
### CVE-2015-5299: Missing access control check in shadow copy code
All versions of Samba from 3.2.0 to 4.3.1 inclusive are vulnerable to
a missing access control check in the vfs_shadow_copy2 module. When
looking for the shadow copy directory under the share path the current
accessing user should have DIRECTORY_LIST access rights in order to
view the current snapshots.
Fixed In Version:
samba 4.1.22, samba 4.2.7, samba 4.3.3
### CVE-2015-5330: samba, ldb: remote memory read in the Samba LDAP server
Fixed In Version:
ldb 1.1.24, samba 4.1.22, samba 4.2.7, samba 4.3.3
### CVE-2015-8467: Denial of service attack against Windows Active Directory server.
Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.
All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to
override the protection against the MS15-096 / CVE-2015-2535 security
issue in Windows.
### References:
https://www.samba.org/samba/security/CVE-2015-3223.html
https://www.samba.org/samba/security/CVE-2015-5252.html
https://www.samba.org/samba/security/CVE-2015-5296.html
https://www.samba.org/samba/security/CVE-2015-5299.html
https://www.samba.org/samba/security/CVE-2015-5330.html
https://www.samba.org/samba/security/CVE-2015-7540.html
https://www.samba.org/samba/security/CVE-2015-8467.html
### Upstream commits:
https://git.samba.org/?p=samba.git;a=commitdiff;h=ec504dbf69636a554add1f3d5703dd6c3ad450b8
https://git.samba.org/?p=samba.git;a=commitdiff;h=aa6c27148b9d3f8c1e4fdd5dd46bfecbbd0ca465
https://git.samba.org/?p=samba.git;a=commitdiff;h=4278ef25f64d5fdbf432ff1534e275416ec9561e
https://git.samba.org/?p=samba.git;a=commitdiff;h=d724f835acb9f4886c0001af32cd325dbbf1f895
https://git.samba.org/?p=samba.git;a=commitdiff;h=1ba49b8f389eda3414b14410c7fbcb4041ca06b1
https://git.samba.org/?p=samba.git;a=commitdiff;h=a819d2b440aafa3138d95ff6e8b824da885a70e9
https://git.samba.org/?p=samba.git;a=commitdiff;h=675fd8d771f9d43e354dba53ddd9b5483ae0a1d7
https://git.samba.org/?p=samba.git;a=commitdiff;h=ba5dbda6d0174a59d221c45cca52ecd232820d48
https://git.samba.org/?p=samba.git;a=commitdiff;h=a118d4220ed85749c07fb43c1229d9e2fecbea6b
https://git.samba.org/?p=samba.git;a=commitdiff;h=538d305de91e34a2938f5f219f18bf0e1918763f
https://git.samba.org/?p=samba.git;a=commitdiff;h=530d50a1abdcdf4d1775652d4c456c1274d83d8d
https://git.samba.org/?p=samba.git;a=commitdiff;h=9d989c9dd7a5b92d0c5d65287935471b83b6e884
*(from redmine: issue id 5041, created on 2016-01-22, closed on 2016-06-15)*
* Relations:
* parent #5039
* Changesets:
* Revision c6dee5b9f0a361471955167bb2165acba300f1c5 on 2016-01-27T14:39:01Z:
```
main/ldb: security upgrade to 1.1.24 (CVE-2015-3223). Ref #5041
(cherry picked from commit 9c474c6aa6af26b79394ed47f17a04d5b29e5026)
```
* Revision 2c8df8d5eb5c12b722deb30952b55b164fc7111a on 2016-01-27T18:16:07Z:
```
main/samba: security upgrade to 4.2.7 (CVE-2015-3223, CVE-2015-5252, CVE-2015-5296, CVE-2015-5299, CVE-2015-5330, CVE-2015-8467). Fixes #5041
(cherry picked from commit 47affed1795cc5ca4cdd4625ea53ba85513f0636)
```
Milestone: 3.3.2. Assignee: Natanael Copa.

## [3.3] mariadb: Multiple security vulnerabilities (various CVEs)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5047 (updated 2019-07-23T13:41:37Z, by Alicha CH)

CVE-2016-2047: MariaDB 10.1.10
CVE-2016-0616: MariaDB 10.1.10
CVE-2016-0610: MariaDB 10.1.9
CVE-2016-0609: MariaDB 10.1.10
CVE-2016-0608: MariaDB 10.1.10
CVE-2016-0606: MariaDB 10.1.10
CVE-2016-0600: MariaDB 10.1.10
CVE-2016-0598: MariaDB 10.1.10
CVE-2016-0597: MariaDB 10.1.10
CVE-2016-0596: MariaDB 10.1.10
CVE-2016-0546: MariaDB 10.1.10
CVE-2016-0505: MariaDB 10.1.10
CVE-2015-7744: MariaDB 10.1.9
### References:
https://mariadb.com/kb/en/mariadb/mariadb-10110-release-notes/
*(from redmine: issue id 5047, created on 2016-01-26, closed on 2016-02-09)*
* Relations:
* parent #5045
* Changesets:
* Revision f33b0f2cc2ecd60d683e8b5914fb67f38ade23b2 on 2016-02-09T09:02:15Z:
```
main/mariadb: security upgrade to 10.1.11. Fixes #5047 (Multiple CVEs)
CVE-2016-0546
CVE-2016-0505
CVE-2016-0596
CVE-2016-0597
CVE-2016-0616
CVE-2016-0598
CVE-2016-0600
CVE-2016-0606
CVE-2016-0608
CVE-2016-0609
CVE-2016-2047: MDEV-9212
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
(cherry picked from commit 3d14ab3088a6be734caa7e423b16c7b816726b9b)
```
Milestone: 3.3.2. Assignee: Natanael Copa.

## [3.3] nginx: Multiple vulnerabilities (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5052 (updated 2019-07-23T13:41:33Z, by Alicha CH)

**CVE-2016-0742:** Invalid pointer dereference in resolver
**CVE-2016-0746:** Use-after-free during CNAME response processing in
resolver
**CVE-2016-0747:** Insufficient limits of CNAME resolution in resolver
Vulnerable: 0.6.18-1.9.9
The problems are fixed in **nginx 1.9.10, 1.8.1**.
### References:
http://nginx.org/en/security_advisories.html
*(from redmine: issue id 5052, created on 2016-01-27, closed on 2016-02-08)*
* Relations:
* parent #5051
* Changesets:
* Revision 372b38ff6d224156d67ef419b0f4e28a8ae538f6 by Natanael Copa on 2016-02-08T19:32:43Z:
```
main/nginx: security upgrade to 1.8.1
CVE-2016-0742
CVE-2016-0746
CVE-2016-0747
fixes #5052
```
3.3.2
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5060
[3.3] privoxy: security issues (CVE-2016-1982, CVE-2016-1983)
2019-07-23T13:41:29Z
Alicha CH
**CVE-2016-1982:** invalid reads in case of corrupt chunk-encoded
content
**CVE-2016-1983:** invalid read via empty host header in client request
### Fixed In Version:
privoxy 3.0.24
### References:
http://seclists.org/oss-sec/2016/q1/179
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1982
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1983
http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/filters.c?r1=1.196&r2=1.197
http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/parsers.c?r1=1.302&r2=1.303
*(from redmine: issue id 5060, created on 2016-02-02, closed on 2016-02-09)*
* Relations:
* parent #5059
* Changesets:
* Revision 51e24c0cf8b4c51e2a63b60ed33ad38c7c5632d2 on 2016-02-09T09:18:38Z:
```
main/privoxy: security upgrade to 3.0.24 (CVE-2016-1982,CVE-2016-1983). Fixes #5060
```
3.3.2
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5066
[3.3] phpmyadmin: Multiple issues (CVE-2015-8669, CVE-2016-2038, CVE-2016-2039, CVE-2016-2040, ...)
2019-07-23T13:41:23Z
Alicha CH
### CVE-2015-8669: Full path disclosure vulnerability
### Affected Versions:
Versions 4.0.x (prior to 4.0.10.12), 4.4.x (prior to 4.4.15.2) and 4.5.x
(prior to 4.5.3.1) are affected.
Upgrade to phpMyAdmin 4.0.10.12 or newer, 4.4.15.2 or newer, 4.5.3.1 or
newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2015-6/
### CVE-2016-2038: Multiple full path disclosure vulnerabilities.
### Affected Versions:
Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or
newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-1/
### CVE-2016-2039: Unsafe generation of XSRF/CSRF token.
### Affected Versions:
Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or
newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-2/
### CVE-2016-2040: Multiple XSS vulnerabilities.
### Affected Versions:
Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or
newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-3/
### CVE-2016-1927: Insecure password generation in JavaScript.
### Affected Versions:
Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or
newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-4/
### CVE-2016-2041: Unsafe comparison of XSRF/CSRF token.
### Affected Versions:
Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or
newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-5/
### CVE-2016-2042: Multiple full path disclosure vulnerabilities.
### Affected Versions:
Versions 4.4.x (prior to 4.4.15.3) and 4.5.x (prior to 4.5.4) are
affected.
Upgrade to phpMyAdmin 4.4.15.3 or newer, 4.5.4 or newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-6/
### CVE-2016-2043: XSS vulnerability in normalization page.
### Affected Versions:
Versions 4.4.x (prior to 4.4.15.3) and 4.5.x (prior to 4.5.4) are
affected.
Upgrade to phpMyAdmin 4.4.15.3 or newer, 4.5.4 or newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-7/
### CVE-2016-2044: Full path disclosure vulnerability in SQL parser.
### Affected Versions:
Versions 4.5.x (prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.5.4 or newer.
### References:
https://www.phpmyadmin.net/security/PMASA-2016-8/
### CVE-2016-2045: With a crafted SQL query, it is possible to trigger an XSS attack in the SQL editor.
### Affected versions:
Versions 4.5.x (prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.5.4 or newer
### References:
https://www.phpmyadmin.net/security/PMASA-2016-9/
*(from redmine: issue id 5066, created on 2016-02-04, closed on 2016-02-09)*
* Relations:
* parent #5065
* Changesets:
* Revision 6d8a809c5ca56a86b04b7d6f8b987fd16b660ce5 on 2016-02-09T09:36:35Z:
```
main/phpmyadmin: security upgrade to 4.5.4.1 (CVE-2015-8669). Fixes #5066
```
3.3.2
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5069
[3.3] curl: NTLM credentials not-checked for proxy connection re-use (CVE-2016-0755)
2019-07-23T13:41:19Z
Alicha CH
A vulnerability was found in the way libcurl uses NTLM-authenticated proxy
connections.
Libcurl will reuse NTLM-authenticated proxy connections without properly
making sure that the connection was authenticated with the same credentials
as set for this transfer.
### Affected versions:
libcurl 7.10.7 to and including 7.46.0
Upgrade curl and libcurl to version 7.47.0
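The bug class described above, as an added example that is not libcurl's code: a simplified model of a client-side connection cache with a vulnerable lookup (matches only proxy host and port) beside a fixed one (also requires the transfer's proxy credentials to equal those the connection was authenticated with). NTLM authenticates the connection rather than each request, which is why the check has to happen at connection-reuse time. The proxy host name, the user names and the cache contents are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libcurl's code: a simplified model of a client's
 * connection cache. Each entry is an idle or busy proxy connection; an
 * NTLM-authenticated entry remembers the credentials it was authenticated
 * with, because NTLM authenticates the connection, not each request. */
struct conn {
    const char *proxy_host;
    int         proxy_port;
    bool        ntlm_proxy_auth;  /* true: proxy auth on this connection was NTLM */
    const char *proxy_user;       /* credentials used to authenticate it */
    const char *proxy_pass;
    bool        in_use;
};

/* Constructed sample cache: one idle connection that "alice" authenticated. */
static struct conn cache[] = {
    { "proxy.example.test", 8080, true, "alice", "alice-secret", false },
};
#define CACHE_LEN (sizeof(cache) / sizeof(cache[0]))

/* NULL-safe string equality. */
static bool same_str(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Vulnerable lookup: picks any idle connection to the same proxy host:port.
 * The transfer's credentials are never consulted, so a transfer by "bob"
 * is sent over alice's already-authenticated connection. */
int find_reusable_vulnerable(const char *host, int port,
                             const char *user, const char *pass)
{
    (void)user;
    (void)pass;
    for (size_t i = 0; i < CACHE_LEN; i++) {
        const struct conn *c = &cache[i];
        if (!c->in_use && c->proxy_port == port && same_str(c->proxy_host, host))
            return (int)i;
    }
    return -1;
}

/* Fixed lookup: an NTLM-authenticated proxy connection is reused only if the
 * transfer's proxy credentials equal the ones it was authenticated with;
 * otherwise the caller must open a new connection. */
int find_reusable_fixed(const char *host, int port,
                        const char *user, const char *pass)
{
    for (size_t i = 0; i < CACHE_LEN; i++) {
        const struct conn *c = &cache[i];
        if (c->in_use || c->proxy_port != port || !same_str(c->proxy_host, host))
            continue;
        if (c->ntlm_proxy_auth &&
            (!same_str(c->proxy_user, user) || !same_str(c->proxy_pass, pass)))
            continue;  /* authenticated as someone else: not reusable */
        return (int)i;
    }
    return -1;
}

int main(void)
{
    const char *host = "proxy.example.test";
    printf("vulnerable: bob reuses alice's connection  -> %d\n",
           find_reusable_vulnerable(host, 8080, "bob", "bob-secret"));
    printf("fixed:      bob gets no cached connection  -> %d\n",
           find_reusable_fixed(host, 8080, "bob", "bob-secret"));
    printf("fixed:      alice reuses her own connection -> %d\n",
           find_reusable_fixed(host, 8080, "alice", "alice-secret"));
    return 0;
}
```

A return value of -1 from the fixed lookup means the caller has to open and authenticate a fresh connection for that transfer; the cost of an extra handshake is the price of not letting one user's requests be sent with another user's proxy identity.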
### References:
https://curl.haxx.se/docs/adv_20160127A.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0755
### Patch:
http://curl.haxx.se/CVE-2016-0755.patch
*(from redmine: issue id 5069, created on 2016-02-04, closed on 2016-06-23)*
* Relations:
* parent #5068
* Changesets:
* Revision 13c92a8e15a7eebe1e7a022c31d39aafd7ee8e69 by Natanael Copa on 2016-02-08T20:29:29Z:
```
main/curl: security upgrade to 7.47.0 (CVE-2016-0755)
fixes #5069
```
3.3.2
Natanael Copa