aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2019-07-23T11:51:55Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7445Backport ppc64le patches to 3.6.2 release2019-07-23T11:51:55ZRoberto OliveiraBackport ppc64le patches to 3.6.2 releasePatches that we should backport to release 3.6.2
Bug fixes: (aports)
main/grub: add powerpc-utils as dependency for grub-ieee1275 -
02d4386ee32c954ca299bd440c0fc0a72b5c422e
main/powerpc-utils: add missing dependencies -
1d0d9aded485...Patches that we should backport to release 3.6.2
Bug fixes: (aports)
main/grub: add powerpc-utils as dependency for grub-ieee1275 -
02d4386ee32c954ca299bd440c0fc0a72b5c422e
main/powerpc-utils: add missing dependencies -
1d0d9aded485e650569d95c479574a1ffc6fdb9a
community/go: fix external linker for ppc64le -
80d3e2de0e7ec8f262ab4e39553062a81758f703
Install alpine on disk: (alpine-conf)
setup-disk: add support for ppc64le -
60745ad8694ef21a29b35a28cdd1a3d802c07868
Package enablement: (aports)
community/py-opencl: enable build on ppc64le -
5c7835921d759b8da2f051c4e3e6c6c540cfdfdc
community/xpra: enable build on ppc64le -
b581832d54bbd1596885d3a65987f71a3ee0016f
community/icinga2: enable build on ppc64le -
b13cacb6596d084eef16402b3aac1b41873e4bd3
community/bluefish: update config guess -
775af0126177665a7e5d34030ccd439082caeb9f
community/icingaweb2: enable build on ppc64le -
0e4483164329141a22cc1e8bf56c9a2cfa2a81e8
community/syncthing13: enable build on ppc64le -
557c09644508064269207d77489446d268be81c9
testing/netdata: update config guess -
92363c398f763ef5b6a0ca0b3967f8da7a7dc39d
testing/influxdb: enable build on ppc64le -
0ce1305000032aeef25d06b537f63a7b1c8a3586
testing/easypki: enable build on ppc64le -
3f17c04d23f8e21118d15efc85171b2c8bffc4c0
testing/harminv: enable build on ppc64le -
5de815a43fb3fc967afe20b9a22ce2b07a1252f1
testing/mylg: fix build and enable on ppc64le -
45fafdfa16378b336882cf55cf746b51e1fcf5fe
testing/upx: enable build on ppc64le -
1bee4d7678a0ca95150905281d1f255658d88366
testing/steghide: fix build and enable on ppc64e -
5c5d866fecc5430d7c33472eeb6276281b10f09e
testing/icingaweb2-module-director: enable build on ppc64le -
6fc1fcf9cc5b2e2611a3816922b8abd18f531c92
*(from redmine: issue id 7445, created on 2017-06-16, closed on 2017-06-16)*3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7438[3.6] bind: An error processing RPZ rules can cause named to loop endlessly a...2019-07-23T11:52:03ZAlicha CH[3.6] bind: An error processing RPZ rules can cause named to loop endlessly after handling a query (CVE-2017-3140)If named is configured to use Response Policy Zones (RPZ) an error
processing some rule types can lead to
a condition where BIND will endlessly loop while handling a query.
Impact:
A server is potentially vulnerable to degradation of...If named is configured to use Response Policy Zones (RPZ) an error
processing some rule types can lead to
a condition where BIND will endlessly loop while handling a query.
Impact:
A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query
Successful exploitation of this condition will cause named to enter a
state where it continues to loop while processing the query without ever
reaching an end state.
While in this state, named repeatedly queries the same sets of
authoritative nameservers and this behavior will usually persist
indefinitely beyond the normal client
query processing timeout. By triggering this condition multiple times,
an attacker could cause a deliberate and substantial degradation in
service.
Operators of servers that meet the above conditions 1. and 2. may also
accidentally encounter this defect during normal operation. It is for
this reason that the decision
was made to issue this advisory despite its low CVSS score.
### Affected versions:
9.9.10, 9.10.5, **9.11.0**->9.11.1, 9.9.10-S1, 9.10.5-S1
### Fixed in:
BIND 9 version **9.11.1-P1**
### Reference:
https://kb.isc.org/article/AA-01495/74/CVE-2017-3140%3A-An-error-processing-RPZ-rules-can-cause-named-to-loop-endlessly-after-handling-a-query.html
*(from redmine: issue id 7438, created on 2017-06-16, closed on 2017-06-29)*
* Relations:
* parent #7436
* Changesets:
* Revision dab0364651fea7158196224398355ee204826bf0 by Natanael Copa on 2017-06-16T14:17:12Z:
```
main/bind: security upgrade to 9.11.1_p1 (CVE-2017-3140)
fixes #7438
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7432[3.6] libgcrypt: Possible timing attack on EdDSA session key (CVE-2017-9526)2019-07-23T11:52:09ZAlicha CH[3.6] libgcrypt: Possible timing attack on EdDSA session key (CVE-2017-9526)An attacker who learns the EdDSA session key from side-channel
observation during the signing process, can easily recover the
long-term secret key. Storing the session key in secure memory ensures
that constant time point operations ar...An attacker who learns the EdDSA session key from side-channel
observation during the signing process, can easily recover the
long-term secret key. Storing the session key in secure memory ensures
that constant time point operations are used in the MPI library.
### Fixed In Version:
libgcrypt 1.7.7
### Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9526
### Patches:
1.7.x:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56
Curve Ed25519 signing and verification inplemented in 1.6.0 with
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=bc5199a02abe428ad377443280b3eda60141a1d6
and following refactorings.
*(from redmine: issue id 7432, created on 2017-06-15, closed on 2017-07-05)*
* Relations:
* parent #7431
* Changesets:
* Revision b95bfcc998819366a8cadce0f079feda32c8c2ab by Natanael Copa on 2017-06-16T12:30:50Z:
```
main/libgcrypt: security upgrade to 1.7.7 (CVE-2017-9526)
fixes #7432
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7427[3.6] graphite2: Multiple vulnerabilities (CVE-2017-7771, CVE-2017-7772, CVE-...2019-07-23T11:52:14ZAlicha CH[3.6] graphite2: Multiple vulnerabilities (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778)A number of security vulnerabilities in the Graphite 2 library including
out-of-bounds reads, buffer overflow reads and writes,
and the use of uninitialized memory. These issues were addressed in
Graphite 2 version 1.3.10.
### Referen...A number of security vulnerabilities in the Graphite 2 library including
out-of-bounds reads, buffer overflow reads and writes,
and the use of uninitialized memory. These issues were addressed in
Graphite 2 version 1.3.10.
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/\#CVE-2017-7778
*(from redmine: issue id 7427, created on 2017-06-15, closed on 2017-08-22)*
* Relations:
* parent #7426
* Changesets:
* Revision 1356d7513d17527593612964798f70bb41d86498 by Natanael Copa on 2017-06-15T13:56:39Z:
```
main/graphite2: security upgrade to 1.3.10
CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774,
CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778
fixes #7427
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7425[3.6] firefox-esr: Multiple vulnerabilities (CVE-2017-5470, CVE-2017-5472, CV...2019-07-23T11:52:16ZAlicha CH[3.6] firefox-esr: Multiple vulnerabilities (CVE-2017-5470, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7764, CVE-2017-7778)**CVE-2017-5470**: Memory safety bugs
**CVE-2017-5472**: Use-after-free using destroyed node when regenerating
trees
**CVE-2017-7749**: Use-after-free during docshell reloading
**CVE-2017-7750**: Use-after-free with track elements ...**CVE-2017-5470**: Memory safety bugs
**CVE-2017-5472**: Use-after-free using destroyed node when regenerating
trees
**CVE-2017-7749**: Use-after-free during docshell reloading
**CVE-2017-7750**: Use-after-free with track elements
**CVE-2017-7751**: Use-after-free with content viewer listeners
**CVE-2017-7752**: Use-after-free with IME input
**CVE-2017-7754**: Out-of-bounds read in WebGL with ImageInfo object
**CVE-2017-7756**: Use-after-free and use-after-scope logging XHR header
errors
**CVE-2017-7757**: Use-after-free in IndexedDB
**CVE-2017-7758**: Out-of-bounds read in Opus encoder
**CVE-2017-7764**: Domain spoofing with combination of Canadian
Syllabics and other unicode blocks
**CVE-2017-7778**: Vulnerabilities in the Graphite 2 library
### Fixed in:
Firefox ESR 52.2
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
*(from redmine: issue id 7425, created on 2017-06-15, closed on 2017-06-15)*
* Changesets:
* Revision c6c27a817956fb07eff80f8a11ccb24d197bd5ac by Natanael Copa on 2017-06-15T13:56:39Z:
```
community/firefox-esr: security upgrade to 52.2.0
fixes #7425
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7422[3.6] webkit2gtk: Several vulnerabilities (Various CVEs)2019-07-23T11:52:18ZAlicha CH[3.6] webkit2gtk: Several vulnerabilities (Various CVEs)**CVE-2016-9643**:The regex code in WebKit allows remote attackers to
cause a denial of service (memory consumption) as demonstrated in a
large number of
($ (open parenthesis and dollar) followed by {-2,16} and a large number
of +) (pl...**CVE-2016-9643**:The regex code in WebKit allows remote attackers to
cause a denial of service (memory consumption) as demonstrated in a
large number of
($ (open parenthesis and dollar) followed by {-2,16} and a large number
of +) (plus close parenthesis).
Versions affected: WebKitGTK+ before 2.14.6
**CVE-2017-2367**: This issue allows remote attackers to bypass the Same
Origin Policy and obtain sensitive information via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2377**: This issue involves the “WebKit Web Inspector”
component. It allows attackers to cause a denial of service (memory
corruption and application crash)
by leveraging a window-close action during a debugger-pause state.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2392**: This issue allows attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted app.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2394**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2415**: This issue allows remote attackers to execute
arbitrary code by leveraging an unspecified “type confusion.”.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2419**: This issue allows remote attackers to bypass a
Content Security Policy protection mechanism via unspecified vectors.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2442**: This issue involves the “WebKit JavaScript Bindings”
component. It allows remote attackers to bypass the Same Origin Policy
and
obtain sensitive information via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2446**: This issue allows remote attackers to execute
arbitrary code via a crafted web site that leverages the mishandling of
strict mode functions.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2454**: This issue allows allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2459**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2460**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2465**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2466**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2468**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2470**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2471**: A use-after-free vulnerability allows remote
attackers to execute arbitrary code via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2475**: This issue allows remote attackers to conduct
Universal XSS (UXSS) attacks via crafted use of frames on a web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2476**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
**CVE-2017-2481**: This issue allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site.
Versions affected: WebKitGTK+ before 2.14.6.
### Reference:
https://webkitgtk.org/security/WSA-2017-0003.html
*(from redmine: issue id 7422, created on 2017-06-13, closed on 2017-06-14)*
* Changesets:
* Revision 52d9e7b149a47445bc334c456fbc736550584b66 by Natanael Copa on 2017-06-14T07:56:46Z:
```
community/webkit2gtk: upgrade to 2.16.3
and enable on ppc64le and aarch64
CVE-2016-9642, CVE-2016-9643, CVE-2017-2364, CVE-2017-2367,
CVE-2017-2376, CVE-2017-2377, CVE-2017-2386, CVE-2017-2392,
CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405,
CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442,
CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454,
CVE-2017-2455, CVE-2017-2457, CVE-2017-2459, CVE-2017-2460,
CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468,
CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2475,
CVE-2017-2476, CVE-2017-2481
CVE-2017-2496, CVE-2017-2504, CVE-2017-2505, CVE-2017-2506,
CVE-2017-2508, CVE-2017-2510, CVE-2017-2514, CVE-2017-2515,
CVE-2017-2521, CVE-2017-2525, CVE-2017-2526, CVE-2017-2528,
CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2539,
CVE-2017-2544, CVE-2017-2547, CVE-2017-2549, CVE-2017-6980,
CVE-2017-6984.
fixes #7422
```3.6.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/7417[3.6] gnutls: Crash upon receiving well-formed status_request extension (CVE-...2019-07-23T11:52:22ZAlicha CH[3.6] gnutls: Crash upon receiving well-formed status_request extension (CVE-2017-7507)### Fixed in:
gnutls 3.5.13
### Reference:
https://www.gnutls.org/security.html\#GNUTLS-SA-2017-4
### Patches:
https://gitlab.com/gnutls/gnutls/commit/4c4d35264fada08b6536425c051fb8e0b05ee86b
https://gitlab.com/gnutls/gnutls/commi...### Fixed in:
gnutls 3.5.13
### Reference:
https://www.gnutls.org/security.html\#GNUTLS-SA-2017-4
### Patches:
https://gitlab.com/gnutls/gnutls/commit/4c4d35264fada08b6536425c051fb8e0b05ee86b
https://gitlab.com/gnutls/gnutls/commit/3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03
https://gitlab.com/gnutls/gnutls/commit/e1d6c59a7b0392fb3b8b75035614084a53e2c8c9
*(from redmine: issue id 7417, created on 2017-06-12, closed on 2017-06-14)*
* Relations:
* parent #7416
* Changesets:
* Revision d41da612f88d05e5f3c29088e6303e3bd3804b98 on 2017-06-13T10:19:45Z:
```
main/gnutls: security upgrade to 3.5.13 (CVE-2017-7507). Fixes #7417
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7412su does not work when /bin is before /usr/bin in PATH2019-07-23T11:52:26ZA. Wilcoxsu does not work when /bin is before /usr/bin in PATHThis is a new install of Alpine edge, but I can reproduce this on my
v3.6 VM. If <code>$PATH</code> has <code>/bin</code> before
<code>/usr/bin</code>, <code>su</code> fails:
su: must be suid to work properly
We can see clearly using <...This is a new install of Alpine edge, but I can reproduce this on my
v3.6 VM. If <code>$PATH</code> has <code>/bin</code> before
<code>/usr/bin</code>, <code>su</code> fails:
su: must be suid to work properly
We can see clearly using <code>ls -l</code>:
lrwxrwxrwx 1 root root 12 Jun 11 02:02 /bin/su ->/bin/busybox
lrwxrwxrwx 1 root root 11 Jun 11 02:02 /usr/bin/su ->/bin/bbsuid
And <code>apk info -W</code>:
/bin/su symlink target is owned by busybox-1.26.2-r7
/usr/bin/su symlink target is owned by busybox-suid-1.26.2-r7
Yet, <code>confstr PATH</code>:
/bin:/usr/bin
Either <code>/bin/su</code> should not be installed, or
<code>busybox-suid</code> should be the one to install it.
*(from redmine: issue id 7412, created on 2017-06-11, closed on 2017-06-11)*3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7404TLS negotiation error in OpenJDK 8 JRE u1312019-07-23T11:52:29ZShatil RafiullahTLS negotiation error in OpenJDK 8 JRE u131Attempting to curl an application over HTTPS result in a TLS negotiation
error with OpenSSL when the application is being served from Alpine
Linux 3.6 running openjdk8-jre.
How to reproduce?
1. Launch Alpine Linux 3.6 container runnin...Attempting to curl an application over HTTPS result in a TLS negotiation
error with OpenSSL when the application is being served from Alpine
Linux 3.6 running openjdk8-jre.
How to reproduce?
1. Launch Alpine Linux 3.6 container running a JVM application serving
HTTPS
2. curl the application
<!-- -->
$ curl -Ikv https://172.28.128.14/status
* Hostname was NOT found in DNS cache
* Trying 172.28.128.14...
* Connected to 172.28.128.14 (172.28.128.14) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
What version of Java am I running?
$ sudo docker exec -it docker_svc_1 java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (IcedTea 3.4.0) (Alpine 8.131.11-r1)
OpenJDK 64-Bit Server VM (build 25.131-b11, mixed mode)
Related bug in the OpenJDK Docker image project, which, according to its
Dockerfile, just installs openjdk8-jre:
https://github.com/docker-library/openjdk/issues/115
curl from macOS Sierra doesn’t complain, and neither does curl on Alpine
Linux 3.6, but older (but supported) OSes like Ubuntu 14.04 are unable
to communicate without issue. The issue does not exist in the same
OpenJDK version running on Debian Jessie.
*(from redmine: issue id 7404, created on 2017-06-09, closed on 2017-06-16)*
* Changesets:
* Revision aba7b091637e95dad55f2f2cc9050b989e12b4d2 on 2017-06-16T12:17:21Z:
```
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.
Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library does doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).
Related issues:
* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
ref #7404
```
* Revision a83deb21e05db11acc1db3112d0ad9d65f521b5f on 2017-06-16T12:21:10Z:
```
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.
Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library does doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).
Related issues:
* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
ref #7404
```
* Revision 0700bbb3d0ba54eb4ed3e747fb3abb1c7ee14b4f on 2018-06-13T21:18:57Z:
```
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.
Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library does doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).
Related issues:
* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
ref #7404
```
* Uploads:
* [icedtea-jdk-tls-nist-curves.patch](/uploads/7177f5f013e465b331179b39dd30e6d6/icedtea-jdk-tls-nist-curves.patch) Configure JVM w/ NSS-supported elliptic curves only3.6.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/7403[3.6] chicken: Unsafe pointer dereference due to incorrect pair? check in Sch...2019-07-23T11:52:30ZAlicha CH[3.6] chicken: Unsafe pointer dereference due to incorrect pair? check in Scheme "length" procedure (CVE-2017-9334)An incorrect “pair?” check in the Scheme “length” procedure results in
an unsafe pointer dereference in all CHICKEN Scheme versions prior to
4.13,
which allows an attacker to cause a denial of service by passing an
improper list to an ...An incorrect “pair?” check in the Scheme “length” procedure results in
an unsafe pointer dereference in all CHICKEN Scheme versions prior to
4.13,
which allows an attacker to cause a denial of service by passing an
improper list to an application that calls “length” on it.
### Fixed In Version:
chicken 4.13
http://openwall.com/lists/oss-security/2017/06/01/2
https://nvd.nist.gov/vuln/detail/CVE-2017-9334
### Patch:
http://lists.nongnu.org/archive/html/chicken-hackers/2017-05/txtR8ZFTRaiUi.txt
*(from redmine: issue id 7403, created on 2017-06-09, closed on 2017-06-15)*
* Relations:
* parent #7401
* Changesets:
* Revision 73556d997143937fe09a607debe5c16f29c989d7 on 2017-06-15T13:51:39Z:
```
community/chicken: security fixes #7403 (CVE-2017-9334)
```3.6.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/7395[3.6] irssi: Multiple vulnerabilities (CVE-2017-9468, CVE-2017-9469)2019-07-23T11:52:35ZAlicha CH[3.6] irssi: Multiple vulnerabilities (CVE-2017-9468, CVE-2017-9469)**CVE-2017-9468**: When receiving a DCC message without source
nick/host, Irssi would
attempt to dereference a NULL pointer.
### Fixed in:
Irssi 1.0.3
### Reference:
https://irssi.org/security/irssi\_sa\_2017\_06.txt
### Patch
ht...**CVE-2017-9468**: When receiving a DCC message without source
nick/host, Irssi would
attempt to dereference a NULL pointer.
### Fixed in:
Irssi 1.0.3
### Reference:
https://irssi.org/security/irssi\_sa\_2017\_06.txt
### Patch
https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55
**CVE-2017-9469**: When receiving certain incorrectly quoted DCC files,
Irssi would
try to find the terminating quote one byte before the allocated memory.
### Fixed in:
Irssi 1.0.3
### Reference:
https://irssi.org/security/irssi\_sa\_2017\_06.txt
### Patch
https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55
*(from redmine: issue id 7395, created on 2017-06-07, closed on 2017-06-15)*
* Relations:
* parent #7393
* Changesets:
* Revision 193541208f498e8907a0a72a35ea442df88b7bfc on 2017-06-15T10:26:54Z:
```
main/irssi: security upgrade to 1.0.3 (CVE-2017-9468, CVE-2017-9469)
Fixes #7395
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7391Grub could be upgraded to the released version of 2.02 (repository currently ...2019-07-23T11:52:39ZalgitbotGrub could be upgraded to the released version of 2.02 (repository currently beta3)Grub could be upgraded to the released version of 2.02, dated 26th April
2017 from the site, ftp://ftp.gnu.org/gnu/grub/
Main Repository is currently 2.02\_beta3, dated 28th Feb 2016, from the
site ftp://alpha.gnu.org/gnu/grub
Unfortu...Grub could be upgraded to the released version of 2.02, dated 26th April
2017 from the site, ftp://ftp.gnu.org/gnu/grub/
Main Repository is currently 2.02\_beta3, dated 28th Feb 2016, from the
site ftp://alpha.gnu.org/gnu/grub
Unfortunately the patches don’t work and I’m sorry I’m not skillful
enough to solve that myself.
For the current grub-2.02\_beta3-r7, I don’t believe the Doc package,
grub-doc-2.02\_beta3-r7, is being build correctly.
*(from redmine: issue id 7391, created on 2017-06-06, closed on 2017-06-16)*
* Changesets:
* Revision 8254d923999f99702a824f8db9d272db2972fa7b by Natanael Copa on 2017-06-09T10:44:26Z:
```
main/grub: upgrade to 2.02
ref #7391
```
* Revision 5c3b89f91d607f29d83e94db8f96aee350905550 by Natanael Copa on 2017-06-16T12:17:59Z:
```
main/grub: upgrade to 2.02
fixes #7391
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7382[3.6] postgresql: Multiple vulnerabilities (CVE-2017-7484, CVE-2017-7485, CVE...2019-07-23T11:52:48ZAlicha CH[3.6] postgresql: Multiple vulnerabilities (CVE-2017-7484, CVE-2017-7485, CVE-2017-7486)CVE-2017-7484: selectivity estimators bypass SELECT privilege checks
--------------------------------------------------------------------
### Fixed In Version:
postgresql 9.4.12, postgresql 9.5.7, **postgresql 9.6.3**
### References:
...CVE-2017-7484: selectivity estimators bypass SELECT privilege checks
--------------------------------------------------------------------
### Fixed In Version:
postgresql 9.4.12, postgresql 9.5.7, **postgresql 9.6.3**
### References:
https://www.postgresql.org/about/news/1746/
https://nvd.nist.gov/vuln/detail/CVE-2017-7484
CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable
--------------------------------------------------------------
### Fixed In Version:
postgresql 9.4.12, postgresql 9.5.7, **postgresql 9.6.3**
### References:
https://www.postgresql.org/about/news/1746/
https://nvd.nist.gov/vuln/detail/CVE-2017-7485
CVE-2017-7486: pg\_user\_mappings view discloses foreign server passwords
-------------------------------------------------------------------------
### Fixed In Version:
postgresql 9.2.21, postgresql 9.3.17, postgresql 9.4.12, postgresql
9.5.7, **postgresql 9.6.3**
### References:
https://www.postgresql.org/about/news/1746/
https://nvd.nist.gov/vuln/detail/CVE-2017-7486
*(from redmine: issue id 7382, created on 2017-06-05, closed on 2017-06-13)*
* Relations:
* parent #7381
* Changesets:
* Revision bc37dfd1ae2ed873d08a885a0e9bf2e1e059e28a on 2017-06-13T07:05:53Z:
```
main/postgresql: security upgrade to 9.6.3 (CVE-2017-7484, CVE-2017-7485, CVE-2017-7486)
Fixes #7382
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7377[3.6] wireshark: Multiple vulnerabilities (CVE-2017-9343, CVE-2017-9344, CVE-...2019-07-23T11:52:54ZAlicha CH[3.6] wireshark: Multiple vulnerabilities (CVE-2017-9343, CVE-2017-9344, CVE-2017-9345, CVE-2017-9346, CVE-2017-9347, CVE-2017-9348, CVE-2017-9349, CVE-2017-9350, CVE-2017-9351, CVE-2017-9352, CVE-2017-9353, CVE-2017-9354)CVE-2017-9343: MSNIP dissector crash
------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-30.htm...CVE-2017-9343: MSNIP dissector crash
------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-30.html
CVE-2017-9344: BT L2CAP dissector divide by zero
------------------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-29.html
CVE-2017-9345: DNS dissector infinite loop
------------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-26.html
CVE-2017-9346: SoulSeek dissector infinite loop
-----------------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-25.html
CVE-2017-9347: ROS dissector crash
----------------------------------
**Affected versions**: 2.2.0 to 2.2.12
**Fixed versions**: 2.2.7
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-31.html
CVE-2017-9348: DOF dissector read overflow
------------------------------------------
**Affected versions**: 2.2.0 to 2.2.12
**Fixed versions**: 2.2.7
### References:
https://www.wireshark.org/security/wnpa-sec-2017-23.html
CVE-2017-9349: DICOM dissector infinite loop
--------------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-27.html
CVE-2017-9350: openSAFETY dissector memory exhaustion
-----------------------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-28.html
**CVE-2017-9351**: DHCP dissector read overflow
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-24.html
CVE-2017-9352: Bazaar dissector infinite loop
---------------------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-22.html
CVE-2017-9353: IPv6 dissector crash
-----------------------------------
**Affected versions**: 2.2.0 to 2.2.6
**Fixed versions**: 2.2.7
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-33.html
CVE-2017-9354: RGMP dissector crash
-----------------------------------
**Affected versions**: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12
**Fixed versions**: 2.2.7, 2.0.13
### Reference:
https://www.wireshark.org/security/wnpa-sec-2017-32.html
*(from redmine: issue id 7377, created on 2017-06-05, closed on 2017-06-15)*
* Relations:
* parent #73753.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7037/init does not correctly handle serial port config from command line2019-07-23T11:57:13ZManuel Mendez/init does not correctly handle serial port config from command lineAccording to kernel docs
https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
and
https://www.kernel.org/doc/Documentation/admin-guide/serial-console.rst
serial port console config supports more options than just sp...According to kernel docs
https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
and
https://www.kernel.org/doc/Documentation/admin-guide/serial-console.rst
serial port console config supports more options than just speed, e.g.:
console=115200n8
`/init` will then configure `/etc/inittab` for getty, but getty does not
understand the kernel syntax and repeatedly prints
getty: bad speed
`/init` should do a better job of parsing the kernel console command
line syntax
*(from redmine: issue id 7037, created on 2017-03-17, closed on 2017-06-16)*
* Changesets:
* Revision c32140e9a21673e7674e686d797cdd9f2efd8a0d by Natanael Copa on 2017-06-16T14:49:04Z:
```
main/mkinitfs: upgrade to 3.1.0
fixes #7037
```3.6.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/7031[3.6] chicken: unchecked size argument in malloc() (CVE-2017-6949)2019-07-23T11:57:19ZAlicha CH[3.6] chicken: unchecked size argument in malloc() (CVE-2017-6949)An issue was discovered in CHICKEN Scheme through 4.12.0. When using a
nonstandard CHICKEN-specific extension to
allocate an SRFI-4 vector in unmanaged memory, the vector size would be
used in unsanitised form as an argument to malloc(...An issue was discovered in CHICKEN Scheme through 4.12.0. When using a
nonstandard CHICKEN-specific extension to
allocate an SRFI-4 vector in unmanaged memory, the vector size would be
used in unsanitised form as an argument to malloc().
With an unexpected size, the impact may have been a segfault or buffer
overflow.
### References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6949
http://openwall.com/lists/oss-security/2017/03/16/10
*(from redmine: issue id 7031, created on 2017-03-17, closed on 2019-05-03)*
* Relations:
* parent #70303.6.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/6954[3.6] gdk-pixbuf: Multiple vulnerabilities (CVE-2017-6311, CVE-2017-6312, CVE...2019-07-23T11:58:05ZAlicha CH[3.6] gdk-pixbuf: Multiple vulnerabilities (CVE-2017-6311, CVE-2017-6312, CVE-2017-6313, CVE-2017-6314)### CVE-2017-6311: NULL dereference on gdk-pixbuf thumbnailer
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=778204
http://seclists.org/oss-sec/2017/q1/466
http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html
### CVE-...### CVE-2017-6311: NULL dereference on gdk-pixbuf thumbnailer
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=778204
http://seclists.org/oss-sec/2017/q1/466
http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html
### CVE-2017-6312: Out-of-bounds read in io-ico.c
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=779012
http://seclists.org/oss-sec/2017/q1/466
http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html
### CVE-2017-6313: Integer underflow in io-icns.c
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=779016
http://seclists.org/oss-sec/2017/q1/466
http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html
### CVE-2017-6314: Infinite loop in io-tiff.c
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=779020
http://seclists.org/oss-sec/2017/q1/466
http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html
*(from redmine: issue id 6954, created on 2017-03-03, closed on 2017-06-29)*
* Relations:
* parent #6953
* Changesets:
* Revision b94677ab61788321ca49525a88ae523c9f0a6bca on 2017-06-16T08:32:52Z:
```
main/gdk-pixbuf: security fixes (CVE-2017-6311, CVE-2017-6312, CVE-2017-6314)
Partially fixes #6954
CVE-2017-6313: fix N/A, https://bugzilla.gnome.org/show_bug.cgi?id=779016
```3.6.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/6852[3.6] libxml2: null pointer dereference when parsing a xml file using recover...2019-07-23T11:59:20ZAlicha CH[3.6] libxml2: null pointer dereference when parsing a xml file using recover mode (CVE-2017-5969)**CVE-2017-5969**: Null pointer derefence parsing xml file using libxml
### Upstream bug report:
https://bugzilla.gnome.org/show\_bug.cgi?id=778519
### Reference:
http://openwall.com/lists/oss-security/2017/02/13/1
*(from redmine: ...**CVE-2017-5969**: Null pointer derefence parsing xml file using libxml
### Upstream bug report:
https://bugzilla.gnome.org/show\_bug.cgi?id=778519
### Reference:
http://openwall.com/lists/oss-security/2017/02/13/1
*(from redmine: issue id 6852, created on 2017-02-13, closed on 2017-06-29)*
* Relations:
* parent #6851
* Changesets:
* Revision 4e7a6efe3f60338f70ade314e9bc46474c7fff9a by Natanael Copa on 2017-06-16T14:30:51Z:
```
main/libxml2: fix for CVE-2017-5969
fixes #6852
```3.6.2Carlo LandmeterCarlo Landmeter