aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2019-07-23T11:10:25Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10388[3.9] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)2019-07-23T11:10:25ZAlicha CH[3.9] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)**CVE-2019-11494**: Submission-login crashes with signal 11 due to null
pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by
persistent attacker(s).
Vulnerable version: 2.3.0 - 2...**CVE-2019-11494**: Submission-login crashes with signal 11 due to null
pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by
persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000409.html
**CVE-2019-11499**: Submission-login crashes when authentication is
started over TLS secured channel and invalid
authentication message is sent. This can lead to denial-of-service
attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
### Reference:
https://dovecot.org/list/dovecot-news/2019-April/000410.html
*(from redmine: issue id 10388, created on 2019-05-02, closed on 2019-05-28)*
* Relations:
* parent #10386
* Changesets:
* Revision f82ad4a4bd0bcfe6c75ff43189ad29dc14c38add on 2019-05-06T09:09:53Z:
```
main/dovecot: security upgrade to 2.3.6 (CVE-2019-11494, CVE-2019-11499)
Fixes #10388
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10383[3.9] znc: crash on invalid encoding (CVE-2019-9917)2019-07-23T11:10:29ZAlicha CH[3.9] znc: crash on invalid encoding (CVE-2019-9917)ZNC before 1.7.3-rc1 allows an existing remote user to cause
a Denial of Service (crash) via invalid encoding.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-9917
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925285
...ZNC before 1.7.3-rc1 allows an existing remote user to cause
a Denial of Service (crash) via invalid encoding.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-9917
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925285
### Patch:
https://github.com/znc/znc/commit/64613bc8b6b4adf1e32231f9844d99cd512b8973
*(from redmine: issue id 10383, created on 2019-05-01, closed on 2019-05-06)*
* Changesets:
* Revision 16956b90ab430f1836112c44807b832d8f520760 by Natanael Copa on 2019-05-06T16:17:54Z:
```
community/znc: security fix for CVE-2019-9917
fixes #10383
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10368[3.9] bind: Multiple vulnerabilities (CVE-2018-5743, CVE-2019-6467)2019-07-23T11:10:38ZAlicha CH[3.9] bind: Multiple vulnerabilities (CVE-2018-5743, CVE-2019-6467)CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
---------------------------------------------------------------
By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The ...CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
---------------------------------------------------------------
By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value
for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.6, 9.12.0 ->9.12.4,
9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 ->
9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 ->9.13.7 of the 9.13 development branch are also
affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
CVE-2019-6467: flaw in nxredirect can cause assertion failure
-------------------------------------------------------------
A programming error in the nxdomain-redirect feature can cause an
assertion failure in query.c if the alternate namespace used by
nxdomain-redirect is a descendant of a zone that is served locally.
The most likely scenario where this might occur is if the server, in
addition to performing NXDOMAIN redirection for recursive clients, is
also serving a local copy of the root zone or using mirroring
to provide the root zone, although other configurations are also
possible.
### Affected Versions:
BIND 9.12.0->9.12.4, 9.14.0. Also affects all releases in the 9.13
development branch.
### Fixed In Version:
bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2019-6467
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10368, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
* parent #10366
* Changesets:
* Revision 06bfe718fd41663cb0f35a441af82a32ca3ec15b by Natanael Copa on 2019-05-02T11:51:29Z:
```
main/bind: security upgrade to 9.12.4_p1 (CVE-2018-5743,CVE-2019-6467)
This release introduced 3 new tools with python dependency
(dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools
to a subpackage, bind-dnssec-tools, to avoid unexpectedly pull in python
as dependency for stable upgraders.
There are other tools in bind-tools that belongs to bind-dnssec-tools,
but we dont move those in a stable branch to avoid breaking things for
current users.
fixes #10368
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10362[3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)2019-07-23T11:10:46ZAlicha CH[3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)A vulnerability was found in libpng 1.6.36. The function
png\_image\_free in png.c has
a use-after-free because png\_image\_free\_function is called under
png\_safe\_execute.
This flaw is in the PNG Simplified API, which was introduce...A vulnerability was found in libpng 1.6.36. The function
png\_image\_free in png.c has
a use-after-free because png\_image\_free\_function is called under
png\_safe\_execute.
This flaw is in the PNG Simplified API, which was introduced
upstream in libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10362, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
* parent #10360
* Changesets:
* Revision c6ea56540262710775618c19e90adbe0e1177be3 by Leo Leo on 2019-05-06T07:42:25Z:
```
main/libpng: upgrade to 1.6.37
- Add secfixes
CVE-2019-7317
CVE-2018-14048
CVE-2018-14550
- Remove pkg-config detected depends_dev
- Split $pkgname-static
fixes #10362
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10325[3.9] freeradius: Multiple vulnerabilities (CVE-2019-11234, CVE-2019-11235)2019-07-23T11:11:05ZAlicha CH[3.9] freeradius: Multiple vulnerabilities (CVE-2019-11234, CVE-2019-11235)CVE-2019-11234: eap-pwd: fake authentication using reflection
-------------------------------------------------------------
A vulnerability was found in FreeRadius. An attacker can reflect the
received scalar and element from the server...CVE-2019-11234: eap-pwd: fake authentication using reflection
-------------------------------------------------------------
A vulnerability was found in FreeRadius. An attacker can reflect the
received scalar and element from the server in it’s own commit message,
and subsequently reflect the confirm value as well. This causes
the adversary to successfully authenticate as the victim. Fortunately,
the adversary will not posses the negotiated session key, meaning the
adversary cannot actually perform any actions as this user.
### Affected Versions:
freeradius 3.0.0 through 3.0.18
### Fixed In Version:
freeradius 3.0.19
References:
https://freeradius.org/security/
https://freeradius.org/release\_notes/?br=3.0.x&re=3.0.19
Patches:
https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586
https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769
CVE-2019-11235: eap-pwd: authentication bypass via an invalid curve attack
--------------------------------------------------------------------------
A vulnerability was found in FreeRadius. An invalid curve attack allows
an attacker to authenticate as any user (without knowing the password).
The problem is
that on the reception of an EAP-PWD Commit frame, FreeRADIUS doesn’t
verify whether the received elliptic curve point is valid.
### Fixed In Version:
freeradius 3.0.19
### References:
https://freeradius.org/security/
https://security-tracker.debian.org/tracker/CVE-2019-11235
### Patches:
https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586
https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769
*(from redmine: issue id 10325, created on 2019-04-25, closed on 2019-04-29)*
* Relations:
* parent #10324
* Changesets:
* Revision 065f2876051f76809327b30c47239ed3b8db0bd5 on 2019-04-25T14:16:50Z:
```
main/freeradius: security fixes (CVE-2019-11234, CVE-2019-11235)
Fixes #10325
```3.9.4Leonardo ArenaLeonardo Arenahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10322[3.9] wireshark: Multiple vulnerabilities (CVE-2019-10894, CVE-2019-10895, CV...2019-07-23T11:11:07ZAlicha CH[3.9] wireshark: Multiple vulnerabilities (CVE-2019-10894, CVE-2019-10895, CVE-2019-10896, CVE-2019-10899, CVE-2019-10901, CVE-2019-10903)CVE-2019-10894: GSS-API dissector crash
---------------------------------------
Affected versions: 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13
Fixed versions: 3.0.1, 2.6.8, 2.4.14
### References:
https://www.wireshark.org/security/wnpa-s...CVE-2019-10894: GSS-API dissector crash
---------------------------------------
Affected versions: 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13
Fixed versions: 3.0.1, 2.6.8, 2.4.14
### References:
https://www.wireshark.org/security/wnpa-sec-2019-14.html
CVE-2019-10895: NetScaler file parser crash
-------------------------------------------
Affected versions: 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13
Fixed versions: 3.0.1, 2.6.8, 2.4.14
### References:
https://www.wireshark.org/security/wnpa-sec-2019-09.html
CVE-2019-10896: DOF dissector crash
-----------------------------------
Affected versions: 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13
Fixed versions: 3.0.1, 2.6.8, 2.4.14
### References:
https://www.wireshark.org/security/wnpa-sec-2019-15.html
CVE-2019-10899: SRVLOC dissector crash
--------------------------------------
Affected versions: 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13
Fixed versions: 3.0.1, 2.6.8, 2.4.14
### References:
https://www.wireshark.org/security/wnpa-sec-2019-10.html
CVE-2019-10901: LDSS dissector crash
------------------------------------
Affected versions: 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13
Fixed versions: 3.0.1, 2.6.8, 2.4.14
### References:
https://www.wireshark.org/security/wnpa-sec-2019-17.html
CVE-2019-10903: DCERPC SPOOLSS dissector crash
----------------------------------------------
Affected versions: 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13
Fixed versions: 3.0.1, 2.6.8, 2.4.14
### References:
https://www.wireshark.org/security/wnpa-sec-2019-18.html
*(from redmine: issue id 10322, created on 2019-04-24, closed on 2019-05-01)*
* Changesets:
* Revision ef58f692397187895ac48d0c5645aed9f75cc943 on 2019-04-29T12:18:20Z:
```
community/wireshark: security upgrade to 2.6.8
CVE-2019-10894, CVE-2019-10895, CVE-2019-10896, CVE-2019-10899, CVE-2019-10901, CVE-2019-10903
Fixes #10322
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10304Missing libasan2022-12-20T22:43:30ZSerhii CharykovMissing libasanI use docker image and cannot build simple C/C<span
class="underline"></span> program with option: -fsanitize=address
I’ve checked several image version and have not find any package that
resembles libasan or has libasan\*.so.
Steps t...I use docker image and cannot build simple C/C<span
class="underline"></span> program with option: -fsanitize=address
I’ve checked several image version and have not find any package that
resembles libasan or has libasan\*.so.
Steps to reproduce:
docker run -it —rm alpine
apk add gcc musl-dev
echo “int main() {}” >test.c
gcc test.c -fsanitize=address
Result:
/usr/lib/gcc/x86\_64-alpine-linux-musl/8.3.0/../../../../x86\_64-alpine-linux-musl/bin/ld:
cannot find libasan\_preinit.o: No such file or directory
/usr/lib/gcc/x86\_64-alpine-linux-musl/8.3.0/../../../../x86\_64-alpine-linux-musl/bin/ld:
cannot find -lasan
collect2: error: ld returned 1 exit status
*(from redmine: issue id 10304, created on 2019-04-19, closed on 2019-05-06)*3.9.4https://gitlab.alpinelinux.org/alpine/aports/-/issues/10287[3.9] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-...2019-07-23T11:11:28ZAlicha CH[3.9] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325)CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequen...CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response
handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
### Affected Versions:
Ruby 2.4 series: 2.4.5 and earlier
Ruby 2.5 series: 2.5.3 and earlier
### Reference:
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
### Patches:
https://bugs.ruby-lang.org/attachments/7669 (for Ruby 2.4.5)
https://bugs.ruby-lang.org/attachments/7670 (for Ruby 2.5.3)
*(from redmine: issue id 10287, created on 2019-04-18, closed on 2019-05-06)*
* Relations:
* parent #10286
* Changesets:
* Revision 58244868e7a471ddf96e8d0ece88c240e34bff1c by Natanael Copa on 2019-05-06T17:40:49Z:
```
main/ruby: security upgrade to 2.5.5
- CVE-2019-8320
- CVE-2019-8321
- CVE-2019-8322
- CVE-2019-8323
- CVE-2019-8324
- CVE-2019-8325
fixes #10287
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10278[3.9] libxslt: security framework bypass (CVE-2019-11068)2019-07-23T11:11:35ZAlicha CH[3.9] libxslt: security framework bypass (CVE-2019-11068)libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a –1 error code. xsltCheckRead can return –1 for a crafted URL
that is not actually in...libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a –1 error code. xsltCheckRead can return –1 for a crafted URL
that is not actually invalid and is subsequently loaded.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://security-tracker.debian.org/tracker/CVE-2019-11068
### Patch:
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
*(from redmine: issue id 10278, created on 2019-04-17, closed on 2019-04-18)*
* Relations:
* parent #10276
* Changesets:
* Revision 4281a184d7a2aab9a0f2352a418084cad73ee2dc by Natanael Copa on 2019-04-17T07:22:42Z:
```
main/libxslt: security fix for CVE-2019-11068
fixes #10278
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10275can not encrypt lbu conf anymore with latest openssl2019-12-22T13:45:22ZV Scan not encrypt lbu conf anymore with latest openssltrying to encrypt my lbu on commit gives the following error:
lbu ci -e -p test
Invalid command ‘list-cipher-commands’; type “help” for a list.
Cipher aes-256-cbc is not supported
The error comes from openssl:
$ openssl list-ciph...trying to encrypt my lbu on commit gives the following error:
lbu ci -e -p test
Invalid command ‘list-cipher-commands’; type “help” for a list.
Cipher aes-256-cbc is not supported
The error comes from openssl:
$ openssl list-cipher-commands
>Invalid command ‘list-standard-commands’; type “help” for a list.
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
*(from redmine: issue id 10275, created on 2019-04-16, closed on 2019-05-09)*
* Changesets:
* Revision 82448d58fc0232afbaf804bd7e134bd91abddf8e by Richard Mortier on 2019-05-06T16:50:53Z:
```
main/alpine-conf: fix invocation of `openssl` when listing ciphers
openssl.1.1.1b appears to have replaced `list-cipher-commands` with
`enc-ciphers`
fixes #10275
(cherry picked from commit 4992e150a1841363523ae87bffde4c845cbf648e)
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10263[3.9] clamav: Multiple vulnerabilities (CVE-2019-1787, CVE-2019-1788, CVE-201...2019-07-23T11:11:43ZAlicha CH[3.9] clamav: Multiple vulnerabilities (CVE-2019-1787, CVE-2019-1788, CVE-2019-1789)**CVE-2019-1787**: An out-of-bounds heap read condition may occur when
scanning PDF documents. The defect
is a failure to correctly keep track of the number of bytes remaining in
a buffer when indexing file data.
### Fixed In Version:...**CVE-2019-1787**: An out-of-bounds heap read condition may occur when
scanning PDF documents. The defect
is a failure to correctly keep track of the number of bytes remaining in
a buffer when indexing file data.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1788**: An out-of-bounds heap write condition may occur when
scanning OLE2 files such as
Microsoft Office 97-2003 documents. The invalid write happens when an
invalid pointer is mistakenly
used to initialize a 32bit integer to zero. This is likely to crash the
application.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1789**: An out-of-bounds heap read condition may occur when
scanning PE files (i.e. Windows EXE and DLL files)
that have been packed using Aspack as a result of inadequate
bound-checking.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
*(from redmine: issue id 10263, created on 2019-04-16, closed on 2019-04-18)*
* Relations:
* parent #10261
* Changesets:
* Revision 287dc987d0bfa340aa510b11e2ad691a15b5ea4e on 2019-04-17T13:20:52Z:
```
main/clamav: security upgrade to 0.100.3
CVE-2019-1787, CVE-2019-1788, CVE-2019-1789
Fixes #10263
```3.9.4Carlo LandmeterCarlo Landmeterhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10253[3.9] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)2019-07-23T11:11:51ZAlicha CH[3.9] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)Lua 5.3.5 has a use-after-free in lua\_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### Referen...Lua 5.3.5 has a use-after-free in lua\_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### References:
http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
https://security-tracker.debian.org/tracker/CVE-2019-6706
*(from redmine: issue id 10253, created on 2019-04-15, closed on 2019-05-06)*
* Relations:
* parent #10251
* Changesets:
* Revision ebd55722b9637f4559c94b13e5e061ffef9fb4a3 by Natanael Copa on 2019-05-06T17:07:51Z:
```
main/lua5.3: security fix for CVE-2019-6706
fixes #10253
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10247[3.9] samba: Save registry file outside share as unprivileged user (CVE-2019-...2019-07-23T11:11:56ZAlicha CH[3.9] samba: Save registry file outside share as unprivileged user (CVE-2019-3880)Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg\_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hiv...Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg\_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.
### Affected Versions:
All versions of samba since samba 3.2.0
### Fixed In Version:
samba 4.8.11, 4.9.6 and 4.10.2
### References:
https://www.samba.org/samba/security/CVE-2019-3880.html
https://www.samba.org/samba/history/security.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.8.10-security-2019-04-08.patch
*(from redmine: issue id 10247, created on 2019-04-15, closed on 2019-04-18)*
* Relations:
* parent #10246
* Changesets:
* Revision 46d7859df86413549905a72f31b1f89c45fb34aa on 2019-04-15T13:07:20Z:
```
main/samba: security upgrade to 4.8.11
CVE-2018-14629, CVE-2019-3880
Fixes #10247
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
* Revision 186547c42b833832f85ac23b0d11eef6805258fc on 2019-04-15T14:45:19Z:
```
main/samba: security upgrade to 4.8.11
CVE-2018-14629, CVE-2019-3880
Fixes #10247
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10218Promote amavisd-milter from testing -> main repository2019-07-23T11:12:09ZMiguel Da SilvaPromote amavisd-milter from testing -> main repositoryThe package amavisd-milter is currently in the testing repository.
We have several productive mail servers using this package without any
issue. Please move this package to the main repo.
*(from redmine: issue id 10218, created on 20...The package amavisd-milter is currently in the testing repository.
We have several productive mail servers using this package without any
issue. Please move this package to the main repo.
*(from redmine: issue id 10218, created on 2019-04-08, closed on 2019-05-09)*
* Changesets:
* Revision 05811c2c809d49ffaaa0e3047eee03a90c2a074e by Natanael Copa on 2019-05-06T17:32:31Z:
```
main/amavisd-milter: promote from testing
fixes #10218
```3.9.4https://gitlab.alpinelinux.org/alpine/aports/-/issues/10207notify-send not displaying messages2019-07-23T11:12:18Zxrsnotify-send not displaying messagesTest with notify-send:
$ notify-send “hello, world”
No output on display using Xorg-Server.
*(from redmine: issue id 10207, created on 2019-04-07, closed on 2019-05-09)*Test with notify-send:
$ notify-send “hello, world”
No output on display using Xorg-Server.
*(from redmine: issue id 10207, created on 2019-04-07, closed on 2019-05-09)*3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10166[3.9] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-...2019-07-23T11:12:55ZAlicha CH[3.9] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)CVE-2018-5744: A specially crafted packet can cause named to leak memory
------------------------------------------------------------------------
A flaw was found in Bind. A failure to free memory can occur when
processing messages havi...CVE-2018-5744: A specially crafted packet can cause named to leak memory
------------------------------------------------------------------------
A flaw was found in Bind. A failure to free memory can occur when
processing messages having a specific combination of EDNS options,
causing named’s memory use to grow without bounds until all memory is
exhausted.
### Versions affected:
BIND 9.10.7 ->9.10.8-P1, 9.11.3 ->9.11.5-P1, 9.12.0 ->
9.12.3-P1
### Reference:
https://kb.isc.org/docs/cve-2018-5744
CVE-2018-5745: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
------------------------------------------------------------------------------------------------------------------------
A flaw was found in Bind. Due to an error in the managed-keys feature it
is possible for a BIND server which
uses managed-keys to exit due to an assertion failure causing denial of
service.
### Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P1, 9.12.0 ->
9.12.3-P1
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2018-5745
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
-------------------------------------------------------------------------------
A flaw was found in Bind. Controls for zone transfers may not be
properly applied to Dynamically Loadable Zones (DLZs) if the zones are
writable.
A client exercising this defect can request and receive a zone transfers
of a DLZ even when not permitted to do so by the allow-transfer ACL.
### Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P2, 9.12.0 ->
9.12.3-P2
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2019-6465
*(from redmine: issue id 10166, created on 2019-03-27, closed on 2019-04-15)*
* Relations:
* parent #10164
* Changesets:
* Revision a72d66cd67f20dec8e4eb3d6f2b387a11a0bfbf8 by Chris Ely on 2019-04-12T06:06:29Z:
```
main/bind: security upgrade to 9.12.3-P4
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
Fixes #10166
```
* Revision f760ea50ec9278664e1aa8c0a5fb9f216770113b by Chris Ely on 2019-04-15T06:43:36Z:
```
main/bind: security upgrade to 9.12.3_p4
https://ftp.isc.org/isc/bind9/9.12.3-P4/RELEASE-NOTES-bind-9.12.3-P4.html
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
- CVE-2018-5740
- CVE-2018-5738
- CVE-2018-5737
- CVE-2018-5736
Fixes #10166
BIND is open source software licenced under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
BIND 9.12 will be supported until at least May, 2019.
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10163install of openssl 1.1.1b installs old version of libssl and libcrypto2019-07-23T11:12:58ZMathias Schüpanyinstall of openssl 1.1.1b installs old version of libssl and libcryptoI noticed, that if you install openssl on alpine 3.9 the latest openssl
version (1.1.1b-r1) got installed. But the dependencies libcrypto1.1 and
libssl1.1 are currently on the older version 1.1.1a.
The “openssl version” command to verif...I noticed, that if you install openssl on alpine 3.9 the latest openssl
version (1.1.1b-r1) got installed. But the dependencies libcrypto1.1 and
libssl1.1 are currently on the older version 1.1.1a.
The “openssl version” command to verify the mistake:
# openssl version
OpenSSL 1.1.1b 26 Feb 2019 (Library: OpenSSL 1.1.1a 20 Nov 2018)
Steps to reproduce and verify:
# docker run -it --rm alpine:3.9 ash
# apk add --no-cache openssl
# openssl version
OpenSSL 1.1.1b 26 Feb 2019 (Library: OpenSSL 1.1.1a 20 Nov 2018)
# strings /lib/libssl.so.1.1 | grep "OpenSSL 1.1.1"
OpenSSL 1.1.1a 20 Nov 2018
strings /lib/libcrypto.so.1.1 | grep "OpenSSL 1.1.1"
OpenSSL 1.1.1a 20 Nov 2018
This problem does not not happen if you install openssl-dev. Then the
libcrypto1.1 and libssl1.1 libs got installed in the correct version.
*(from redmine: issue id 10163, created on 2019-03-26, closed on 2019-04-09)*3.9.4https://gitlab.alpinelinux.org/alpine/aports/-/issues/10147Kernel: include driver for Realtek RTL8822BE2019-07-23T11:13:06ZSteffen NurpmesoKernel: include driver for Realtek RTL8822BEThe rtlwifi package has the firmware, but the driver is missing!
Any idea how i get myself going?
The driver seems to be in staging/ (for several years already).
Help!
*(from redmine: issue id 10147, created on 2019-03-21, closed...The rtlwifi package has the firmware, but the driver is missing!
Any idea how i get myself going?
The driver seems to be in staging/ (for several years already).
Help!
*(from redmine: issue id 10147, created on 2019-03-21, closed on 2019-05-09)*
* Changesets:
* Revision bcc823517a30cc3c742f66bbc8bedf24bf50507b by Natanael Copa on 2019-04-28T14:06:27Z:
```
main/linux-vanilla: enable Realtek RTL8822BE driver
found in Lenovo IdeaPad
ref #10147
```
* Revision bdf5964bf21bf554b1ce01792da21aee74c46e0e by Natanael Copa on 2019-05-06T12:30:12Z:
```
main/linux-vanilla: enable Realtek RTL8822BE driver
found in Lenovo IdeaPad
fixes #10147
(cherry picked from commit bcc823517a30cc3c742f66bbc8bedf24bf50507b)
```3.9.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10120Why is Strongswan built without --enable-aesni support?2019-07-23T11:13:26ZVer friemeltWhy is Strongswan built without --enable-aesni support?Hi,
i have been wondering for some time that Strongswan is built in alpine
linux without —enable-aesni. Is there a special reason for this?
With every new release I build strongswan identical to the apk, only
that I add —enable-aesni.
...Hi,
i have been wondering for some time that Strongswan is built in alpine
linux without —enable-aesni. Is there a special reason for this?
With every new release I build strongswan identical to the apk, only
that I add —enable-aesni.
It would be great if this would be supported by default.
Background information about AESNI support in strongswan:
https://wiki.strongswan.org/versions/56
Many thanks in advance.
*(from redmine: issue id 10120, created on 2019-03-16, closed on 2019-05-09)*
* Changesets:
* Revision 302749e2d5084f8f091e4614d4393b0d98961c7d by Natanael Copa on 2019-05-06T16:44:28Z:
```
main/strongswan: enable aesni on x86_64
ref #10120
```
* Revision ad5880649bfc0d3e16b658d5b8517e86e9b1c260 by Natanael Copa on 2019-05-06T16:46:02Z:
```
main/strongswan: enable aesni on x86_64
fixes #10120
(cherry picked from commit 302749e2d5084f8f091e4614d4393b0d98961c7d)
```3.9.4Timo TeräsTimo Teräshttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10113[3.9] webkit2gtk: Multiple vulnerabilities (CVE-2018-4437, CVE-2019-6212, CVE...2019-07-23T11:13:29ZAlicha CH[3.9] webkit2gtk: Multiple vulnerabilities (CVE-2018-4437, CVE-2019-6212, CVE-2019-6215, CVE-2019-6216, CVE-2019-6217, CVE-2019-6227, CVE-2019-6229)**CVE-2018-4437**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.5
### Refe...**CVE-2018-4437**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.5
### Reference:
https://webkitgtk.org/security/WSA-2018-0009.html
**CVE-2019-6212**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.6
**CVE-2019-6215**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A type confusion issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.22.6
**CVE-2019-6216**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.5
**CVE-2019-6217**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.5
**CVE-2019-6227**
Versions affected: WebKitGTK+ before 2.22.5
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
**CVE-2019-6229**
Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
2.22.3.
Processing maliciously crafted web content may lead to universal cross
site scripting.
A logic issue was addressed with improved validation.
### Reference:
https://webkitgtk.org/security/WSA-2019-0001.html
*(from redmine: issue id 10113, created on 2019-03-14, closed on 2019-04-15)*
* Relations:
* parent #10111
* Changesets:
* Revision 9333b6b69da075f380935e8a636fb1cd817bf74d on 2019-04-12T08:26:20Z:
```
community/webkit2gtk: security upgrade to 2.22.7
CVE-2018-4437, CVE-2019-6212, CVE-2019-6215, CVE-2019-6216,
CVE-2019-6217, CVE-2019-6227, CVE-2019-6229
Fixes #10113
```3.9.4