aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2023-06-21T10:49:00Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9921
dovecot-pigeonhole-plugin (sieve) not functional (on armhf only?)
2023-06-21T10:49:00Z
algitbot
As soon as a user logs in, dlopen() complains with the following
error:
Error relocating /usr/lib/dovecot/lib90_sieve_plugin.so:
mail_deliver_get_return_address: symbol not found
As a result, the client cannot connect. It is irrespective of the client
using sieve or not, in other words, as soon as this plugin is enabled,
dovecot becomes useless because it cannot accept new IMAP connections.
Version 2.3.3-r0
Platform: armhf.
I don’t know if this occurs on other platforms as well.
*(from redmine: issue id 9921, created on 2019-01-26, closed on 2019-05-09)*
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10304
Missing libasan
2022-12-20T22:43:30Z
Serhii Charykov
I use docker image and cannot build simple C/C++ program with option: -fsanitize=address
I’ve checked several image versions and have not found any package that
resembles libasan or has libasan*.so.
Steps to reproduce:
```
docker run -it --rm alpine
apk add gcc musl-dev
echo "int main() {}" >test.c
gcc test.c -fsanitize=address
```
Result:
```
/usr/lib/gcc/x86_64-alpine-linux-musl/8.3.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find libasan_preinit.o: No such file or directory
/usr/lib/gcc/x86_64-alpine-linux-musl/8.3.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find -lasan
collect2: error: ld returned 1 exit status
```
*(from redmine: issue id 10304, created on 2019-04-19, closed on 2019-05-06)*
3.9.4

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10025
wpa_supplicant starts slowly when lacking entropy
2021-07-18T07:23:52Z
Marnix Rijnart
When a Raspberry Pi boots without a keyboard attached the kernel has low
entropy which causes wpa_supplicant to start slowly, sometimes minutes.
This can be fixed by installing the rng-tools and rng-tools-openrc
packages, and starting the rngd service, this feeds the kernel with
/dev/hwrng from the Pi’s hardware rng.
However, wpa_supplicant needs to start AFTER the rngd service (when
it’s available), so wpa_supplicant.initd in the wpa_supplicant-openrc
package would need this change:
- after bootmisc modules
+ after bootmisc modules entropy
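Review bot: on the added `after bootmisc modules entropy` line, `entropy` is not the name the report uses for the service (it calls it rngd), so the ordering only has an effect if the rngd init script from rng-tools-openrc provides `entropy`; say so in the change description or name the service directly. Keeping this on the `after` line rather than making it a hard dependency matches the report's "when it's available" wording.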
*(from redmine: issue id 10025, created on 2019-02-22, closed on 2019-05-09)*
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9960
Boot delay/issues because of limited entropy
2020-02-11T21:03:42Z
Carlo Landmeter
In Alpine Linux 3.9, the booting process may be slowed down by entropy
generation.
This is because RDRAND (entropy gathering that requires trusting the
CPU) is disabled by default.
This decision was made due to a lack of consensus as to whether or not
the hardware can be trusted to perform randomness generation (a
security-critical task).
It is possible to re-enable it through the kernel command line as so:
‘random.trust_cpu=on’.
If you trust the CPU manufacturer, add ‘random.trust_cpu=on’ to your
kernel command line using the configuration of your boot manager.
If you do not, but still wish to gain a faster boot speed, you may
consider haveged or similar entropy-generating daemons.
We already discussed on IRC how we could work around this issue by
detecting entropy in the installer but this would not cover users who
are upgrading.
Other ways would be to alarm the user at boot when entropy is too low
and services would be slow or fail to start.
*(from redmine: issue id 9960, created on 2019-02-04, closed on 2019-05-09)*
* Changesets:
* Revision e67c2f8bcb163695a5917e059a2c7ba46726ee89 by Natanael Copa on 2019-04-25T12:31:17Z:
```
main/linux-vanilla: upgrade to 4.19.36
also enable CONFIG_RANDOM_TRUST_CPU
https://askubuntu.com/questions/1070433/will-ubuntu-enable-random-trust-cpu-in-the-kernel-and-what-would-be-the-effect/1071196#1071196
ref #9960
```
* Revision 3dab4b1742164b25f19cb39b91f51762c68f76d5 by Natanael Copa on 2019-05-06T12:30:12Z:
```
main/linux-vanilla: upgrade to 4.19.36
also enable CONFIG_RANDOM_TRUST_CPU
https://askubuntu.com/questions/1070433/will-ubuntu-enable-random-trust-cpu-in-the-kernel-and-what-would-be-the-effect/1071196#1071196
fixes #9960
(cherry picked from commit e67c2f8bcb163695a5917e059a2c7ba46726ee89)
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10275
can not encrypt lbu conf anymore with latest openssl
2019-12-22T13:45:22Z
V S
trying to encrypt my lbu on commit gives the following error:
lbu ci -e -p test
Invalid command ‘list-cipher-commands’; type “help” for a list.
Cipher aes-256-cbc is not supported
The error comes from openssl:
$ openssl list-cipher-commands
>Invalid command ‘list-standard-commands’; type “help” for a list.
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
*(from redmine: issue id 10275, created on 2019-04-16, closed on 2019-05-09)*
* Changesets:
* Revision 82448d58fc0232afbaf804bd7e134bd91abddf8e by Richard Mortier on 2019-05-06T16:50:53Z:
```
main/alpine-conf: fix invocation of `openssl` when listing ciphers
openssl.1.1.1b appears to have replaced `list-cipher-commands` with
`enc-ciphers`
fixes #10275
(cherry picked from commit 4992e150a1841363523ae87bffde4c845cbf648e)
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8665
shadow-doc package install error
2019-07-23T11:34:17Z
algitbot
When installing shadow-doc package, I get the following errors:
(1/1) Installing shadow-doc (4.5-r0)
ERROR: shadow-doc-4.5-r0: trying to overwrite
usr/share/man/man1/groups.1.gz owned by coreutils-doc-8.29-r2.
ERROR: shadow-doc-4.5-r0: trying to overwrite
usr/share/man/man8/nologin.8.gz owned by util-linux-doc-2.31-r0.
Executing mdocml-apropos-1.14.3-r0.trigger
1 error; 6441 MiB in 784 packages
*(from redmine: issue id 8665, created on 2018-03-18, closed on 2019-05-09)*
* Changesets:
* Revision e2b78d8aaecccd0111a10a016573f3f64c3b381a by Natanael Copa on 2019-05-06T09:18:20Z:
```
community/shadow: fix conflict with util-linux-doc and coreutils-doc
ref #8665
```
* Revision 51b2f7042f969031e9dcc7c557f96645977dbe22 by Natanael Copa on 2019-05-06T09:26:40Z:
```
community/shadow: fix conflict with util-linux-doc and coreutils-doc
fixes #8665
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9549
Raspberry Pi 3B+ WiFi - Unable to set region, possible udev issue
2019-07-23T11:19:50Z
Randy Damron
Raspberry Pi 3B+ on board wifi fails to start.
```
alpinepi:/# iwlist wlan0 scan
wlan0 Interface doesn’t support scanning : Interrupted system call
alpinepi:/# rfkill list
0: phy0: wlan
Soft blocked: no
Hard blocked: no
```
Some misc internet posts suggest that you have to set the regulatory
domain before the interface will come up. Tried to set many ways
including wpa_supplicant, iw, and setting a modprobe.d config.
```
alpinepi:/# cat /etc/modprobe.d/cfg80211.conf
options cfg80211 ieee80211_regdom=US
```
At this point I believe it’s either firmware or possibly a udev issue.
*(from redmine: issue id 9549, created on 2018-10-10, closed on 2019-05-09)*
* Changesets:
* Revision 879ccecb8bae7421243903595a65f25ffb88e69e by Timo Teräs on 2019-02-15T09:22:39Z:
```
community/wireless-regdb: include the new format firmware file
ref #9549
```
* Revision 64c5d7842ff796ab257b1cdef4f996bf04990c97 by Timo Teräs on 2019-02-15T12:18:24Z:
```
main/alpine-conf: include wifi regulatory db in modloop
ref #9549
```
* Revision e48587de6695462214576089efe77370478700aa by Timo Teräs on 2019-02-15T12:42:34Z:
```
scripts/mkimg.base.sh: include wifi regulatory database in modloop
ref #9549
```
* Revision 9d2189d22896aa7e6061d5883f36821546f1f706 by Timo Teräs on 2019-02-22T12:02:12Z:
```
main/alpine-conf: include wifi regulatory db in modloop
ref #9549
(cherry picked from commit 64c5d7842ff796ab257b1cdef4f996bf04990c97)
```
* Revision 166a2ebba50a675bf2ee4ec39d5bb81d8a691275 by Timo Teräs on 2019-02-22T12:03:10Z:
```
community/wireless-regdb: include the new format firmware file
ref #9549
(cherry picked from commit 879ccecb8bae7421243903595a65f25ffb88e69e)
```
* Revision 6d5a5abc5f6e4e823991b64277c60667cfa37482 by Timo Teräs on 2019-02-28T21:09:54Z:
```
scripts/mkimg.base.sh: include wifi regulatory database in modloop
ref #9549
(cherry picked from commit e48587de6695462214576089efe77370478700aa)
```
* Revision 0a01a2870e96c61b8bf6ecb2d98f4acb629c36d8 by Timo Teräs on 2019-03-22T19:26:15Z:
```
main/linux-firmware: upgrade to 20190322, update rpi firmwares
* update rpi wifi firmware, use better source
* update rpi bluetooth firmware
* purge additional source code files
ref #9549
```
* Revision 96bda76be60e16d17e26feb82e7686a865b6695c by Timo Teräs on 2019-03-22T19:26:15Z:
```
main/alpine-conf: include associated firmware files to modloop
ref #9549
```
* Revision 511029415765f681f793c9fe3f6e7cf4862fbcac by Timo Teräs on 2019-04-11T11:03:20Z:
```
main/linux-firmware: upgrade to 20190322, update rpi firmwares
* update rpi wifi firmware, use better source
* update rpi bluetooth firmware
* purge additional source code files
ref #9549
(cherry picked from commit 0a01a2870e96c61b8bf6ecb2d98f4acb629c36d8)
```
* Revision 13a39a8f941e35e76a23bce3750e26f72ad12717 by Timo Teräs on 2019-04-11T11:03:32Z:
```
main/alpine-conf: include associated firmware files to modloop
ref #9549
(cherry picked from commit 96bda76be60e16d17e26feb82e7686a865b6695c)
```
* Revision c786cb5c3cc3c9b1dcfd3ccda7f61abe81ae07da by Timo Teräs on 2019-06-14T12:20:46Z:
```
update-kernel: include associated firmware files to modloop
Some drivers reference only the .bin but require additional
files such as .$board.txt or .clm_blob. Include all files
in modloop that might match. ref #9549
```
3.9.4
Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10056
[3.9] freerdp: Multiple vulnerabilities (CVE-2018-8786, CVE-2018-8787, CVE-2018-8788, CVE-2018-8789)
2019-07-23T11:14:05Z
Alicha CH
**CVE-2018-8786**: FreeRDP prior to version 2.0.0-rc4 contains an
Integer Truncation that leads to a Heap-Based Buffer Overflow in
function update_read_bitmap_update() and results in a memory
corruption and probably even a remote code execution.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-8786
### Patch:
https://github.com/FreeRDP/FreeRDP/commit/445a5a42c500ceb80f8fa7f2c11f3682538033f3
**CVE-2018-8787**: FreeRDP prior to version 2.0.0-rc4 contains an
Integer Overflow that leads to a Heap-Based Buffer Overflow in
function gdi_Bitmap_Decompress() and results in a memory corruption
and probably even a remote code execution.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-8787
### Patch:
https://github.com/FreeRDP/FreeRDP/commit/09b9d4f1994a674c4ec85b4947aa656eda1aed8a
**CVE-2018-8788**: FreeRDP prior to version 2.0.0-rc4 contains an
Out-Of-Bounds Write of up to 4 bytes in
function nsc_rle_decode() that results in a memory corruption and
possibly even a remote code execution.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-8788
### Patch:
https://github.com/FreeRDP/FreeRDP/commit/d1112c279bd1a327e8e4d0b5f371458bf2579659
**CVE-2018-8789**: FreeRDP prior to version 2.0.0-rc4 contains several
Out-Of-Bounds Reads in the NTLM
Authentication module that results in a Denial of Service (segfault).
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-8789
### Patch:
https://github.com/FreeRDP/FreeRDP/commit/2ee663f39dc8dac3d9988e847db19b2d7e3ac8c6
*(from redmine: issue id 10056, created on 2019-03-05, closed on 2019-04-18)*
* Changesets:
* Revision 0711692c669f13dd536c845cb15cb205c9e88d12 on 2019-04-17T13:12:48Z:
```
community/freerdp: security upgrade to 2.0.0_rc4
CVE-2018-8786, CVE-2018-8787, CVE-2018-8788, CVE-2018-8789
Fixes #10056
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10113
[3.9] webkit2gtk: Multiple vulnerabilities (CVE-2018-4437, CVE-2019-6212, CVE-2019-6215, CVE-2019-6216, CVE-2019-6217, CVE-2019-6227, CVE-2019-6229)
2019-07-23T11:13:29Z
Alicha CH
**CVE-2018-4437**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.5
### Reference:
https://webkitgtk.org/security/WSA-2018-0009.html
**CVE-2019-6212**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.6
**CVE-2019-6215**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A type confusion issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.22.6
**CVE-2019-6216**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.5
**CVE-2019-6217**
Processing maliciously crafted web content may lead to arbitrary code
execution.
Multiple memory corruption issues were addressed with improved memory
handling.
Versions affected: WebKitGTK+ before 2.22.5
**CVE-2019-6227**
Versions affected: WebKitGTK+ before 2.22.5
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
**CVE-2019-6229**
Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
2.22.3.
Processing maliciously crafted web content may lead to universal cross
site scripting.
A logic issue was addressed with improved validation.
### Reference:
https://webkitgtk.org/security/WSA-2019-0001.html
*(from redmine: issue id 10113, created on 2019-03-14, closed on 2019-04-15)*
* Relations:
* parent #10111
* Changesets:
* Revision 9333b6b69da075f380935e8a636fb1cd817bf74d on 2019-04-12T08:26:20Z:
```
community/webkit2gtk: security upgrade to 2.22.7
CVE-2018-4437, CVE-2019-6212, CVE-2019-6215, CVE-2019-6216,
CVE-2019-6217, CVE-2019-6227, CVE-2019-6229
Fixes #10113
```
3.9.4

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10120
Why is Strongswan built without --enable-aesni support?
2019-07-23T11:13:26Z
Ver friemelt
Hi,
I have been wondering for some time that Strongswan is built in alpine
linux without --enable-aesni. Is there a special reason for this?
With every new release I build strongswan identical to the apk, only
that I add --enable-aesni.
It would be great if this would be supported by default.
Background information about AESNI support in strongswan:
https://wiki.strongswan.org/versions/56
Many thanks in advance.
*(from redmine: issue id 10120, created on 2019-03-16, closed on 2019-05-09)*
* Changesets:
* Revision 302749e2d5084f8f091e4614d4393b0d98961c7d by Natanael Copa on 2019-05-06T16:44:28Z:
```
main/strongswan: enable aesni on x86_64
ref #10120
```
* Revision ad5880649bfc0d3e16b658d5b8517e86e9b1c260 by Natanael Copa on 2019-05-06T16:46:02Z:
```
main/strongswan: enable aesni on x86_64
fixes #10120
(cherry picked from commit 302749e2d5084f8f091e4614d4393b0d98961c7d)
```
3.9.4
Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10147
Kernel: include driver for Realtek RTL8822BE
2019-07-23T11:13:06Z
Steffen Nurpmeso
The rtlwifi package has the firmware, but the driver is missing!
Any idea how I get myself going?
The driver seems to be in staging/ (for several years already).
Help!
*(from redmine: issue id 10147, created on 2019-03-21, closed on 2019-05-09)*
* Changesets:
* Revision bcc823517a30cc3c742f66bbc8bedf24bf50507b by Natanael Copa on 2019-04-28T14:06:27Z:
```
main/linux-vanilla: enable Realtek RTL8822BE driver
found in Lenovo IdeaPad
ref #10147
```
* Revision bdf5964bf21bf554b1ce01792da21aee74c46e0e by Natanael Copa on 2019-05-06T12:30:12Z:
```
main/linux-vanilla: enable Realtek RTL8822BE driver
found in Lenovo IdeaPad
fixes #10147
(cherry picked from commit bcc823517a30cc3c742f66bbc8bedf24bf50507b)
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10163
install of openssl 1.1.1b installs old version of libssl and libcrypto
2019-07-23T11:12:58Z
Mathias Schüpany
I noticed, that if you install openssl on alpine 3.9 the latest openssl
version (1.1.1b-r1) got installed. But the dependencies libcrypto1.1 and
libssl1.1 are currently on the older version 1.1.1a.
The “openssl version” command to verify the mistake:
```
# openssl version
OpenSSL 1.1.1b 26 Feb 2019 (Library: OpenSSL 1.1.1a 20 Nov 2018)
```
Steps to reproduce and verify:
```
# docker run -it --rm alpine:3.9 ash
# apk add --no-cache openssl
# openssl version
OpenSSL 1.1.1b 26 Feb 2019 (Library: OpenSSL 1.1.1a 20 Nov 2018)
# strings /lib/libssl.so.1.1 | grep "OpenSSL 1.1.1"
OpenSSL 1.1.1a 20 Nov 2018
strings /lib/libcrypto.so.1.1 | grep "OpenSSL 1.1.1"
OpenSSL 1.1.1a 20 Nov 2018
```
This problem does not happen if you install openssl-dev. Then the
libcrypto1.1 and libssl1.1 libs got installed in the correct version.
*(from redmine: issue id 10163, created on 2019-03-26, closed on 2019-04-09)*
3.9.4

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10166
[3.9] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
2019-07-23T11:12:55Z
Alicha CH
CVE-2018-5744: A specially crafted packet can cause named to leak memory
------------------------------------------------------------------------
A flaw was found in Bind. A failure to free memory can occur when
processing messages having a specific combination of EDNS options,
causing named’s memory use to grow without bounds until all memory is
exhausted.
### Versions affected:
BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1
### Reference:
https://kb.isc.org/docs/cve-2018-5744
CVE-2018-5745: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
------------------------------------------------------------------------------------------------------------------------
A flaw was found in Bind. Due to an error in the managed-keys feature it
is possible for a BIND server which
uses managed-keys to exit due to an assertion failure causing denial of
service.
### Versions affected:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2018-5745
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
-------------------------------------------------------------------------------
A flaw was found in Bind. Controls for zone transfers may not be
properly applied to Dynamically Loadable Zones (DLZs) if the zones are
writable.
A client exercising this defect can request and receive a zone transfer
of a DLZ even when not permitted to do so by the allow-transfer ACL.
### Versions affected:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2019-6465
*(from redmine: issue id 10166, created on 2019-03-27, closed on 2019-04-15)*
* Relations:
* parent #10164
* Changesets:
* Revision a72d66cd67f20dec8e4eb3d6f2b387a11a0bfbf8 by Chris Ely on 2019-04-12T06:06:29Z:
```
main/bind: security upgrade to 9.12.3-P4
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
Fixes #10166
```
* Revision f760ea50ec9278664e1aa8c0a5fb9f216770113b by Chris Ely on 2019-04-15T06:43:36Z:
```
main/bind: security upgrade to 9.12.3_p4
https://ftp.isc.org/isc/bind9/9.12.3-P4/RELEASE-NOTES-bind-9.12.3-P4.html
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
- CVE-2018-5740
- CVE-2018-5738
- CVE-2018-5737
- CVE-2018-5736
Fixes #10166
BIND is open source software licenced under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
BIND 9.12 will be supported until at least May, 2019.
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10207
notify-send not displaying messages
2019-07-23T11:12:18Z
xrs
Test with notify-send:
```
$ notify-send "hello, world"
```
No output on display using Xorg-Server.
*(from redmine: issue id 10207, created on 2019-04-07, closed on 2019-05-09)*
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10218
Promote amavisd-milter from testing -> main repository
2019-07-23T11:12:09Z
Miguel Da Silva
The package amavisd-milter is currently in the testing repository.
We have several productive mail servers using this package without any
issue. Please move this package to the main repo.
*(from redmine: issue id 10218, created on 2019-04-08, closed on 2019-05-09)*
* Changesets:
* Revision 05811c2c809d49ffaaa0e3047eee03a90c2a074e by Natanael Copa on 2019-05-06T17:32:31Z:
```
main/amavisd-milter: promote from testing
fixes #10218
```
3.9.4

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10247
[3.9] samba: Save registry file outside share as unprivileged user (CVE-2019-3880)
2019-07-23T11:11:56Z
Alicha CH
Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.
### Affected Versions:
All versions of samba since samba 3.2.0
### Fixed In Version:
samba 4.8.11, 4.9.6 and 4.10.2
### References:
https://www.samba.org/samba/security/CVE-2019-3880.html
https://www.samba.org/samba/history/security.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.8.10-security-2019-04-08.patch
*(from redmine: issue id 10247, created on 2019-04-15, closed on 2019-04-18)*
* Relations:
* parent #10246
* Changesets:
* Revision 46d7859df86413549905a72f31b1f89c45fb34aa on 2019-04-15T13:07:20Z:
```
main/samba: security upgrade to 4.8.11
CVE-2018-14629, CVE-2019-3880
Fixes #10247
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
* Revision 186547c42b833832f85ac23b0d11eef6805258fc on 2019-04-15T14:45:19Z:
```
main/samba: security upgrade to 4.8.11
CVE-2018-14629, CVE-2019-3880
Fixes #10247
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10253
[3.9] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)
2019-07-23T11:11:51Z
Alicha CH
Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### References:
http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
https://security-tracker.debian.org/tracker/CVE-2019-6706
*(from redmine: issue id 10253, created on 2019-04-15, closed on 2019-05-06)*
* Relations:
* parent #10251
* Changesets:
* Revision ebd55722b9637f4559c94b13e5e061ffef9fb4a3 by Natanael Copa on 2019-05-06T17:07:51Z:
```
main/lua5.3: security fix for CVE-2019-6706
fixes #10253
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10263
[3.9] clamav: Multiple vulnerabilities (CVE-2019-1787, CVE-2019-1788, CVE-2019-1789)
2019-07-23T11:11:43Z
Alicha CH
**CVE-2019-1787**: An out-of-bounds heap read condition may occur when
scanning PDF documents. The defect
is a failure to correctly keep track of the number of bytes remaining in
a buffer when indexing file data.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1788**: An out-of-bounds heap write condition may occur when
scanning OLE2 files such as
Microsoft Office 97-2003 documents. The invalid write happens when an
invalid pointer is mistakenly
used to initialize a 32bit integer to zero. This is likely to crash the
application.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
**CVE-2019-1789**: An out-of-bounds heap read condition may occur when
scanning PE files (i.e. Windows EXE and DLL files)
that have been packed using Aspack as a result of inadequate
bound-checking.
### Fixed In Version:
ClamAV 0.100.3
### Reference:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
*(from redmine: issue id 10263, created on 2019-04-16, closed on 2019-04-18)*
* Relations:
* parent #10261
* Changesets:
* Revision 287dc987d0bfa340aa510b11e2ad691a15b5ea4e on 2019-04-17T13:20:52Z:
```
main/clamav: security upgrade to 0.100.3
CVE-2019-1787, CVE-2019-1788, CVE-2019-1789
Fixes #10263
```
3.9.4
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10278
[3.9] libxslt: security framework bypass (CVE-2019-11068)
2019-07-23T11:11:35Z
Alicha CH
libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL
that is not actually invalid and is subsequently loaded.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://security-tracker.debian.org/tracker/CVE-2019-11068
### Patch:
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
*(from redmine: issue id 10278, created on 2019-04-17, closed on 2019-04-18)*
* Relations:
* parent #10276
* Changesets:
* Revision 4281a184d7a2aab9a0f2352a418084cad73ee2dc by Natanael Copa on 2019-04-17T07:22:42Z:
```
main/libxslt: security fix for CVE-2019-11068
fixes #10278
```
3.9.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10287
[3.9] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325)
2019-07-23T11:11:28Z
Alicha CH
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response
handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
### Affected Versions:
Ruby 2.4 series: 2.4.5 and earlier
Ruby 2.5 series: 2.5.3 and earlier
### Reference:
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
### Patches:
https://bugs.ruby-lang.org/attachments/7669 (for Ruby 2.4.5)
https://bugs.ruby-lang.org/attachments/7670 (for Ruby 2.5.3)
*(from redmine: issue id 10287, created on 2019-04-18, closed on 2019-05-06)*
* Relations:
* parent #10286
* Changesets:
* Revision 58244868e7a471ddf96e8d0ece88c240e34bff1c by Natanael Copa on 2019-05-06T17:40:49Z:
```
main/ruby: security upgrade to 2.5.5
- CVE-2019-8320
- CVE-2019-8321
- CVE-2019-8322
- CVE-2019-8323
- CVE-2019-8324
- CVE-2019-8325
fixes #10287
```
3.9.4
Natanael Copa