aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2019-07-23T14:12:38Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2675
[v2.7] curl: can allow unauthorized disclosure and modification (CVE-2014-0015)
2019-07-23T14:12:38Z
Alexander Belous

curl and libcurl 7.10.6 through 7.34.0, when more than one
authentication method is enabled, re-uses NTLM connections, which might
allow context-dependent attackers to authenticate as other users via a
request.
CONFIRM: http://curl.haxx.se/docs/adv_20140129.html
DSA-2849: http://www.debian.org/security/2014/dsa-2849
SECUNIA: http://secunia.com/advisories/56734;
http://secunia.com/advisories/56728
*(from redmine: issue id 2675, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2671
* Changesets:
* Revision 87695382a0912cb2c7bc8593f3b6fce6c4335334 by Natanael Copa on 2014-02-04T16:34:48Z:
```
main/curl: fix CVE-2014-0015
fixes #2675
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2670
[v2.7] augeas: CVE-2012-0786 CVE-2012-0787 CVE-2013-6412
2019-07-23T14:12:44Z
Alexander Belous

Multiple flaws were found in the way Augeas handled configuration files
when updating them. An application using Augeas to update configuration
files in a directory that is writable to by a different user (for
example, an application running as root that is updating files in a
directory owned by a non-root service user) could have been tricked into
overwriting arbitrary files or leaking information via a symbolic link
or mount point attack (CVE-2012-0786, CVE-2012-0787).
A flaw was found in the way Augeas handled certain umask settings when
creating new configuration files. This flaw could result in
configuration files being created as world writable, allowing
unprivileged local users to modify their content (CVE-2013-6412).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
https://rhn.redhat.com/errata/RHSA-2013-1537.html
https://rhn.redhat.com/errata/RHSA-2014-0044.html
*(from redmine: issue id 2670, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2666
* Changesets:
* Revision 364b830649d5e4c6118660c09f94c404a8a0a079 by Natanael Copa on 2014-02-05T13:35:55Z:
```
main/augeas: security fix for CVE-2013-6412
fixes #2670
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2657
[v2.7] cups: local leak (CVE-2013-6891)
2019-07-23T14:12:59Z
Alexander Belous

lppasswd in CUPS before 1.7.1, when running with setuid privileges,
allows local users to read portions of arbitrary files via a modified
HOME environment variable and a symlink attack involving
.cups/client.conf.
•CONFIRM: http://www.cups.org/blog.php?L704
•CONFIRM: http://www.cups.org/str.php?L4319
•UBUNTU:USN-2082-1
•URL: http://www.ubuntu.com/usn/USN-2082-1
•SECUNIA:56531
•URL: http://secunia.com/advisories/56531
*(from redmine: issue id 2657, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2653
* Changesets:
* Revision 463d66f4cb7fe8b689c0dd463671e28f722f803c by Natanael Copa on 2014-02-05T13:06:33Z:
```
main/cups: security upgrade to 1.7.1 (CVE-2013-6891)
fixes #2657
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2652
[v2.7] php: remote DoS (CVE-2013-6712)
2019-07-23T14:13:05Z
Alexander Belous

The scan function in ext/date/lib/parse_iso_intervals.c in PHP through
5.5.6 does not properly restrict creation of DateInterval objects, which
might allow remote attackers to cause a denial of service (heap-based
buffer over-read) via a crafted interval specification.
•MISC: https://bugs.php.net/bug.php?id=66060
•CONFIRM:
http://git.php.net/?p=php-src.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071
•SUSE:openSUSE-SU-2013:1963
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00125.html
•SUSE:openSUSE-SU-2013:1964
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00126.html
*(from redmine: issue id 2652, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2648
* Changesets:
* Revision 430d2e5e023a5bf045ee81ed0f8c745fce900d24 by Natanael Copa on 2014-02-05T12:12:01Z:
```
main/php: security upgrade to 5.5.8 (CVE-2013-6712)
fixes #2652
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2647
[v2.7] nss: man-in-the-middle SSL spoofing (CVE-2013-1740)
2019-07-23T14:13:11Z
Alexander Belous

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla
Network Security Services (NSS) before 3.15.4, when the TLS False Start
feature is enabled, allows man-in-the-middle attackers to spoof SSL
servers by using an arbitrary X.509 certificate during certain handshake
traffic.
•CONFIRM: https://bugs.gentoo.org/show_bug.cgi?id=498172
•CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=919877
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1053725
•CONFIRM:
https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes
•XF:mozilla-nss-cve20131740-info-disc(90394)
•URL: http://xforce.iss.net/xforce/xfdb/90394
*(from redmine: issue id 2647, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2643
* Changesets:
* Revision a70459e37a1d9cb475f2738ed3ceed92439266cc by Natanael Copa on 2014-02-05T12:02:03Z:
```
main/nss: security upgrade to 3.15.4 (CVE-2013-1740)
fixes #2647
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2637
[v2.7] libvirt: DoS (CVE-2013-6458 CVE-2014-1447)
2019-07-23T14:13:16Z
Alexander Belous

Multiple race conditions in the (1) virDomainBlockStats, (2)
virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4)
virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not
properly verify that the disk is attached, which allows remote read-only
attackers to cause a denial of service (libvirtd crash) via the
virDomainDetachDeviceFlags command (CVE-2013-6458).
•CONFIRM: http://libvirt.org/news.html
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1043069
•DEBIAN:DSA-2846
•URL: http://www.debian.org/security/2014/dsa-2846
•SECUNIA:56186
•URL: http://secunia.com/advisories/56186
•SECUNIA:56446
•URL: http://secunia.com/advisories/56446
Race condition in the virNetServerClientStartKeepAlive function in
libvirt before 1.2.1 allows remote attackers to cause a denial of
service (libvirtd crash) by closing a connection before a keepalive
response is sent (CVE-2014-1447).
•CONFIRM: http://libvirt.org/news.html
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1047577
•DEBIAN:DSA-2846
•URL: http://www.debian.org/security/2014/dsa-2846
•SECUNIA:56321
•URL: http://secunia.com/advisories/56321
•SECUNIA:56446
•URL: http://secunia.com/advisories/56446
*(from redmine: issue id 2637, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2633
* Changesets:
* Revision b5fc277743e9099821e70da285fdb56d5c9d5e79 on 2014-02-04T16:09:11Z:
```
main/libvirt: security fix (CVE-2013-6458 CVE-2014-1447)
Fixes #2637
```

Alpine 2.7.4
Leonardo Arena

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2628
[v2.7] memcached: remote DoS (CVE-2013-0179 CVE-2013-7239 CVE-2013-7290 CVE-2013-7291)
2019-07-23T14:13:21Z
Alexander Belous

The process_bin_delete function in memcached.c in memcached 1.4.4 and
other versions before 1.4.17, when running in verbose mode, allows
remote attackers to cause a denial of service (segmentation fault) via a
request to delete a key, which does not account for the lack of a null
terminator in the key and triggers a buffer over-read when printing to
stderr (CVE-2013-0179).
memcached before 1.4.17 allows remote attackers to bypass authentication
by sending an invalid request with SASL credentials, then sending
another request with incorrect SASL credentials (CVE-2013-7239).
The do_item_get function in items.c in memcached 1.4.4 and other
versions before 1.4.17, when running in verbose mode, allows remote
attackers to cause a denial of service (segmentation fault) via a
request to delete a key, which does not account for the lack of a null
terminator in the key and triggers a buffer over-read when printing to
stderr, a different vulnerability than CVE-2013-0179 (CVE-2013-7290).
memcached before 1.4.17, when running in verbose mode, allows remote
attackers to cause a denial of service (crash) via a request that
triggers an unbounded key print during logging, related to an issue that
was quickly grepped out of the source tree, a different vulnerability
than CVE-2013-0179 and CVE-2013-7290 (CVE-2013-7291).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291
https://code.google.com/p/memcached/wiki/ReleaseNotes1417
*(from redmine: issue id 2628, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2624
* Changesets:
* Revision 01c5af01dadb92ad64c468444fcd4b58e00ccdc9 by Natanael Copa on 2014-02-05T10:05:59Z:
```
main/memcached: security upgrade to 1.4.17 (CVE-2013-0179,CVE-2013-7239,CVE-2013-7290,CVE-2013-7291)
fixes #2628
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2622
[v2.7] nagios: remote DoS and leak (CVE-2013-7108 CVE-2013-7205)
2019-07-23T14:13:26Z
Alexander Belous

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow
remote authenticated users to obtain sensitive information from process
memory or cause a denial of service (crash) via a long string in the
last key value in the variable list to the process_cgivars function in
(1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c,
(6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10)
summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer
over-read (CVE-2013-7108).
•MLIST:[oss-security] 20131224 Re: CVE request: denial of service in
Nagios (process_cgivars())
•URL: http://www.openwall.com/lists/oss-security/2013/12/24/1
•CONFIRM:
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
•CONFIRM: https://dev.icinga.org/issues/5251
•CONFIRM:
https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/
•SUSE:openSUSE-SU-2014:0016
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
•SUSE:openSUSE-SU-2014:0039
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
•SUSE:openSUSE-SU-2014:0069
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
•SECUNIA:55976
•URL: http://secunia.com/advisories/55976
•SECUNIA:56316
•URL: http://secunia.com/advisories/56316
Off-by-one error in the process_cgivars function in contrib/daemonchk.c
in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated
users to obtain sensitive information from process memory or cause a
denial of service (crash) via a long string in the last key value in the
variable list, which triggers a heap-based buffer over-read
(CVE-2013-7205).
•MLIST:[oss-security] 20131224 Re: CVE request: denial of service in
Nagios (process_cgivars())
•URL: http://www.openwall.com/lists/oss-security/2013/12/24/1
•CONFIRM:
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
•SECUNIA:55976
•URL: http://secunia.com/advisories/55976
*(from redmine: issue id 2622, created on 2014-02-04, closed on 2014-02-05)*
* Relations:
* parent #2618
* Changesets:
* Revision c9d8a6c05b5f9253252739560fe8d76468e826c0 by Natanael Copa on 2014-02-05T10:01:55Z:
```
main/nagis: security fix for CVE-2013-7108, CVE-2013-7205
fixes #2622
```

Alpine 2.7.4
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2610
[v2.7] graphviz: buffer overflow (CVE-2014-0978 CVE-2014-1236)
2019-07-23T14:13:36Z
Alexander Belous

CVE-2014-0978
It was discovered that user-supplied input used in the yyerror()
function in lib/cgraph/scan.l is not bound-checked before being
copied into an insufficiently sized memory buffer. A
context-dependent attacker could supply a specially crafted input
file containing a long line to cause a stack-based buffer overflow,
resulting in a denial of service (application crash) or potentially
allowing the execution of arbitrary code.
•MLIST:[oss-security] 20140107 CVE Request: graphviz: stack-based
buffer overflow in yyerror()
•URL: http://seclists.org/oss-sec/2014/q1/28
•MLIST:[oss-security] 20140107 Re: CVE Request: graphviz: stack-based
buffer overflow in yyerror()
•URL: http://seclists.org/oss-sec/2014/q1/38
•MISC: https://bugs.gentoo.org/show_bug.cgi?id=497274
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1049165
•CONFIRM:
https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a
•BID:64674
•URL: http://www.securityfocus.com/bid/64674
•SECUNIA:55666
•URL: http://secunia.com/advisories/55666
•XF:graphviz-yyerror-bo(90085)
•URL: http://xforce.iss.net/xforce/xfdb/90085
CVE-2014-1236
Sebastian Krahmer reported an overflow condition in the chkNum()
function in lib/cgraph/scan.l that is triggered as the used regular
expression accepts an arbitrary long digit list. With a specially
crafted input file, a context-dependent attacker can cause a
stack-based buffer overflow, resulting in a denial of service
(application crash) or potentially allowing the execution of
arbitrary code.
•MLIST:[oss-security] 20140108 Re: CVE Request: graphviz: stack-based
buffer overflow in yyerror()
•URL: http://seclists.org/oss-sec/2014/q1/54
•MLIST:[oss-security] 20140108 Re: Re: CVE Request: graphviz:
stack-based buffer overflow in yyerror()
•URL: http://seclists.org/oss-sec/2014/q1/46
•MLIST:[oss-security] 20140108 Re: Re: CVE Request: graphviz:
stack-based buffer overflow in yyerror()
•URL: http://seclists.org/oss-sec/2014/q1/51
•CONFIRM:
https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff
•SECUNIA:55666
•URL: http://secunia.com/advisories/55666
*(from redmine: issue id 2610, created on 2014-01-15, closed on 2014-02-05)*
* Relations:
* parent #2609
* Changesets:
* Revision 0881bdc909bd6034308671867df3728563753c05 by Natanael Copa on 2014-02-05T09:27:13Z:
```
main/graphviz: security fixes for CVE-2014-0978, CVE-2014-1235, CVE-2014-1236
fixes #2610
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2608
[v2.7] bind: defect in handling queries for NSEC3-signed zones (CVE-2014-0591)
2019-07-23T14:13:39Z
Alexander Belous

The query_findclosestnsec3 function in query.c in named in ISC BIND
9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV
before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of
service (INSIST assertion failure and daemon exit) via a crafted DNS
query to an authoritative nameserver that uses the NSEC3 signing
feature.
CONFIRM: https://kb.isc.org/article/AA-01085
CONFIRM: https://kb.isc.org/article/AA-01078
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1051717
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0591
*(from redmine: issue id 2608, created on 2014-01-15, closed on 2014-02-04)*
* Relations:
* parent #2604
* Changesets:
* Revision b54d719755e8d7368fcce3f0d0ae3597ae5fe78b by Natanael Copa on 2014-01-15T14:16:33Z:
```
main/bind: security upgrade to 9.9.4_p2 (CVE-2014-0591)
fixes #2608
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2589
[v2.7] libxfont: Stack buffer overflow in parsing of BDF font files (CVE-2013-6462)
2019-07-23T14:13:56Z
Alexander Belous

Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:
```
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
```
Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack. Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted
font.

As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some
systems.

Affected Versions

This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
tarballs, but not in those from the X11R4 tarballs.)

Fixes

A fix is available via the attached patch, which is also included in
libXfont 1.4.7, released today, and available in the libXfont git repo:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
References:
http://lists.x.org/archives/xorg-announce/2014-January/002389.html
http://seclists.org/bugtraq/2014/Jan/15
*(from redmine: issue id 2589, created on 2014-01-08, closed on 2014-02-04)*
* Relations:
* parent #2585
* Changesets:
* Revision b6bd3fdc031ee5241e3cdf5518a32ed150fed179 by Natanael Copa on 2014-01-14T13:29:53Z:
```
main/libxfont: security upgrade to 1.4.7 (CVE-2013-6462)
fixes #2589
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2580
[v2.7] ruby-i18n: CVE-2013-4492
2019-07-23T14:14:06Z
Alexander Belous

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n
gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary
web script or HTML via a crafted I18n::MissingTranslationData.new call.
•MLIST:[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS
Vulnerability in Ruby on Rails
•URL:
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ
•CONFIRM:
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
•CONFIRM:
https://github.com/svenfuchs/i18n/commit/92b57b1e4f84adcdcc3a375278f299274be62445
•DEBIAN:DSA-2830
•URL: http://www.debian.org/security/2013/dsa-2830
•SUSE:openSUSE-SU-2013:1930
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html
*(from redmine: issue id 2580, created on 2014-01-08, closed on 2014-02-05)*
* Relations:
* parent #2576
* Changesets:
* Revision d6b97283d88a4acc6804147e9f40a006494045df by Natanael Copa on 2014-02-05T08:26:59Z:
```
main/ruby-i18n: security upgrade to 0.6.6 (CVE-2013-4492)
fixes #2580
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2575
[v2.7] nss: Mis-issued ANSSI/DCSSI certificate
2019-07-23T14:14:11Z
Alexander Belous

Impact: High
Announced: December 10, 2013
Reporter: Google
Google notified Mozilla that an intermediate certificate, which chains
up to a root included in Mozilla’s root store, was loaded into a
man-in-the-middle (MITM) traffic management device. This certificate was
issued by Agence nationale de la sécurité des systèmes d’information
(ANSSI), an agency of the French government and a certificate authority
in Mozilla’s root program. A subordinate certificate authority of ANSSI
mis-issued an intermediate certificate that they installed on a network
monitoring device, which enabled the device to act as a MITM proxy
performing traffic management of domain names or IP addresses that the
certificate holder did not own or control.
References:
http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
https://hg.mozilla.org/projects/nss/rev/5a7944776645
https://rhn.redhat.com/errata/RHSA-2013-1861.html
*(from redmine: issue id 2575, created on 2014-01-08, closed on 2014-02-05)*
* Relations:
* parent #2571
* Changesets:
* Revision 1bbb01dbd9df5688233ffdba13cec3f04575a3c3 by Natanael Copa on 2014-02-05T08:23:58Z:
```
main/nss: security upgrade to 3.15.3.1
fixes #2575
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2570
[v2.7] wireshark: CVE-2013-7113
2019-07-23T14:14:17Z
Alexander Belous

epan/dissectors/packet-bssgp.c in the BSSGP dissector in Wireshark
1.10.x before 1.10.4 incorrectly relies on a global variable, which
allows remote attackers to cause a denial of service (application crash)
via a crafted packet.
Only Alpine Linux v2.7 is vulnerable.
•CONFIRM:
http://anonsvn.wireshark.org/viewvc/trunk-1.10/epan/dissectors/packet-bssgp.c?r1=53803&r2=53802&pathrev=53803
•CONFIRM:
http://anonsvn.wireshark.org/viewvc?view=revision&revision=53803
•CONFIRM: http://www.wireshark.org/security/wnpa-sec-2013-67.html
•CONFIRM: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9488
•DEBIAN:DSA-2825
•URL: http://www.debian.org/security/2013/dsa-2825
•SECUNIA:56052
•URL: http://secunia.com/advisories/56052
*(from redmine: issue id 2570, created on 2014-01-08, closed on 2014-02-05)*

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2569
[v2.7] wireshark: CVE-2013-7112 CVE-2013-7114
2019-07-23T14:14:18Z
Alexander Belous

The dissect_sip_common function in epan/dissectors/packet-sip.c in the
SIP dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4
does not check for empty lines, which allows remote attackers to cause a
denial of service (infinite loop) via a crafted packet (CVE-2013-7112).
Multiple buffer overflows in the create_ntlmssp_v2_key function in
epan/dissectors/packet-ntlmssp.c in the NTLMSSP v2 dissector in
Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 allow remote
attackers to cause a denial of service (application crash) via a long
domain name in a packet (CVE-2013-7114).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7114
http://www.wireshark.org/security/wnpa-sec-2013-66.html
http://www.wireshark.org/security/wnpa-sec-2013-68.html
*(from redmine: issue id 2569, created on 2014-01-08, closed on 2014-02-04)*
* Relations:
* parent #2566
* Changesets:
* Revision 9b3157524ff1b64a3a9f2022928059cb10cf7a68 by Natanael Copa on 2014-01-14T15:07:54Z:
```
main/wireshark: security upgrade to 1.10.4 (CVE-2013-7112,CVE-2013-7114)
fixes #2569
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2565
[v2.7] curl: gnutls backend issue (CVE-2013-6422)
2019-07-23T14:14:22Z
Alexander Belous

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling
digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables
the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which
makes it easier for remote attackers to spoof servers and conduct
man-in-the-middle (MITM) attacks.
•CONFIRM: http://curl.haxx.se/docs/adv_20131217.html
•DEBIAN:DSA-2824
•URL: http://www.debian.org/security/2013/dsa-2824
•UBUNTU:USN-2058-1
•URL: http://www.ubuntu.com/usn/USN-2058-1
*(from redmine: issue id 2565, created on 2014-01-08, closed on 2014-01-14)*
* Relations:
* parent #2561

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2676
include asterisk speex on the iso image
2019-07-23T14:12:37Z
Natanael Copa

<fabled> it was split out earlier, and now i have some .iso only
installs that fail due to certain asterisk modules missing.
*(from redmine: issue id 2676, created on 2014-02-05, closed on 2014-02-05)*

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2662
[v2.7] net-snmp: remote DoS (CVE-2012-6151)
2019-07-23T14:12:53Z
Alexander Belous

Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB
and processing GETNEXT requests, allows remote attackers to cause a
denial of service (crash or infinite loop, CPU consumption, and hang) by
causing the AgentX subagent to timeout.
•MLIST:[oss-security] 20131202 NMPD DoS #2411 snmpd crashes/hangs
when AgentX subagent times-out
•URL: http://seclists.org/oss-sec/2013/q4/398
•MLIST:[oss-security] 20131202 Re: SNMPD DoS #2411 snmpd
crashes/hangs when AgentX subagent times-out
•URL: http://seclists.org/oss-sec/2013/q4/415
•MISC: http://sourceforge.net/p/net-snmp/bugs/2411/
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1038007
•BID:64048
•URL: http://www.securityfocus.com/bid/64048
•XF:netsnmp-cve20126151-dos(89485)
•URL: http://xforce.iss.net/xforce/xfdb/89485
*(from redmine: issue id 2662, created on 2014-02-04, closed on 2014-02-04)*
* Relations:
* parent #2658

Alpine 2.7.4
Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2617
Freeradius fail to start
2019-07-23T14:13:32Z
Lingbing Jiang

In current Alpine Linux 2.7, when trying to start freeradius, an error
came out:
```
localhost:~# radiusd -X
libssl version mismatch. Built with: 1000105f Linked: 1000106f
```
It might be because of the openssl lib; a rebuild might solve the problem.
*(from redmine: issue id 2617, created on 2014-01-31, closed on 2014-02-05)*
* Changesets:
* Revision 90d8ac4047445c67bbcd65b0796fb6ad14f1b09c by Natanael Copa on 2014-02-04T08:22:50Z:
```
main/freeradius: rebuild to fix libssl version mismatch.
Fixes the following error:
libssl version mismatch. Built with: 1000105f Linked: 1000106f
Fixes #2617
```

Alpine 2.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2594
xe-guest-utilities: broken symlinks
2019-07-23T14:13:53Z
Natanael Copa

The xe-guest-utilities-6.1.0-r0.apk package contains those broken
symlinks:
```
lrwxrwxrwx root/root 0 2013-10-28 16:46:01 usr/bin/xenstore-exists -> /home/buildozer/aports/main/xe-guest-utilities/pkg/xe-guest-utilities/usr/bin/xenstore
lrwxrwxrwx root/root 0 2013-10-28 16:46:01 usr/bin/xenstore-list -> /home/buildozer/aports/main/xe-guest-utilities/pkg/xe-guest-utilities/usr/bin/xenstore
lrwxrwxrwx root/root 0 2013-10-28 16:46:01 usr/bin/xenstore-ls -> /home/buildozer/aports/main/xe-guest-utilities/pkg/xe-guest-utilities/usr/bin/xenstore
lrwxrwxrwx root/root 0 2013-10-28 16:46:01 usr/bin/xenstore-write -> /home/buildozer/aports/main/xe-guest-utilities/pkg/xe-guest-utilities/usr/bin/xenstore
lrwxrwxrwx root/root 0 2013-10-28 16:46:01 usr/bin/xenstore-chmod -> /home/buildozer/aports/main/xe-guest-utilities/pkg/xe-guest-utilities/usr/bin/xenstore
lrwxrwxrwx root/root 0 2013-10-28 16:46:01 usr/bin/xenstore-rm -> /home/buildozer/aports/main/xe-guest-utilities/pkg/xe-guest-utilities/usr/bin/xenstore
lrwxrwxrwx root/root 0 2013-10-28 16:46:01 usr/bin/xenstore-read -> /home/buildozer/aports/main/xe-guest-utilities/pkg/xe-guest-utilities/usr/bin/xenstore
```
*(from redmine: issue id 2594, created on 2014-01-13, closed on 2014-02-05)*
* Changesets:
* Revision ec7617bdc408c12343bead5f91ffdf746950d156 by Natanael Copa on 2014-02-05T08:42:11Z:
```
main/xe-guest-utilities: fix symlinks
fixes #2594
```
* Revision 6e5fb0574b15e54f8eb58dc2e6a3222a68e751ca by Natanael Copa on 2014-02-05T08:56:04Z:
```
main/xe-guest-utilities: fix symlinks
fixes #2594
(cherry picked from commit ec7617bdc408c12343bead5f91ffdf746950d156)
```

Alpine 2.7.4
Natanael Copa