Issue #11914 · Closed
Issue created Sep 02, 2020 by tomer (@tomersnyk) · 184 of 184 checklist items completed

CVEs reported to be fixed twice in the secfixes comments / secdb.alpinelinux.org

Hey @Leo @ncopa 👋!

Following up from our chat on IRC, adding here all the cases we found that have the same CVE for different fixed versions for a specific package:

  • v3.3 openssl CVE-2017-3738 (fdbb0da2)
  • v3.4 openssl CVE-2017-3738 (29180d09)
  • v3.4 php5 CVE-2018-5712 (da800bdf)
  • v3.5 openssl CVE-2017-3738 (9dd91880)
  • v3.5 php5 CVE-2018-5712 (67c11dd3)
  • v3.5 php7 CVE-2018-5712 (df489246)
  • v3.6 bind CVE-2017-3145 (fa2e4d9e)
  • v3.6 bind CVE-2017-3142 (fa2e4d9e)
  • v3.6 bind CVE-2017-3143 (fa2e4d9e)
  • v3.6 ffmpeg CVE-2017-11665 (60935a48)
  • v3.6 ghostscript CVE-2019-6116 (8202374b)
  • v3.6 openssl CVE-2017-3738 (24a4091d)
  • v3.6 php5 CVE-2018-5712 (3f847fb3)
  • v3.6 php7 CVE-2018-5712 (244815ce)
  • v3.6 wireshark CVE-2018-7335 (bd8ad1d0)
  • v3.6 wireshark CVE-2018-7334 (bd8ad1d0)
  • v3.6 wireshark CVE-2018-7336 (bd8ad1d0)
  • v3.7 bind CVE-2017-3145 (cbc49e4f)
  • v3.7 firefox-esr CVE-2017-7843 (a56ee65a)
  • v3.7 ghostscript CVE-2019-6116 (413d825a)
  • v3.7 lame CVE-2017-9410 (5e0c4c47)
  • v3.7 lame CVE-2017-9411 (5e0c4c47)
  • v3.7 lame CVE-2017-9412 (5e0c4c47)
  • v3.7 lame CVE-2015-9099 (5e0c4c47)
  • v3.7 openssl CVE-2017-3738 (81efcef4)
  • v3.7 php5 CVE-2018-5712 (89054feb)
  • v3.7 php7 CVE-2018-5712 (05c7db62)
  • v3.7 php7 CVE-2018-7584 (05c7db62)
  • v3.7 sdl CVE-2019-7577 (0b9593eb)
  • v3.7 wireshark CVE-2017-15191 (b277839a)
  • v3.7 wireshark CVE-2017-15192 (b277839a)
  • v3.7 wireshark CVE-2017-15193 (b277839a)
  • v3.7 wireshark CVE-2017-13765 (b277839a)
  • v3.7 wireshark CVE-2017-13766 (b277839a)
  • v3.7 wireshark CVE-2017-13767 (b277839a)
  • v3.8 exim CVE-2018-6789 (04e42b67)
  • v3.8 firefox-esr CVE-2017-7843 (268f75ea)
  • v3.8 ghostscript CVE-2019-6116 (5a4b02d3)
  • v3.8 lame CVE-2017-9410 (cd6dbbc5)
  • v3.8 lame CVE-2017-9411 (cd6dbbc5)
  • v3.8 lame CVE-2017-9412 (cd6dbbc5)
  • v3.8 lame CVE-2015-9099 (cd6dbbc5)
  • v3.8 openssl CVE-2017-3738 (90ac76e9)
  • v3.8 php5 CVE-2018-5712 (f86eadb4)
  • v3.8 samba CVE-2018-14629 (1ffd0c4c)
  • v3.8 sdl CVE-2019-7577 (14810256)
  • v3.8 sqlite CVE-2018-20346 (9001046c)
  • v3.8 sqlite CVE-2019-19242 (9001046c)
  • v3.8 wireshark CVE-2017-15191 (7feb5ee1)
  • v3.8 wireshark CVE-2017-15192 (7feb5ee1)
  • v3.8 wireshark CVE-2017-15193 (7feb5ee1)
  • v3.8 wireshark CVE-2017-13765 (7feb5ee1)
  • v3.8 wireshark CVE-2017-13766 (7feb5ee1)
  • v3.8 wireshark CVE-2017-13767 (7feb5ee1)
  • v3.9 exim CVE-2018-6789 (0a5dfd7f)
  • v3.9 firefox-esr CVE-2017-7843 (a2c80d00)
  • v3.9 ghostscript CVE-2019-6116 (038246e3)
  • v3.9 hostapd CVE-2017-13082 (d01d4710)
  • v3.9 lame CVE-2015-9099 (86cfc54b)
  • v3.9 lame CVE-2017-9410 (86cfc54b)
  • v3.9 lame CVE-2017-9411 (86cfc54b)
  • v3.9 lame CVE-2017-9412 (86cfc54b)
  • v3.9 libsndfile CVE-2018-19758 (e831cc1b)
  • v3.9 libvorbis CVE-2018-10393 (f45d0b27)
  • v3.9 samba CVE-2018-14629 (3bac040e)
  • v3.9 sdl CVE-2019-7577 (635f81bc)
  • v3.9 sqlite CVE-2019-19242 (357837f9)
  • v3.9 wireshark CVE-2017-15191 (e8d61b9a)
  • v3.9 wireshark CVE-2017-15192 (e8d61b9a)
  • v3.9 wireshark CVE-2017-15193 (e8d61b9a)
  • v3.9 wireshark CVE-2017-13765 (e8d61b9a)
  • v3.9 wireshark CVE-2017-13766 (e8d61b9a)
  • v3.9 wireshark CVE-2017-13767 (e8d61b9a)
  • v3.9 wpa_supplicant CVE-2017-13077 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13078 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13079 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13080 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13081 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13082 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13086 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13087 (e6b435d7)
  • v3.9 wpa_supplicant CVE-2017-13088 (e6b435d7)
  • v3.9 xen CVE-2019-19579,XSA-306 (bd0c62f6)
  • v3.10 busybox CVE-2019-5747 (cee91fd2)
  • v3.10 exim CVE-2018-6789 (8395de3d)
  • v3.10 firefox-esr CVE-2017-7843 (6b8eb050)
  • v3.10 ghostscript CVE-2019-6116 (174d3dcd)
  • v3.10 hostapd CVE-2017-13082 (74857956)
  • v3.10 lame CVE-2015-9099 (a57b3d9f)
  • v3.10 lame CVE-2017-9410 (a57b3d9f)
  • v3.10 lame CVE-2017-9411 (a57b3d9f)
  • v3.10 lame CVE-2017-9412 (a57b3d9f)
  • v3.10 libsndfile CVE-2018-19758 (d9c76cb0)
  • v3.10 libvorbis CVE-2018-10393 (18b62e40)
  • v3.10 rdesktop CVE-2018-20175 (06cd87d9)
  • v3.10 rdesktop CVE-2018-20176 (06cd87d9)
  • v3.10 samba CVE-2018-14629 (d43122c1)
  • v3.10 sdl CVE-2019-7577 (22f290af)
  • v3.10 sqlite CVE-2019-19242 (b513c7d9)
  • v3.10 unbound CVE-2020-12662 (7de63602)
  • v3.10 unbound CVE-2020-12663 (7de63602)
  • v3.10 wireshark CVE-2017-15191 (0ca6a6f0)
  • v3.10 wireshark CVE-2017-15192 (0ca6a6f0)
  • v3.10 wireshark CVE-2017-15193 (0ca6a6f0)
  • v3.10 wireshark CVE-2017-13765 (0ca6a6f0)
  • v3.10 wireshark CVE-2017-13766 (0ca6a6f0)
  • v3.10 wireshark CVE-2017-13767 (0ca6a6f0)
  • v3.10 wpa_supplicant CVE-2019-11555 (6104fab1)
  • v3.10 wpa_supplicant CVE-2017-13077 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13078 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13079 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13080 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13081 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13082 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13086 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13087 (db21cf64)
  • v3.10 wpa_supplicant CVE-2017-13088 (db21cf64)
  • v3.11 busybox CVE-2019-5747 (5086c803)
  • v3.11 exim CVE-2018-6789 (73d689f0)
  • v3.11 firefox-esr CVE-2017-7843 (235d94b8)
  • v3.11 ghostscript CVE-2019-6116 (a7731895)
  • v3.11 hostapd CVE-2017-13082 (6d852c12)
  • v3.11 lame CVE-2015-9099 (4682ce00)
  • v3.11 lame CVE-2017-9410 (4682ce00)
  • v3.11 lame CVE-2017-9411 (4682ce00)
  • v3.11 lame CVE-2017-9412 (4682ce00)
  • v3.11 libsndfile CVE-2018-19758 (aba083c6)
  • v3.11 libvorbis CVE-2018-10393 (28c3640a)
  • v3.11 rdesktop CVE-2018-20175 (32b2d233)
  • v3.11 rdesktop CVE-2018-20176 (32b2d233)
  • v3.11 samba CVE-2018-14629 (ee1c2d92)
  • v3.11 sdl CVE-2019-7577 (f149d00e)
  • v3.11 sqlite CVE-2019-19242 (71fcdfce)
  • v3.11 tor CVE-2019-8955 (945ddd42)
  • v3.11 wireshark CVE-2017-13765 (062cbfcf)
  • v3.11 wireshark CVE-2017-13766 (062cbfcf)
  • v3.11 wireshark CVE-2017-13767 (062cbfcf)
  • v3.11 wireshark CVE-2017-15191 (062cbfcf)
  • v3.11 wireshark CVE-2017-15192 (062cbfcf)
  • v3.11 wireshark CVE-2017-15193 (062cbfcf)
  • v3.11 wpa_supplicant CVE-2019-11555 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13077 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13078 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13079 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13080 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13081 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13082 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13086 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13087 (e84bb0f6)
  • v3.11 wpa_supplicant CVE-2017-13088 (e84bb0f6)
  • v3.12 busybox CVE-2019-5747 (d674ed89)
  • v3.12 clamav CVE-2020-3123 (d674ed89)
  • v3.12 exim CVE-2018-6789 (8069e74a)
  • v3.12 firefox-esr CVE-2017-7843 (d674ed89)
  • v3.12 ghostscript CVE-2019-6116 (880b8f85)
  • v3.12 hostapd CVE-2017-13082 (d674ed89)
  • v3.12 lame CVE-2015-9099 (d674ed89)
  • v3.12 lame CVE-2017-9410 (d674ed89)
  • v3.12 lame CVE-2017-9411 (d674ed89)
  • v3.12 lame CVE-2017-9412 (d674ed89)
  • v3.12 libsndfile CVE-2018-19758 (d674ed89)
  • v3.12 libvorbis CVE-2018-10393 (d674ed89)
  • v3.12 rdesktop CVE-2018-20175 (d674ed89)
  • v3.12 rdesktop CVE-2018-20176 (d674ed89)
  • v3.12 samba CVE-2018-14629 (eeaffa45)
  • v3.12 sdl CVE-2019-7577 (d674ed89)
  • v3.12 sqlite CVE-2019-19242 (d674ed89)
  • v3.12 tor CVE-2019-8955 (d674ed89)
  • v3.12 wireshark CVE-2017-15191 (12743c84)
  • v3.12 wireshark CVE-2017-15192 (12743c84)
  • v3.12 wireshark CVE-2017-15193 (12743c84)
  • v3.12 wireshark CVE-2017-13765 (12743c84)
  • v3.12 wireshark CVE-2017-13766 (12743c84)
  • v3.12 wireshark CVE-2017-13767 (12743c84)
  • v3.12 wpa_supplicant CVE-2017-13077 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13078 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13079 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13080 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13081 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13082 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13086 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13087 (48fb8266)
  • v3.12 wpa_supplicant CVE-2017-13088 (48fb8266)
  • v3.12 wpa_supplicant CVE-2019-11555 (48fb8266)

For the cases shown above, it isn't well defined which of the versions should be expected as the initial fixed version for the CVE. If you're able to fix those, that's great. Otherwise, if you're able to let us know which one we should treat as the initial fixed version, we can report the correct versions in Snyk.

As @ncopa suggested - #11912 (closed), it will be awesome if we could prevent these cases from happening at all - this would help us have a more accurate and correct understanding of the security fixes 🙏

Thanks!

Edited Oct 20, 2020 by Natanael Copa
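
As an added illustration (not code from the issue, aports or Snyk): a check that reads the `# secfixes:` comment block of an APKBUILD and reports every identifier listed under more than one fixed version, which is the condition reported above. The sample APKBUILD, its package name and its CVE/XSA ids are constructed placeholders, and the parser assumes the indented `version:` / `- ID` comment layout.

```python
import re
from collections import defaultdict

# Constructed APKBUILD fragment (placeholder package and CVE ids, not from aports).
SAMPLE_APKBUILD = """\
pkgname=examplepkg
pkgver=1.2.3
# secfixes:
#   1.2.3-r0:
#     - CVE-2099-0001
#     - CVE-2099-0002
#   1.2.1-r1:
#     - CVE-2099-0001
#     - CVE-2099-0003 XSA-999

build() { make; }
"""

VERSION_RE = re.compile(r"^#\s+(\S+):\s*$")   # "#   1.2.3-r0:"
ENTRY_RE = re.compile(r"^#\s+-\s+(.+?)\s*$")  # "#     - CVE-... [XSA-...]"


def parse_secfixes(text):
    """Return {fixed_version: [identifier, ...]} from the '# secfixes:' block."""
    fixes, in_block, current = {}, False, None
    for line in text.splitlines():
        if not in_block:
            in_block = line.rstrip() == "# secfixes:"
            continue
        if not line.startswith("#"):
            break  # the block ends at the first non-comment line
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            fixes.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            # One entry may carry several ids separated by spaces or commas.
            fixes[current].extend(re.split(r"[,\s]+", m.group(1)))
    return fixes


def duplicate_fixes(fixes):
    """Return {identifier: [versions]} for ids listed under more than one version."""
    seen = defaultdict(list)
    for version, ids in fixes.items():
        for ident in set(ids):  # ignore repeats within a single version
            seen[ident].append(version)
    return {i: v for i, v in seen.items() if len(v) > 1}
```

Run over each APKBUILD on a branch, a non-empty result from `duplicate_fixes` marks an entry whose initial fixed version is ambiguous to consumers of the secfixes data.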