aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2019-07-23T13:39:28Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/5207[3.3] openssl: Multiple vulnerabilities (CVE-2016-0702, CVE-2016-0799, CVE-20...2019-07-23T13:39:28ZAlicha CH[3.3] openssl: Multiple vulnerabilities (CVE-2016-0702, CVE-2016-0799, CVE-2016-0797, CVE-2016-0798, CVE-2016-0705, CVE-2016-0800)### CVE-2016-0702:
A side-channel attack was found which makes use of cache-bank
conflicts
on the Intel Sandy-Bridge microarchitecture which could lead to the
recovery of RSA keys.
The ability to exploit this issue is limited as it ...### CVE-2016-0702:
A side-channel attack was found which makes use of cache-bank
conflicts
on the Intel Sandy-Bridge microarchitecture which could lead to the
recovery of RSA keys.
The ability to exploit this issue is limited as it relies on an attacker
who has control
of code in a thread running on the same hyper-threaded core as the
victim thread which is performing decryptions.
**Fixed in OpenSSL 1.0.1s** (**Affected 1.0.1r**, 1.0.1q, 1.0.1p,
1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l,
1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c,
1.0.1b, 1.0.1a, 1.0.1)
**Fixed in OpenSSL 1.0.2g** (**Affected 1.0.2f**, 1.0.2e, 1.0.2d,
1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
### CVE-2016-0799:
The internal |fmtstr| function used in processing a “%s” format string
in the
BIO\_\*printf functions could overflow while calculating the length of a
string and cause an OOB
read when printing very long strings.
\*
Fixed in OpenSSL 1.0.1s\* (**Affected 1.0.1r**, 1.0.1q, 1.0.1p, 1.0.1o,
1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j,
1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a,
1.0.1)
Fixed in OpenSSL 1.0.2g (**Affected 1.0.2f**, 1.0.2e, 1.0.2d, 1.0.2c,
1.0.2b, 1.0.2a, 1.0.2)
### CVE-2016-0797:
In the BN\_hex2bn function the number of hex digits is calculated using
an int value |i|.
Later |bn\_expand| is called with a value of |i \* 4|. For large values
of |i| this can result in |bn\_expand|
not allocating any memory because |i \* 4| is negative.
\*
Fixed in OpenSSL 1.0.1s\* (**Affected 1.0.1r**, 1.0.1q, 1.0.1p, 1.0.1o,
1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j,
1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a,
1.0.1)
**Fixed in OpenSSL 1.0.2g** (**Affected 1.0.2f**, 1.0.2e, 1.0.2d,
1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
### CVE-2016-0798:
The SRP user database lookup method SRP\_VBASE\_get\_by\_user had
confusing memory management semantics;
the returned pointer was sometimes newly allocated, and sometimes owned
by the callee. The calling code has no way
of distinguishing these two cases. Specifically, SRP servers that
configure a secret seed to hide valid login
information are vulnerable to a memory leak: an attacker connecting with
an invalid username can cause a memory
leak of around 300 bytes per connection.
**Fixed in OpenSSL 1.0.1s** (**Affected 1.0.1r**, 1.0.1q, 1.0.1p,
1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j,
1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a,
1.0.1)
**Fixed in OpenSSL 1.0.2g** (**Affected 1.0.2f**, 1.0.2e, 1.0.2d,
1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
### CVE-2016-0705:
A double free bug was discovered when OpenSSL parses malformed DSA
private keys and could lead to a DoS
attack or memory corruption for applications that receive DSA private
keys from untrusted sources.
**Fixed in OpenSSL 1.0.1s** (**Affected 1.0.1r**, 1.0.1q, 1.0.1p,
1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j,
1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a,
1.0.1)
**Fixed in OpenSSL 1.0.2g** (**Affected 1.0.2f**, 1.0.2e, 1.0.2d,
1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
### CVE-2016-0800:
A cross-protocol attack was discovered that could lead to decryption of
TLS sessions by using
a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher
RSA padding oracle.
Note that traffic between clients and non-vulnerable servers can be
decrypted provided another server
supporting SSLv2 and EXPORT ciphers (even with a different protocol such
as SMTP, IMAP or POP) shares the
RSA keys of the non-vulnerable server.
**Fixed in OpenSSL 1.0.1s** (**Affected 1.0.1r**, 1.0.1q, 1.0.1p,
1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j,
1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a,
1.0.1)
**Fixed in OpenSSL 1.0.2g** (**Affected 1.0.2f**, 1.0.2e, 1.0.2d,
1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
### References:
https://www.openssl.org/news/vulnerabilities.html
*(from redmine: issue id 5207, created on 2016-03-01, closed on 2016-03-02)*
* Relations:
* parent #5206
* Changesets:
* Revision 43684aadc1cdbbb40a2fe87a7ec584684d613b8c by Natanael Copa on 2016-03-01T16:10:21Z:
```
main/openssl: security upgrade to 1.0.2g
CVE-2016-0800 [High severity]
CVE-2016-0705 [Low severity]
CVE-2016-0798 [Low severity]
CVE-2016-0797 [Low severity]
CVE-2016-0799 [Low severity]
CVE-2016-0702 [Low severity]
fixes #5207
```3.3.2Timo TeräsTimo Teräshttps://gitlab.alpinelinux.org/alpine/aports/-/issues/5197[Raspberry Pi 3] Please enable alpine OS support for the newly released RPI 3...2019-07-23T13:39:39ZRay Davis[Raspberry Pi 3] Please enable alpine OS support for the newly released RPI 3 (Arm v8 Architecture) with inbuilt BCM43438 Wi-Fi and BLE 4.1Dear Admin
Request you to please enable alpine OS support for the newly released
Raspberry pi 3 - 64 Bit based on
•Broadcom BCM2837 chipset running at 1.2 GHz
•64-bit quad-core ARM Cortex-A53
•802.11 b/g/n Wireless LAN - BCM43134 ...Dear Admin
Request you to please enable alpine OS support for the newly released
Raspberry pi 3 - 64 Bit based on
•Broadcom BCM2837 chipset running at 1.2 GHz
•64-bit quad-core ARM Cortex-A53
•802.11 b/g/n Wireless LAN - BCM43134
•Bluetooth 4.1 (Classic & Low Energy) - BCM43134
•Dual core Videocore IV® Multimedia co-processor
Thanking you
More details are here
https://www.raspberrypi.org/blog/raspberry-pi-3-on-sale/
*(from redmine: issue id 5197, created on 2016-02-29, closed on 2016-03-18)*
* Changesets:
* Revision 95b531023cb701a838f3f4a58f6b10fe2d54a1ee by Timo Teräs on 2016-03-10T10:01:41Z:
```
main/linux-rpi: upgrade to 4.1.19, refresh rpi patch
includes some support for rpi3, ref #5197
```
* Revision 715d2a3df6ba692482d92b84e227fb309829ea14 by Timo Teräs on 2016-03-15T08:45:35Z:
```
main/linux-rpi: upgrade to 4.1.19, refresh rpi patch
includes some support for rpi3, ref #5197
(cherry picked from commit 95b531023cb701a838f3f4a58f6b10fe2d54a1ee)
```3.3.2Timo TeräsTimo Teräshttps://gitlab.alpinelinux.org/alpine/aports/-/issues/5148[3.3] libreoffice: Multiple out-of-bounds overflows in lwp filter (CVE-2016-0...2019-07-23T13:40:24ZAlicha CH[3.3] libreoffice: Multiple out-of-bounds overflows in lwp filter (CVE-2016-0794, CVE-2016-0795)### (CVE-2016-0794) LotusWordPro Multiple bounds overflows in lwp filter
Multiple offsets in parsing lwp documents were insufficiently checked
for validity.
Documents can be constructed which cause memory corruption by
overflowing var...### (CVE-2016-0794) LotusWordPro Multiple bounds overflows in lwp filter
Multiple offsets in parsing lwp documents were insufficiently checked
for validity.
Documents can be constructed which cause memory corruption by
overflowing various buffer bounds.
### Fixed in:
LibreOffice 5.0.4/5.1.0
### References:
http://www.libreoffice.org/about-us/security/advisories/cve-2016-0794/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0794
### (CVE-2016-0795) LotusWordPro Bounds overflows in LwpTocSuperLayout processing
Parsing the LwpTocSuperLayout record was insufficiently checked for
validity.
Documents can be constructed which cause memory corruption by
overflowing the LwpTocSuperLayout buffer..
### Fixed in:
LibreOffice 5.0.5/5.1.0
### References:
http://www.libreoffice.org/about-us/security/advisories/cve-2016-0795/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0795
*(from redmine: issue id 5148, created on 2016-02-22, closed on 2017-06-29)*
* Relations:
* parent #5147
* Changesets:
* Revision ff69ce7465b8c9fdca8ef4609ed3dc40dbd63049 on 2016-02-23T14:51:44Z:
```
main/libreoffice: security upgrade to 5.0.5.2 (CVE-2016-0794, CVE-2016-0795). Fixes #5148
```3.3.2Timo TeräsTimo Teräshttps://gitlab.alpinelinux.org/alpine/aports/-/issues/4999nodejs with broken crypto module after upgrading to 4.2.4-r02019-07-23T13:42:22ZAntonio Marquesnodejs with broken crypto module after upgrading to 4.2.4-r0After upgrading the nodejs package to the latest version (4.2.4-r0), the
crypto module throws the following error when calculating a hash:
alpine:~$ node -e "console.log(require('crypto').createHash('md5').update('test').digest('hex...After upgrading the nodejs package to the latest version (4.2.4-r0), the
crypto module throws the following error when calculating a hash:
alpine:~$ node -e "console.log(require('crypto').createHash('md5').update('test').digest('hex'))"
crypto.js:50
this._handle = new binding.Hash(algorithm);
^
Error: error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id
at Error (native)
at new Hash (crypto.js:50:18)
at Object.Hash (crypto.js:49:12)
at [eval]:1:31
at Object.exports.runInThisContext (vm.js:54:17)
at Object.<anonymous> ([eval]-wrapper:6:22)
at Module._compile (module.js:435:26)
at node.js:578:27
at doNTCallback0 (node.js:419:9)
at process._tickCallback (node.js:348:13)
Using the previous version (4.2.3-r0) of the package:
alpine:~$ node -e "console.log(require('crypto').createHash('md5').update('test').digest('hex'))"
098f6bcd4621d373cade4e832627b4f6
The above error is also present when using npm:
alpine:~$ npm install express
Error: error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id
at Error (native)
at new Hash (crypto.js:50:18)
at Object.Hash (crypto.js:49:12)
at getDefaultSessionIdContext (_tls_wrap.js:27:19)
at _tls_wrap.js:17:33
at NativeModule.compile (node.js:954:5)
at NativeModule.require (node.js:902:18)
at tls.js:221:21
at NativeModule.compile (node.js:954:5)
at NativeModule.require (node.js:902:18)
npm ERR! Linux 4.1.15-2-grsec
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "install" "express"
npm ERR! node v4.2.4
npm ERR! npm v2.14.12
npm ERR! error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
crypto.js:50
this._handle = new binding.Hash(algorithm);
^
Error: error:2606906E:engine routines:ENGINE_add:internal list error
at Error (native)
at new Hash (crypto.js:50:18)
at Object.Hash (crypto.js:49:12)
at md5hex (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:6:21)
at getTmpname (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:15:27)
at new WriteStream (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:31:22)
at WriteStream (/usr/lib/node_modules/npm/node_modules/fs-write-stream-atomic/index.js:26:12)
at writeLogFile (/usr/lib/node_modules/npm/lib/utils/error-handler.js:394:14)
at exit (/usr/lib/node_modules/npm/lib/utils/error-handler.js:80:28)
at process.errorHandler (/usr/lib/node_modules/npm/lib/utils/error-handler.js:385:3)
*(from redmine: issue id 4999, created on 2016-01-08, closed on 2016-03-18)*
* Changesets:
* Revision 351bd62f71d4ca5138e3d4a33c94852f307cf03c by Timo Teräs on 2016-01-15T06:18:30Z:
```
main/nodejs: fix crypto hash error handling
fixes #4999
Upstream regression. Cherry-pick fix from
https://github.com/nodejs/node/issues/4221
```
* Revision 30beca0f2f1de59e9fc8632d2807da50057217aa by Timo Teräs on 2016-01-15T06:25:04Z:
```
main/nodejs: fix crypto hash error handling
fixes #4999
Upstream regression. Cherry-pick fix from
https://github.com/nodejs/node/issues/4221
(cherry picked from commit 351bd62f71d4ca5138e3d4a33c94852f307cf03c)
```
* Revision 29f1e13e6f54c24c5fac520555da38e763c6c45b by Natanael Copa on 2016-02-04T14:46:16Z:
```
main/openssl: remove padlock autoload patch
it appears they made padlock static upstream again
this fixes nodejs issues
ref #4999
```3.3.2Timo TeräsTimo Teräshttps://gitlab.alpinelinux.org/alpine/aports/-/issues/4949Issue reading a structure from libc (calling function getifaddrs) with python...2019-07-23T13:43:24ZAxel VoitierIssue reading a structure from libc (calling function getifaddrs) with python ctypesHello,
Using Docker containers for Alpine, with versions 3.1, 3.2 or edge, I
have the following issue.
I install python
>apk —update add python
I copy over the following python script:
https://gist.github.com/AxelVoitier/8d74496ad...Hello,
Using Docker containers for Alpine, with versions 3.1, 3.2 or edge, I
have the following issue.
I install python
>apk —update add python
I copy over the following python script:
https://gist.github.com/AxelVoitier/8d74496adb169df28d8b
And execute it:
>python test\_libc.py
I get the following results in Alpine:
Traceback (most recent call last):
File "test_libc.py", line 259, in <module>
pp(get_ifaddrs())
File "test_libc.py", line 200, in get_ifaddrs
si = sockaddr_in.from_address(ifa.ifa_ifu.ifu_broadaddr)
TypeError: integer expected
On any other “big” Linux systems I tried this work fine.
Could it be that musl is not correctly typing the structures returned by
getifaddrs?
Cheers,
Axel
*(from redmine: issue id 4949, created on 2015-12-10, closed on 2016-03-18)*
* Changesets:
* Revision 56101f21b652321e32c4a02139ea042fccf6bebd by Timo Teräs on 2016-01-23T16:13:17Z:
```
main/musl: cherry-pick upstream fixes and improvements
fixes #4621
fixes #4949
(cherry picked from commit 8a4ccf53a605414546a73d39dda24fe95c1bc1b2)
```3.3.2Timo TeräsTimo Teräshttps://gitlab.alpinelinux.org/alpine/aports/-/issues/4128OpenJDK build creates an empty certificate keystore2019-07-23T13:54:30ZalgitbotOpenJDK build creates an empty certificate keystoreOpenJDK 1.7 build creates an empty trusted certificate authority
keystore. It results in such cryptic errors as:
>Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
I encountered s...OpenJDK 1.7 build creates an empty trusted certificate authority
keystore. It results in such cryptic errors as:
>Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
I encountered such issue trying to start Logstash 1.5 on Alpine Linux.
Here, I am checking the keystore for Alpine Linux:
bash-4.3\# cat /etc/issue
Welcome to Alpine Linux 3.1
bash-4.3\# keytool -list -keystore
/usr/lib/jvm/java-1.7-openjdk/jre/lib/security/cacerts -storepass
changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries
Just to compare, I am checking the keystore for Ubuntu Linux:
root@b1c19f12ce4a:/\# cat /etc/issue
Ubuntu 14.04.2 LTS
root@b1c19f12ce4a:/\# keytool -list -keystore
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts -storepass
changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 173 entries
Is that reasonable to supply Alpine with some pre-installed
certificates?
Thank you.
*(from redmine: issue id 4128, created on 2015-04-28, closed on 2016-03-18)*
* Changesets:
* Revision 94969c8a556eedeeafb78a33752ab6b6e6f7f892 by Natanael Copa on 2016-01-14T13:42:23Z:
```
community/openjdk8: fix cacerts
ref #4128
```
* Revision 2445067072ee0b830308575d5d63ce0981a73de3 by Natanael Copa on 2016-01-14T13:59:48Z:
```
community/openjdk8: fix cacerts
fixes #4128
(cherry picked from commit 94969c8a556eedeeafb78a33752ab6b6e6f7f892)
```3.3.2Timo TeräsTimo Teräs