secdb issues: https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues (feed last updated 2021-06-15T15:39:03Z)

Issue #8: Typo in 3.12's curl APKBUILD
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/8
Shmuel Herzberg, 2021-06-15T15:39:03Z

In [this commit from 2 weeks ago](https://gitlab.alpinelinux.org/alpine/aports/-/commit/86df50f329bf28baee9a007ed436cec59862ea93), entries were added in secfixes for CVEs. However, the corresponding version was not added to the yaml, so the yaml is invalid. Instead of
```
# secfixes:
#     - CVE-2021-22897
#     - CVE-2021-22898
#     - CVE-2021-22901
#   7.76.0-r0:
#     - CVE-2021-22876
...
```
It should be
```
# secfixes:
#   7.76.1-r0: # This is the added line
#     - CVE-2021-22897
#     - CVE-2021-22898
#     - CVE-2021-22901
#   7.76.0-r0:
#     - CVE-2021-22876
...
```
This is causing secdb.alpinelinux to no longer report on curl CVEs in 3.12.

Issue #7: Add license and README file on the root of secdb.alpinelinux.org
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/7
Ariadne Conill (ariadne@ariadne.space), 2022-03-04T16:03:32Z

I have received a few inquiries about the secdb data lately...

We should publish a license for the secdb data (probably something like [CC0](https://creativecommons.org/publicdomain/zero/1.0/)).

We should also add a README explaining how to use the data (and its license).

Issue #6: Missing CVE for a "fixed version" of heimdal package in release 3.6
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/6
tomer, 2022-01-29T20:05:34Z

Hey @ncopa @Leo!
Seems like there is an issue with the secdb data for alpine 3.6 for the package heimdal https://secdb.alpinelinux.org/v3.6/main.json for version 7.4.0-r0, potentially after the changes to use the golang script instead of the lua one.

The issue seems to be coming from the aports data: you can see on the master branch in aports there is a CVE assigned to the fixed version `7.4.0-r0` https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/heimdal/APKBUILD, while for branch 3.6-stable the CVE is missing and the fixed version does exist https://gitlab.alpinelinux.org/alpine/aports/-/blob/3.6-stable/main/heimdal/APKBUILD

Should the CVE be added for the 3.6 release as well, or should the fixed version be removed?

Issue #5: Alpine secdb lists CVE-2022-4044 instead of CVE-2020-4044
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/5
nms2140, 2021-04-26T18:54:14Z

Alpine feed for 3.12 lists the following:
```
- pkg:
    name: xrdp
    secfixes:
      0.9.13.1-r0:
        - CVE-2022-4044
```

According to https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4, the CVE should instead be CVE-2020-4044. Please fix.

Issue #4: Add Vulnerability feed for Alpine 3.13
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/4
Jithu R Jacob, 2021-02-01T16:41:06Z

I'm getting a stale data error using Anchore to scan the postgres:13.1-alpine docker image, which uses alpine:3.13. Please add the feed for Alpine 3.13.

Issue #3: Unnormalized vulnerability IDs
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/3
Teppei Fukuda, 2022-07-14T05:35:45Z
```
$ wget https://secdb.alpinelinux.org/v3.6/community.json
$ jq . community.json | grep -B4 -A4 regression
      "pkg": {
        "secfixes": {
          "4.2.1-r7": [
            "CVE-2016-6252",
            "CVE-2017-2616 (+ regression fix)"
          ]
        },
        "name": "shadow"
      }
$ wget https://secdb.alpinelinux.org/v3.6/main.json
$ jq . main.json | grep -B3 -A4 XSA-204
          "4.7.1-r4": [
            "CVE-2016-10024 XSA-202",
            "CVE-2016-10025 XSA-203",
            "CVE-2016-10013 XSA-204"
          ]
        },
        "name": "xen"
      }
$ curl --silent https://secdb.alpinelinux.org/v3.11/community.json | jq . | grep -B3 -A1 CVE_2019-2426
          "7.211.2.6.17-r0": [
            "CVE-2018-11212",
            "CVE-2019-2422",
            "CVE_2019-2426"
          ],
```
Is this intentional?

Issue #2: Empty values also should be an array as usual
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/2
Teppei Fukuda, 2021-11-20T16:56:36Z

Hi all, thank you for providing security advisories.

I found some cases where an empty value has a different type than usual. For example,
```
$ wget https://secdb.alpinelinux.org/v3.3/community.json
$ jq . community.json
{
  "archs": [
    "x86_64",
    "x86",
    "armhf"
  ],
  "packages": {},
  "urlprefix": "http://dl-cdn.alpinelinux.org/alpine",
  "distroversion": "v3.3",
  "apkurl": "{{urlprefix}}/{{distroversion}}/{{reponame}}/{{arch}}/{{pkg.name}}-{{pkg.ver}}.apk",
  "reponame": "community"
}
```
As shown above, "packages" is an object, even though it is usually an array. It causes an unmarshal error in Go.
```
json: cannot unmarshal object into Go value of type []alpine.packages
```
The same issue exists in `pkg` as well.
```
    {
      "pkg": {
        "name": "heimdal",
        "secfixes": {
          "7.1.0-r1": [
            "CVE-2017-11103"
          ],
          "7.1.0-r2": [
            "CVE-2017-17439"
          ],
          "7.4.0-r0": {}
        }
      }
    },
```
Is it possible to fix it?

Issue #1: secdb script misses some security fixes
https://gitlab.alpinelinux.org/alpine/security/secdb/-/issues/1
sherzberg-1, 2022-03-21T06:22:05Z

[The lua script](https://gitlab.alpinelinux.org/alpine/infra/docker/secdb/-/blob/master/scripts/secfixes.lua) for updating the secdb index checks for a line that begins with `"# secfixes"`. However, a handful of CVE reports begin with `"# security fixes"` instead of `"secfixes"`. See, for example, [security fixes on master](https://gitlab.alpinelinux.org/search?utf8=%E2%9C%93&snippets=false&scope=&repository_ref=master&search=security+fix&group_id=2&project_id=1), or [security fixes on 3.12](https://gitlab.alpinelinux.org/search?utf8=%E2%9C%93&snippets=false&scope=&repository_ref=3.12-stable&search=security%20fix&group_id=2&project_id=1).
Two options for fixes for this, that I see, are
1. Updating all instances of `security fixes`, and changing it to `secfixes`. However, instances of `security fixes` go back to [as early as 3.2](https://gitlab.alpinelinux.org/search?utf8=%E2%9C%93&snippets=false&scope=&repository_ref=3.2-stable&search=security%20fix&group_id=2&project_id=1), and I imagine you wouldn't want to patch released Alpine versions.
2. Have the lua script also check for `# security fixes`. It would mean some inconsistency remains in the codebase, but seems like a fine solution.
Happy to make a PR with the lua fix if we agree on the solution.
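Added example, not the secdb project's own Go or lua generator (and written in Python rather than Go for brevity): a secfixes extractor and a tolerant secdb JSON reader that together handle the four data problems these issues raise: the older `# security fixes:` header (issue 1), a `{}` where a list is expected (issue 2), unnormalized IDs such as `CVE_2019-2426` or `CVE-2016-10013 XSA-204` (issue 3), and fix items that precede any version key (issue 8). The regexes, function names and the sample APKBUILD and JSON inputs are this example's own, constructed to mirror the shapes quoted in the issues above.

```python
# Added example, not the secdb project's own generator: a secfixes extractor
# and a tolerant secdb JSON reader covering the data problems in issues
# 1, 2, 3 and 8. Regexes, function names and samples are this example's own;
# the APKBUILD text and JSON below are constructed, not real files.
import json
import re

# Both header spellings found in aports (issue 1): "# secfixes:" and "# security fixes:".
HEADER_RE = re.compile(r"^#\s*(secfixes|security fixes):?\s*$", re.IGNORECASE)
# A version key such as "#   7.76.1-r0:", optionally followed by a YAML comment.
VERSION_RE = re.compile(r"^#\s+([0-9][^:\s]*):\s*(?:#.*)?$")
# A fix item such as "#     - CVE-2021-22897".
ITEM_RE = re.compile(r"^#\s+-\s+(.+?)\s*$")
# An identifier: upper-case prefix, '-' or '_' (CVE_2019-2426 is a typo for
# CVE-2019-2426), then dash-separated digits. "(+ regression fix)" never matches.
ID_RE = re.compile(r"\b([A-Z]{2,})[-_](\d+(?:-\d+)*)\b")


def normalize_ids(entry):
    """Split one secfixes entry into canonical IDs (issue 3)."""
    return [f"{prefix}-{digits}" for prefix, digits in ID_RE.findall(entry)]


def parse_secfixes(apkbuild):
    """Return {version: [ids]} from the secfixes comment block of an APKBUILD.

    Raises ValueError for the shape in issue 8: a "- CVE-..." item that appears
    before any version key, which makes the embedded YAML invalid.
    """
    fixes, version, in_block = {}, None, False
    for line in apkbuild.splitlines():
        if not in_block:
            in_block = bool(HEADER_RE.match(line))
            continue
        if not line.startswith("#"):
            break  # the comment block has ended
        if m := VERSION_RE.match(line):
            version = m.group(1)
            fixes.setdefault(version, [])  # an empty version is still a list, never {}
        elif m := ITEM_RE.match(line):
            if version is None:
                raise ValueError(f"secfixes item {m.group(1)!r} precedes any version key")
            fixes[version].extend(normalize_ids(m.group(1)))
    return fixes


def load_secdb(text):
    """Parse a secdb JSON document, turning the "{}" that issue 2 reports for an
    empty "packages" value or an empty per-version list into [] and normalizing IDs."""
    db = json.loads(text)
    packages = db.get("packages")
    db["packages"] = packages if isinstance(packages, list) else []
    for entry in db["packages"]:
        secfixes = entry["pkg"].get("secfixes") or {}
        for version, ids in secfixes.items():
            if not isinstance(ids, list):
                secfixes[version] = []
            else:
                secfixes[version] = [n for i in ids for n in normalize_ids(i)]
        entry["pkg"]["secfixes"] = secfixes
    return db


# Constructed samples mirroring the shapes quoted in the issues (not real files).
APKBUILD_OLD_HEADER = """\
pkgname=shadow
# security fixes:
#   4.2.1-r7:
#     - CVE-2016-6252
#     - CVE-2017-2616 (+ regression fix)
#   4.2.1-r8:
pkgver=4.2.1
"""
APKBUILD_BROKEN = """\
# secfixes:
#     - CVE-2021-22897
#   7.76.0-r0:
#     - CVE-2021-22876
"""
APKBUILD_FIXED = """\
# secfixes:
#   7.76.1-r0: # This is the added line
#     - CVE-2021-22897
#   7.76.0-r0:
#     - CVE-2021-22876
"""
SECDB_SAMPLE = json.dumps({
    "distroversion": "v3.6", "reponame": "main",
    "packages": [
        {"pkg": {"name": "heimdal",
                 "secfixes": {"7.1.0-r1": ["CVE-2017-11103"], "7.4.0-r0": {}}}},
        {"pkg": {"name": "xen",
                 "secfixes": {"4.7.1-r4": ["CVE-2016-10013 XSA-204", "CVE_2019-2426"]}}},
    ],
})

if __name__ == "__main__":
    print(parse_secfixes(APKBUILD_OLD_HEADER))
    print(parse_secfixes(APKBUILD_FIXED))
    try:
        parse_secfixes(APKBUILD_BROKEN)
    except ValueError as err:
        print("rejected:", err)
    for entry in load_secdb(SECDB_SAMPLE)["packages"]:
        print(entry["pkg"]["name"], entry["pkg"]["secfixes"])
```

Run against a checkout of aports, `parse_secfixes(open(path).read())` over every APKBUILD would flag the issue-8 shape at generation time instead of letting the affected package silently vanish from the feed; `load_secdb` shows the consumer-side defence for the `{}` values and mixed ID spellings that existing feeds still carry.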