alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
Updated: 2020-03-08T14:10:46Z

## perl-net-dns-zonefile-fast is obsolete
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11276
2020-03-08T14:10:46Z, Timothy Legge

@fcolista according to https://metacpan.org/pod/release/HARDAKER/Net-DNS-ZoneFile-Fast-1.27/Fast.pm

Should this module be removed? No other packages seem to depend on it.

> NAME
>
> Net::DNS::ZoneFile::Fast -- Obsolete module
>
> OBSOLETE
>
> Please use the Net::DNS::ZoneFile module instead, whose speed has been improved, making this module no longer necessary.

## iptables: init.d script for ebtables got lost
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11277
2020-03-17T00:25:56Z, Thomas Liske <liske@ibh.de>

With the integration of *ebtables* into *iptables* the init.d script for *ebtables* got lost. !5143 restores those missing files.
Affects alpine `v3.10` and `v3.11`.

## rpi4 usb doesnt work in Alpine Edge
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11278
2020-10-12T14:23:04Z, shum

`Alpine Edge, aarch64, rpi4`
After upgrading `linux-rpi4` to `5.4.23-r0` and rebooting the system, the USB ports don't work anymore.

Milestone: 3.12.1

## Busybox udhcpc config file missing
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11282
2021-10-20T14:22:35Z, Kévin Guignard

The file `/etc/udhcpc/udhcpc.conf` is not in the busybox[^1] package.
Without the wiki[^2] I'll always be searching *where* to configure udhcpc.

Maybe the package should have this file with the default values?

[^1]: https://pkgs.alpinelinux.org/contents?file=&path=%2Fetc&name=busybox&branch=edge&arch=x86_64
[^2]: https://wiki.alpinelinux.org/wiki/Udhcpc

## wireshark: Multiple vulnerabilities (CVE-2020-9428, CVE-2020-9430, CVE-2020-9431)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11283
2020-05-09T20:19:55Z, Alicha CH

### CVE-2020-9428: EAP dissector crash
* Affected versions: 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, 2.6.0 to 2.6.14
* Fixed versions: 3.2.2, 3.0.9, 2.6.15
#### References:
* https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16397
* https://www.wireshark.org/security/wnpa-sec-2020-05.html
### CVE-2020-9430: WiMax DLMAP dissector crash
* Affected versions: 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, 2.6.0 to 2.6.14
* Fixed versions: 3.2.2, 3.0.9, 2.6.15
#### References:
* https://www.wireshark.org/security/wnpa-sec-2020-04.html
* https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16368
### CVE-2020-9431: LTE RRC dissector memory leak
* Affected versions: 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, 2.6.0 to 2.6.14
* Fixed versions: 3.2.2, 3.0.9, 2.6.15
#### References:
* https://www.wireshark.org/security/wnpa-sec-2020-03.html
* https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16341
### Affected branches:
* [x] master (a28da2c16744dcb826c788a38055ec097dc138e7)
* [x] 3.11-stable (ab830b3f447d2a610a5b4af655787e7c1a2a1a27)

Assignee: Natanael Copa

## squid: Multiple vulnerabilities (CVE-2020-8449, CVE-2020-8450, CVE-2020-8517, CVE-2019-12528)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11284
2020-04-02T15:49:36Z, Alicha CH

### CVE-2020-8449: Improper input validation issues in HTTP Request processing
* Affected versions: Squid 2.x -> 2.7.STABLE9, Squid 3.x -> 3.5.28, Squid 4.x -> 4.9.
* Fixed in version: Squid 4.10
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
### CVE-2020-8450: Buffer overflow in a Squid acting as reverse-proxy
* Affected versions: Squid 2.x -> 2.7.STABLE9, Squid 3.x -> 3.5.28, Squid 4.x -> 4.9.
* Fixed in version: Squid 4.10
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2020_1.txt
### CVE-2020-8517: Buffer Overflow issue in ext_lm_group_acl helper.
* Affected versions: Squid 2.x -> 2.7.STABLE9, Squid 3.x -> 3.5.28, Squid 4.x -> 4.9.
* Fixed in version: Squid 4.10
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt
### CVE-2019-12528: Information Disclosure issue in FTP Gateway
* Affected versions: Squid 2.x -> 2.7.STABLE9, Squid 3.x -> 3.5.28, Squid 4.x -> 4.9.
* Fixed in version: Squid 4.10
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2020_2.txt
### Affected branches:
* [x] master (a4301166888c0e2c8a72be8e5d3ec1747a6ab6bf)
* [x] 3.11-stable (04e707dce3ab5d71feecb123c8bbffd3b2b42985)
* [x] 3.10-stable (a03c8d1518674fd14946096bb8a7db67ad565315)
* [x] 3.9-stable (cca1978fca0677250ca84f4bdcb86b395a64b6e9)
* [x] 3.8-stable (3db264c1978654cc19d61a5feaf1b0ee54e0a85b)

Assignee: Natanael Copa

## Error starting gnome-session in kvm and real hardware (alpine edge upgrade 3.36)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11285
2020-03-11T17:11:19Z, Darmon

Preparing for the new version of gnome 3.36, the following errors appear.

[greeter.log](/uploads/803a66d46fe5e71058697ccc53e33cca/greeter.log)
[messages](/uploads/9962c836f996948e3b729af2b647c1fd/messages)
[debug-gnome-session.txt](/uploads/987906f1aa01f2f7b404bfa77b475280/debug-gnome-session.txt)

![image](/uploads/2938a3a443db90cb85e1df3215f04f36/image.png)

## cacti URGENT broken due error in 2.1.10 not happened in older versions
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11287
2020-03-18T00:52:46Z, PICCORO Lenz McKAY

**cacti 2.1.10 is a BROKEN RELEASE:**
**reported at https://github.com/Cacti/cacti/issues/3330**

The patch from https://github.com/Cacti/cacti/commit/8e687065b7f456f969cccad97e2c55e5609638cd must be applied to be able to install correctly.

Please apply this urgently!

![image](/uploads/65447cbeaf9af19f4bc4c12e6c1587aa/image.png)

## py-django: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle (CVE-2020-9402)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11288
2020-05-09T20:19:55Z, Alicha CH

A flaw was found in Django in a way that GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.
#### Fixed In Version:
Django 1.11.29
#### References:
* https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
* https://www.openwall.com/lists/oss-security/2020/03/04/1
### Affected branches:
* [x] master (5625fb449efe16648b2ed8607e52e667b2bb5731)
* [x] 3.11-stable (0301b076d7141df079a9815a6fc9e7cde6b9cc31)
* [x] 3.10-stable (de8f6b009ad388a047a6b85ec224d599ad583676)
* [x] 3.9-stable (032abeb0cb17ff90166fdbce07c4a921c9147e45)
* [x] 3.8-stable (ec2cb0ea688e8d4c4ccf31b7434ab4b5cb111e66)

Assignee: Leo

## py3-ansi2html 1.5.2-r3 - ModuleNotFoundError: No module named 'pkg_resources'
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11289
2020-03-10T20:58:44Z, TBK

@fab I am getting the error below when using ansi2html
```sh
$ ansi2html
Traceback (most recent call last):
  File "/usr/bin/ansi2html", line 6, in <module>
    from pkg_resources import load_entry_point
ModuleNotFoundError: No module named 'pkg_resources'
```

## 'py-pip' and 'fish' filesystem clash (/usr/share/fish/completions/pip.fish)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11290
2020-03-11T10:43:33Z, Tomáš Mládek

In edge, after installing `py-pip` and `fish`, I get the following error:

```
ERROR: py3-pip-fish-completion-20.0.2-r1: trying to overwrite usr/share/fish/completions/pip.fish owned by fish-3.1.0-r1.
```

Opening and tagging @Leo as advised on IRC.

Thanks in advance!

## libarchive: Multiple vulnerabilities (CVE-2019-19221, 2020-9308)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11291
2020-03-12T21:36:45Z, Alicha CH

### CVE-2019-19221: out-of-bounds read in archive_wstring_append_from_mbs in archive_string.c
A vulnerability was found in Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.
#### References:
* https://github.com/libarchive/libarchive/issues/1276
* https://nvd.nist.gov/vuln/detail/CVE-2019-19221
#### Patch:
https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41
### CVE-2020-9308: attempts to unpack a RAR5 file with an invalid or corrupted header leads to a SIGSEGV
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
#### References:
* https://github.com/libarchive/libarchive/pull/1326
* https://nvd.nist.gov/vuln/detail/CVE-2020-9308
#### Patch:
https://github.com/libarchive/libarchive/commit/94821008d6eea81e315c5881cdf739202961040a
### Affected branches:
* [x] master (98a20682f4336788dac336ff23e25571663137de)
* [x] 3.11-stable
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable

Assignee: Natanael Copa

## py-waitress: Multiple vulnerabilities (CVE-2019-16785, CVE-2019-16786, CVE-2019-16789)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11292
2020-03-11T15:17:04Z, Alicha CH

### CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling
Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message.
Fixed In Version: py-waitress 1.4.0
#### References:
* https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
* https://nvd.nist.gov/vuln/detail/CVE-2019-16785
#### Patch:
https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba
### CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining.
Fixed In Version: py-waitress 1.4.0
#### References:
* https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
* https://nvd.nist.gov/vuln/detail/CVE-2019-16786
#### Patch:
https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3
### CVE-2019-16789: HTTP Request Smuggling through Invalid whitespace characters in headers
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. Affected Versions: py-waitress<1.4.0.
Fixed In Version: py-waitress 1.4.1
#### References:
* https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
* https://nvd.nist.gov/vuln/detail/CVE-2019-16789
#### Patch:
https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017
### Affected branches:
* [x] master (1dae7c4d762d8e0200654ad847bb2eec6d033599)
* [x] 3.11-stable

## audit-2.8.5-r0: daemon start and configuration paths error (edge)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11293
2020-05-30T10:16:08Z, Darmon

Setting up audit, the following errors are presented. The auditd daemon is not on the build paths.

![audit-ok](/uploads/51c2df6c563533ab3c87fae2de4dd667/audit-ok.jpg)

Transitional solution:

[posible-solucion.txt](/uploads/112cf93b7a4a7117f1ce0c7362923a2a/posible-solucion.txt)

## wc -c has 32 bit counter
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11294
2020-03-13T12:10:43Z, andrden

I'm trying to count 5 Gbytes, and the counter is reset at 4 Gbytes (32 bits).
```
podman run -it alpine /bin/sh
/ # dd if=/dev/zero bs=1M count=5000 | wc -c
5000+0 records in
5000+0 records out
**947912704**
/ # busybox
BusyBox v1.31.1 () multi-call binary.
```
It's not exactly a problem with busybox, because on Fedora 31 busybox counts correctly:
```
dd if=/dev/zero bs=1M count=5000 | busybox wc -c
5000+0 records in
5000+0 records out
5242880000 bytes (5.2 GB, 4.9 GiB) copied, 23.6317 s, 222 MB/s
**5242880000**
[andrii@localhost ~]$ cat /etc/os-release
NAME=Fedora
VERSION="31 (Workstation Edition)"
busybox
BusyBox v1.30.1 (2019-05-13 12:12:51 UTC) multi-call binary.
```
The busybox versions are a little different though, so maybe it is still a problem with busybox, but it could also be a problem with the way it is built for Alpine Linux.

## glances-3.1.4-r0 - ModuleNotFoundError: No module named 'pkg_resources'
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11295
2020-03-13T18:38:05Z, crondrift

```
alpine:~# glances
Traceback (most recent call last):
  File "/usr/bin/glances", line 6, in <module>
    from pkg_resources import load_entry_point
ModuleNotFoundError: No module named 'pkg_resources'
```

After adding "py3-setuptools" it works.

Greetings, crondrift

## firefox-esr: Multiple vulnerabilities (CVE-2020-6796, CVE-2020-6798, CVE-2020-6800, CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6811, CVE-2020-6812, CVE-2020-6814, CVE-2019-20503)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11296
2020-03-13T10:36:47Z, Alicha CH

* CVE-2020-6796: Missing bounds check on shared memory read in the parent process
* CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6800: Memory safety bugs
#### Fixed In Version:
Firefox ESR 68.5
#### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/
* CVE-2020-6805: Use-after-free when removing data about origins
* CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion
* CVE-2020-6807: Use-after-free in cubeb during stream destruction
* CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
* CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
* CVE-2020-6814: Memory safety bugs
#### Fixed In Version:
Firefox ESR 68.6
#### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6811
### Affected branches:
* [x] master
* [x] 3.11-stable

Assignee: Natanael Copa

## Postgresql ordering is broken in Alpine Docker images
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11297
2021-09-27T17:02:22Z, Rasmus Thomsen <oss@cogitri.dev>

Hello,
we've recently tried switching from Debian based postgres images to Alpine based ones, but apparently the sorting in Alpine postgres is different than in the Debian based images (possibly due to musl locale support?).
On Debian this query: `SELECT unnest(array['a','o','ä_kl', 'ö', 'oe', 'od', 'of', 'A', 'Ä_gr', 'O', 'Ö', 'ä', 'Ä', 'Müll', 'Muzin', 'Münze', 'e', 'é', 'f', 'ß', 'ss', 's', 'st' ]) ORDER BY 1;` returns this:
```
a
A
ä
Ä
Ä_gr
ä_kl
e
é
f
Müll
Münze
Muzin
o
O
ö
Ö
od
oe
of
s
ss
ß
st
(23 rows)
```
On Alpine it returns this:
```
A
Muzin
Müll
Münze
O
a
e
f
o
od
oe
of
s
ss
st
Ä
Ä_gr
Ö
ß
ä
ä_kl
é
ö
(23 rows)
```
Both databases are set up with `de_DE.utf-8` as Collate and Ctype.

## py-bleach: mutation XSS vulnerability (CVE-2020-6802)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11298
2020-03-13T18:33:01Z, Alicha CH

A mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
#### Affected Versions:
py-bleach <=3.1.0
#### Fixed In Version:
py-bleach 3.1.1
#### References:
* https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r
* https://security-tracker.debian.org/tracker/CVE-2020-6802
#### Patch:
https://github.com/mozilla/bleach/commit/f77e0f6392177a06e46a49abd61a4d9f035e57fd
### Affected branches:
* [x] master
* [x] 3.11-stable

Assignee: Leo

## sleuthkit: Multiple vulnerabilities (CVE-2020-10232, CVE-2020-10233)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11299
2020-03-13T18:41:44Z, Alicha CH

### CVE-2020-10232: Stack buffer overflow vulnerability in yaffsfs_istat() in fs/yaffs.c
In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack buffer overflow vulnerability in the YAFFS file timestamp parsing logic in yaffsfs_istat() in fs/yaffs.c.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2020-10232
* https://bugs.gentoo.org/show_bug.cgi?id=CVE-2020-10232
#### Patch:
https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1
### CVE-2020-10233: Heap-based buffer over-read in ntfs_dinode_lookup() in fs/ntfs.c
In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap-based buffer over-read in ntfs_dinode_lookup in fs/ntfs.c.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2020-10233
* https://github.com/sleuthkit/sleuthkit/issues/1829
### Affected branches:
* [x] master (9aefdaee560b79c75c429b0f4fcd98b7735c15e7)
* [x] 3.11-stable (3a7fc5cf68858dd0bd7efa8892337847a197f872)

Assignee: Leo