alpine issueshttps://gitlab.alpinelinux.org/groups/alpine/-/issues2019-07-23T11:57:22Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7028[3.4] wireshark: Multiple issues (CVE-2017-6467, CVE-2017-6468, CVE-2017-6469...2019-07-23T11:57:22ZAlicha CH[3.4] wireshark: Multiple issues (CVE-2017-6467, CVE-2017-6468, CVE-2017-6469, CVE-2017-6470, CVE-2017-6471, CVE-2017-6472, CVE-2017-6473, CVE-2017-6474)### CVE-2017-6467: NetScaler file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-11.html
### CVE-2017-64...### CVE-2017-6467: NetScaler file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-11.html
### CVE-2017-6468: NetScaler file parser crash
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-08.html
### CVE-2017-6469: LDSS dissector crash
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed In Version**: wireshark 2.2.5, wireshark 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-03.html
### CVE-2017-6470: IAX2 infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed In Version**: wireshark 2.2.5, wireshark 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-10.html
### CVE-2017-6471: WSP infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-05.html
### CVE-2017-6472: RTMPT dissector infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-04.html
### CVE-2017-6473: K12 file parser crash
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-09.html
### CVE-2017-6474: NetScaler file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-07.html
### wnpa-sec-2017-06: STANAG 4607 file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-06.html
*(from redmine: issue id 7028, created on 2017-03-17, closed on 2017-03-28)*
* Relations:
* parent #7025
* Changesets:
* Revision 5ef9a224ec901396be2e487a7a81b32b0bcef9e0 on 2017-03-27T14:19:03Z:
```
main/wireshark: security fixes #7028
CVE-2017-6467: NetScaler file parser infinite loop
CVE-2017-6468: NetScaler file parser crash
CVE-2017-6469: LDSS dissector crash
CVE-2017-6470: IAX2 infinite loop
CVE-2017-6471: WSP infinite loop
CVE-2017-6472: RTMPT dissector infinite loop
CVE-2017-6473: K12 file parser crash
CVE-2017-6474: NetScaler file parser infinite loop
wnpa-sec-2017-06: STANAG 4607 file parser infinite loop
```3.4.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7029[3.3]wireshark: Multiple issues (CVE-2017-6467, CVE-2017-6468, CVE-2017-6469,...2019-07-23T11:57:21ZAlicha CH[3.3]wireshark: Multiple issues (CVE-2017-6467, CVE-2017-6468, CVE-2017-6469, CVE-2017-6470, CVE-2017-6471, CVE-2017-6472, CVE-2017-6473, CVE-2017-6474)### CVE-2017-6467: NetScaler file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-11.html
### CVE-2017-64...### CVE-2017-6467: NetScaler file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-11.html
### CVE-2017-6468: NetScaler file parser crash
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-08.html
### CVE-2017-6469: LDSS dissector crash
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed In Version**: wireshark 2.2.5, wireshark 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-03.html
### CVE-2017-6470: IAX2 infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed In Version**: wireshark 2.2.5, wireshark 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-10.html
### CVE-2017-6471: WSP infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-05.html
### CVE-2017-6472: RTMPT dissector infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-04.html
### CVE-2017-6473: K12 file parser crash
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-09.html
### CVE-2017-6474: NetScaler file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-07.html
### wnpa-sec-2017-06: STANAG 4607 file parser infinite loop
**Affected versions**: 2.2.0 to 2.2.4, 2.0.0 to 2.0.10
**Fixed versions**: 2.2.5, 2.0.11
### References:
https://www.wireshark.org/security/wnpa-sec-2017-06.html
*(from redmine: issue id 7029, created on 2017-03-17, closed on 2017-03-28)*
* Relations:
* parent #7025
* Changesets:
* Revision a651332cfe10a56fbb9a40df8cedfc15e9b7d7bb on 2017-03-27T14:41:46Z:
```
main/wireshark: security fixes #7029
CVE-2017-6467: NetScaler file parser infinite loop
CVE-2017-6468: NetScaler file parser crash
CVE-2017-6469: LDSS dissector crash
CVE-2017-6470: IAX2 infinite loop
CVE-2017-6471: WSP infinite loop
CVE-2017-6472: RTMPT dissector infinite loop
CVE-2017-6473: K12 file parser crash
CVE-2017-6474: NetScaler file parser infinite loop
wnpa-sec-2017-06: STANAG 4607 file parser infinite loop
```3.3.4Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7031[3.6] chicken: unchecked size argument in malloc() (CVE-2017-6949)2019-07-23T11:57:19ZAlicha CH[3.6] chicken: unchecked size argument in malloc() (CVE-2017-6949)An issue was discovered in CHICKEN Scheme through 4.12.0. When using a
nonstandard CHICKEN-specific extension to
allocate an SRFI-4 vector in unmanaged memory, the vector size would be
used in unsanitised form as an argument to malloc(...An issue was discovered in CHICKEN Scheme through 4.12.0. When using a
nonstandard CHICKEN-specific extension to
allocate an SRFI-4 vector in unmanaged memory, the vector size would be
used in unsanitised form as an argument to malloc().
With an unexpected size, the impact may have been a segfault or buffer
overflow.
### References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6949
http://openwall.com/lists/oss-security/2017/03/16/10
*(from redmine: issue id 7031, created on 2017-03-17, closed on 2019-05-03)*
* Relations:
* parent #70303.6.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/7032[3.5] chicken: unchecked size argument in malloc() (CVE-2017-6949)2019-07-23T11:57:18ZAlicha CH[3.5] chicken: unchecked size argument in malloc() (CVE-2017-6949)An issue was discovered in CHICKEN Scheme through 4.12.0. When using a
nonstandard CHICKEN-specific extension to
allocate an SRFI-4 vector in unmanaged memory, the vector size would be
used in unsanitised form as an argument to malloc(...An issue was discovered in CHICKEN Scheme through 4.12.0. When using a
nonstandard CHICKEN-specific extension to
allocate an SRFI-4 vector in unmanaged memory, the vector size would be
used in unsanitised form as an argument to malloc().
With an unexpected size, the impact may have been a segfault or buffer
overflow.
### References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6949
http://openwall.com/lists/oss-security/2017/03/16/10
*(from redmine: issue id 7032, created on 2017-03-17, closed on 2019-05-04)*
* Relations:
* parent #70303.5.4https://gitlab.alpinelinux.org/alpine/aports/-/issues/7033gtk-vnc: two input validation flaws (CVE-2017-5884, CVE-2017-5885)2019-07-23T11:57:18ZAlicha CHgtk-vnc: two input validation flaws (CVE-2017-5884, CVE-2017-5885)### CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile
gtk-vnc before 0.7.0 does not properly check boundaries of
subrectangle-containing tiles, which allows remote servers
to execute arbitrary code via the...### CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile
gtk-vnc before 0.7.0 does not properly check boundaries of
subrectangle-containing tiles, which allows remote servers
to execute arbitrary code via the src x, y coordinates in a crafted (1)
rre, (2) hextile, or (3) copyrect tile.
### References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5884
### Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178
### CVE-2017-5885: Integer overflow when processing SetColorMapEntries
Multiple integer overflows in the (1) vnc\_connection\_server\_message
and (2) vnc\_color\_map\_set functions in gtk-vnc before 0.7.0 allow
remote servers to cause a denial of service (crash) or possibly execute
arbitrary code via vectors involving SetColorMapEntries, which triggers
a buffer overflow.
### References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5885
### Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=c8583fd3783c5b811590
*(from redmine: issue id 7033, created on 2017-03-17, closed on 2017-03-20)*
* Relations:
* child #7034
* child #7035Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7034[3.6] gtk-vnc: two input validation flaws (CVE-2017-5884, CVE-2017-5885)2019-07-23T11:57:17ZAlicha CH[3.6] gtk-vnc: two input validation flaws (CVE-2017-5884, CVE-2017-5885)### CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile
gtk-vnc before 0.7.0 does not properly check boundaries of
subrectangle-containing tiles, which allows remote servers
to execute arbitrary code via the...### CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile
gtk-vnc before 0.7.0 does not properly check boundaries of
subrectangle-containing tiles, which allows remote servers
to execute arbitrary code via the src x, y coordinates in a crafted (1)
rre, (2) hextile, or (3) copyrect tile.
### References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5884
### Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178
### CVE-2017-5885: Integer overflow when processing SetColorMapEntries
Multiple integer overflows in the (1) vnc\_connection\_server\_message
and (2) vnc\_color\_map\_set functions in gtk-vnc before 0.7.0 allow
remote servers to cause a denial of service (crash) or possibly execute
arbitrary code via vectors involving SetColorMapEntries, which triggers
a buffer overflow.
### References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5885
### Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=c8583fd3783c5b811590
*(from redmine: issue id 7034, created on 2017-03-17, closed on 2017-03-20)*
* Relations:
* parent #7033
* Changesets:
* Revision d065be83c388f73c3ec32b0cf07194a5000fdc39 by Sergei Lukin on 2017-03-17T15:05:51Z:
```
community/gtk-vnc: security upgrade to 0.7.0 - fixes #7034
CVE-2017-5884
CVE-2017-5885
https://security-tracker.debian.org/tracker/CVE-2017-5884
https://security-tracker.debian.org/tracker/CVE-2017-5885
```3.6.0Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7035[3.5] gtk-vnc: two input validation flaws (CVE-2017-5884, CVE-2017-5885)2019-07-23T11:57:15ZAlicha CH[3.5] gtk-vnc: two input validation flaws (CVE-2017-5884, CVE-2017-5885)### CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile
gtk-vnc before 0.7.0 does not properly check boundaries of
subrectangle-containing tiles, which allows remote servers
to execute arbitrary code via the...### CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile
gtk-vnc before 0.7.0 does not properly check boundaries of
subrectangle-containing tiles, which allows remote servers
to execute arbitrary code via the src x, y coordinates in a crafted (1)
rre, (2) hextile, or (3) copyrect tile.
### References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5884
### Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178
### CVE-2017-5885: Integer overflow when processing SetColorMapEntries
Multiple integer overflows in the (1) vnc\_connection\_server\_message
and (2) vnc\_color\_map\_set functions in gtk-vnc before 0.7.0 allow
remote servers to cause a denial of service (crash) or possibly execute
arbitrary code via vectors involving SetColorMapEntries, which triggers
a buffer overflow.
### References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5885
### Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=c8583fd3783c5b811590
*(from redmine: issue id 7035, created on 2017-03-17, closed on 2017-03-20)*
* Relations:
* parent #7033
* Changesets:
* Revision d7ba0e189fccc1057d2f2de3022b723e8a58a528 by Sergei Lukin on 2017-03-20T11:37:17Z:
```
community/gtk-vnc: security upgrade to 0.7.0 - fixes #7035
CVE-2017-5884
CVE-2017-5885
https://security-tracker.debian.org/tracker/CVE-2017-5884
https://security-tracker.debian.org/tracker/CVE-2017-5885
```3.5.3Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7036new mirror2019-07-23T11:57:14ZDan Schwarznew mirrorHello
Do you accept new mirrors?
Sorry if the contact method is not the proper one.
Thank you
*(from redmine: issue id 7036, created on 2017-03-17, closed on 2019-06-19)*Hello
Do you accept new mirrors?
Sorry if the contact method is not the proper one.
Thank you
*(from redmine: issue id 7036, created on 2017-03-17, closed on 2019-06-19)*https://gitlab.alpinelinux.org/alpine/aports/-/issues/7037/init does not correctly handle serial port config from command line2019-07-23T11:57:13ZManuel Mendez/init does not correctly handle serial port config from command lineAccording to kernel docs
https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
and
https://www.kernel.org/doc/Documentation/admin-guide/serial-console.rst
serial port console config supports more options than just sp...According to kernel docs
https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
and
https://www.kernel.org/doc/Documentation/admin-guide/serial-console.rst
serial port console config supports more options than just speed, e.g.:
console=115200n8
`/init` will then configure `/etc/inittab` for getty, but getty does not
understand the kernel syntax and repeatedly prints
getty: bad speed
`/init` should do a better job of parsing the kernel console command
line syntax
*(from redmine: issue id 7037, created on 2017-03-17, closed on 2017-06-16)*
* Changesets:
* Revision c32140e9a21673e7674e686d797cdd9f2efd8a0d by Natanael Copa on 2017-06-16T14:49:04Z:
```
main/mkinitfs: upgrade to 3.1.0
fixes #7037
```3.6.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/7039Can't install nginx : BAD signature2019-07-23T11:57:12ZWonder FallCan't install nginx : BAD signature`# apk -U add nginx
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/1) Installing nginx (1.10.3-r0)
ERROR: nginx-1.10.3-r0: B...`# apk -U add nginx
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/1) Installing nginx (1.10.3-r0)
ERROR: nginx-1.10.3-r0: BAD signature`
*(from redmine: issue id 7039, created on 2017-03-18, closed on 2017-05-22)*
* Changesets:
* Revision 6db213afeec807b06d5acbe5877d0d43d776e5a6 on 2017-03-23T10:18:41Z:
```
main/nginx: force rebuild nginx pkg. Fixes #7039
```https://gitlab.alpinelinux.org/alpine/aports/-/issues/7041main/tirpc doesn't provide 'key_secretkey_is_set' function.2019-07-23T11:57:12ZValery Kartelmain/tirpc doesn't provide 'key_secretkey_is_set' function.I have a linker error while build a new package:
@
.libs/nis\_callback.o: In function \`\_\_nis\_create\_callback’:
nis\_callback.c:(.text+0x51d): undefined reference to
\`key\_secretkey\_is\_set’
collect2: error: ld returned 1 ex...I have a linker error while build a new package:
@
.libs/nis\_callback.o: In function \`\_\_nis\_create\_callback’:
nis\_callback.c:(.text+0x51d): undefined reference to
\`key\_secretkey\_is\_set’
collect2: error: ld returned 1 exit status
@
function ‘key\_secretkey\_is\_set’ described in tirpc/rpc/auth.h as
external
`extern int key_secretkey_is_set(void);`
But it does not in exists in exported symbols list:
`$ nm -D libtirpc.so.3.0.0 | grep key_
000000000022be20 B __getpublickey_LOCAL
000000000022be10 B __key_decryptsession_pk_LOCAL
000000000022be18 B __key_encryptsession_pk_LOCAL
000000000022be08 B __key_gendes_LOCAL
000000000001f160 T key_decryptsession
000000000001f022 T key_decryptsession_pk
000000000001f0c5 T key_encryptsession
000000000001ef7f T key_encryptsession_pk
000000000001f1fb T key_gendes
000000000001f2aa T key_get_conv
000000000001f228 T key_setnet
000000000001ef00 T key_setsecret
U pthread_key_create
U pthread_key_delete
000000000001f4ac T xdr_key_netstarg
000000000001f4ed T xdr_key_netstres
`
Have no any idea how to fix it ((
*(from redmine: issue id 7041, created on 2017-03-19, closed on 2017-04-27)*
* Changesets:
* Revision 9edb53cea056101c4963a04b747bf102de23f919 by Valery Kartel on 2017-04-27T06:02:09Z:
```
main/libtirpc: fix exported symbols map
fixes #7041
```Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7042Edge: root filesystem mounted as readonly after openrc update to 0.24.12019-07-23T11:57:11ZAvi HalachmiEdge: root filesystem mounted as readonly after openrc update to 0.24.1System: alpine edge x86-64 installed to HDD in virtualbox without guest
additions or any other vbox modules. The system has been running and
updating fine for some months prior to this issue.
After updating openrc and booting, \`/\` is ...System: alpine edge x86-64 installed to HDD in virtualbox without guest
additions or any other vbox modules. The system has been running and
updating fine for some months prior to this issue.
After updating openrc and booting, \`/\` is mounted as readonly, and the
same happens with further boots. Executing \`mount -o remount,rw /\`
after logging in seem to make it usable again.
It *seems* the offending commit is
75beafaab9382148ffdd85d7c1444775b29b44d7 , and specifically the update
of \`0002-force-root-be-rw-before-localmount.patch\` .
This is how this patch looked with openrc 0.23.2:
http://git.alpinelinux.org/cgit/aports/tree/main/openrc/0002-force-root-be-rw-before-localmount.patch?id=e65aa032e89545870845918ca05d4943e0ec10f0
And this is how this patch looks now with openrc 0.24.1:
http://git.alpinelinux.org/cgit/aports/tree/main/openrc/0002-force-root-be-rw-before-localmount.patch?id=75beafaab9382148ffdd85d7c1444775b29b44d7
It seems the patch removes \`root\` and doesn’t add one like the
previous patch did.
I first attempted to just disable the new patch as if it didn’t exist. I
directly edited the file \`/etc/init.d/localmount\` (i.e. restore
\`root\` to both the \`use\` and \`after\` lines of \`depend()\`) -
which didn’t fix the issue - the system still booted with \`/\`
readonly.
I then re-applied the new patch (i.e. removed \`root\` from the
use/after lines) and also applied the old patch on top (changed \`need
fsck\` to \`need fsck root\`) - which seems to have fixed the issue. The
system now boots correctly with \`/\` mounted as read/write.
However, I don’t know why the new patch removes \`root\` to begin with,
and so I don’t know if my fix is correct.
*(from redmine: issue id 7042, created on 2017-03-19, closed on 2017-05-22)*
* Changesets:
* Revision e600c084bdf6736681e1e14d66b77c1558eb5835 by Kaarle Ritvanen on 2017-03-20T20:17:27Z:
```
main/openrc: fix re-mounting root file system
fixes #7042
```https://gitlab.alpinelinux.org/alpine/aports/-/issues/7044[3.5] pdns: Multiple vulnerabilities (CVE-2016-2120, CVE-2016-7068, CVE-2016-...2019-07-23T11:57:10ZAlicha CH[3.5] pdns: Multiple vulnerabilities (CVE-2016-2120, CVE-2016-7068, CVE-2016-7072, CVE-2016-7073, CVE-2016-7074)### CVE-2016-2120: Crafted zone record can cause a denial of service
Affects: PowerDNS Authoritative Server up to and including 3.4.10,
**4.0.1**
Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
### Reference:
https://doc.p...### CVE-2016-2120: Crafted zone record can cause a denial of service
Affects: PowerDNS Authoritative Server up to and including 3.4.10,
**4.0.1**
Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
### Reference:
https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/
### Patches:
https://downloads.powerdns.com/patches/2016-05/
### CVE-2016-7068: Crafted queries can cause abnormal CPU usage
Affects: PowerDNS Authoritative Server up to and including 3.4.10,
**4.0.1**
Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
### Reference:
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
### Patches:
https://downloads.powerdns.com/patches/2016-02/
### CVE-2016-7072: Denial of service via the web server
Affects: PowerDNS Authoritative Server up to and including 3.4.10,
**4.0.1**
Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
### Reference:
https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/
### Patches:
https://downloads.powerdns.com/patches/2016-03/
### CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures
Affects: PowerDNS Authoritative Server up to and including 3.4.10,
**4.0.1**
Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
### Reference:
https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
### Patches:
https://downloads.powerdns.com/patches/2016-04/
*(from redmine: issue id 7044, created on 2017-03-21, closed on 2017-04-06)*
* Changesets:
* Revision 3a479b103eb9d61f344de80e8293bbc27403ce40 by Sergei Lukin on 2017-04-03T12:33:49Z:
```
community/pdns: security upgrade to 4.0.3 - fixes #7044
CVE-2016-2120: Crafted zone record can cause a denial of service
CVE-2016-7068: Crafted queries can cause abnormal CPU usage
CVE-2016-7072: Denial of service via the web server
CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures
```3.5.3https://gitlab.alpinelinux.org/alpine/aports/-/issues/7045[3.5] pdns-recursor: Multiple vulnerabilities (CVE-2016-7068, CVE-2016-7073, ...2019-07-23T11:57:08ZAlicha CH[3.5] pdns-recursor: Multiple vulnerabilities (CVE-2016-7068, CVE-2016-7073, CVE-2016-7074)### CVE-2016-7068: Crafted queries can cause abnormal CPU usage
Affects: PowerDNS Recursor up to and including 3.7.3, **4.0.3**
Not affected: PowerDNS Recursor 3.7.4, 4.0.4
### Reference:
https://doc.powerdns.com/md/security/powerdn...### CVE-2016-7068: Crafted queries can cause abnormal CPU usage
Affects: PowerDNS Recursor up to and including 3.7.3, **4.0.3**
Not affected: PowerDNS Recursor 3.7.4, 4.0.4
### Reference:
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
### Patches:
https://downloads.powerdns.com/patches/2016-02/
### CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures
Affects: PowerDNS Recursor from 4.0.0 and up to and including
**4.0.3**
Not affected: PowerDNS Recursor < 4.0.0, 4.0.4
### Reference:
https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
### Patches:
https://downloads.powerdns.com/patches/2016-04/
*(from redmine: issue id 7045, created on 2017-03-21, closed on 2017-04-06)*
* Changesets:
* Revision e98a3138ba6fb05dfcce66ffb9974e77777486ad by Sergei Lukin on 2017-04-03T10:06:31Z:
```
community/pdns-recursor: security upgrade to 4.0.4 - fixes #7045
CVE-2016-7068: Crafted queries can cause abnormal CPU usage
CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures
https://doc.powerdns.com/md/changelog/#powerdns-recursor-404
```3.5.3https://gitlab.alpinelinux.org/alpine/aports/-/issues/7046Problem is php7-pdo_mysql (PHP Startup: Unable to load dynamic library)2019-07-23T11:57:08ZNicolas CARPiProblem is php7-pdo_mysql (PHP Startup: Unable to load dynamic library)Hello,
I’m trying to build something from edge with php, and I get this error:
@
PHP Warning: PHP Startup: Unable to load dynamic library
‘/usr/lib/php7/modules/pdo\_mysql.so’ - Error relocating
/usr/lib/php7/modules/pdo\_mysql.so: p...Hello,
I’m trying to build something from edge with php, and I get this error:
@
PHP Warning: PHP Startup: Unable to load dynamic library
‘/usr/lib/php7/modules/pdo\_mysql.so’ - Error relocating
/usr/lib/php7/modules/pdo\_mysql.so: pdo\_raise\_impl\_error: symbol not
found in Unknown on line 0@
I also got the same error with php-gd but this could be fixed by doing
“apk upgrade -U -a” before using php.
Here is how to reproduce it:
`docker run --rm -it alpine:edge sh -c "apk add -q -U php7 php7-pdo_mysql && php7 -r 'echo true;'"`
*(from redmine: issue id 7046, created on 2017-03-22, closed on 2017-04-14)*3.6.0Valery KartelValery Kartelhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7047v4l2-ctl segfaults when setting control values2019-07-23T11:57:06ZHannes Gustafssonv4l2-ctl segfaults when setting control valuesRunning Alpine in Docker on Ubuntu LTS segfaults
/ # v4l2-ctl -c exposure_auto=0
Segmentation fault (core dumped)
Several options fail too
/ # v4l2-ctl -c exposure_auto=0,white_balance_temperature_auto=1
Segmentatio...Running Alpine in Docker on Ubuntu LTS segfaults
/ # v4l2-ctl -c exposure_auto=0
Segmentation fault (core dumped)
Several options fail too
/ # v4l2-ctl -c exposure_auto=0,white_balance_temperature_auto=1
Segmentation fault (core dumped)
Video device is mounted into container
docker run --device /dev/video0 -it alpine:3.5 /bin/sh
Getting camera info from within container works fine
/ # v4l2-ctl --all
Driver Info (not using libv4l2):
Driver name : uvcvideo
Card type : See3CAM_CU30
Bus info : usb-0000:00:14.0-2
Driver version: 4.4.49
Capabilities : 0x84200001
Video Capture
Streaming
Extended Pix Format
Device Capabilities
Device Caps : 0x04200001
Video Capture
Streaming
Extended Pix Format
Priority: 2
Video input : 0 (Camera 1: ok)
Format Video Capture:
Width/Height : 640/480
Pixel Format : 'UYVY'
Field : None
Bytes per Line : 1280
Size Image : 614400
Colorspace : Default
Transfer Function : Default
YCbCr Encoding : Default
Quantization : Default
Flags :
Crop Capability Video Capture:
Bounds : Left 0, Top 0, Width 640, Height 480
Default : Left 0, Top 0, Width 640, Height 480
Pixel Aspect: 1/1
Selection: crop_default, Left 0, Top 0, Width 640, Height 480
Selection: crop_bounds, Left 0, Top 0, Width 640, Height 480
Streaming Parameters Video Capture:
Capabilities : timeperframe
Frames per second: 30.000 (30/1)
Read buffers : 0
brightness (int) : min=-15 max=15 step=1 default=0 value=0
contrast (int) : min=0 max=60 step=1 default=10 value=10
saturation (int) : min=0 max=98 step=1 default=16 value=16
white_balance_temperature_auto (bool) : default=0 value=1
gamma (int) : min=16 max=125 step=1 default=40 value=40
gain (int) : min=0 max=100 step=1 default=0 value=1
white_balance_temperature (int) : min=11 max=50 step=1 default=17 value=17 flags=inactive
sharpness (int) : min=1 max=7 step=1 default=1 value=1
exposure_auto (menu) : min=0 max=3 default=1 value=0
exposure_absolute (int) : min=0 max=10000 step=1 default=312 value=312 flags=inactive
zoom_absolute (int) : min=100 max=800 step=1 default=100 value=100
Trying to rebuild v4l-utils with debug info (DEBUG=1) and running in GDB
yields the following backtrace:
(gdb) run -c exposure_auto=0
Starting program: /usr/bin/v4l2-ctl -c exposure_auto=0
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7dc0f2e in strchrnul () from /lib/ld-musl-x86_64.so.1
(gdb) bt
#0 0x00007ffff7dc0f2e in strchrnul () from /lib/ld-musl-x86_64.so.1
#1 0x000000000000003d in ?? ()
#2 0x00007ffff7dc0ed0 in strchr () from /lib/ld-musl-x86_64.so.1
#3 0x0000000000000000 in ?? ()
(gdb)
Other people have reported similar errors on IRC:
http://dev.alpinelinux.org/irclogs/%23alpine-linux-2017-02.log
>2017-02-02 15:20:50 <dnb_> Trying to run v4l2-ctl from v4l-utils,
and it segfaults running any control operation… Wondering what the
process should be to find out why? My devops guy tried compiling it on
alpine, but having a hard time with musl and include paths, etc….
>2017-02-02 22:01:33 <drewlover> v4l2-utils
>2017-02-02 22:02:08 <drewlover> the package in alpine segfaults,
and we don’t have time to wait for upstream fixes, nor can we find out
exactly wtf is going on with it… so… my devops guy is trying to build it
himself, and failing miserably
>2017-02-02 22:02:29 <Shiz> ah, right
>2017-02-02 22:02:46 <Shiz>
http://git.alpinelinux.org/cgit/aports/tree/main/v4l-utils?h=3.5-stable
>2017-02-02 22:02:48 <drewlover> none of us have any understanding
of musl and all that, and I haven’t messed with C in like 10 years, so
it’s reallllly rusty to me
>2017-02-02 22:02:54 <Shiz> well you can at least use the .patch
here
>2017-02-02 22:02:59 <Shiz> that should ostensibly make it compile
>2017-02-02 22:04:30 <drewlover> I assume these are patches made
simply to make it compile, but not tested for runtime
>2017-02-02 22:05:16 <Shiz> well, usually the packages alpine ships
are tested, but it should at least give you a base
>2017-02-02 22:05:28 <Shiz> the patch isn’t very special anyway,
nothing that can induce a segfault
>2017-02-02 22:06:06 <Shiz> that isnt /w 30
Versions:
# uname -a
Linux host 4.4.0-67-generic #88-Ubuntu SMP Wed Mar 8 16:34:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
docker version
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 78d1802
Built: Tue Jan 10 20:38:45 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 78d1802
Built: Tue Jan 10 20:38:45 2017
OS/Arch: linux/amd64
*(from redmine: issue id 7047, created on 2017-03-22, closed on 2017-06-01)*
* Changesets:
* Revision bf732f20e9c9a8dfd0010618908bd458961f3ba4 by Natanael Copa on 2017-05-31T19:28:03Z:
```
main/v4l-utils: fix segfault due to undefined behavior in getsubopt
ref #7047
```
* Revision dfa7d220828b373c8d45ea627ea5b37dee28fcb7 by Natanael Copa on 2017-06-01T08:15:07Z:
```
main/v4l-utils: fix segfault due to undefined behavior in getsubopt
fixes #7047
```3.6.1Francesco ColistaFrancesco Colistahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7048Have the PHP7.1 packages been deprecated?2019-07-23T11:57:05ZJacob SanfordHave the PHP7.1 packages been deprecated?It seems the PHP7.1\* packages have been removed from upstream. Ref:
https://pkgs.alpinelinux.org/packages?name=php7.1\*&branch=&repo=&arch=&maintainer=
Is this intentional?
Additionally, the packages marked PHP7 on edge now install 7...It seems the PHP7.1\* packages have been removed from upstream. Ref:
https://pkgs.alpinelinux.org/packages?name=php7.1\*&branch=&repo=&arch=&maintainer=
Is this intentional?
Additionally, the packages marked PHP7 on edge now install 7.1.x
(previously : 7.0.x) and are installing into paths named ‘php7’ but the
packages appear to be referencing paths named ‘php7.1’.
Please advise on how to proceed - was using php7.1\* erroneous?
*(from redmine: issue id 7048, created on 2017-03-22, closed on 2017-05-22)*Valery KartelValery Kartelhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7049samba: Symlink race allows access outside share definition (CVE-2017-2619)2019-07-23T11:57:04ZAlicha CHsamba: Symlink race allows access outside share definition (CVE-2017-2619)All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.
Samba uses the realpath() syst...All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.
Samba uses the realpath() system call to ensure when a client requests
access to a pathname that it is under the exported share path on the
server file system.
### References:
https://www.samba.org/samba/security/CVE-2017-2619.html
https://www.samba.org/samba/history/security.html
*(from redmine: issue id 7049, created on 2017-03-24, closed on 2017-05-02)*
* Relations:
* child #7050
* child #7051
* child #7052
* child #7053
* child #7054Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7050[3.6] samba: Symlink race allows access outside share definition (CVE-2017-2619)2019-07-23T11:57:03ZAlicha CH[3.6] samba: Symlink race allows access outside share definition (CVE-2017-2619)All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.
Samba uses the realpath() syst...All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.
Samba uses the realpath() system call to ensure when a client requests
access to a pathname that it is under the exported share path on the
server file system.
### References:
https://www.samba.org/samba/security/CVE-2017-2619.html
https://www.samba.org/samba/history/security.html
*(from redmine: issue id 7050, created on 2017-03-24, closed on 2017-05-02)*
* Relations:
* parent #7049
* Changesets:
* Revision ab23f833069706c83824652d90547768eaebaa71 on 2017-03-27T07:50:23Z:
```
main/samba: security fix (CVE-2017-2619)
Fixes #7050
```3.6.0Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/7051[3.5] samba: Symlink race allows access outside share definition (CVE-2017-2619)2019-07-23T11:57:02ZAlicha CH[3.5] samba: Symlink race allows access outside share definition (CVE-2017-2619)All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.
Samba uses the realpath() syst...All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.
Samba uses the realpath() system call to ensure when a client requests
access to a pathname that it is under the exported share path on the
server file system.
### References:
https://www.samba.org/samba/security/CVE-2017-2619.html
https://www.samba.org/samba/history/security.html
*(from redmine: issue id 7051, created on 2017-03-24, closed on 2017-05-02)*
* Relations:
* parent #7049
* Changesets:
* Revision 2e74ac78acdfec2d3dde9cd15f16bf0067cdbcb2 on 2017-03-27T14:43:56Z:
```
main/samba: security upgrade to 4.5.7 (CVE-2017-2619). Fixes #7051
```3.5.3Natanael CopaNatanael Copa