alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
Updated: 2019-07-23T14:01:18Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3450
[v2.6] dbus: security issues (CVE-2014-3635, CVE-2014-3636, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639)
Updated: 2019-07-23T14:01:18Z. Author: Alexander Belous.

Alban Crequy and Simon McVittie at Collabora Ltd. discovered and fixed
several security flaws in the reference implementation of dbus-daemon,
the D-Bus message bus daemon. fd.o #83622 is a heap overflow and could
potentially be exploited to alter data or executable code; the rest are
denial-of-service issues.
For the stable branch these are fixed in dbus 1.8.8.
For the old stable branch, these are fixed in dbus 1.6.24.
References:
http://seclists.org/oss-sec/2014/q3/616
https://bugs.freedesktop.org/show_bug.cgi?id=83622
https://bugs.freedesktop.org/show_bug.cgi?id=82820
https://bugs.freedesktop.org/show_bug.cgi?id=80559
https://bugs.freedesktop.org/show_bug.cgi?id=81053
https://bugs.freedesktop.org/show_bug.cgi?id=80919
*(from redmine: issue id 3450, created on 2014-10-17, closed on 2014-10-23)*
* Relations:
* parent #3448
* Changesets:
* Revision d02e78275a3bb690d9d8099bf31ff92e3a9e68fe by Natanael Copa on 2014-10-22T14:55:10Z:
```
main/dbus: security upgrade to 1.6.24 (CVE-2014-3635,CVE-2014-3636,CVE-2014-3637,CVE-2014-3638,CVE-2014-3639)
fixes #3450
```
Milestone: Alpine 2.6.7; assignee: Natanael Copa.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3449
[v2.5] dbus: security issues (CVE-2014-3635, CVE-2014-3636, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639)
Updated: 2019-07-23T14:01:20Z. Author: Alexander Belous.

Alban Crequy and Simon McVittie at Collabora Ltd. discovered and fixed
several security flaws in the reference implementation of dbus-daemon,
the D-Bus message bus daemon. fd.o #83622 is a heap overflow and could
potentially be exploited to alter data or executable code; the rest are
denial-of-service issues.
For the stable branch these are fixed in dbus 1.8.8.
For the old stable branch, these are fixed in dbus 1.6.24.
References:
http://seclists.org/oss-sec/2014/q3/616
https://bugs.freedesktop.org/show_bug.cgi?id=83622
https://bugs.freedesktop.org/show_bug.cgi?id=82820
https://bugs.freedesktop.org/show_bug.cgi?id=80559
https://bugs.freedesktop.org/show_bug.cgi?id=81053
https://bugs.freedesktop.org/show_bug.cgi?id=80919
*(from redmine: issue id 3449, created on 2014-10-17, closed on 2014-10-23)*
* Relations:
* parent #3448
* Changesets:
* Revision 256f4e7e9f920e61c9a0f213d108851dd6eee97c by Natanael Copa on 2014-10-22T14:56:04Z:
```
main/dbus: security upgrade to 1.6.24 (CVE-2014-3635,CVE-2014-3636,CVE-2014-3637,CVE-2014-3638,CVE-2014-3639)
fixes #3449
```
Milestone: Alpine 2.5.5; assignee: Natanael Copa.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3448
dbus: security issues (CVE-2014-3635, CVE-2014-3636, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639)
Updated: 2019-07-23T13:59:06Z. Author: Alexander Belous.

Alban Crequy and Simon McVittie at Collabora Ltd. discovered and fixed
several security flaws in the reference implementation of dbus-daemon,
the D-Bus message bus daemon. fd.o #83622 is a heap overflow and could
potentially be exploited to alter data or executable code; the rest are
denial-of-service issues.
For the stable branch these are fixed in dbus 1.8.8.
For the old stable branch, these are fixed in dbus 1.6.24.
References:
http://seclists.org/oss-sec/2014/q3/616
https://bugs.freedesktop.org/show_bug.cgi?id=83622
https://bugs.freedesktop.org/show_bug.cgi?id=82820
https://bugs.freedesktop.org/show_bug.cgi?id=80559
https://bugs.freedesktop.org/show_bug.cgi?id=81053
https://bugs.freedesktop.org/show_bug.cgi?id=80919
*(from redmine: issue id 3448, created on 2014-10-17, closed on 2014-10-23)*
* Relations:
* relates #3652
* child #3449
* child #3450
* child #3451
* child #3452

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3447
[v3.0] kernel: libceph: do not hard code max auth ticket len (CVE-2014-6416, CVE-2014-6417, CVE-2014-6418)
Updated: 2019-07-23T14:01:21Z. Author: Alexander Belous.

CVE-2014-6416:
Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux
kernel before 3.16.3, allows remote attackers to cause a denial of
service (memory corruption and panic) or possibly have unspecified other
impact via a long unencrypted auth ticket.
CVE-2014-6417:
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
does not properly consider the possibility of kmalloc failure, which
allows remote attackers to cause a denial of service (system crash) or
possibly have unspecified other impact via a long unencrypted auth
ticket.
CVE-2014-6418:
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
does not properly validate auth replies, which allows remote attackers
to cause a denial of service (system crash) or possibly have unspecified
other impact via crafted data from the IP address of a Ceph Monitor.
References:
CONFIRM: http://seclists.org/oss-sec/2014/q3/604
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6416
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6417
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6418
COMMIT (upstream):
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8
COMMIT (linux-3.14.y):
https://github.com/torvalds/linux/commit/9956752afa398ea6e0c9c69b258be6afd73da4b1
COMMIT (linux-3.10.y):
https://github.com/torvalds/linux/commit/9c38ff707bbe0635121f8fb6f108ee376cff90fe
*(from redmine: issue id 3447, created on 2014-10-17, closed on 2017-05-17)*
* Relations:
* parent #3444
Milestone: 3.0.6; assignee: Natanael Copa.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3446
[v2.7] kernel: libceph: do not hard code max auth ticket len (CVE-2014-6416, CVE-2014-6417, CVE-2014-6418)
Updated: 2019-07-12T14:51:19Z. Author: Alexander Belous.

CVE-2014-6416:
Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux
kernel before 3.16.3, allows remote attackers to cause a denial of
service (memory corruption and panic) or possibly have unspecified other
impact via a long unencrypted auth ticket.
CVE-2014-6417:
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
does not properly consider the possibility of kmalloc failure, which
allows remote attackers to cause a denial of service (system crash) or
possibly have unspecified other impact via a long unencrypted auth
ticket.
CVE-2014-6418:
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
does not properly validate auth replies, which allows remote attackers
to cause a denial of service (system crash) or possibly have unspecified
other impact via crafted data from the IP address of a Ceph Monitor.
References:
CONFIRM: http://seclists.org/oss-sec/2014/q3/604
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6416
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6417
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6418
COMMIT (upstream):
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8
COMMIT (linux-3.14.y):
https://github.com/torvalds/linux/commit/9956752afa398ea6e0c9c69b258be6afd73da4b1
COMMIT (linux-3.10.y):
https://github.com/torvalds/linux/commit/9c38ff707bbe0635121f8fb6f108ee376cff90fe
*(from redmine: issue id 3446, created on 2014-10-17, closed on 2017-09-05)*
* Relations:
* parent #3444
Milestone: Alpine 2.7.10; assignee: Natanael Copa.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3445
[v2.6] kernel: libceph: do not hard code max auth ticket len (CVE-2014-6416, CVE-2014-6417, CVE-2014-6418)
Updated: 2019-07-12T14:51:18Z. Author: Alexander Belous.

CVE-2014-6416:
Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux
kernel before 3.16.3, allows remote attackers to cause a denial of
service (memory corruption and panic) or possibly have unspecified other
impact via a long unencrypted auth ticket.
CVE-2014-6417:
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
does not properly consider the possibility of kmalloc failure, which
allows remote attackers to cause a denial of service (system crash) or
possibly have unspecified other impact via a long unencrypted auth
ticket.
CVE-2014-6418:
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
does not properly validate auth replies, which allows remote attackers
to cause a denial of service (system crash) or possibly have unspecified
other impact via crafted data from the IP address of a Ceph Monitor.
References:
CONFIRM: http://seclists.org/oss-sec/2014/q3/604
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6416
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6417
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6418
COMMIT (upstream):
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8
COMMIT (linux-3.14.y):
https://github.com/torvalds/linux/commit/9956752afa398ea6e0c9c69b258be6afd73da4b1
COMMIT (linux-3.10.y):
https://github.com/torvalds/linux/commit/9c38ff707bbe0635121f8fb6f108ee376cff90fe
*(from redmine: issue id 3445, created on 2014-10-17, closed on 2017-09-05)*
* Relations:
* parent #3444
Milestone: Alpine 2.6.7; assignee: Natanael Copa.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3443
Package Request: YADIFA
Updated: 2019-07-23T14:01:21Z. Author: Dennis Przytarski.

YADIFA (Yet Another DNS Implementation For All)
YADIFA is written from scratch in C and supports DNSSEC, TSIG, DNS
notify, DNS update, IPv6.
http://www.yadifa.eu/
*(from redmine: issue id 3443, created on 2014-10-16, closed on 2014-11-05)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3442
Package request: gammu
Updated: 2019-07-23T14:01:22Z. Author: V Krishn.

Find gnokii ok, but could not dial USSD code to fetch useful info.
Don’t know if it can be done in other way in gnokii, like
gammu getussd <ussd code>
Would be nice to have gammu.
Thanks
*(from redmine: issue id 3442, created on 2014-10-16, closed on 2015-12-17)*
Assignee: Scrumpy Jack.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3441
Segmentation fault when LogLevel set to debug in apache2-ssl module
Updated: 2019-07-23T14:01:23Z. Author: W Fleisch.

When on an Apache server the LogLevel in the ssl module is set to debug,
the RADIUS authentication process causes a segmentation fault:
```
Sep 15 10:20:20 alpine kern.alert kernel: [ 755.423413] grsec: From x.x.x.x: Segmentation fault occurred at 00000051000009c6 in /usr/sbin/httpd[httpd:2502] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/httpd[httpd:2497] uid/euid:0/0 gid/egid:0/0
```
The error can be reproduced as follows:
1. Add some packages:
`apk add freeradius apache2-ssl apache-mod-auth-radius`
2. Start radius: `radiusd -X`
3. Stop the program then start it as a service:
`rc-service radiusd start`
4. Modify the following settings in
**/etc/apache2/conf.d/mod-auth-radius.conf**:
```
AddRadiusAuth localhost:1812 test123 5
#AuthRadiusCookieValid 60
<Directory /var/www/localhost/htdocs>
```
5. Modify the following settings in **/etc/apache2/conf.d/ssl.conf**:
```
#SSLMutex default
LogLevel debug
```
6. Start Apache: `rc-service apache2 start`
7. Now browse to https://Your_IP_address
8. Check **/var/log/messages**
*(from redmine: issue id 3441, created on 2014-10-16, closed on 2019-06-11)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3440
Feature request for setup-disk to provide option for disk encryption
Updated: 2021-05-09T17:57:23Z. Author: Chris Spillane.

It would be awesome if the setup-disk script provided the option for
disk encryption when using the ‘sys’ installation type.
There would presumably have to be some discussion over exactly how this
is done and what encryption method to use etc, and I would advise of
course overwriting the disk with random data before this is done; since
this is done at install and presumably on a new server, there is the
possibility of low system entropy at this time, so it may also be a good
idea to have the system attempt to generate at least some further
entropy through disk churn and perhaps use of the haveged package, since
poor entropy at this stage would defeat the purpose of disk encryption.
As usual, please let me know if you need anything further from me.
*(from redmine: issue id 3440, created on 2014-10-16)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3438
Feature request for setup-disk to provide option for GPT partitioning
Updated: 2020-01-20T08:05:42Z. Author: Chris Spillane.

As a huge fan of the alpine setup scripts to minimize administrative
overhead when building a new server, it would be beneficial in my
opinion for the setup-disk script to add an option to use GPT
partitioning instead of MBR partitioning.
Presumably this would also need the gptfdisk package (or similar).
I don’t think this would require many other changes, there’s still the
need for a bootable partition (/boot) and so forth, according to
http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/doc/gpt.txt?id=HEAD
Let me know if I can be of further assistance or provide further
information.
*(from redmine: issue id 3438, created on 2014-10-16)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3437
[v3.0] openssl: Security Advisory [15 Oct 2014] (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
Updated: 2019-07-23T14:01:24Z. Author: Natanael Copa.

OpenSSL Security Advisory [15 Oct 2014]
===
SRTP Memory Leak (CVE-2014-3513)
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
This issue was reported to OpenSSL on 26th September 2014, based on an
original issue and patch developed by the LibreSSL project. Further
analysis of the issue was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Session Ticket Memory Leak (CVE-2014-3567)
==
Severity: Medium
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL on 8th October 2014.
The fix was developed by Stephen Henson of the OpenSSL core team.
SSL 3.0 Fallback protection
===
Severity: Medium
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo
Moeller.
Build option no-ssl3 is incomplete (CVE-2014-3568)
==
Severity: Low
When OpenSSL is configured with “no-ssl3” as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th
October 2014.
The fix was developed by Akamai and the OpenSSL team.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
*(from redmine: issue id 3437, created on 2014-10-16, closed on 2014-10-17)*
* Relations:
* copied_to #3436
* parent #3433
* Changesets:
* Revision 4dc9b437132ccb0949aa179ce0b3cbeb14fad028 by Natanael Copa on 2014-10-16T08:40:04Z:
```
main/openssl: security upgrade to 1.0.1j (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
fixes #3437
```
Milestone: 3.0.6.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3436
[v2.7] openssl: Security Advisory [15 Oct 2014] (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
Updated: 2019-07-23T14:01:25Z. Author: Natanael Copa.

OpenSSL Security Advisory [15 Oct 2014]
===
SRTP Memory Leak (CVE-2014-3513)
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
This issue was reported to OpenSSL on 26th September 2014, based on an
original issue and patch developed by the LibreSSL project. Further
analysis of the issue was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Session Ticket Memory Leak (CVE-2014-3567)
==
Severity: Medium
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL on 8th October 2014.
The fix was developed by Stephen Henson of the OpenSSL core team.
SSL 3.0 Fallback protection
===
Severity: Medium
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo
Moeller.
Build option no-ssl3 is incomplete (CVE-2014-3568)
==
Severity: Low
When OpenSSL is configured with “no-ssl3” as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th
October 2014.
The fix was developed by Akamai and the OpenSSL team.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
*(from redmine: issue id 3436, created on 2014-10-16, closed on 2014-10-17)*
* Relations:
* copied_to #3435
* copied_to #3437
* parent #3433
* Changesets:
* Revision 4c5cc5515933595f9aabe78a9b98d28ea24a3a92 by Natanael Copa on 2014-10-16T08:54:22Z:
```
main/openssl: security upgrade to 1.0.1j (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
fixes #3436
```
Milestone: Alpine 2.7.10.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3435
[v2.6] openssl: Security Advisory [15 Oct 2014] (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
Updated: 2019-07-23T14:01:26Z. Author: Natanael Copa.

OpenSSL Security Advisory [15 Oct 2014]
===
SRTP Memory Leak (CVE-2014-3513)
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
This issue was reported to OpenSSL on 26th September 2014, based on an
original issue and patch developed by the LibreSSL project. Further
analysis of the issue was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Session Ticket Memory Leak (CVE-2014-3567)
==
Severity: Medium
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL on 8th October 2014.
The fix was developed by Stephen Henson of the OpenSSL core team.
SSL 3.0 Fallback protection
===
Severity: Medium
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo
Moeller.
Build option no-ssl3 is incomplete (CVE-2014-3568)
==
Severity: Low
When OpenSSL is configured with “no-ssl3” as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th
October 2014.
The fix was developed by Akamai and the OpenSSL team.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
*(from redmine: issue id 3435, created on 2014-10-16, closed on 2014-10-17)*
* Relations:
* copied_to #3434
* copied_to #3436
* parent #3433
* Changesets:
* Revision 6dba1238f59654c63719462c31fc13056eec4974 by Natanael Copa on 2014-10-16T09:12:18Z:
```
main/openssl: security upgrade to 1.0.1j (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
fixes #3435
```
Milestone: Alpine 2.6.7.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/3434
[v2.5] openssl: Security Advisory [15 Oct 2014] (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
Updated: 2019-07-23T14:01:27Z. Author: Natanael Copa.

OpenSSL Security Advisory [15 Oct 2014]
===
SRTP Memory Leak (CVE-2014-3513)
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
This issue was reported to OpenSSL on 26th September 2014, based on an
original issue and patch developed by the LibreSSL project. Further
analysis of the issue was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Session Ticket Memory Leak (CVE-2014-3567)
==
Severity: Medium
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL on 8th October 2014.
The fix was developed by Stephen Henson of the OpenSSL core team.
SSL 3.0 Fallback protection
===
Severity: Medium
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo
Moeller.
Build option no-ssl3 is incomplete (CVE-2014-3568)
==
Severity: Low
When OpenSSL is configured with “no-ssl3” as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th
October 2014.
The fix was developed by Akamai and the OpenSSL team.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv\_20141015.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
*(from redmine: issue id 3434, created on 2014-10-16, closed on 2014-10-17)*
* Relations:
* copied_to #3435
* parent #3433
* Changesets:
* Revision f09cdaa244ef0d0d6f7357ab368810ceaa7a1083 by Natanael Copa on 2014-10-16T09:21:12Z:
```
main/openssl: security upgrade to 1.0.1j (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
fixes #3434
```
Alpine 2.5.5
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3433
openssl: Security Advisory [15 Oct 2014] (CVE-2014-3513,CVE-2014-3567,CVE-2014-3568)
2019-07-23T14:01:28Z
Natanael Copa
OpenSSL Security Advisory \[15 Oct 2014\]
===
SRTP Memory Leak (CVE-2014-3513)
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL\_NO\_SRTP defined are not affected.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Session Ticket Memory Leak (CVE-2014-3567)
==
Severity: Medium
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL on 8th October 2014.
The fix was developed by Stephen Henson of the OpenSSL core team.
SSL 3.0 Fallback protection
===
Severity: Medium
OpenSSL has added support for TLS\_FALLBACK\_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
Support for TLS\_FALLBACK\_SCSV was developed by Adam Langley and Bodo
Moeller.
Build option no-ssl3 is incomplete (CVE-2014-3568)
==
Severity: Low
When OpenSSL is configured with “no-ssl3” as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th
October 2014.
The fix was developed by Akamai and the OpenSSL team.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv\_20141015.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
*(from redmine: issue id 3433, created on 2014-10-16, closed on 2014-10-17)*
* Relations:
* child #3434
* child #3435
* child #3436
* child #3437
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3432
[v3.0] kernel: udf: avoid infinite loop when processing indirect ICBs (CVE-2014-6410)
2019-07-23T14:01:29Z
Alexander Belous
The \_\_udf\_read\_inode function in fs/udf/inode.c in the Linux kernel
does not restrict the amount of ICB indirection, which allows physically
proximate attackers to cause a denial of service (infinite loop or stack
consumption) via a UDF filesystem with a crafted inode.
Fixed upstream in v3.17-rc5~32^2~6. The upstream commit is:
* http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c03aa9f6e1f938618e6db2e23afef0574efeeb65
Patches for Alpine Linux current kernels:
v3.0 (linux-3.14.y):
https://github.com/torvalds/linux/commit/82335226733fdf82ee3f231c08269a17fd62a3fc
(fixed in v3.14.21~37)
v2.7 (linux-3.10.y):
not backported at the moment
References:
http://www.openwall.com/lists/oss-security/2014/09/15/9
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c03aa9f6e1f938618e6db2e23afef0574efeeb65
https://bugzilla.redhat.com/show\_bug.cgi?id=1141809
https://github.com/torvalds/linux/commit/c03aa9f6e1f938618e6db2e23afef0574efeeb65
http://www.securityfocus.com/bid/69799
*(from redmine: issue id 3432, created on 2014-10-15, closed on 2017-05-17)*
* Relations:
* parent #3430
* Changesets:
* Revision ebc41438e9938ff790f1d3e291667692f16dc089 by Natanael Copa on 2014-10-23T11:11:18Z:
```
main/linux-grsec: upgrade to 3.14.22
fixes #3432
```
3.0.6
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3431
[v2.7] kernel: udf: avoid infinite loop when processing indirect ICBs (CVE-2014-6410)
2019-07-12T14:51:12Z
Alexander Belous
The \_\_udf\_read\_inode function in fs/udf/inode.c in the Linux kernel
does not restrict the amount of ICB indirection, which allows physically
proximate attackers to cause a denial of service (infinite loop or stack
consumption) via a UDF filesystem with a crafted inode.
Fixed upstream in v3.17-rc5~32^2~6. The upstream commit is:
* http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c03aa9f6e1f938618e6db2e23afef0574efeeb65
Patches for Alpine Linux current kernels:
v3.0 (linux-3.14.y):
https://github.com/torvalds/linux/commit/82335226733fdf82ee3f231c08269a17fd62a3fc
(fixed in v3.14.21~37)
v2.7 (linux-3.10.y):
not backported at the moment
References:
http://www.openwall.com/lists/oss-security/2014/09/15/9
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c03aa9f6e1f938618e6db2e23afef0574efeeb65
https://bugzilla.redhat.com/show\_bug.cgi?id=1141809
https://github.com/torvalds/linux/commit/c03aa9f6e1f938618e6db2e23afef0574efeeb65
http://www.securityfocus.com/bid/69799
*(from redmine: issue id 3431, created on 2014-10-15, closed on 2017-09-05)*
* Relations:
* parent #3430
Alpine 2.7.10
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3429
[v3.0] phpmyadmin: multiple issues (CVE-2014-6300 CVE-2014-7217)
2019-07-23T14:01:30Z
Alexander Belous
CVE-2014-6300 (PMASA-2014-10): XSRF/CSRF due to DOM based XSS in the
micro history feature
By deceiving a logged-in user to click on a crafted URL, it is possible
to perform remote code execution and in some cases, create a root
account due to a DOM based XSS vulnerability in the micro history
feature.
phpMyAdmin Team considers this vulnerability to be critical.
Affected Versions: 4.0.x (prior to 4.0.10.3), 4.1.x (prior to 4.1.14.4)
and 4.2.x (prior to 4.2.8.1)
Solution: upgrade to phpMyAdmin 4.0.10.3 or newer, or 4.1.14.4 or newer,
or 4.2.8.1 or newer, or apply the patches published by the link below.
References:
http://www.phpmyadmin.net/home\_page/security/PMASA-2014-10.php
CVE-2014-7217 (PMASA-2014-11): XSS vulnerabilities in table search and
table structure pages
With a crafted ENUM value it is possible to trigger an XSS in table
search and table structure pages. This vulnerability can be triggered
only by someone who is logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the required
pages.
Affected Versions: 4.0.x (prior to 4.0.10.4), 4.1.x (prior to 4.1.14.5)
and 4.2.x (prior to 4.2.9.1)
Solution: upgrade to phpMyAdmin 4.0.10.4 or newer, or 4.1.14.5 or newer,
or 4.2.9.1 or newer, or apply the patch published by the link below.
References:
http://www.phpmyadmin.net/home\_page/security/PMASA-2014-11.php
*(from redmine: issue id 3429, created on 2014-10-15, closed on 2014-10-23)*
* Relations:
* parent #3426
* Changesets:
* Revision 7020a1c2bfa9ac120579c6b20fa179713087a228 by Natanael Copa on 2014-10-21T09:53:27Z:
```
main/phpmyadmin: security upgrade to 4.2.10 (CVE-2014-6300,CVE-2014-7217)
fixes #3429
```
3.0.6
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3428
[v2.7] phpmyadmin: multiple issues (CVE-2014-6300 CVE-2014-7217)
2019-07-23T14:01:31Z
Alexander Belous
CVE-2014-6300 (PMASA-2014-10): XSRF/CSRF due to DOM based XSS in the
micro history feature
By deceiving a logged-in user to click on a crafted URL, it is possible
to perform remote code execution and in some cases, create a root
account due to a DOM based XSS vulnerability in the micro history
feature.
phpMyAdmin Team considers this vulnerability to be critical.
Affected Versions: 4.0.x (prior to 4.0.10.3), 4.1.x (prior to 4.1.14.4)
and 4.2.x (prior to 4.2.8.1)
Solution: upgrade to phpMyAdmin 4.0.10.3 or newer, or 4.1.14.4 or newer,
or 4.2.8.1 or newer, or apply the patches published by the link below.
References:
http://www.phpmyadmin.net/home\_page/security/PMASA-2014-10.php
CVE-2014-7217 (PMASA-2014-11): XSS vulnerabilities in table search and
table structure pages
With a crafted ENUM value it is possible to trigger an XSS in table
search and table structure pages. This vulnerability can be triggered
only by someone who is logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the required
pages.
Affected Versions: 4.0.x (prior to 4.0.10.4), 4.1.x (prior to 4.1.14.5)
and 4.2.x (prior to 4.2.9.1)
Solution: upgrade to phpMyAdmin 4.0.10.4 or newer, or 4.1.14.5 or newer,
or 4.2.9.1 or newer, or apply the patch published by the link below.
References:
http://www.phpmyadmin.net/home\_page/security/PMASA-2014-11.php
*(from redmine: issue id 3428, created on 2014-10-15, closed on 2014-10-23)*
* Relations:
* parent #3426
* Changesets:
* Revision 64da0afb50317fe16892a0a912a169aa7facd1de by Natanael Copa on 2014-10-21T10:37:13Z:
```
main/phpmyadmin: security upgrade to 4.0.10.4 (CVE-2014-6300,CVE-2014-7217)
fixes #3428
```
Alpine 2.7.10
Natanael Copa
Natanael Copa