alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
2019-07-23T13:44:31Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4863
nlplug-findfs doesn't find luks on lvm devices
2019-07-23T13:44:31Z
Johannes Matheis

Booting fails if kernel parameter cryptroot=/dev/somevg/somelv isn’t set
to /dev/dm-0
```
% ls -l /dev/somevg/somelv
lrwxrwxrwx 1 root root 21 Oct 31 03:52 somelv -> /dev/mapper/somevg-somelv
% ls -l /dev/mapper/somevg-somelv
brw------- 1 root root 253, 0 Oct 31 03:52 /dev/mapper/somevg-somelv
% ls -l /dev/dm-0
brw-rw---- 1 root disk 253, 0 Oct 31 03:53 /dev/dm-0
```
All those devices are the same, but only the following works as
expected:
```
nlplug-findfs -c /dev/dm-0 UUID=ae5dc0c5-0455-423c-9980-b6196ab76487
```
*(from redmine: issue id 4863, created on 2015-11-13, closed on 2017-05-17)*
* Changesets:
* Revision b75724ce4b0e79df48994f42ebf31b861b2a3a33 by Natanael Copa on 2015-11-25T12:40:47Z:
```
main/mkinitfs: fix cryptsetup on lvm
fixes #4863
```

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4862
Describe dhcp6 error code if no text present
2019-07-23T13:44:32Z
algitbot

Patch from upstream, will be included in dhcpcd-6.9.4
*(from redmine: issue id 4862, created on 2015-11-13, closed on 2017-04-07)*
* Uploads:
* [dhcpcd-6.9.3-r2.patch](/uploads/97dead5481751df0348f93946ae34b2d/dhcpcd-6.9.3-r2.patch)
* [describe_dhcp6_error_code.patch](/uploads/4ec0263c203692c7fd3d57d28f864c65/describe_dhcp6_error_code.patch)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4861
[2.7] sudo: Unauthorized privilege escalation in sudoedit (CVE-2015-5602)
2019-07-23T13:44:34Z
Alicha CH

An unauthorized privilege escalation was found in sudoedit when a user
is granted with
root access to modify a particular file that could be located in a
subset of directories.
It seems that sudoedit does not check the full path if a wildcard is
used twice (e.g. /home/\*/\*/file.txt),
allowing a malicious user to replace the file.txt real file with a
symbolic link to a different location
(e.g. /etc/shadow), which results into unauthorized access. Affected
versions are <= 1.8.14.
### References:
https://www.sudo.ws/stable.html#1.8.15
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5602
### Upstream patch:
http://www.sudo.ws/repos/sudo/rev/9636fd256325
*(from redmine: issue id 4861, created on 2015-11-12, closed on 2015-11-30)*
* Relations:
* parent #4857
* Changesets:
* Revision c7dbb7e2966b00bf670a3ab905dfe251914426a9 by Natanael Copa on 2015-11-20T08:23:12Z:
```
main/sudo: security upgrade to 1.8.15 (CVE-2015-5602)
fixes #4861
```
Alpine 2.7.10
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4860
[3.0] sudo: Unauthorized privilege escalation in sudoedit (CVE-2015-5602)
2019-07-23T13:44:35Z
Alicha CH

An unauthorized privilege escalation was found in sudoedit when a user
is granted with
root access to modify a particular file that could be located in a
subset of directories.
It seems that sudoedit does not check the full path if a wildcard is
used twice (e.g. /home/\*/\*/file.txt),
allowing a malicious user to replace the file.txt real file with a
symbolic link to a different location
(e.g. /etc/shadow), which results into unauthorized access. Affected
versions are <= 1.8.14.
### References:
https://www.sudo.ws/stable.html#1.8.15
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5602
### Upstream patch:
http://www.sudo.ws/repos/sudo/rev/9636fd256325
*(from redmine: issue id 4860, created on 2015-11-12, closed on 2015-11-30)*
* Relations:
* parent #4857
* Changesets:
* Revision 31a086dacff2bf902e509022f3645d00a5d7fe4d by Natanael Copa on 2015-11-20T07:45:46Z:
```
main/sudo: security upgrade to 1.8.15 (CVE-2015-5602)
fixes #4860
```
3.0.7
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4859
[3.1] sudo: Unauthorized privilege escalation in sudoedit (CVE-2015-5602)
2019-07-23T13:44:36Z
Alicha CH

An unauthorized privilege escalation was found in sudoedit when a user
is granted with
root access to modify a particular file that could be located in a
subset of directories.
It seems that sudoedit does not check the full path if a wildcard is
used twice (e.g. /home/\*/\*/file.txt),
allowing a malicious user to replace the file.txt real file with a
symbolic link to a different location
(e.g. /etc/shadow), which results into unauthorized access. Affected
versions are <= 1.8.14.
### References:
https://www.sudo.ws/stable.html#1.8.15
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5602
### Upstream patch:
http://www.sudo.ws/repos/sudo/rev/9636fd256325
*(from redmine: issue id 4859, created on 2015-11-12, closed on 2015-11-30)*
* Relations:
* parent #4857
* Changesets:
* Revision fba7fa3110d1f8d8dc31ef68a5c7d2f0e2cd2886 by Natanael Copa on 2015-11-13T14:30:36Z:
```
main/sudo: security upgrade to 1.8.15 (CVE-2015-5602)
fixes #4859
```
3.1.5
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4858
[3.2] sudo: Unauthorized privilege escalation in sudoedit (CVE-2015-5602)
2019-07-23T13:44:37Z
Alicha CH

An unauthorized privilege escalation was found in sudoedit when a user
is granted with
root access to modify a particular file that could be located in a
subset of directories.
It seems that sudoedit does not check the full path if a wildcard is
used twice (e.g. /home/\*/\*/file.txt),
allowing a malicious user to replace the file.txt real file with a
symbolic link to a different location
(e.g. /etc/shadow), which results into unauthorized access. Affected
versions are <= 1.8.14.
### References:
https://www.sudo.ws/stable.html#1.8.15
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5602
### Upstream patch:
http://www.sudo.ws/repos/sudo/rev/9636fd256325
*(from redmine: issue id 4858, created on 2015-11-12, closed on 2015-11-30)*
* Relations:
* parent #4857
* Changesets:
* Revision 838b3e30f36bfa34a3e0d1fc23ee65723f32ef8b by Natanael Copa on 2015-11-13T14:28:45Z:
```
main/sudo: security upgrade to 1.8.15 (CVE-2015-5602)
fixes #4858
```
3.2.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4857
sudo: Unauthorized privilege escalation in sudoedit (CVE-2015-5602)
2019-07-23T13:44:38Z
Alicha CH

An unauthorized privilege escalation was found in sudoedit when a user
is granted with
root access to modify a particular file that could be located in a
subset of directories.
It seems that sudoedit does not check the full path if a wildcard is
used twice (e.g. /home/\*/\*/file.txt),
allowing a malicious user to replace the file.txt real file with a
symbolic link to a different location
(e.g. /etc/shadow), which results into unauthorized access. Affected
versions are <= 1.8.14.
### References:
https://www.sudo.ws/stable.html#1.8.15
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5602
### Upstream patch:
http://www.sudo.ws/repos/sudo/rev/9636fd256325
*(from redmine: issue id 4857, created on 2015-11-12, closed on 2015-11-30)*
* Relations:
* child #4858
* child #4859
* child #4860
* child #4861

Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4856
opensmtpd cannot be installed by apk
2019-07-23T13:44:39Z
algitbot

Hello,
There is opensmtpd package inside the repo:
https://pkgs.alpinelinux.org/package/main/x86_64/opensmtpd
until yesterday it was testing and can be installed by apk add
opensmtpd@testing, but for now it cannot be installed anyhow:
```
/ # apk add opensmtpd
ERROR: unsatisfiable constraints:
opensmtpd (missing):
required by: world[opensmtpd]
/ # apk add opensmtpd@testing
ERROR: unsatisfiable constraints:
opensmtpd (missing):
required by: world[opensmtpd]
/ #
```
*(from redmine: issue id 4856, created on 2015-11-12, closed on 2017-05-17)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4855
dhclient: execve (/sbin/dhclient-script, ...): No such file or directory
2020-01-18T21:09:40Z
algitbot

It seems this file is missing in the AlpineLinux package. It does seem
to get installed in
[net-misc/dhcp-4.3.3-r1](http://www.portagefilelist.de/site/query/listPackageFiles/?category=net-misc&package=dhcp&version=4.3.3-r1&do#result)
When I run:
```
dhclient -6
```
I see in my logs:
```
dhclient: execve (/sbin/dhclient-script, ...): No such file or directory
```
The script can be found in dhcp-4.3.3/client/scripts/linux of the
[source tarball](https://www.isc.org/downloads/file/dhcp-4-3-3/)
*(from redmine: issue id 4855, created on 2015-11-11)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4854
dhclient no init script
2019-07-23T13:44:41Z
algitbot

I have been attempting to implement [IPv6 on my home
network](http://vk5tu.livejournal.com/37206.html) and have discovered
there’s no init script to start dhclient on boot.
Gentoo starts this with [Netifrc](https://wiki.gentoo.org/wiki/Netifrc)
so there is no init script provided upstream for us to use.
*(from redmine: issue id 4854, created on 2015-11-11, closed on 2016-01-06)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4853
Missing py-psycopg2
2019-07-23T13:44:42Z
algitbot

Hi,
When attempting to install py-psycopg2 by executing `apk add --update py-psycopg2` I encounter the following error message:
```
ERROR: unsatisfiable constraints:
py-psycopg2 (missing):
required by: world[py-psycopg2]
```
however it is a valid package:
https://pkgs.alpinelinux.org/package/testing/x86/py-psycopg2
*(from redmine: issue id 4853, created on 2015-11-11, closed on 2015-11-19)*
3.2.4

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4852
dhclient include PPP patch
2020-01-18T21:09:32Z
algitbot

There was a request for wide-dhcpv6 in \#564 however it was closed and
the user was told to use the ISC DHCP client.
I have been following [this
guide](http://vk5tu.livejournal.com/37206.html) to implement IPv6 on my
network.
I noticed under the “ISP prefix delegation for the interior interfaces”
section it says **The ISC DHCPv6 client doesn’t work over PPP links, due
to a long-standing bug.**
Having a look at [Bug 432652 - net-misc/dhcp - dhclient (ipv6) not
enabled for ppp devices](https://bugs.gentoo.org/show_bug.cgi?id=432652)
I discovered there is a patch to fix this problem.
More background can be found [PATCH DHCPv6/PPP \[Was: DHCP over PPP - or
how to use sockets instead of
BPF?\]](https://lists.isc.org/pipermail/dhcp-users/2010-April/011624.html)
The patch has been [patch adapted for
dhcp-4.3.1](https://432652.bugs.gentoo.org/attachment.cgi?id=389858) in
that Gentoo bug.
*(from redmine: issue id 4852, created on 2015-11-11)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4851
[2.7] nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (CVE-2015-7183)
2019-07-23T13:44:43Z
Alicha CH

Integer overflow in the PL\_ARENA\_ALLOCATE implementation in Netscape
Portable Runtime (NSPR) in Mozilla Network Security Services (NSS)
before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0
and Firefox ESR 38.x before 38.4 and other products,
allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via unspecified
vectors.
The problem has been fixed upstream in version 4.10.10
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7183
### Upstream commits:
http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
*(from redmine: issue id 4851, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* parent #4847
* Changesets:
* Revision 9ac33818d81877a371c90f9e93d3ebc162fffd6f by Natanael Copa on 2015-11-30T14:33:52Z:
```
main/nspr: security upgrade to 4.10.10 (CVE-2015-7183)
fixes #4851
```
Alpine 2.7.10
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4850
[3.0] nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (CVE-2015-7183)
2019-07-23T13:44:44Z
Alicha CH

Integer overflow in the PL\_ARENA\_ALLOCATE implementation in Netscape
Portable Runtime (NSPR) in Mozilla Network Security Services (NSS)
before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0
and Firefox ESR 38.x before 38.4 and other products,
allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via unspecified
vectors.
The problem has been fixed upstream in version 4.10.10
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7183
### Upstream commits:
http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
*(from redmine: issue id 4850, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* parent #4847
* Changesets:
* Revision ade89daaa06e20736c57d7cdaa74338ab93ff0d8 by Natanael Copa on 2015-11-30T14:33:29Z:
```
main/nspr: security upgrade to 4.10.10 (CVE-2015-7183)
fixes #4850
```
3.0.7
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4849
[3.1] nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (CVE-2015-7183)
2019-07-23T13:44:45Z
Alicha CH

Integer overflow in the PL\_ARENA\_ALLOCATE implementation in Netscape
Portable Runtime (NSPR) in Mozilla Network Security Services (NSS)
before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0
and Firefox ESR 38.x before 38.4 and other products,
allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via unspecified
vectors.
The problem has been fixed upstream in version 4.10.10
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7183
### Upstream commits:
http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
*(from redmine: issue id 4849, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* parent #4847
* Changesets:
* Revision 7df429e6fc6fd00eced7c89389178a5092fcceb8 by Natanael Copa on 2015-11-30T14:32:42Z:
```
main/nspr: security upgrade to 4.10.10 (CVE-2015-7183)
fixes #4849
```
3.1.5
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4848
[3.2] nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (CVE-2015-7183)
2019-07-23T13:44:45Z
Alicha CH

Integer overflow in the PL\_ARENA\_ALLOCATE implementation in Netscape
Portable Runtime (NSPR) in Mozilla Network Security Services (NSS)
before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0
and Firefox ESR 38.x before 38.4 and other products,
allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via unspecified
vectors.
The problem has been fixed upstream in version 4.10.10
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7183
### Upstream commits:
http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
*(from redmine: issue id 4848, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* parent #4847
* Changesets:
* Revision 69fb0e1f20c39292fcd4d5bad5085a96e33cb6c3 by Natanael Copa on 2015-11-30T14:30:15Z:
```
main/nspr: security upgrade to 4.10.10 (CVE-2015-7183)
fixes #4848
```
3.2.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4847
nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (CVE-2015-7183)
2019-07-23T13:44:46Z
Alicha CH

Integer overflow in the PL\_ARENA\_ALLOCATE implementation in Netscape
Portable Runtime (NSPR) in Mozilla Network Security Services (NSS)
before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0
and Firefox ESR 38.x before 38.4 and other products,
allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via unspecified
vectors.
The problem has been fixed upstream in version 4.10.10
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7183
### Upstream commits:
http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
*(from redmine: issue id 4847, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* child #4848
* child #4849
* child #4850
* child #4851

Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4846
[2.7] nss: use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (CVE-2015-7181, CVE-2015-7182)
2019-07-23T13:44:47Z
Alicha CH

**CVE-2015-7181:** use-after-poison in sec\_asn1d\_parse\_leaf()
### Upstream commits:
http://hg.mozilla.org/projects/nss/rev/8ac7f47eecbb
http://hg.mozilla.org/projects/nss/rev/25cb033147fd
**CVE-2015-7182:** ASN.1 decoder heap overflow when decoding constructed
OCTET STRING that mixes indefinite and definite length encodings
### Upstream commits:
http://hg.mozilla.org/projects/nss/rev/4dc247276e58
http://hg.mozilla.org/projects/nss/rev/534aca7a5bca
http://hg.mozilla.org/projects/nss/rev/b4feb2cb0ed6
These issues were fixed in:
NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR,
respectively, as well as NSS 3.20.1.
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.4_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.1_release_notes
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7181
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7182
Consolidated fix with all about changes as applied to 3.20 branch:
http://hg.mozilla.org/projects/nss/rev/685d45ec4723
http://hg.mozilla.org/projects/nss/rev/f47d00c2732a
*(from redmine: issue id 4846, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* parent #4842
* Changesets:
* Revision 957beb3583c3290dcbecfd0bf3f75886221da7e2 by Natanael Copa on 2015-11-30T15:31:07Z:
```
main/nss: security upgrade to 3.19.2.1
CVE-2015-2721
CVE-2015-2730
CVE-2015-7181
CVE-2015-7182
fixes #4721
fixes #4846
```
Alpine 2.7.10
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4845
[3.0] nss: use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (CVE-2015-7181, CVE-2015-7182)
2019-07-23T13:44:48Z
Alicha CH

**CVE-2015-7181:** use-after-poison in sec\_asn1d\_parse\_leaf()
### Upstream commits:
http://hg.mozilla.org/projects/nss/rev/8ac7f47eecbb
http://hg.mozilla.org/projects/nss/rev/25cb033147fd
**CVE-2015-7182:** ASN.1 decoder heap overflow when decoding constructed
OCTET STRING that mixes indefinite and definite length encodings
### Upstream commits:
http://hg.mozilla.org/projects/nss/rev/4dc247276e58
http://hg.mozilla.org/projects/nss/rev/534aca7a5bca
http://hg.mozilla.org/projects/nss/rev/b4feb2cb0ed6
These issues were fixed in:
NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR,
respectively, as well as NSS 3.20.1.
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.4_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.1_release_notes
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7181
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7182
Consolidated fix with all about changes as applied to 3.20 branch:
http://hg.mozilla.org/projects/nss/rev/685d45ec4723
http://hg.mozilla.org/projects/nss/rev/f47d00c2732a
*(from redmine: issue id 4845, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* parent #4842
* Changesets:
* Revision fca898ae25cccf6e280ea20cf96c2bb32843deca by Natanael Copa on 2015-11-30T15:24:21Z:
```
main/nss: security upgrade to 3.19.2.1
CVE-2015-2721
CVE-2015-2730
CVE-2015-7181
CVE-2015-7182
fixes #4720
fixes #4845
```
3.0.7
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4844
[3.1] nss: use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (CVE-2015-7181, CVE-2015-7182)
2019-07-23T13:44:49Z
Alicha CH

**CVE-2015-7181:** use-after-poison in sec\_asn1d\_parse\_leaf()
### Upstream commits:
http://hg.mozilla.org/projects/nss/rev/8ac7f47eecbb
http://hg.mozilla.org/projects/nss/rev/25cb033147fd
**CVE-2015-7182:** ASN.1 decoder heap overflow when decoding constructed
OCTET STRING that mixes indefinite and definite length encodings
### Upstream commits:
http://hg.mozilla.org/projects/nss/rev/4dc247276e58
http://hg.mozilla.org/projects/nss/rev/534aca7a5bca
http://hg.mozilla.org/projects/nss/rev/b4feb2cb0ed6
These issues were fixed in:
NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR,
respectively, as well as NSS 3.20.1.
### References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.4_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.1_release_notes
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7181
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7182
Consolidated fix with all about changes as applied to 3.20 branch:
http://hg.mozilla.org/projects/nss/rev/685d45ec4723
http://hg.mozilla.org/projects/nss/rev/f47d00c2732a
*(from redmine: issue id 4844, created on 2015-11-11, closed on 2015-12-01)*
* Relations:
* parent #4842
* Changesets:
* Revision 2c4f954c6d8ab46b27a00333cdd3802cdef9834d by Natanael Copa on 2015-11-30T14:44:08Z:
```
main/nss: security upgrade to 3.19.2.1
CVE-2015-2721
CVE-2015-2730
CVE-2015-7181
CVE-2015-7182
fixes #4719
fixes #4844
```
3.1.5
Natanael Copa