alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
2019-07-23T14:05:34Z
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3147
[v2.7] dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
2019-07-23T14:05:34Z
Alexander Belous
[v2.7] dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
See the parent task for details.
*(from redmine: issue id 3147, created on 2014-07-03, closed on 2014-07-07)*
* Relations:
* parent #3144
* Changesets:
* Revision 968233f148132175322ec689fa706fd3a31d6baa by Natanael Copa on 2014-0...
See the parent task for details.
*(from redmine: issue id 3147, created on 2014-07-03, closed on 2014-07-07)*
* Relations:
* parent #3144
* Changesets:
* Revision 968233f148132175322ec689fa706fd3a31d6baa by Natanael Copa on 2014-07-07T13:36:26Z:
```
main/dbus: security upgrade to 1.6.22 (CVE-2014-3532,CVE-2014-3533)
fixes #3147
```
Alpine 2.7.10
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3146
[v2.6] dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
2019-07-23T14:05:34Z
Alexander Belous
[v2.6] dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
See the parent task for details.
*(from redmine: issue id 3146, created on 2014-07-03, closed on 2014-07-07)*
* Relations:
* parent #3144
* Changesets:
* Revision a43405afb7de0724dcd016bbd586c634e6b9c8f0 by Natanael Copa on 2014-0...
See the parent task for details.
*(from redmine: issue id 3146, created on 2014-07-03, closed on 2014-07-07)*
* Relations:
* parent #3144
* Changesets:
* Revision a43405afb7de0724dcd016bbd586c634e6b9c8f0 by Natanael Copa on 2014-07-07T13:38:16Z:
```
main/dbus: security upgrade to 1.6.22 (CVE-2014-3532,CVE-2014-3533)
fixes #3146
```
Alpine 2.6.7
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3145
[v2.5] dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
2019-07-23T14:05:36Z
Alexander Belous
[v2.5] dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
See the parent task for details.
*(from redmine: issue id 3145, created on 2014-07-03, closed on 2014-07-07)*
* Relations:
* parent #3144
* Changesets:
* Revision 4e5e63df910cb96a0b785a70b1bb7f1c19c6d37b by Natanael Copa on 2014-0...
See the parent task for details.
*(from redmine: issue id 3145, created on 2014-07-03, closed on 2014-07-07)*
* Relations:
* parent #3144
* Changesets:
* Revision 4e5e63df910cb96a0b785a70b1bb7f1c19c6d37b by Natanael Copa on 2014-07-07T14:18:59Z:
```
main/dbus: security upgrade to 1.6.22 (CVE-2014-3532,CVE-2014-3533)
fixes #3145
```
Alpine 2.5.5
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3144
dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
2019-07-23T14:05:37Z
Alexander Belous
dbus: bugs in file descriptor passing (CVE-2014-3532 CVE-2014-3533)
Impact: denial of service (force system services to exit)
Access required: local
Versions affected by CVE-2014-3532: dbus >= 1.3.0 on Linux >=
2.6.37-rc4
Versions affected by CVE-2014-3533: dbus >= 1.3.0 on all Unix
platfo...
Impact: denial of service (force system services to exit)
Access required: local
Versions affected by CVE-2014-3532: dbus >= 1.3.0 on Linux >=
2.6.37-rc4
Versions affected by CVE-2014-3533: dbus >= 1.3.0 on all Unix
platforms
Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon’s
support
for file descriptor passing. A malicious process could force system
services or user applications to be disconnected from the D-Bus system
bus by sending them a message containing a file descriptor, then
causing
that file descriptor to exceed the kernel’s maximum recursion depth
(itself introduced to fix a DoS) before dbus-daemon forwards the
message
to the victim process. Most services and applications exit when
disconnected from the system bus, leading to a denial of service. This
is tracked as fd.o\#80163 and CVE-2014-3532.
Additionally, Alban discovered that bug fd.o\#79694, a bug previously
reported by Alejandro Martínez Suárez which was not believed to be a
security flaw, could be used for a similar denial of service, by
causing
dbus-daemon to attempt to forward invalid file descriptors to a victim
process when file descriptors become associated with the wrong
message.
Its security implications are tracked as fd.o\#80469 and CVE-2014-3533.
For the 1.8.x stable branch, these vulnerabilities are fixed in
version
1.8.6. For the 1.6.x old-stable branch, these vulnerabilities are
fixed
in version 1.6.22.
All earlier versions of dbus with the file descriptor passing feature
(1.3.0 and up) are believed to be vulnerable. Distributions that
backport security fixes should backport git commits
07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e and
9ca90648fc870c24d852ce6d7ce9387a9fc9a94a, attached.
References:
http://seclists.org/oss-sec/2014/q3/4
https://security-tracker.debian.org/tracker/CVE-2014-3532
https://security-tracker.debian.org/tracker/CVE-2014-3533
*(from redmine: issue id 3144, created on 2014-07-03, closed on 2014-07-07)*
* Relations:
* child #3145
* child #3146
* child #3147
* child #3148
* Uploads:
* [0001-If-loader-contains-two-messages-with-fds-don-t-corru.patch](/uploads/a63da7042c932ccc4cc5ee933141305f/0001-If-loader-contains-two-messages-with-fds-don-t-corru.patch)
* [0002-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch](/uploads/ab93006970ca5d453dce100780931d8a/0002-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3143
[v3.0] ansible: remote data checking code fixes (CVE-2014-4678 and related)
2019-07-23T14:05:38Z
Alexander Belous
[v3.0] ansible: remote data checking code fixes (CVE-2014-4678 and related)
Ansible remote data checking code was updated to lock down some security
items related to deal with untrusted data from pre-compromised remote
hosts. It was a series of changes made. Some of the issues was assigned
CVE-2014-4678. However...
Ansible remote data checking code was updated to lock down some security
items related to deal with untrusted data from pre-compromised remote
hosts. It was a series of changes made. Some of the issues was assigned
CVE-2014-4678. However the additional ones do not have CVE assigned yet.
Update to Ansible 1.6.6 is recommended.
References:
https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ
https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ
https://groups.google.com/forum/message/raw?msg=ansible-announce/WKL7BY3qddo/JkJiNrZzy3AJ
CONFIRM: http://seclists.org/oss-sec/2014/q3/2
COMMIT:
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
(not fully fix all the issues)
*(from redmine: issue id 3143, created on 2014-07-03, closed on 2014-07-17)*
* Relations:
* parent #3141
* Changesets:
* Revision 2d23babfbd5686723a226613b31ca2cd5ba2e4e9 by Natanael Copa on 2014-07-16T09:55:44Z:
```
main/ansible: security upgrade to 1.6.6 (CVE-2014-4678)
fixes #3143
```
3.0.2
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3142
[v2.7] ansible: remote data checking code fixes (CVE-2014-4678 and related)
2019-07-23T14:05:39Z
Alexander Belous
[v2.7] ansible: remote data checking code fixes (CVE-2014-4678 and related)
Ansible remote data checking code was updated to lock down some security
items related to deal with untrusted data from pre-compromised remote
hosts. It was a series of changes made. Some of the issues was assigned
CVE-2014-4678. However...
Ansible remote data checking code was updated to lock down some security
items related to deal with untrusted data from pre-compromised remote
hosts. It was a series of changes made. Some of the issues was assigned
CVE-2014-4678. However the additional ones do not have CVE assigned yet.
Update to Ansible 1.6.6 is recommended.
References:
https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ
https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ
https://groups.google.com/forum/message/raw?msg=ansible-announce/WKL7BY3qddo/JkJiNrZzy3AJ
CONFIRM: http://seclists.org/oss-sec/2014/q3/2
COMMIT:
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
(not fully fix all the issues)
*(from redmine: issue id 3142, created on 2014-07-03, closed on 2014-07-17)*
* Relations:
* parent #3141
* Changesets:
* Revision 87ec1c872a344b27d101746eb221bf32a8208cf4 by Natanael Copa on 2014-07-16T09:59:52Z:
```
main/ansible: security upgrade to 1.6.6 (CVE-2014-4678)
fixes #3142
```
Alpine 2.7.10
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3141
ansible: remote data checking code fixes (CVE-2014-4678 and related)
2019-07-23T14:05:40Z
Alexander Belous
ansible: remote data checking code fixes (CVE-2014-4678 and related)
Ansible remote data checking code was updated to lock down some security
items related to deal with untrusted data from pre-compromised remote
hosts. It was a series of changes made. Some of the issues was assigned
CVE-2014-4678. However...
Ansible remote data checking code was updated to lock down some security
items related to deal with untrusted data from pre-compromised remote
hosts. It was a series of changes made. Some of the issues was assigned
CVE-2014-4678. However the additional ones do not have CVE assigned yet.
Update to Ansible 1.6.6 is recommended.
References:
https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ
https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ
https://groups.google.com/forum/message/raw?msg=ansible-announce/WKL7BY3qddo/JkJiNrZzy3AJ
CONFIRM: http://seclists.org/oss-sec/2014/q3/2
COMMIT:
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
(not fully fix all the issues)
*(from redmine: issue id 3141, created on 2014-07-03, closed on 2014-07-17)*
* Relations:
* child #3142
* child #3143
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3140
alpine-vanilla will install grsec kernel
2019-07-23T14:05:41Z
Carlo Landmeter
alpine-vanilla will install grsec kernel
When booting from alpine-vanilla and using setup-alpine, the kernel will
be grsec.
setup-alpine should know its running/boot vanilla and default to that on
install.
*(from redmine: issue id 3140, created on 2014-07-03, closed on 2014...
When booting from alpine-vanilla and using setup-alpine, the kernel will
be grsec.
setup-alpine should know its running/boot vanilla and default to that on
install.
*(from redmine: issue id 3140, created on 2014-07-03, closed on 2014-07-03)*
* Relations:
* duplicates #3060
3.0.2
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3139
3.x/edge does not boot grsec kernel on vmware
2019-07-23T14:05:42Z
Carlo Landmeter
3.x/edge does not boot grsec kernel on vmware
It will crash and reboot.
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.14.8-1-grsec (buil...
It will crash and reboot.
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.14.8-1-grsec (buildozer@build-3-0-x86_64) (gcc version 4.8.2 (Alpine 4.8.2) ) #2-Alpine SMP Tue Jun 24 12:16:20 GMT 2014
[ 0.000000] Command line: BOOT_IMAGE=vmlinuz-grsec root=UUID=dd957d32-16b2-4ccc-9c87-7cc690891b01 modules=sd-mod,usb-storage,ext4 pax_nouderef initrd=initramfs-grsec console=ttyS0,57600
[ 0.000000] Disabled fast string operations
[ 0.000000] e820: BIOS-provided physical RAM map:
[ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009f7ff] usable
[ 0.000000] BIOS-e820: [mem 0x000000000009f800-0x000000000009ffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000000dc000-0x00000000000e3fff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000000e8000-0x00000000000fffff] reserved
[ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000003feeffff] usable
[ 0.000000] BIOS-e820: [mem 0x000000003fef0000-0x000000003fefefff] ACPI data
[ 0.000000] BIOS-e820: [mem 0x000000003feff000-0x000000003fefffff] ACPI NVS
[ 0.000000] BIOS-e820: [mem 0x000000003ff00000-0x000000003fffffff] usable
[ 0.000000] BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000fec00000-0x00000000fec0ffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000fffe0000-0x00000000ffffffff] reserved
[ 0.000000] NX (Execute Disable) protection: active
[ 0.000000] SMBIOS 2.4 present.
[ 0.000000] Hypervisor detected: VMware
[ 0.000000] No AGP bridge found
[ 0.000000] e820: last_pfn = 0x40000 max_arch_pfn = 0x400000000
[ 0.000000] x86 PAT enabled: cpu 0, old 0x0, new 0x7010600070106
[ 0.000000] found SMP MP-table at [mem 0x000f69b0-0x000f69bf] mapped at [ffff8800000f69b0]
[ 0.000000] init_memory_mapping: [mem 0x00000000-0x000fffff]
[ 0.000000] init_memory_mapping: [mem 0x3f600000-0x3f7fffff]
[ 0.000000] init_memory_mapping: [mem 0x3c000000-0x3f5fffff]
[ 0.000000] init_memory_mapping: [mem 0x00100000-0x3bffffff]
[ 0.000000] init_memory_mapping: [mem 0x3f800000-0x3feeffff]
[ 0.000000] init_memory_mapping: [mem 0x3ff00000-0x3fffffff]
[ 0.000000] RAMDISK: [mem 0x3f8c4000-0x3feeffff]
[ 0.000000] ACPI: RSDP 00000000000f6940 000024 (v02 PTLTD )
[ 0.000000] ACPI: XSDT 000000003fef059d 00004C (v01 INTEL 440BX 06040000 VMW 01324272)
[ 0.000000] ACPI: FACP 000000003fefee98 0000F4 (v04 INTEL 440BX 06040000 PTL 000F4240)
[ 0.000000] ACPI: DSDT 000000003fef07b7 00E6E1 (v01 PTLTD Custom 06040000 MSFT 03000001)
[ 0.000000] ACPI: FACS 000000003fefffc0 000040
[ 0.000000] ACPI: BOOT 000000003fef078f 000028 (v01 PTLTD $SBFTBL$ 06040000 LTP 00000001)
[ 0.000000] ACPI: APIC 000000003fef06dd 0000B2 (v01 PTLTD ? APIC 06040000 LTP 00000000)
[ 0.000000] ACPI: MCFG 000000003fef06a1 00003C (v01 PTLTD $PCITBL$ 06040000 LTP 00000001)
[ 0.000000] ACPI: SRAT 000000003fef0621 000080 (v02 VMWARE MEMPLUG 06040000 VMW 00000001)
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x00001000-0x00ffffff]
[ 0.000000] DMA32 [mem 0x01000000-0xffffffff]
[ 0.000000] Normal empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00001000-0x0009efff]
[ 0.000000] node 0: [mem 0x00100000-0x3feeffff]
[ 0.000000] node 0: [mem 0x3ff00000-0x3fffffff]
[ 0.000000] ACPI: PM-Timer IO Port: 0x1008
[ 0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x02] lapic_id[0x02] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x03] lapic_id[0x03] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x04] lapic_id[0x04] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x05] lapic_id[0x05] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x06] lapic_id[0x06] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x07] lapic_id[0x07] enabled)
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x00] high edge lint[0x1])
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x01] high edge lint[0x1])
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x02] high edge lint[0x1])
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x03] high edge lint[0x1])
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x04] high edge lint[0x1])
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x05] high edge lint[0x1])
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x06] high edge lint[0x1])
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x07] high edge lint[0x1])
[ 0.000000] ACPI: IOAPIC (id[0x08] address[0xfec00000] gsi_base[0])
[ 0.000000] IOAPIC[0]: apic_id 8, version 17, address 0xfec00000, GSI 0-23
[ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 high edge)
[ 0.000000] Using ACPI (MADT) for SMP configuration information
[ 0.000000] smpboot: Allowing 8 CPUs, 0 hotplug CPUs
[ 0.000000] e820: [mem 0x40000000-0xdfffffff] available for PCI devices
[ 0.000000] Booting paravirtualized kernel on bare hardware
[ 0.000000] setup_percpu: NR_CPUS:32 nr_cpumask_bits:32 nr_cpu_ids:8 nr_node_ids:1
[ 0.000000] PERCPU: Embedded 23 pages/cpu @ffff88003f600000 s65536 r8192 d20480 u262144
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 257913
[ 0.000000] Kernel command line: BOOT_IMAGE=vmlinuz-grsec root=UUID=dd957d32-16b2-4ccc-9c87-7cc690891b01 modules=sd-mod,usb-storage,ext4 pax_nouderef initrd=initramfs-grsec console=ttyS0,57600
[ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.000000] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes)
[ 0.000000] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes)
[ 0.000000] Checking aperture...
[ 0.000000] No AGP bridge found
[ 0.000000] Memory: 1015280K/1048120K available (3333K kernel code, 635K rwdata, 1948K rodata, 904K init, 788K bss, 32840K reserved)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=8, Nodes=1
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] CONFIG_RCU_FANOUT set to non-default value of 32
[ 0.000000] RCU dyntick-idle grace-period acceleration is enabled.
[ 0.000000] RCU restricting CPUs from NR_CPUS=32 to nr_cpu_ids=8.
[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=8
[ 0.000000] NR_IRQS:4352 nr_irqs:744 16
[ 0.000000] Console: colour VGA+ 80x25
[ 0.000000] console [ttyS0] enabled
[ 0.000000] TSC freq read from hypervisor : 1995.000 MHz
[ 0.000000] tsc: Detected 1995.000 MHz processor
[ 0.000039] Calibrating delay loop (skipped) preset value.. 3991.25 BogoMIPS (lpj=6650000)
[ 0.002238] pid_max: default: 32768 minimum: 501
[ 0.003444] ACPI: Core revision 20131218
[ 0.013858] ACPI: All ACPI Tables successfully acquired
[ 0.026378] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.028157] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.030604] Initializing cgroup subsys devices
[ 0.031792] Initializing cgroup subsys freezer
[ 0.032943] Initializing cgroup subsys net_cls
[ 0.034111] Initializing cgroup subsys blkio
[ 0.035324] Disabled fast string operations
[ 0.036574] Last level iTLB entries: 4KB 128, 2MB 4, 4MB 4
[ 0.036574] Last level dTLB entries: 4KB 256, 2MB 0, 4MB 32, 1GB 0
[ 0.036574] tlb_flushall_shift: -1
[ 0.040754] Freeing SMP alternatives memory: 24K (ffffffff816b5000 - ffffffff816bb000)
[ 0.050008] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[ 0.084591] smpboot: CPU0: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz (fam: 06, model: 0f, stepping: 0b)
[ 0.190756] Performance Events: 4-deep LBR, Core2 events, Broken PMU hardware detected, using software events only.
[ 0.193561] Failed to access perfctr msr (MSR c1 is 0)
[ 0.195730] NMI watchdog: disabled (cpu0): hardware events not enabled
[ 0.197614] x86: Booting SMP configuration:
[ 0.198689] .... node #0, CPUs: #1
[ 0.212647] Disabled fast string operations
[ 0.214738] #2
[ 0.227763] Disabled fast string operations
[ 0.229738] #3
[ 0.242637] Disabled fast string operations
[ 0.244519] #4
[ 0.257435] Disabled fast string operations
[ 0.259289] #5
[ 0.272431] Disabled fast string operations
[ 0.274354] #6
[ 0.287211] Disabled fast string operations
[ 0.289087] #7
[ 0.302217] Disabled fast string operations
[ 0.303681] Skipped synchronization checks as TSC is reliable.
[ 0.305424] x86: Booted up 1 node, 8 CPUs
[ 0.306479] ----------------
[ 0.307238] | NMI testsuite:
[ 0.308027] --------------------
[ 0.308858] remote IPI:
[ 0.309665] BUG: unable to handle kernel paging request at 00000000ffffff11
[ 0.311639] IP: [<ffffffff81335ac9>] nmi_handle.isra.2+0x58/0xe3
[ 0.313326] PGD 0
[ 0.313928] Oops: 0000 [#1] SMP
[ 0.314853] Modules linked in:
[ 0.315701] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 3.14.8-1-grsec #2-Alpine
[ 0.317578] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/15/2011
[ 0.320313] task: ffff88003f141860 ti: ffff88003f141ea0 task.ti: ffff88003f141ea0
[ 0.322239] RIP: 0010:[<ffffffff81335ac9>] [<ffffffff81335ac9>] nmi_handle.isra.2+0x58/0xe3
[ 0.324445] RSP: 0000:ffff88003f7c6e80 EFLAGS: 00010017
[ 0.325804] RAX: 0000000012748387 RBX: 00000000ffffff01 RCX: ffff88003f7cea18
[ 0.327639] RDX: 0000000000000000 RSI: ffff88003f7c6ef8 RDI: 0000000000000000
[ 0.329465] RBP: ffff88003f7c6ec0 R08: 0000000000000000 R09: 0000000000000000
[ 0.331287] R10: 000000013f7cf2c0 R11: 0000000000004709 R12: 0000000000000001
[ 0.333122] R13: 0000000000000000 R14: 00000000000029fd R15: 0000000012748387
[ 0.334967] FS: 0000000000000000(0000) GS:ffff88003f7c0000(0000) knlGS:0000000000000000
[ 0.337048] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 0.338681] CR2: 00000000ffffff11 CR3: 000000000134b000 CR4: 00000000000006b0
[ 0.340580] Stack:
[ 0.341122] ffffffff81544008 ffff88003f7c6ef8 00000000ffffff01 ffff88003f7c6ef8
[ 0.343160] ffff88003f141ea0 0000000000000000 ffff88003f141ea0 0000000000000000
[ 0.345216] ffff88003f7c6ee8 ffffffff81335bf5 0000000000000001 ffff88003f141ea0
[ 0.347268] Call Trace:
[ 0.347932] <NMI>
[ 0.348466] [<ffffffff81335bf5>] do_nmi+0xa1/0x2a0
[ 0.349851] [<ffffffff813352d4>] end_repeat_nmi+0x1e/0x32
[ 0.351292] [<ffffffff81031388>] ? native_safe_halt+0x6/0x8
[ 0.352766] [<ffffffff81031388>] ? native_safe_halt+0x6/0x8
[ 0.354229] [<ffffffff81031388>] ? native_safe_halt+0x6/0x8
[ 0.355673] <<EOE>>
[ 0.356246] Code: 31 e4 48 89 45 d0 48 8d 42 08 48 8b 5d d0 48 89 45 c0 48 3b 5d c0 0f 84 88 00 00 00 e8 05 af cd ff 48 8b 75 c8 49 89 c7 44 89 ef <ff> 53 10 41 01 c4 e8 f0 ae cd ff 49 89 c6 4d 29 fe 4c 3b 35 0f
[ 0.363629] RIP [<ffffffff81335ac9>] nmi_handle.isra.2+0x58/0xe3
[ 0.365266] RSP <ffff88003f7c6e80>
[ 0.366183] CR2: 00000000ffffff11
[ 0.367069] ---[ end trace 034685449afc5d73 ]---
[ 0.368280] Kernel panic - not syncing: Fatal exception in interrupt
*(from redmine: issue id 3139, created on 2014-07-03, closed on 2019-06-11)*
3.0.7
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3138
upgrading kernel will break extlinux.conf
2019-07-23T14:05:43Z
Carlo Landmeter
upgrading kernel will break extlinux.conf
Extlinux.conf gets wrong default entry like below. Also wrong label for
vanilla kernel.
--- extlinux.conf.old
+++ extlinux.conf
@@ -6,15 +6,17 @@
MENU AUTOBOOT Alpine will be booted automatically in # seconds.
TIME...
Extlinux.conf gets wrong default entry like below. Also wrong label for
vanilla kernel.
--- extlinux.conf.old
+++ extlinux.conf
@@ -6,15 +6,17 @@
MENU AUTOBOOT Alpine will be booted automatically in # seconds.
TIMEOUT 30
LABEL grsec
+ MENU DEFAULT
MENU LABEL Linux grsec
LINUX vmlinuz-grsec
INITRD initramfs-grsec
- APPEND root=UUID=dd957d32-16b2-4ccc-9c87-7cc690891b01 modules=sd-mod,usb-storage,ext4 pax_nouderef=1 quiet
+ APPEND root=UUID=dd957d32-16b2-4ccc-9c87-7cc690891b01 modules=sd-mod,usb-storage,ext4 pax_nouderef quiet
-LABEL vanilla
- MENU DEFAULT
+LABEL 1
MENU LABEL Linux vanilla
LINUX vmlinuz
INITRD initramfs-vanilla
APPEND root=UUID=dd957d32-16b2-4ccc-9c87-7cc690891b01 modules=sd-mod,usb-storage,ext4 pax_nouderef quiet
+
+MENU SEPARATOR
*(from redmine: issue id 3138, created on 2014-07-03, closed on 2014-07-30)*
* Changesets:
* Revision 0a1f08c3f58db5447f272f64ec5305f14910d1c9 by Natanael Copa on 2014-07-18T14:24:24Z:
```
main/syslinux: update-extlinux use 'vanilla' as label in menu
fixes #3138
(cherry picked from commit fbeef61a9ce524ecd64990f8a36470600cf52ba7)
```
3.0.2
Natanael Copa
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3137
setup-bootable produce unreadable syslinux.cfg and other files
2019-07-23T14:05:44Z
Adis S.
setup-bootable produce unreadable syslinux.cfg and other files
It seems setup-bootable do some compression or weird stuff when creating
an bootable SD/USB. The files on SD/USB are unreadable, see below:
5ž�…d5©êûˆøX\\��Œ�kÆD
I\*P;rT£ÅEŽ%\*\]�2Ô‘ƒ!ý8j�AQk’9�ë±ô¾�ßc-�K˜�/cqE4•
�6iy�‹ý6�?e¼M† ...
It seems setup-bootable do some compression or weird stuff when creating
an bootable SD/USB. The files on SD/USB are unreadable, see below:
5ž�…d5©êûˆøX\\��Œ�kÆD
I\*P;rT£ÅEŽ%\*\]�2Ô‘ƒ!ý8j�AQk’9�ë±ô¾�ßc-�K˜�/cqE4•
�6iy�‹ý6�?e¼M† �\]üØ�Ô½‹üX,�™¤E��s�ûe\_h·ìÙz$+�Íøp?´rRÕ.¨‘ÊM��¹³�÷+‘
“4=›�ú»�ý�2¼A¼\*ƒúÇxU~�«�ÙðÖ
Doing it manual like described in wiki works just fine.
*(from redmine: issue id 3137, created on 2014-07-03, closed on 2014-07-30)*
* Changesets:
* Revision 83897f40b280e7949b2c3b95512903d61b114edb by Natanael Copa on 2014-07-17T16:19:16Z:
```
main/alpine-conf: upgrade to 3.0.4
ref #3137
```
* Revision 310b57993f31bf9bea202506f9d7395e3483b61d by Natanael Copa on 2014-07-28T14:19:20Z:
```
main/alpine-conf: upgrade to 3.0.4
fixes #3137
(cherry picked from commit 83897f40b280e7949b2c3b95512903d61b114edb)
```
* Uploads:
* ![Screen_Shot_2014-07-11_at_19.29.40](/uploads/828926e70a9a7ba30016489f249db483/Screen_Shot_2014-07-11_at_19.29.40.png)
3.0.2
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3136
upgrade to gcc-4.9
2019-07-23T14:05:45Z
Natanael Copa
upgrade to gcc-4.9
And consider switch to -fstack-protector-strong
http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
*(from redmine: issue id 3136, created on 2014-07-03, closed on 2015-05-21)*
And consider switch to -fstack-protector-strong
http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
*(from redmine: issue id 3136, created on 2014-07-03, closed on 2015-05-21)*
3.2.0
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3134
[v3.0] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4...
2019-07-23T14:05:46Z
Alexander Belous
[v3.0] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4703)
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerabili...
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerability to read any INI format config files owned by root and
potentially extract some sensitive information.”
Malicious user that has local access to a system where check\_dhcp
plugin is installed with SUID could exploit this vulnerability to read
any INI format config files owned by root and potentially extract some
sensitive information.
Affected:
————————————-
Systems with check\_dhcp SUID binary installed as a part of Nagios
Plugins 2.0.1 or older are vulnerable.
Solution:
————————————-
Remove SETUID permission bit from the check\_dhcp binary file if the
plugin is not used. Vendor has been informed about the vulnerability
prior to release of this advisory. Install a newer version of the plugin
when released by vendor.
Fixed in:
————————————-
Nagios Plugins 2.0.2
References:
————————————-
http://seclists.org/fulldisclosure/2014/May/74
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-2-released/
CVE-2014-4703:
check\_dhcp plugin (part of the official Nagios Plugins package)
contained a vulnerability that allowed a malicious attacker to read
parts of INI config files belonging to root on a local system. It
allowed an attacker to obtain sensitive information like passwords that
should only be accessible by root user (see above).
The vulnerability was quickly patched by vendor in the release of nagios
plugins version 2.0.2 however the security measures in the patch are not
sufficient and the code is vulnerable to Race Condition attack. Race
Condition makes it possible for an arbitrary user to read parts of a
root-owned file despite the checks.
Affected:
————————————-
Nagios Plugins 2.0.2
Fixed in:
————————————-
Nagios Plugins 2.0.3
References:
————————————-
http://seclists.org/fulldisclosure/2014/Jun/141
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-3-released/
*(from redmine: issue id 3134, created on 2014-07-02, closed on 2017-05-17)*
* Relations:
* parent #3130
* Changesets:
* Revision e5d5393c403555c37e4a36861821a0dceab2316a by Natanael Copa on 2014-07-25T09:06:28Z:
```
main/nagios-plugins: security upgrade to 2.0.3 (CVE-2014-4701,CVE-2014-4702,CVE-2014-4703)
fixes #3134
```
3.0.2
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3133
[v2.7] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4...
2019-07-12T14:48:33Z
Alexander Belous
[v2.7] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4703)
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerabili...
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerability to read any INI format config files owned by root and
potentially extract some sensitive information.”
Malicious user that has local access to a system where check\_dhcp
plugin is installed with SUID could exploit this vulnerability to read
any INI format config files owned by root and potentially extract some
sensitive information.
Affected:
————————————-
Systems with check\_dhcp SUID binary installed as a part of Nagios
Plugins 2.0.1 or older are vulnerable.
Solution:
————————————-
Remove SETUID permission bit from the check\_dhcp binary file if the
plugin is not used. Vendor has been informed about the vulnerability
prior to release of this advisory. Install a newer version of the plugin
when released by vendor.
Fixed in:
————————————-
Nagios Plugins 2.0.2
References:
————————————-
http://seclists.org/fulldisclosure/2014/May/74
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-2-released/
CVE-2014-4703:
check\_dhcp plugin (part of the official Nagios Plugins package)
contained a vulnerability that allowed a malicious attacker to read
parts of INI config files belonging to root on a local system. It
allowed an attacker to obtain sensitive information like passwords that
should only be accessible by root user (see above).
The vulnerability was quickly patched by vendor in the release of nagios
plugins version 2.0.2 however the security measures in the patch are not
sufficient and the code is vulnerable to Race Condition attack. Race
Condition makes it possible for an arbitrary user to read parts of a
root-owned file despite the checks.
Affected:
————————————-
Nagios Plugins 2.0.2
Fixed in:
————————————-
Nagios Plugins 2.0.3
References:
————————————-
http://seclists.org/fulldisclosure/2014/Jun/141
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-3-released/
*(from redmine: issue id 3133, created on 2014-07-02, closed on 2017-09-05)*
* Relations:
* parent #3130
Alpine 2.7.10
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3132
[v2.6] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4...
2019-07-12T14:48:32Z
Alexander Belous
[v2.6] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4703)
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerabili...
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerability to read any INI format config files owned by root and
potentially extract some sensitive information.”
Malicious user that has local access to a system where check\_dhcp
plugin is installed with SUID could exploit this vulnerability to read
any INI format config files owned by root and potentially extract some
sensitive information.
Affected:
————————————-
Systems with check\_dhcp SUID binary installed as a part of Nagios
Plugins 2.0.1 or older are vulnerable.
Solution:
————————————-
Remove SETUID permission bit from the check\_dhcp binary file if the
plugin is not used. Vendor has been informed about the vulnerability
prior to release of this advisory. Install a newer version of the plugin
when released by vendor.
Fixed in:
————————————-
Nagios Plugins 2.0.2
References:
————————————-
http://seclists.org/fulldisclosure/2014/May/74
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-2-released/
CVE-2014-4703:
check\_dhcp plugin (part of the official Nagios Plugins package)
contained a vulnerability that allowed a malicious attacker to read
parts of INI config files belonging to root on a local system. It
allowed an attacker to obtain sensitive information like passwords that
should only be accessible by root user (see above).
The vulnerability was quickly patched by vendor in the release of nagios
plugins version 2.0.2 however the security measures in the patch are not
sufficient and the code is vulnerable to Race Condition attack. Race
Condition makes it possible for an arbitrary user to read parts of a
root-owned file despite the checks.
Affected:
————————————-
Nagios Plugins 2.0.2
Fixed in:
————————————-
Nagios Plugins 2.0.3
References:
————————————-
http://seclists.org/fulldisclosure/2014/Jun/141
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-3-released/
*(from redmine: issue id 3132, created on 2014-07-02, closed on 2017-09-05)*
* Relations:
* parent #3130
Alpine 2.6.7
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3131
[v2.5] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4...
2019-07-23T14:05:47Z
Alexander Belous
[v2.5] nagios-plugins: multiple fixes (CVE-2014-4701 CVE-2014-4702 CVE-2014-4703)
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerabili...
CVE-2014-4701/CVE-2014-4701:
Dawid Golunski discovered a flaw in the Nagios check\_dhcp plugin that
allows “Malicious user that has local access to a system where
check\_dhcp plugin is installed with SUID could exploit this
vulnerability to read any INI format config files owned by root and
potentially extract some sensitive information.”
Malicious user that has local access to a system where check\_dhcp
plugin is installed with SUID could exploit this vulnerability to read
any INI format config files owned by root and potentially extract some
sensitive information.
Affected:
————————————-
Systems with check\_dhcp SUID binary installed as a part of Nagios
Plugins 2.0.1 or older are vulnerable.
Solution:
————————————-
Remove SETUID permission bit from the check\_dhcp binary file if the
plugin is not used. Vendor has been informed about the vulnerability
prior to release of this advisory. Install a newer version of the plugin
when released by vendor.
Fixed in:
————————————-
Nagios Plugins 2.0.2
References:
————————————-
http://seclists.org/fulldisclosure/2014/May/74
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-2-released/
CVE-2014-4703:
check\_dhcp plugin (part of the official Nagios Plugins package)
contained a vulnerability that allowed a malicious attacker to read
parts of INI config files belonging to root on a local system. It
allowed an attacker to obtain sensitive information like passwords that
should only be accessible by root user (see above).
The vulnerability was quickly patched by vendor in the release of nagios
plugins version 2.0.2 however the security measures in the patch are not
sufficient and the code is vulnerable to Race Condition attack. Race
Condition makes it possible for an arbitrary user to read parts of a
root-owned file despite the checks.
Affected:
————————————-
Nagios Plugins 2.0.2
Fixed in:
————————————-
Nagios Plugins 2.0.3
References:
————————————-
http://seclists.org/fulldisclosure/2014/Jun/141
http://seclists.org/oss-sec/2014/q2/709
http://nagios-plugins.org/nagios-plugins-2-0-3-released/
*(from redmine: issue id 3131, created on 2014-07-02, closed on 2015-05-07)*
* Relations:
* parent #3130
Alpine 2.5.5
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3129
[v3.0] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2...
2019-07-23T14:05:48Z
Alexander Belous
[v3.0] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2014-2708 CVE-2014-2709 CVE-2014-4002)
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL I...
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL Injection Vulnerability
CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
CONFIRM: http://www.cacti.net/download\_patches.php
PATCHES: http://www.cacti.net/downloads/patches/0.8.8b/security.patch
Additional issues not yet fixed in the stable branch:
CVE-2014-2327:
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b,
and earlier allows remote attackers to hijack the authentication of
users for unspecified commands, as demonstrated by requests that (1)
modify binary files, (2) modify configurations, or (3) add arbitrary
users.
URL: http://www.securityfocus.com/archive/1/531588
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
URL: http://www.securityfocus.com/bid/66392
CONFIRM: http://bugs.cacti.net/view.php?id=2432 (CVE-2014-2327, not yet
resolved by vendor in the stable branch)
CVE-2014-4002:
Cross-Site Scripting Vulnerability.
Architecture: source all
Urgency: high
Maintainer: Cacti Maintainer
<pkg-cacti-maint@lists.alioth.debian.org>
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752573
http://seclists.org/bugtraq/2014/Jun/166
SVN CHECKOUT: http://www.cacti.net/svn.php
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7451 (unstable
branch only yet)
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7452 (unstable
branch only yet)
*(from redmine: issue id 3129, created on 2014-07-02, closed on 2014-07-07)*
* Relations:
* parent #3125
* Changesets:
* Revision 7d61b62ed69fe440d13e93d31379be350aeab52d by Natanael Copa on 2014-07-07T09:45:09Z:
```
main/cacti: security fix for various CVEs
CVE-2014-2326
CVE-2014-2327
CVE-2014-2328
CVE-2014-2708
CVE-2014-2709
CVE-2014-4002
fixes #3129
(cherry picked from commit fa2998fd037f72a85b53903b13a23d50a22aa3c9)
```
3.0.2
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3128
[v2.7] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2...
2019-07-23T14:05:49Z
Alexander Belous
[v2.7] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2014-2708 CVE-2014-2709 CVE-2014-4002)
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL I...
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL Injection Vulnerability
CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
CONFIRM: http://www.cacti.net/download\_patches.php
PATCHES: http://www.cacti.net/downloads/patches/0.8.8b/security.patch
Additional issues not yet fixed in the stable branch:
CVE-2014-2327:
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b,
and earlier allows remote attackers to hijack the authentication of
users for unspecified commands, as demonstrated by requests that (1)
modify binary files, (2) modify configurations, or (3) add arbitrary
users.
URL: http://www.securityfocus.com/archive/1/531588
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
URL: http://www.securityfocus.com/bid/66392
CONFIRM: http://bugs.cacti.net/view.php?id=2432 (CVE-2014-2327, not yet
resolved by vendor in the stable branch)
CVE-2014-4002:
Cross-Site Scripting Vulnerability.
Architecture: source all
Urgency: high
Maintainer: Cacti Maintainer
<pkg-cacti-maint@lists.alioth.debian.org>
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752573
http://seclists.org/bugtraq/2014/Jun/166
SVN CHECKOUT: http://www.cacti.net/svn.php
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7451 (unstable
branch only yet)
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7452 (unstable
branch only yet)
*(from redmine: issue id 3128, created on 2014-07-02, closed on 2014-07-07)*
* Relations:
* parent #3125
* Changesets:
* Revision 800d90ec78ce5fe9082835f112b870575fb4dd30 by Natanael Copa on 2014-07-07T09:46:26Z:
```
main/cacti: security fix for various CVEs
CVE-2014-2326
CVE-2014-2327
CVE-2014-2328
CVE-2014-2708
CVE-2014-2709
CVE-2014-4002
fixes #3128
(cherry picked from commit fa2998fd037f72a85b53903b13a23d50a22aa3c9)
```
Alpine 2.7.10
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3127
[v2.6] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2...
2019-07-23T14:05:50Z
Alexander Belous
[v2.6] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2014-2708 CVE-2014-2709 CVE-2014-4002)
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL I...
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL Injection Vulnerability
CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
CONFIRM: http://www.cacti.net/download\_patches.php
PATCHES: http://www.cacti.net/downloads/patches/0.8.8b/security.patch
Additional issues not yet fixed in the stable branch:
CVE-2014-2327:
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b,
and earlier allows remote attackers to hijack the authentication of
users for unspecified commands, as demonstrated by requests that (1)
modify binary files, (2) modify configurations, or (3) add arbitrary
users.
URL: http://www.securityfocus.com/archive/1/531588
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
URL: http://www.securityfocus.com/bid/66392
CONFIRM: http://bugs.cacti.net/view.php?id=2432 (CVE-2014-2327, not yet
resolved by vendor in the stable branch)
CVE-2014-4002:
Cross-Site Scripting Vulnerability.
Architecture: source all
Urgency: high
Maintainer: Cacti Maintainer
<pkg-cacti-maint@lists.alioth.debian.org>
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752573
http://seclists.org/bugtraq/2014/Jun/166
SVN CHECKOUT: http://www.cacti.net/svn.php
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7451 (unstable
branch only yet)
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7452 (unstable
branch only yet)
*(from redmine: issue id 3127, created on 2014-07-02, closed on 2014-07-07)*
* Relations:
* parent #3125
* Changesets:
* Revision 151b7f5b135aace48e29a362401b4e4c4ac79e8f by Natanael Copa on 2014-07-07T09:48:46Z:
```
main/cacti: security fix for various CVEs
CVE-2014-2326
CVE-2014-2327
CVE-2014-2328
CVE-2014-2708
CVE-2014-2709
CVE-2014-4002
fixes #3127
(cherry picked from commit fa2998fd037f72a85b53903b13a23d50a22aa3c9)
```
Alpine 2.6.7
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com
https://gitlab.alpinelinux.org/alpine/aports/-/issues/3126
[v2.5] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2...
2019-07-23T14:05:51Z
Alexander Belous
[v2.5] cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2014-2708 CVE-2014-2709 CVE-2014-4002)
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL I...
Multiple issues have been fixed by vendor in the stable branch for cacti
0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL Injection Vulnerability
CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
CONFIRM: http://www.cacti.net/download\_patches.php
PATCHES: http://www.cacti.net/downloads/patches/0.8.8b/security.patch
Additional issues not yet fixed in the stable branch:
CVE-2014-2327:
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b,
and earlier allows remote attackers to hijack the authentication of
users for unspecified commands, as demonstrated by requests that (1)
modify binary files, (2) modify configurations, or (3) add arbitrary
users.
URL: http://www.securityfocus.com/archive/1/531588
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
URL: http://www.securityfocus.com/bid/66392
CONFIRM: http://bugs.cacti.net/view.php?id=2432 (CVE-2014-2327, not yet
resolved by vendor in the stable branch)
CVE-2014-4002:
Cross-Site Scripting Vulnerability.
Architecture: source all
Urgency: high
Maintainer: Cacti Maintainer
<pkg-cacti-maint@lists.alioth.debian.org>
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752573
http://seclists.org/bugtraq/2014/Jun/166
SVN CHECKOUT: http://www.cacti.net/svn.php
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7451 (unstable
branch only yet)
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7452 (unstable
branch only yet)
*(from redmine: issue id 3126, created on 2014-07-02, closed on 2014-07-07)*
* Relations:
* parent #3125
* Changesets:
* Revision f6419b1a7cbefbbe6569f989cc148e07ddd54ca8 by Natanael Copa on 2014-07-07T09:51:47Z:
```
main/cacti: security fix for various CVEs
CVE-2014-2326
CVE-2014-2327
CVE-2014-2328
CVE-2014-2708
CVE-2014-2709
CVE-2014-4002
fixes #3126
(cherry picked from commit 151b7f5b135aace48e29a362401b4e4c4ac79e8f)
```
Alpine 2.5.5
Jeff Bilyk
jbilyk@gmail.com
Jeff Bilyk
jbilyk@gmail.com