# alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues (feed updated 2019-07-23T11:47:22Z)

## linux-virthardened has no graphics drivers
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7607
Reporter: algitbot. Updated: 2019-07-23T11:47:22Z.

Currently there are no graphics drivers in the virthardened kernel, so we
can't have a higher resolution console.
Could we get the qxl and vmwgfx drivers added? If package size is a
concern, it should only add roughly another 5MB.
*(from redmine: issue id 7607, created on 2017-07-26, closed on 2017-11-29)*
* Changesets:
* Revision 08ffe8f18862b11422291bb9f74a74a736cff48d by Natanael Copa on 2017-09-22T19:26:48Z:
```
main/linux-hardened: enable graphics drivers for virthardened
fixes #7607
```
Milestone: 3.7.0.

## [ncurses] Relocation error in tic
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7608
Reporter: Andrej Utz. Updated: 2019-07-23T11:47:21Z.

After the last update (`ncurses-6.0_p20170701-r0`) tic has been failing to
run.

```
alpine-edge:~$ ldd /usr/bin/tic
	/lib/ld-musl-x86_64.so.1 (0x56165e69a000)
	libncursesw.so.6 => /usr/lib/libncursesw.so.6 (0x7fd7fecb3000)
	libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x56165e69a000)
Error relocating /usr/bin/tic: _nc_write_object: symbol not found
```

Since building ncurses depends on the previous version of itself, this
also makes packaging new versions impossible.
*(from redmine: issue id 7608, created on 2017-07-27, closed on 2017-07-27)*
Milestone: 3.6.3. Assignee: Natanael Copa.

## py-scipy: Not have support for Python3
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7609
Reporter: Sharon Gold. Updated: 2019-07-23T11:47:20Z.

The py-scipy package does not have Python3 support.
It only works with Python27.
Please add support for Python3.
*(from redmine: issue id 7609, created on 2017-07-29, closed on 2018-09-11)*
* Changesets:
* Revision f2f0284b5678202e5cdf3fe2aef8a0eee4495f3a on 2017-07-29T11:32:06Z:
```
testing/py-scipy: upgrade to 0.19.1, fixes #7609
```
Milestone: 3.6.3.

## SpamAssassin's sa-update requires GNU wget
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7610
Reporter: John Longe. Updated: 2019-07-23T11:47:19Z.

Running sa-update without having the wget package installed returns the
following:

```
/usr/bin/wget: unrecognized option: max-redirect=2
BusyBox v1.26.2 (2017-06-11 06:38:32 GMT) multi-call binary.
Usage: wget [-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]
        [--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
        [-U|--user-agent AGENT] [-T SEC] URL...
Retrieve files via HTTP or FTP
        --spider        Spider mode - only check file existence
        -c              Continue retrieval of aborted transfer
        -q              Quiet
        -P DIR          Save to DIR (default .)
        -T SEC          Network read timeout is SEC seconds
        -O FILE         Save to FILE ('-' for stdout)
        -U STR          Use STR for User-Agent header
        -Y on/off       Use proxy
error: no mirror data available for channel updates.spamassassin.org
channel: MIRRORED.BY file contents were missing, channel failed
```

sa-update is a perl script which uses GNU wget's `--max-redirect`
option, which BusyBox wget doesn't recognize. Maybe SpamAssassin should
depend on the wget package then?
*(from redmine: issue id 7610, created on 2017-07-29, closed on 2019-05-03)*
* Changesets:
* Revision c2adebbb218825c3f942cdd5dffcff9895fcaba0 by Francesco Colista on 2017-08-09T15:37:51Z:
```
main/spamassassin: sa-update needs curl or gnu wget. Fixes #7610
```

## mkinitfs: features.d/ext4 needs to depend on crc32
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7611
Reporter: Max Rees. Updated: 2019-07-23T11:47:18Z.

Tried setting up a new alpine instance today. When I rebooted, it could
not mount the root ext4 filesystem. dmesg complained about crc32c being
missing. The fix was to add the following two lines to
/etc/mkinitfs/features.d/ext4.modules:

```
kernel/arch/*/crypto/crc32*
kernel/crypto/crc32*
```

*(from redmine: issue id 7611, created on 2017-07-30, closed on 2018-08-09)*
* Changesets:
* Revision 32dd6f16bf1645ffdf1f6019575fc130702fa047 by Natanael Copa on 2017-08-03T13:03:24Z:
```
main/mkinitfs: fix crc32 module deps for ext4
ref #7611
```
* Revision a94e12d836ae8feda91ec2ca1c19eecb2491e97d by Natanael Copa on 2017-08-14T14:58:00Z:
```
main/mkinitfs: fix crc32 module deps for ext4
fixes #7611
(cherry picked from commit 32dd6f16bf1645ffdf1f6019575fc130702fa047)
```
Milestone: 3.6.3.

## atop create many logs and processes
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7614
Reporter: algitbot. Updated: 2019-07-23T11:47:16Z.

My disk was 100% full because atop created many logs and processes:

```
# cat /etc/alpine-release
3.6.2
# ps | grep atop
1054 root 0:11 /usr/bin/atop -a -R -w /var/log/atop/atop_20170730 600
2332 root 0:06 /usr/bin/atop -a -R -w /var/log/atop/atop_20170731 600
3078 root 1:22 /usr/bin/atop -a -R -w /var/log/atop/atop_20170712 600
3656 root 0:02 /usr/bin/atop -a -R -w /var/log/atop/atop_20170801 600
4458 root 0:00 grep atop
5091 root 1:08 /usr/bin/atop -a -R -w /var/log/atop/atop_20170713 600
6614 root 1:09 /usr/bin/atop -a -R -w /var/log/atop/atop_20170714 600
8145 root 1:02 /usr/bin/atop -a -R -w /var/log/atop/atop_20170715 600
9663 root 1:01 /usr/bin/atop -a -R -w /var/log/atop/atop_20170716 600
11166 root 0:54 /usr/bin/atop -a -R -w /var/log/atop/atop_20170717 600
12777 root 0:52 /usr/bin/atop -a -R -w /var/log/atop/atop_20170718 600
14299 root 0:48 /usr/bin/atop -a -R -w /var/log/atop/atop_20170719 600
15911 root 0:49 /usr/bin/atop -a -R -w /var/log/atop/atop_20170720 600
17313 root 0:46 /usr/bin/atop -a -R -w /var/log/atop/atop_20170721 600
19036 root 0:46 /usr/bin/atop -a -R -w /var/log/atop/atop_20170722 600
20568 root 0:38 /usr/bin/atop -a -R -w /var/log/atop/atop_20170723 600
23096 root 0:34 /usr/bin/atop -a -R -w /var/log/atop/atop_20170724 600
25102 root 0:36 /usr/bin/atop -a -R -w /var/log/atop/atop_20170725 600
27002 root 0:27 /usr/bin/atop -a -R -w /var/log/atop/atop_20170726 600
28699 root 0:22 /usr/bin/atop -a -R -w /var/log/atop/atop_20170727 600
30537 root 0:17 /usr/bin/atop -a -R -w /var/log/atop/atop_20170728 600
31854 root 0:13 /usr/bin/atop -a -R -w /var/log/atop/atop_20170729 600
```

Then I found the problem in the script /etc/periodic/daily/atop.
The command `` ps -p `cat $PIDFILE` `` is used at lines 11 and 17 in
this script. But the `ps` command in Alpine Linux hasn't got a `-p`
parameter. That is why the script doesn't work properly.
I've made some changes and now the script is working properly:
# diff -u /etc/periodic/daily/atop ~/atop
--- /etc/periodic/daily/atop
+++ /root/atop
@@ -8,13 +8,13 @@
# verify if atop still runs for daily logging
#
-if [ -e $PIDFILE ] && ps -p `cat $PIDFILE` | grep 'atop$' > /dev/null
+if [ -e $PIDFILE ] && ps | grep `cat $PIDFILE` > /dev/null
then
kill -USR2 `cat $PIDFILE` # final sample and terminate
CNT=0
- while ps -p `cat $PIDFILE` > /dev/null
+ while ps | grep `cat $PIDFILE` > /dev/null
do
let CNT+=1
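Review bot: the replacement test `` ps | grep `cat $PIDFILE` `` on both changed lines is an unanchored substring match over every ps line, so it is true whenever the PID digits appear anywhere: inside a longer PID (105 inside 1054), in the TIME column, or in the argument list of the grep process itself, which usually shows up in the same ps listing and always carries the PID being searched for. That last case means the `if` branch runs even when the pidfile is stale, and `` while ps | grep `cat $PIDFILE` `` can keep looping after atop has exited. The `grep 'atop$'` guard on the process name was also dropped, so any process with that PID passes. BusyBox ps has no `-p`, but `` kill -0 `cat $PIDFILE` 2>/dev/null `` (or `` [ -d /proc/`cat $PIDFILE` ] ``) tests exactly that one PID without ps; if ps must be used, anchor the PID to the first column, e.g. `` ps | grep -E "^ *`cat $PIDFILE` " ``.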
*(from redmine: issue id 7614, created on 2017-08-01, closed on 2018-09-11)*
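A portable liveness check for a pidfile, as an added example that is not code from the atop package or from the patch in this report. On a constructed ps listing it shows why grepping the bare PID is unreliable, and then replaces the check with `kill -0`, which BusyBox provides and which tests exactly one PID. The sample ps lines, the function names and the child-process demonstration are the example's own.

```shell
#!/bin/sh
# Added example; not part of atop or of the reporter's patch.

# Constructed sample of `ps` output (not a real capture). Note that the grep
# process itself carries the searched PID on its command line, and that 105
# is a substring of 1054.
SAMPLE_PS='  PID USER       TIME  COMMAND
 1054 root       0:11 /usr/bin/atop -a -R -w /var/log/atop/atop_20170730 600
 4458 root       0:00 grep 105'

# naive_check PID: the test used in the patch, `ps | grep PID`, run over the
# sample. Returns 0 (true) if PID appears anywhere on any line.
naive_check() {
    printf '%s\n' "$SAMPLE_PS" | grep "$1" > /dev/null
}

# anchored_check PID: same data, but PID must be the whole first column.
# Still ps-based (it depends on column layout), shown only for contrast.
anchored_check() {
    printf '%s\n' "$SAMPLE_PS" | grep -E "^ *$1 " > /dev/null
}

# pid_alive PID: 0 if a process with exactly this PID exists, 1 otherwise.
# kill -0 delivers no signal; it only asks the kernel whether PID is valid
# and signalable. Root (which runs /etc/periodic) may signal any process,
# so for that script a failure means "no such process"; an unprivileged
# caller would also get a failure (EPERM) for another user's process.
# Empty or non-numeric pidfile contents are rejected rather than passed on.
pid_alive() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$1" 2> /dev/null
}

# pidfile_alive FILE: 0 if FILE names a live PID, 1 otherwise.
pidfile_alive() {
    [ -r "$1" ] || return 1
    pid_alive "$(cat "$1")"
}

# exited_child_not_alive: spawn a child that exits at once, reap it, and
# confirm pid_alive reports it gone. Returns 0 when the check behaves.
exited_child_not_alive() {
    sh -c 'exit 0' &
    child=$!
    wait "$child"
    ! pid_alive "$child"
}

# Demonstration when run directly.
if naive_check 105; then echo "ps|grep: PID 105 'found' (false positive)"; fi
if ! anchored_check 105; then echo "anchored grep: PID 105 not found"; fi
if pid_alive "$$"; then echo "kill -0: this shell ($$) is alive"; fi
if exited_child_not_alive; then echo "kill -0: exited child is gone"; fi
```

`pidfile_alive /var/run/atop.pid` is the drop-in replacement for both checks in the periodic script; the `grep 'atop$'` name check from the original line can be kept by reading `/proc/PID/comm` if the PID is live.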
* Changesets:
* Revision f9398bb0531c18b2bce1922fa17157528fd820ee by Francesco Colista on 2017-09-06T12:22:37Z:
```
main/atop: removed dependency to procps in daily script. Fixes #7614
```
* Uploads:
* [atop.diff](/uploads/5f7352116c1785a4ce006229584bb94c/atop.diff) patch
Milestone: 3.6.3.

## py3-scipy has broken depends
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7615
Reporter: Toni Kaija. Updated: 2019-07-23T11:47:15Z.

Currently, when trying to install py3-scipy from edge/testing, it
attempts to pull a non-existing depend:

```
/ # apk add py3-scipy
ERROR: unsatisfiable constraints:
  py3-numpy3-f2py (missing):
    required by: py3-scipy-0.19.1-r0[py3-numpy3-f2py]
```

This is likely caused by how support for Python 3 was added (#7609,
commit
https://git.alpinelinux.org/cgit/aports/commit/?id=f2f0284b5678202e5cdf3fe2aef8a0eee4495f3a):

```
_py3() {
	depends="${depends//py-/py3-}"
	_py python3
}
```

The sed-like syntax unfortunately also catches 'numpy-' along with the
intended target ('py-').
If the sed-like syntax supports regexes, 'depends//^py-/py3-' might fix
it.
*(from redmine: issue id 7615, created on 2017-08-03, closed on 2019-05-03)*
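The substitution bug reproduced in shell, as an added example that is not from the py-scipy APKBUILD or from the fix commit: `buggy_py3_depends` performs the unanchored `${depends//py-/py3-}` rewrite with an equivalent `sed` expression (so it runs in plain POSIX sh, where `${var//a/b}` is not available), and `py3_depends` rewrites only a leading `py-` on each dependency word, which is the effect the `^py-` anchor in the report is after. The function names and the sample depends lists are the example's own.

```shell
#!/bin/sh
# Added example; not from the py-scipy APKBUILD or from aports.

# buggy_py3_depends LIST: the original rewrite, ${depends//py-/py3-}, done
# with the equivalent unanchored global sed substitution. Every "py-" is
# replaced, including the one inside "numpy-", which is how py-numpy-f2py
# became the non-existent py3-numpy3-f2py.
buggy_py3_depends() {
    printf '%s\n' "$1" | sed 's/py-/py3-/g'
}

# py3_depends LIST: rewrite only a leading "py-" on each whitespace-separated
# dependency. Version constraints (py-numpy>=1.13) and non-py packages pass
# through untouched. Word splitting on the unquoted $1 is intentional.
py3_depends() {
    out=''
    for dep in $1; do
        case $dep in
            py-*) dep="py3-${dep#py-}" ;;
        esac
        out="${out:+$out }$dep"
    done
    printf '%s\n' "$out"
}

# Constructed depends list modelled on the report (not the real APKBUILD value).
DEPENDS='py-numpy-f2py py-numpy>=1.13 gfortran lapack'

# Demonstration when run directly.
echo "buggy: $(buggy_py3_depends "$DEPENDS")"
echo "fixed: $(py3_depends "$DEPENDS")"
```

The loop form is also what to prefer in an APKBUILD when the shell is ash: `${var//pattern/repl}` has no anchoring, so a prefix test per word (`case $dep in py-*)`) is the only way to express "at the start of a package name".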
* Changesets:
* Revision 9b1159bce3b23f424796b7669be482af4bb0bf96 on 2017-08-03T12:16:16Z:
```
testing/py-scipy: fixed regexp to avoid wrong py dependency. Fixes #7615
```

## Docker Volume plugin local-persist as a new package?
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7616
Reporter: Michal Mičko. Updated: 2019-07-23T11:47:14Z.

Could you add a new package?
Docker Volume plugin local-persist
https://github.com/CWSpear/local-persist
https://github.com/CWSpear/local-persist/releases
*(from redmine: issue id 7616, created on 2017-08-03, closed on 2017-11-29)*
* Changesets:
* Revision b4d83a4728d6a19d766ab0ab1f53e27aef2d6407 by Natanael Copa on 2017-08-14T14:55:25Z:
```
testing/docker-volume-local-persist: new aport
Local Persist Volume Plugin for Docker
https://github.com/CWSpear/local-persist
fixes #7616
```
Milestone: 3.7.0. Assignee: Natanael Copa.

## Maven package is clobbering the MAVEN_OPTS environment variable
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7617
Reporter: Leonardo B. Updated: 2019-07-23T11:47:13Z.

The APKBUILD for maven contains the following:

```
cat > "$pkgdir"/etc/mavenrc <<-EOF
	M2_HOME="$m2_home"
	MAVEN_OPTS=-Xmx512m
EOF
```

Which seems problematic (the MAVEN_OPTS line) as it has the net result
of making the /usr/bin/mvn wrapper completely ignore the value set for
MAVEN_OPTS in the environment. I kept hitting this problem with an
alpine Docker image I prepared to be a continuous integration
environment, until I finally traced the problem back to this. I think
maybe something like this would be more appropriate:

```
MAVEN_OPTS="$MAVEN_OPTS -Xmx512m"
```

Thanks.
*(from redmine: issue id 7617, created on 2017-08-04, closed on 2019-05-03)*
Assignee: Francesco Colista.

## Add "nginx-cache-purge" module to nginx builds
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7624
Reporter: Peter Hase. Updated: 2019-07-23T11:47:12Z.

Hi maintainers,
adding the module nginx-cache-purge to the builds would unlock a great
feature for nginx, which is beneficial when it's for example used for
wordpress installations.
There are quite a few docker containers building nginx from source on
top of alpine just to add this feature.
Would this be possible?
*(from redmine: issue id 7624, created on 2017-08-04, closed on 2019-05-03)*
Assignee: Jakub Jirutka.

## lame: Multiple vulnerabilities (CVE-2015-9099, CVE-2015-9100, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412, CVE-2017-11720)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7625
Reporter: Alicha CH. Updated: 2019-07-23T11:47:11Z.

**CVE-2015-9099**: The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2015-9099

**CVE-2015-9100**: The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2015-9100

**CVE-2017-9410**: The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted wav file.
### References:
http://seclists.org/fulldisclosure/2017/Jul/63

**CVE-2017-9411**: The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.
### References:
http://seclists.org/fulldisclosure/2017/Jul/63

**CVE-2017-9412**: The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.
### References:
http://seclists.org/fulldisclosure/2017/Jul/63

**CVE-2017-11720**: There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-11720

*(from redmine: issue id 7625, created on 2017-08-04, closed on 2017-08-07)*
* Relations:
* child #7626
* child #7627
* child #7628
* child #7629
* child #7630
Assignee: Francesco Colista.

## [3.7] lame: Multiple vulnerabilities (CVE-2015-9099, CVE-2015-9100, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412, CVE-2017-11720)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7626
Reporter: Alicha CH. Updated: 2019-07-23T11:47:10Z.

Description identical to the parent issue #7625.
*(from redmine: issue id 7626, created on 2017-08-04, closed on 2017-08-07)*
* Relations:
* parent #7625
* Changesets:
* Revision 2c851aafb18a59c7927ff1db648b5b4767d7e300 by Francesco Colista on 2017-08-07T08:55:32Z:
```
main/lame: security fixes:
* CVE-2015-9099
* CVE-2015-9100
* CVE-2017-9410
* CVE-2017-9411
* CVE-2017-9412
* CVE-2017-11720
Fixes #7626
```
Milestone: 3.7.0. Assignee: Francesco Colista.

## [3.6] lame: Multiple vulnerabilities (CVE-2015-9099, CVE-2015-9100, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412, CVE-2017-11720)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7627
Reporter: Alicha CH. Updated: 2019-07-23T11:47:09Z.

Description identical to the parent issue #7625.
*(from redmine: issue id 7627, created on 2017-08-04, closed on 2017-08-07)*
* Relations:
* parent #7625
* Changesets:
* Revision 1900edcab539a7ab32e3ad868597f7358fa798ad by Francesco Colista on 2017-08-07T08:52:34Z:
```
main/lame: security fixes:
* CVE-2015-9099
* CVE-2015-9100
* CVE-2017-9410
* CVE-2017-9411
* CVE-2017-9412
* CVE-2017-11720
Fixes #7627
```
Milestone: 3.6.3. Assignee: Francesco Colista.

## [3.5] lame: Multiple vulnerabilities (CVE-2015-9099, CVE-2015-9100, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412, CVE-2017-11720)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7628
Reporter: Alicha CH. Updated: 2019-07-23T11:47:07Z.

Description identical to the parent issue #7625.
*(from redmine: issue id 7628, created on 2017-08-04, closed on 2017-08-07)*
* Relations:
* parent #7625
Milestone: 3.5.3. Assignee: Francesco Colista.

## [3.4] lame: Multiple vulnerabilities (CVE-2015-9099, CVE-2015-9100, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412, CVE-2017-11720)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7629
Reporter: Alicha CH. Updated: 2019-07-23T11:47:06Z.

Description identical to the parent issue #7625.
*(from redmine: issue id 7629, created on 2017-08-04, closed on 2017-08-07)*
* Relations:
* parent #7625
* Changesets:
* Revision 22711d8124dcf1724b3b0ae900bf89567c5b979a by Francesco Colista on 2017-08-07T08:49:36Z:
```
main/lame: security fixes:
* CVE-2015-9099
* CVE-2015-9100
* CVE-2017-9410
* CVE-2017-9411
* CVE-2017-9412
* CVE-2017-11720
Fixes #7629
```
* Revision c6826747b05fd69a8385c80f7ba19d2260dd32ba by Francesco Colista on 2017-08-07T08:51:31Z:
```
main/lame: security fixes:
* CVE-2015-9099
* CVE-2015-9100
* CVE-2017-9410
* CVE-2017-9411
* CVE-2017-9412
* CVE-2017-11720
Fixes #7629
```
Milestone: 3.4.7. Assignee: Francesco Colista.

## [3.3] lame: Multiple vulnerabilities (CVE-2015-9099, CVE-2015-9100, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412, CVE-2017-11720)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7630
Reporter: Alicha CH. Updated: 2019-07-23T11:47:05Z.

Description identical to the parent issue #7625.
*(from redmine: issue id 7630, created on 2017-08-04, closed on 2017-08-07)*
* Relations:
* parent #7625
* Changesets:
* Revision 7f60893b079de3f360f2d63a76079f32a019f042 by Francesco Colista on 2017-08-07T08:47:52Z:
```
main/lame: security fixes:
* CVE-2015-9099
* CVE-2015-9100
* CVE-2017-9410
* CVE-2017-9411
* CVE-2017-9412
* CVE-2017-11720
Fixes #7630
```
Milestone: 3.3.4. Assignee: Francesco Colista.

## Varnish CVE-2017-12425 / VSV00001 DoS vulnerability
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7631
Reporter: Felix Bünemann. Updated: 2019-07-23T11:47:04Z.

A wrong if statement in the varnishd source code means that particular
invalid requests from the client can trigger an assert.
This causes the varnishd worker process to abort and restart, losing
the cached contents in the process.
An attacker can therefore crash the varnishd worker process on demand
and effectively keep it from serving content - a Denial-of-Service
attack.
Package versions affected (Alpine release):
- 4.1.2-r1 (v3.3)
- 4.1.2-r3 (v3.4)
- 4.1.3-r0 (v3.5)
- 4.1.3-r0 (v3.6)
- 5.1.2-r1 (edge, already flagged)
This might affect older releases, if they use Varnish 4.0.1 or later,
but they are not listed in alpine package search.
The problem could be fixed by either upgrading to Varnish 4.1.8 / 5.1.3 or
by applying the following one-line patch:
https://github.com/varnishcache/varnish-cache/commit/c37821ddd539a23845ae8e9a7a9cc958358c1541.patch
Details: https://varnish-cache.org/security/VSV00001.html
*(from redmine: issue id 7631, created on 2017-08-06, closed on 2017-08-07)*
Assignee: Francesco Colista.

## tcpdump: heap-based buffer over-read and application crash (CVE-2017-11108)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7633
Reporter: Alicha CH. Updated: 2019-07-23T11:47:03Z.

tcpdump 4.9.0 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via crafted packet
data.
The crash occurs in the EXTRACT_16BITS function, called from the
stp_print function for the Spanning Tree Protocol.
### Fixed in:
Tcpdump 4.9.1
### References:
http://www.tcpdump.org/tcpdump-changes.txt
*(from redmine: issue id 7633, created on 2017-08-07, closed on 2017-08-07)*
* Relations:
* child #7634
* child #7635
* child #7636
* child #7637
* Changesets:
* Revision 463c720cae55a3f0c45d5b52bc6da81e2fbe307e by Francesco Colista on 2017-08-07T10:22:35Z:
```
main/tcpdump: security update to 4.9.1. Fixes #7633
```
Assignee: Natanael Copa.

## [3.6] tcpdump: heap-based buffer over-read and application crash (CVE-2017-11108)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7634
Reporter: Alicha CH. Updated: 2019-07-23T11:47:02Z.

Description identical to the parent issue #7633.
*(from redmine: issue id 7634, created on 2017-08-07, closed on 2017-08-07)*
* Relations:
* parent #7633
* Changesets:
* Revision a9f20ceec7434edc3b6efaaf3d9117504437d0d0 by Francesco Colista on 2017-08-07T10:20:22Z:
```
main/tcpdump: security update to 4.9.1. Fixes #7634
```
Milestone: 3.6.3. Assignee: Natanael Copa.

## [3.5] tcpdump: heap-based buffer over-read and application crash (CVE-2017-11108)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/7635
Reporter: Alicha CH. Updated: 2019-07-23T11:47:01Z.

Description identical to the parent issue #7633.
*(from redmine: issue id 7635, created on 2017-08-07, closed on 2017-08-07)*
* Relations:
* parent #7633
* Changesets:
* Revision d663ed834ba5f4b06ea39a034880ace2ccd4a237 by Francesco Colista on 2017-08-07T10:17:00Z:
```
main/tcpdump: security update to 4.9.1. Fixes #7635
```
Milestone: 3.5.3. Assignee: Natanael Copa.