alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
2021-03-24T08:56:53Z

openssh: double-free memory corruption may lead to arbitrary code execution (CVE-2021-28041)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12514
2021-03-24T08:56:53Z
Alicha CH

A double-free memory corruption, introduced in OpenSSH 8.2, that could be reached by an attacker with access to the agent socket. Exploitable by a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.
#### Fixed In Version:
openssh 8.5
#### References:
* https://www.openssh.com/txt/release-8.5
* https://nvd.nist.gov/vuln/detail/CVE-2021-28041
#### Patch:
https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
### Affected branches:
* [x] master
* [x] 3.13-stable (5627e6e88d0ed5f43c7f1c4d8130c22e6289dccb)
* [x] 3.12-stable (548780934cd17a38c845008479f636f02458b43a)

Natanael Copa

Unable to install php7-pecl-imagick=3.4.4-r7 with alpine:20210212
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12512
2021-06-04T10:08:15Z
Hetsh

Hi, I am using the `edge` docker image (20210212 at this time) and cannot install the `php7-pecl-imagick=3.4.4-r7` package. It reports the following error:
```
$ docker run --rm -it library/alpine:20210212
# apk update
fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
v20210212-1342-g2a719c4765 [https://dl-cdn.alpinelinux.org/alpine/edge/main]
v20210212-1342-g2a719c4765 [https://dl-cdn.alpinelinux.org/alpine/edge/community]
OK: 14157 distinct packages available
# apk add php7-pecl-imagick=3.4.4-r7
ERROR: unable to select packages:
so:libMagickCore-7.Q16HDRI.so.8 (no such package):
required by: php7-pecl-imagick-3.4.4-r7[so:libMagickCore-7.Q16HDRI.so.8]
so:libMagickWand-7.Q16HDRI.so.8 (no such package):
required by: php7-pecl-imagick-3.4.4-r7[so:libMagickWand-7.Q16HDRI.so.8]
```
Can anybody shed some light on what happens here and how to circumvent this? I cannot reproduce this issue when I use the `latest` docker image (3.13.2 at this time).

git: remote code execution during clone on case-insensitive file systems (CVE-2021-21300)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12511
2021-03-10T06:22:44Z
Kevin Daudt

On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.
## Affected versions
* edge / v3.13: v2.30.1
* v3.12: v2.26.2
* v3.11: v2.24.3
* v3.10: v2.22.4
## References
* https://github.blog/2021-03-09-git-clone-vulnerability-announced/
* https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/T/#u
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300
## Fixed in version
* [x] master git-2.30.2 (4547b8d38ae70f82a95cbe7bff5811097fbe3b3a)
* [x] 3.13-stable git-2.30.2 (3837863e5e12bf820ff5b74e827b280accdf246e)
* [x] 3.12-stable git-2.26.3 (8834ac5fa1de39fb8a9b163d8dc3f0b80429078d)
* [x] 3.11-stable git-2.24.4 (1ba1be5ddcd467b41613b94f0bd24a2d38c32e33)
* [x] 3.10-stable git-2.22.5 (228e3796b7a8d06a7a12ca0c9e55d4549bf603d8)

Unsatisfiable constraints when adding g++6
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12510
2023-02-07T13:21:36Z
erc

It seems, for me, that the recipe for g++6 is broken. Here is how I reproduced.
Starting from a clean docker environment, when I try to `apk add g++6` it throws me the following error:
```
ERROR: unsatisfiable constraints:
libstdc++-9.3.0-r2:
breaks: g++6-6.4.0-r11[libstdc++=6.4.0-r11]
satisfies: gcc-9.3.0-r2[so:libstdc++.so.6] binutils-2.34-r1[so:libstdc++.so.6]
gcc-9.3.0-r2:
breaks: g++6-6.4.0-r11[gcc=6.4.0-r11]
```
Trying to understand what's happening, I've run the `apk dot g++6 gcc6` which gave me the following graph:
![20210309155654_1047x707_scrot](/uploads/06facf3ce903fb9d70c59e292d261d47/20210309155654_1047x707_scrot.png)
The dependency line from `gcc6` to `binutils` to `libstdc++-10` caught my attention. As we can see, g++6 depends on libstdc++6, but `binutils` wants the latest version. Maybe `gcc6` should not depend on `binutils`?
Unfortunately I could not find the recipe of g++6, so I couldn't go any further. I'm still trying, if anyone wants to show me the right direction it would be very welcoming :)
Edit: I did find the recipe, it's the same of gcc6. But still, I could not find how to test it without a whole ready environment. Unfortunately I can't help much for now. I'll move on with another distro, but I'll keep an eye on this to try again later.

Natanael Copa

community/scribus-1.5.6.1-r3: SlaOutputDev::tilingPatternFill marked 'override', but does not override
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12498
2021-03-06T18:53:15Z
Kevin Daudt

It fails to build on all arches with the error:
```
[ 90%] Building CXX object scribus/plugins/export/pixmapexport/CMakeFiles/scribusexportpixmap.dir/export.cpp.o
In file included from /home/buildozer/aports/community/scribus/src/scribus-1.5.6.1/scribus/plugins/import/pdf/importpdf.cpp:33:
/home/buildozer/aports/community/scribus/src/scribus-1.5.6.1/scribus/plugins/import/pdf/slaoutput.h:199:8: error: 'bool SlaOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, Object*, const double*, int, int, Dict*, const double*, const double*, int, int, int, int, double, double)' marked 'override', but does not override
199 | GBool tilingPatternFill(GfxState *state, Gfx *gfx, Catalog *cat, Object *str, POPPLER_CONST_070 double *pmat, int paintType, int tilingType, Dict *resDict, POPPLER_CONST_070 double *mat, POPPLER_CONST_070 double *bbox, int x0, int y0, int x1, int y1, double xStep, double yStep) override;
| ^~~~~~~~~~~~~~~~~
```
See: https://build.alpinelinux.org/buildlogs/build-edge-x86_64/community/scribus/scribus-1.5.6.1-r3.log

Leo

grub: Multiple vulnerabilities (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12496
2022-12-20T13:48:19Z
Alicha CH

### CVE-2020-14372: acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled
A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
#### References:
* https://www.openwall.com/lists/oss-security/2021/03/02/3
### CVE-2020-25632: Use-after-free in rmmod command
A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2020-25632
* https://www.openwall.com/lists/oss-security/2021/03/02/3
### CVE-2020-25647: Out-of-bound write in grub_usb_device_initialize()
A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2020-25647
* https://www.openwall.com/lists/oss-security/2021/03/02/3
### CVE-2020-27749: Stack buffer overflow in grub_parser_split_cmdline
A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
#### References:
* https://www.openwall.com/lists/oss-security/2021/03/02/3
* https://nvd.nist.gov/vuln/detail/CVE-2020-27749
### CVE-2020-27779: The cutmem command allows privileged user to remove memory regions when Secure Boot is enabled
A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking allowing a privileged attacker to remove address ranges from memory creating an opportunity to circumvent SecureBoot protections after proper triage about grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
#### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2020-27779
### CVE-2021-3418: GRUB 2.05 reintroduced CVE-2020-15705
This flaw only affects upstream and distributions using the shim_lock verifier.
#### References:
* https://www.openwall.com/lists/oss-security/2021/03/02/3
* https://bugzilla.redhat.com/show_bug.cgi?id=1933757
### CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2021-20225
* https://www.openwall.com/lists/oss-security/2021/03/02/3
### CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of space required for quoting
A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2021-20233
* https://www.openwall.com/lists/oss-security/2021/03/02/3
### Affected branches:
* [x] master
* [ ] 3.13-stable
* [ ] 3.12-stable
* [ ] 3.11-stable
* [ ] 3.10-stable

Timo Teräs

jabberd: missing dependency packages
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12489
2022-07-15T23:38:25Z
Nico Schottelius

From edge:
```
alpine:~# apk add ejabberd
ERROR: unable to select packages:
erlang-asn1 (no such package):
required by: ejabberd-17.09-r5[erlang-asn1]
erlang-crypto (no such package):
required by: ejabberd-17.09-r5[erlang-crypto]
erlang-eldap (no such package):
required by: ejabberd-17.09-r5[erlang-eldap]
erlang-mnesia (no such package):
required by: ejabberd-17.09-r5[erlang-mnesia]
erlang-public-key (no such package):
required by: ejabberd-17.09-r5[erlang-public-key]
erlang-sasl (no such package):
required by: ejabberd-17.09-r5[erlang-sasl]
erlang-ssl (no such package):
required by: ejabberd-17.09-r5[erlang-ssl]
erlang-syntax-tools (no such package):
required by: ejabberd-17.09-r5[erlang-syntax-tools]
alpine:~#
alpine:~# cat /etc/apk/repositories
http://dl-2.alpinelinux.org/alpine/edge/main
http://dl-2.alpinelinux.org/alpine/edge/community
http://dl-2.alpinelinux.org/alpine/edge/testing
```

firefox-esr: Multiple vulnerabilities (CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12470
2021-03-16T08:08:57Z
Alicha CH

* CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978: Memory safety bugs
#### Fixed In Version:
Firefox ESR 78.8
#### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/
### Affected branches:
* [x] master
* [x] 3.13-stable

Natanael Copa

postgres: Partition constraint violation errors leak values of denied columns (CVE-2021-3393)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12466
2021-02-23T19:38:15Z
Kevin Daudt

## CVE-2021-3393 Partition constraint violation errors leak values of denied columns
A security issue was found in PostgreSQL 11 to 13 before version 13.2. A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to exploit are more rare.
## Affects
* edge: postgres-13.1-r2
* v3.13: postgres-13.1-r2
* v3.12: postgres-12.5-r0
* v3.11: postgres-12.5-r0
* v3.10: postgres-11.10-r0
## References
* https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
## Fixed in
* Postgres 13.2
* Postgres 12.6
* Postgres 11.11
## Branches
* [x] master: postgres-3.12-r0 (de44e327d46ea44425f83cbf8c0d3368ecf74399)
* [x] 3.13-stable: postgres-13.2-r0 (87ef3a18fd31dcdb5a100656f41792899105eb76)
* [x] 3.12-stable: postgres-12.6-r0 (e04ed3a2193bc362cadea9bb8b1911ea83e77b6a)
* [x] 3.11-stable: postgres-12.6-r0 (29681ecc8547bee9af8e9c4a2aa0c707717013b6)
* [x] 3.10-stable: postgres-11.11-r0 (2ac5b2e57e4f1cab9571f0d467b1da99baa8c11b)
* [x] 3.9-stable: postgres-11.11-r0 (c729312a3e9d40ea50e135c021624c4a2edfafa0)

Jakub Jirutka

postgres: Single-column SELECT privilege enables reading all columns (CVE-2021-20229)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12465
2021-02-23T19:25:09Z
Kevin Daudt

A security issue was found in PostgreSQL 13 before version 13.2. A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table. Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed.
## Affects
* edge: postgres-13.1-r2
* v3.13: postgres-13.1-r2
## References
* https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
## Fixed in
* Postgres 13.2
### Branches
* [x] master: 13.2-r0 (de44e327d46ea44425f83cbf8c0d3368ecf74399)
* [x] 3.13-stable: postgres-13.2-r0 (87ef3a18fd31dcdb5a100656f41792899105eb76)

community/ntpsec: python based client tools not working
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12449
2021-02-21T15:34:52Z
MY-R

```
# ntpq -p
Traceback (most recent call last):
File "/usr/bin/ntpq", line 26, in <module>
import ntp.ntpc
File "/usr/lib/python3.8/site-packages/ntp/ntpc.py", line 52, in <module>
_ntpc = _importado()
File "/usr/lib/python3.8/site-packages/ntp/ntpc.py", line 38, in _importado
return _dlo(ntpc_paths)
File "/usr/lib/python3.8/site-packages/ntp/ntpc.py", line 49, in _dlo
raise OSError("Can't find %s library" % LIB)
OSError: Can't find ntpc library
# ntpdig
Traceback (most recent call last):
File "/usr/bin/ntpdig", line 19, in <module>
import ntp.packet
File "/usr/lib/python3.8/site-packages/ntp/packet.py", line 219, in <module>
import ntp.ntpc
File "/usr/lib/python3.8/site-packages/ntp/ntpc.py", line 52, in <module>
_ntpc = _importado()
File "/usr/lib/python3.8/site-packages/ntp/ntpc.py", line 38, in _importado
return _dlo(ntpc_paths)
File "/usr/lib/python3.8/site-packages/ntp/ntpc.py", line 49, in _dlo
raise OSError("Can't find %s library" % LIB)
OSError: Can't find ntpc library
```
Above commands started to work after moving these files from default ``/usr/lib/ntp`` to ``/usr/lib``:
```
# ls -l /usr/lib/ntp
total 48
lrwxrwxrwx 1 root root 16 Feb 18 23:17 libntpc.so -> libntpc.so.1.1.0
lrwxrwxrwx 1 root root 16 Feb 18 23:17 libntpc.so.1 -> libntpc.so.1.1.0
-rwxr-xr-x 1 root root 46928 Oct 12 01:12 libntpc.so.1.1.0
```
Affected are at least Alpine ``edge`` and ``3.13-stable``

python3: ctypes double representation BoF (CVE-2021-3177)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12448
2021-02-19T15:33:23Z
Michał Polański

sources:
* https://nvd.nist.gov/vuln/detail/CVE-2021-3177
* https://bugs.python.org/issue42938
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
# Affected aports with active support
* [x] master: python3 3.8.7-r1
* [x] 3.13-stable: python3 3.8.7-r0
* [x] 3.12-stable: python3 3.8.5-r0
* [x] 3.11-stable: python3 3.8.2-r1
* [x] 3.10-stable: python3 3.7.7-r1

Natanael Copa

nodejs, nodejs-current: security release on February 23rd, 2021
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12447
2021-03-31T18:38:02Z
Michał Polański

Source: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
# Summary
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, February 23rd, 2021.
One Critical severity issue
One High severity issue
One Low severity issue
# Impact
The 15.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 14.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 12.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
The 10.x release line of Node.js is vulnerable to one critical severity issue, one high severity issue, and one low severity issue.
# Affected aports with active support
* [x] master: nodejs 14.15.5-r0 (main)
* [x] master: nodejs-current 15.8.0-r1 (community)
* [x] 3.13-stable: nodejs 14.15.5-r0 (main)
* [x] 3.13-stable: nodejs-current 15.5.1-r0 (community)
* [x] 3.12-stable: nodejs 12.20.1-r0 (main)
* [x] 3.11-stable: nodejs 12.20.1-r0 (main)
* [x] 3.10-stable: nodejs 10.19.0-r0 (main)

2021-02-23

webkit2gtk: use-after-free may lead to arbitrary code execution via crafted web content (CVE-2020-13558)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12437
2021-02-16T18:35:23Z
Alicha CH

* Processing maliciously crafted web content may lead to arbitrary code execution.
* A use after free issue in the AudioSourceProviderGStreamer class was addressed with improved memory management.
* Versions affected: WebKitGTK before 2.30.5 and WPE WebKit before 2.30.5.
#### Reference:
https://webkitgtk.org/security/WSA-2021-0001.html
### Affected branches:
* [x] master
* [x] 3.13-stable

Rasmus Thomsen oss@cogitri.dev

CVE-2020-13949: Apache Thrift: potential DoS when processing untrusted payloads
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12428
2021-02-14T15:13:56Z
Michał Polański

source: https://seclists.org/oss-sec/2021/q1/140
fixed in Apache Thrift 0.14.0
currently `testing/thrift` is at version 0.13.0, needs upgrading

libusb: 1.0.24 have issues on docker
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12426
2021-02-15T09:18:55Z
Pascal Vizeli

With alpine 3.13 we have issues with libusb on some of our containers: `libusb: error [get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/001/004, errno=1`
But if we use alpine 3.12, everything works fine. The only difference is that Alpine 3.13 use 1.0.24 and Alpine 3.12 is running with 1.0.23
Or in another container:
```
[20:03:58] INFO: Starting the UPS drivers...
Network UPS Tools - UPS driver controller 2.7.4
Network UPS Tools - Generic HID driver 0.41 (2.7.4)
USB communication driver 0.33
No matching HID UPS found
Driver failed to start (exit status=1)
```
which works perfectly with Alpine 3.12
Are there somethings new which we need to care about?

screen: crash when processing combining chars (CVE-2021-26937)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12424
2021-02-11T14:20:22Z
Alicha CH

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
#### References:
* https://www.openwall.com/lists/oss-security/2021/02/09/3
* https://nvd.nist.gov/vuln/detail/CVE-2021-26937
### Affected branches:
* [x] master
* [x] 3.13-stable
* [x] 3.12-stable
* [x] 3.11-stable
* [x] 3.10-stable

Natanael Copa

GHSL-2021-045: integer overflow in g_bytes_new/g_memdup
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12423
2021-11-26T07:23:27Z
Rasmus Thomsen oss@cogitri.dev

Glib > 2.66.6 offers a new g_memdup2 function which fixes a vulnerability g_memdup has, see https://gitlab.gnome.org/GNOME/glib/-/issues/2319 for more details.
Unfortunately upstream won't backport the fix to anything other than the 2.66 branch (but applications on stable branches which use glib older than 2.66 probably couldn't be switched over to the new API anyway).
- [X] Update glib to >= 2.66.6 in edge 45e7a61b487b089e4e0ddac129fa402c4e805f18
- [X] Update glib to >= 2.66.6 in 3.13 13c57372be26b818fe182627f19bbb93506165f5
- [ ] Once a new Vala release is made which emits C code that uses g_memdup2 instead of g_memdup, rebuild all Vala packages
CC @Leo

Rasmus Thomsen oss@cogitri.dev

openvswitch: limitation in the OVS packet parsing in userspace leads to DoS (CVE-2020-35498)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12422
2021-02-11T11:43:37Z
Alicha CH

Multiple versions of Open vSwitch are vulnerable to potential problems
like denial of service attacks, in which crafted network packets could
cause the packet lookup to ignore network header fields from layers 3
and 4.
Both kernel and userspace datapaths are affected, including DPDK enabled
Open vSwitch (OVS-DPDK) as an example of the latter.
The crafted network packet is an ordinary IPv4 or IPv6 packet with
Ethernet padding length above 255 bytes. This causes the packet sanity
check to abort parsing header fields after layer 2.
When that situation happens, the classifier will use an unexpected set
of header fields. This could cause the packet lookup to either match
on unintended flows or return the default table miss action 'drop'.
As a consequence, the datapath can be instructed to match on an
incorrect range of packets with an action to drop them, for example.
Further legit traffic could hit the cached flow preventing it to
expire extending the situation.
#### Fixed In Version:
openvswitch 2.14.2, 2.13.3, 2.12.3, 2.11.6, 2.10.7, 2.9.9, 2.8.11, 2.7.13, 2.6.10, 2.5.12
#### Reference:
https://www.openwall.com/lists/oss-security/2021/02/10/4
#### Patch:
https://github.com/openvswitch/ovs/commit/53c1b8b166f3dd217bc391d707885f789e9ecc49 (2.12)
### Affected branches:
* [x] master
* [x] 3.13-stable

libmaxminddb 1.5 does not generate its conf file
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12420
2021-03-06T22:45:55Z
aptalca

Current libmaxminddb 1.5 package in alpine 3.13 doesn't create its conf file at `/etc/conf.d/libmaxminddb`
Here's a basic test:
```
$ docker run --rm -it alpine:3.13 /bin/sh -c 'apk add --no-cache libmaxminddb && ls -al /etc/conf.d'
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
(1/6) Installing ca-certificates (20191127-r5)
(2/6) Installing brotli-libs (1.0.9-r3)
(3/6) Installing nghttp2-libs (1.42.0-r1)
(4/6) Installing libcurl (7.74.0-r0)
(5/6) Installing curl (7.74.0-r0)
(6/6) Installing libmaxminddb (1.5.0-r0)
Executing busybox-1.32.1-r2.trigger
Executing ca-certificates-20191127-r5.trigger
OK: 8 MiB in 20 packages
total 12
drwxr-xr-x 2 root root 4096 Jan 28 21:51 .
drwxr-xr-x 1 root root 4096 Feb 11 04:24 ..
```
Its cron file is successfully copied to the periodic weekly folder, though.
Previous version package on 3.12 does generate its conf file properly.
Same test as above but with 3.12:
```
$ docker run --rm -it alpine:3.12 /bin/sh -c 'apk add --no-cache libmaxminddb && ls -al /etc/conf.d'
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
(1/5) Installing ca-certificates (20191127-r4)
(2/5) Installing nghttp2-libs (1.41.0-r0)
(3/5) Installing libcurl (7.69.1-r3)
(4/5) Installing curl (7.69.1-r3)
(5/5) Installing libmaxminddb (1.4.3-r0)
Executing busybox-1.31.1-r19.trigger
Executing ca-certificates-20191127-r4.trigger
OK: 7 MiB in 19 packages
total 16
drwxr-xr-x 1 root root 4096 Feb 11 04:29 .
drwxr-xr-x 1 root root 4096 Feb 11 04:29 ..
-rwxr-xr-x 1 root root 351 Dec 29 12:00 libmaxminddb
```