|
Services | PunBB Issue | Security Issue | Medium | Low | Forum Spammers on PunBB | Closed | |
Task Description
We’ve received a large number of bots registering lately, and once they find you they tend to multiply. We should block the bad ones quickly to avoid spam flooding.
There are several options available, but most seem outdated.
- Stop Forum Spam works very well, but may also block legitimate users, and the PunBB plugin seems to be corrupt for the latest version
- JS/captchas work OK but are annoying for users, and there are no updated plugins.
- Basic question captchas are not too invasive and block the majority of bots for a season. Possibly outdated. http://punbb.informer.com/wiki/punbb13/extensions/pun_stop_bots
|
|
Packages | Any | Implementation Request | Low | Low | [codecrypt] add new package | Closed | |
Task Description
This is a GnuPG-like Unix program for encryption and signing that uses only quantum-computer-resistant algorithms:
- McEliece cryptosystem (compact QC-MDPC variant) for encryption
- Hash-based Merkle tree algorithm (FMTSeq variant) for digital signatures
Codecrypt is free software. The code is licensed under terms of LGPL3 in a good hope that it will make combinations with other tools easier.
|
|
Packages | Any | Security Issue | Very High | Critical | [linux-libre-lts*] Meltdown & Spectre Vulnerability | Closed | |
Task Description
Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.
|
|
Packages | Any | Bug Report | Medium | Low | firejail: mpv.profile fails to work | Closed | |
Task Description
Users trying to use firejail against mpv experience errors such as:
[ytdl_hook] AVideo failed, trying to play URL directly ... [ffmpeg] tls: The TLS connection was non-properly terminated. Failed to recognize file format.
The error is caused by not having avideo whitelisted in firejail.
|
|
Packages | Any | Feature Request | Medium | Low | [cinnamon] add elogind support | Closed | |
Task Description
Cinnamon currently does not support elogind, and depends on systemd. A patch is needed to fix this issue.
|
|
Packages | Any | Security Issue | High | Critical | [python2] heap-overflow vulnerability CVE-2018-1000030 | Closed | |
Task Description
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiple threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread 1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free: Thread 3 mallocs → Thread 1 frees → Thread 2 reuses the freed memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
https://security-tracker.debian.org/tracker/CVE-2018-1000030
|
|
Packages | Any | Feature Request | Medium | Medium | [pybitmessage] Package Request | Closed | |
Task Description
PyBitmessage is a secure p2p e-mail alternative. It could be useful to package it.
https://github.com/Bitmessage/PyBitmessage/releases
https://aur.archlinux.org/packages/pybitmessage/
https://aur.archlinux.org/packages/pybitmessage-git/ (contains a firejail profile)
|
|
Packages | Any | Privacy Issue | High | Critical | [deepin-desktop-base] Check for CNZZ Spyware | Closed | |
Task Description
As per a recent discovery, we should check if our deepin is affected by the CNZZ spyware in the AppStore. https://www.youtube.com/watch?v=v25Dy66AtNI
We also shouldn’t use the AppStore if it exists, due to non-free apps.
Known files:
- usr/share/dbus-1/system-services/com.deepin.daemon.Apps.service
- etc/appstore.json
|
|
Packages | Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | |
Task Description
http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu devicemodel process. (The virtual CDROM device is read-only, so no data can be written.)
http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host.
http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time.
http://openwall.com/lists/oss-security/2018/05/11/2
[critical] A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation, or information leaks, cannot be excluded.
Patches provided by upstream.
|
|
Packages | Any | Security Issue | Medium | Critical | [glusterfs] CVE-2018-1088: Privilege escalation via gl ... | Closed | |
Task Description
https://security-tracker.debian.org/tracker/CVE-2018-1088
http://openwall.com/lists/oss-security/2018/04/18/1
https://bugs.debian.org/896128
A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
Upstream patches: https://review.gluster.org/#/c/19899/1..2
Fixed in: https://github.com/gluster/glusterfs/releases/tag/v4.0.2
|
|
Packages | Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | |
Task Description
An external attacker is able to inject arbitrary cookie values into the cookie jar file, adding new or replacing existing cookie values. http://openwall.com/lists/oss-security/2018/05/06/1
Fixed in GNU Wget 1.19.5 or later.
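The injection class described in this task, as an added example (not wget's code and not the upstream fix): a toy line-oriented cookie jar in the tab-separated cookies.txt layout, fed once by a naive store routine and once by a hardened one that refuses control characters in the cookie name or value. The assumption that the attacker's lever is a control character embedded in a Set-Cookie value, the seven-field record layout and the header values themselves are constructed for this example and are not taken from the advisory.

```python
"""Added example (not wget's code): why control characters in a Set-Cookie
value must be rejected before the cookie reaches a line-oriented cookie jar.
The seven-field cookies.txt layout is an assumption about the jar format; the
header values below are constructed."""
import re


def jar_line(domain, path, name, value, expiry=0, secure=False):
    """One cookies.txt record: domain, subdomain flag, path, secure, expiry, name, value."""
    return "\t".join([domain, "FALSE", path, "TRUE" if secure else "FALSE",
                      str(expiry), name, value])


def parse_set_cookie(header_value):
    """Return (name, value) from the leading name=value pair of a Set-Cookie header."""
    pair = header_value.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def store_naive(jar, domain, header_value):
    """Vulnerable: copies name and value into the jar without validation."""
    name, value = parse_set_cookie(header_value)
    jar.append(jar_line(domain, "/", name, value))
    return jar


_CTL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, TAB and the other control characters


def store_hardened(jar, domain, header_value):
    """Hardened: refuse any cookie whose name or value could break the record format."""
    name, value = parse_set_cookie(header_value)
    if not name or _CTL.search(name) or _CTL.search(value):
        raise ValueError("Set-Cookie rejected: control character in name or value")
    jar.append(jar_line(domain, "/", name, value))
    return jar


def load_jar(text):
    """Read a jar back the way a client would: one record per line, seven fields each."""
    cookies = {}
    for line in text.split("\n"):
        fields = line.split("\t")
        if len(fields) != 7 or line.startswith("#"):
            continue
        domain, _, _, _, _, name, value = fields
        cookies.setdefault(domain, {})[name] = value
    return cookies


# Constructed malicious header from evil.example: the value carries an embedded
# newline followed by a complete record for an unrelated domain.
MALICIOUS = "session=abc\n.bank.example\tTRUE\t/\tTRUE\t0\tsession\tattacker"
BENIGN = "session=abc; Path=/; HttpOnly"


def demo():
    """Return (cookies seen after the naive store, whether the hardened store refused)."""
    naive_cookies = load_jar("\n".join(store_naive([], "evil.example", MALICIOUS)))
    try:
        store_hardened([], "evil.example", MALICIOUS)
        refused = False
    except ValueError:
        refused = True
    return naive_cookies, refused


if __name__ == "__main__":
    cookies, refused = demo()
    print("naive jar now holds:", cookies)
    print("hardened store refused the header:", refused)
```

The point of `load_jar` is that the reader of the file cannot tell an injected record from a legitimate one; the only place the attack can be stopped is on the write path, which is why the hardened store rejects the whole header rather than trying to repair it.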
|
|
Packages | Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | |
Task Description
Uses that require explicit approval
Distributing a modified version of the Rust programming language or the Cargo package manager and calling it Rust or Cargo requires explicit, written permission from the Rust core team. We will usually allow these uses as long as the modifications are (1) relatively small and (2) very clearly communicated to end-users.
Selling t-shirts, hats, and other artwork or merchandise requires explicit, written permission from the Rust core team. We will usually allow these uses as long as (1) it is clearly communicated that the merchandise is not in any way an official part of the Rust project and (2) it is clearly communicated whether profits benefit the Rust project.
Using the Rust trademarks within another trademark requires written permission from the Rust core team except as described above.
Since it violates the freedom to redistribute without “explicit” approval, this is a freedom issue.
|
|
Packages | Any | Privacy Issue | Medium | Medium | [meta] Investigate DuckDuckGo links for privacy | Closed | |
Task Description
As per a user report (https://forums.hyperbola.info/viewtopic.php?id=92), DDG is a USA-based search engine and is blocking Tor users (https://trac.torproject.org/projects/tor/ticket/23648). They are also using non-free JS on the default search.
It seems the best way to solve this is to use their “html” hidden service since it conceals the user IP, doesn’t block Tor users by default, and doesn’t need JS. https://3g2upl4pq6kufc4m.onion/html/
This will affect multiple applications that are currently using DuckDuckGo. The alternative is to remove it completely, but it still is a better option than Google et al. for privacy...
|
|
Packages | Any | Feature Request | Low | Low | [npapi-vlc] package from git source | Closed | |
Task Description
Description: As mentioned in Bug #18, our VLC plugin was not maintained in some time and the deprecated addon was removed. However, upstream is actively working on the plugin as per: https://code.videolan.org/videolan/npapi-vlc/tree/master
We should build this from source and re-package.
|
|
Packages | Any | Security Issue | Medium | High | [toxcore] vulnerability affecting versions < 0.2.3 | Closed | |
Task Description
Per the official toxcore blog, there is a security issue that affects all versions prior to 0.2.3. Users' IP addresses will leak if they have a public ToxID. https://blog.tox.chat/2018/04/security-vulnerability-and-new-toxcore-release/
|
|
Packages | Any | Security Issue | Very High | Critical | [dropbear] CVE-2018-15599 | Closed | |
Task Description
User enumeration in Dropbear 2018.76 and earlier http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
Patch: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00
|
|
Packages | Any | Security Issue | Medium | Medium | [openssh] CVE-2018-15919 | Closed | |
Task Description
Remotely observable behavior in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states ‘We understand that the OpenSSH developers do not want to treat such a username enumeration (or “oracle”) as a vulnerability.’ https://security-tracker.debian.org/tracker/CVE-2018-15919
|
|
Packages | Any | Security Issue | Very High | Critical | [mutt] CVE-2018-14354 | Closed | |
Task Description
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.
https://security-tracker.debian.org/tracker/CVE-2018-14354
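The hazard behind this CVE, as an added example (not Mutt's code and not the upstream patch): a toy config-line tokenizer that performs backquote command substitution, shown first with a server-supplied mailbox name pasted straight into a `mailboxes` line and then with the name quoted so that backquote, double quote and backslash are escaped. The quoting rules (backslash escapes, no substitution inside single quotes) and the hostile mailbox name are this example's assumptions, not Mutt's exact parser behaviour.

```python
"""Added example (not Mutt's code): a toy for the hazard behind CVE-2018-14354.
A config-line tokenizer that performs backquote command substitution must never
see an unescaped server-supplied string. The quoting rules below (backslash
escapes; no substitution inside single quotes) are this toy's assumptions, and
the mailbox name is constructed."""


def backquote_commands(rc_line):
    """Return the shell commands that backquote substitution would run on rc_line.
    Nothing is executed; the toy only reports what a real parser would hand to a shell."""
    cmds, qc, i, n = [], None, 0, len(rc_line)
    while i < n:
        ch = rc_line[i]
        if ch == "\\" and i + 1 < n:        # backslash-escaped char is never special
            i += 2
            continue
        if qc is None and ch in "\"'":      # open a quoted span
            qc = ch
        elif qc == ch:                      # close the current quoted span
            qc = None
        elif ch == "`" and qc != "'":       # substitution applies outside single quotes
            end = rc_line.find("`", i + 1)
            if end == -1:
                break
            cmds.append(rc_line[i + 1:end])
            i = end + 1
            continue
        i += 1
    return cmds


def quote_mailbox(name):
    """Wrap a mailbox name in double quotes, escaping quote, backslash and backquote."""
    out = ['"']
    for ch in name:
        if ch in '"\\`':
            out.append("\\")
        out.append(ch)
    out.append('"')
    return "".join(out)


def unquote(token):
    """Inverse of quote_mailbox: drop the surrounding quotes and the backslash escapes."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("expected a double-quoted token")
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def mailboxes_line_naive(name):
    """Vulnerable: the server-supplied name goes into the config line as-is."""
    return 'mailboxes "%s"' % name


def mailboxes_line_hardened(name):
    """Hardened: the name is quoted so the tokenizer sees it as one literal string."""
    return "mailboxes " + quote_mailbox(name)


# Constructed mailbox name as a hostile IMAP server might return it in a LIST response.
SERVER_NAME = "INBOX`touch /tmp/pwned`"

if __name__ == "__main__":
    print("naive    ->", backquote_commands(mailboxes_line_naive(SERVER_NAME)))
    print("hardened ->", backquote_commands(mailboxes_line_hardened(SERVER_NAME)))
```

The lesson generalises beyond IMAP: any time remote data is re-serialised into a configuration language that the program later re-parses, every metacharacter of that language has to be escaped, and the round trip (`unquote(quote_mailbox(name)) == name`) is the check that the escaping is lossless.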
|
|
Packages | Any | Bug Report | Low | Low | [usbutils] lsusb does not list device names | Closed | |
Task Description
Description:
lsusb does not resolve device names from /var/lib/usbutils/usb.ids
The same thing as described here: https://unix.stackexchange.com/questions/220759/lsusb-doesnt-list-device-names
|
|
Packages | Any | Bug Report | Medium | Medium | [linux-libre-lts] enable CONFIG_USER_NS | Closed | |
Task Description
Currently it’s not possible to enable “noroot” in firejail due to missing CONFIG_USER_NS in the kernel. This is a bug also in Arch. https://github.com/netblue30/firejail/issues/1069
|
|
Packages | Testing | Implementation Request | Medium | Medium | linux-libre-lts-hypersec: New package with extra securi ... | Closed | |
Task Description
Description: Per a user request and to better secure the kernel, we can embed cryptsetup support and the ciphers in the kernel. This would mean that rather than being exposed as modules, they are built into the kernel and ready to use even without an initramfs.
To be embedded: ciphers aes, twofish, serpent; sha256, sha512 - and the necessary modules (don’t forget the block modes xts, lvm and cryptsetup …)
Additionally, we could include USB Guard and any other features that meet our social contract and security outlook.
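A kernel configuration fragment for the built-in crypto and device-mapper support requested above, as an added example (not the package's actual config). The Kconfig symbol names are the mainline ones; reading "lvm and cryptsetup" as the in-kernel device-mapper and dm-crypt targets is an assumption about what the request means, and USBGuard is a userspace daemon, so nothing is built in for it here.

```kconfig
# Symmetric ciphers and hashes, built in rather than as modules
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
# Block modes used by cryptsetup/LUKS volumes
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_CBC=y
# Userspace access to the kernel crypto API (cryptsetup's kernel crypto backend)
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_HASH=y
# Device mapper and the dm-crypt target (what LVM and cryptsetup need in-kernel)
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
# Optional: expose the running config so the result can be verified after boot
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
```

After booting the result, `zcat /proc/config.gz | grep -E 'CONFIG_(DM_CRYPT|CRYPTO_XTS|CRYPTO_SERPENT)='` should show `=y` rather than `=m` for each, and `/proc/crypto` should list the ciphers and modes without any module having been loaded.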
|
|
Packages | Testing | Bug Report | Medium | Medium | [qtcreator] requires libsystemd.so | Closed | |
Task Description
Description: The currently packaged version of QtCreator is built with SystemD support, and on v0.3 no longer works.
Steps to reproduce:
Cannot load plugin because dependency failed to load: ProjectExplorer(4.2.2) Reason: /usr/lib/qtcreator/plugins/libProjectExplorer.so: Cannot load library /usr/lib/qtcreator/plugins/libProjectExplorer.so: (libsystemd.so.0: cannot open shared object file: No such file or directory)
We need to see if it is possible to build binary without libsystemd.so or remove the package.
|
|
Packages | Any | Implementation Request | Low | Low | [opmsg] add new package | Closed | |
Task Description
Description: opmsg is a replacement for gpg which can encrypt/sign/verify your mails or create/verify detached signatures of local files. Even though the opmsg output looks similar, the concept is entirely different.
Additional info: https://aur.archlinux.org/packages/opmsg/
|
|
Packages | Any | Bug Report | Low | Low | [xdg-utils] doesn't work with -uxp applications and has ... | Closed | |
Task Description
As per the source code, xdg-utils is meant to work with firefox, google-chrome, and other browsers. It is missing support for -uxp applications.
|