All Projects

ProjectCategoryTask TypePrioritySeveritySummaryStatusProgress  desc
PackagesAnyImplementation RequestVery LowMedium[gitea] self-hosted git service Assigned
0%
Task Description

Description:

A nice Git service would be welcomed in our pacman.

- https://github.com/go-gitea/gitea

- https://www.archlinux.org/packages/community/x86_64/gitea/

PackagesAnyImplementation RequestVery LowLow[exifread] add packageUnconfirmed
0%
Task Description

Hello,

Could it be possible to add this package :

exifread

“Python library to extract EXIF data from tiff and jpeg files”

https://aur.archlinux.org/packages/exifread/

Thanks

Software DevelopmentIceweasel-UXPImplementation RequestDeferLowSwiftweasel-UXP theme for Iceweasel-UXPUnconfirmed
0%
Task Description

Description:
Historically, Swiftweasel was a Firefox-based application built on XUL platform around 2007 and abandoned in 2010. It was optimized for several architectures using the following methods such as the Profile-Guided Optimization (PGO) and binary code optimization for computers with limited resources.

Since there are users encouraging us develop a Palemoon-based application , and Swiftweasel contains non-trademarked graphics and logos, we could port Swiftweasel to UXP platform as theme for Iceweasel-UXP.

Software DevelopmentIcedove-UXPImplementation RequestDeferLowSwiftdove-UXP theme for Icedove-UXPUnconfirmed
0%
Task Description

Description:
Historically, Swiftdove was a Thunderbird-based application built on XUL platform around 2007 and abandoned in 2010. It was optimized for several architectures using the following methods such as the Profile-Guided Optimization (PGO) and binary code optimization for computers with limited resources.

Since FossaMail may potentially be revived on UXP in the future [0] and Swiftdove contains non-trademarked graphics and logos, we could port Swiftdove to UXP platform as theme for Icedove-UXP.

PackagesAnyImplementation RequestVery LowLow[obmenu-generator] add packageUnconfirmed
0%
Task Description

Could it be possible to add :

obmenu-generator

A fast pipe/static menu generator for the Openbox Window Manager (with icons support)

License : GPL3

https://github.com/trizen/obmenu-generator https://www.parabola.nu/packages/pcr/x86_64/obmenu-generator/

Thanks

PackagesAnyImplementation RequestVery LowLow[sayonara] add packageUnconfirmed
0%
Task Description

Hello,

I stumbled upon this music player recently, it is very promising and fully free (GPL3)

“Sayonara is a small, clear and fast audio player for Linux written in C++, supported by the Qt framework. It uses GStreamer as audio backend. Sayonara is open source and uses the GPLv3 license. One of Sayonara’s goals is intuitive and easy usablility. Currently, it is only available for Linux and BSD.

Although Sayonara can be considered as a lightweight player, it holds a lot of features in order to organize even big music collections.”

Latest version is 1.1.1 and it is very stable on my hyperbola system. I think it would be a great addition to Hyperbola repo.

https://sayonara-player.com/

A PKGBUILD is available here :

https://sayonara-player.com/sw/arch_linux/PKGBUILD

PackagesAnyImplementation RequestVery HighHigh[murmur-headless] add a Murmur package capable of worki...In Progress
0%
Task Description

Description:

  • Add new a Murmur package capable of working without a graphical user interface. It’s common on servers and embedded devices that requires only interfaces like network (eg. SSH) or serial port to handle services.

Additional info:

  • based on murmur 1.2.19-5

Steps to reproduce:

  • none
PackagesAnyImplementation RequestVery HighHigh[asterisk-headless] add an Asterisk package capable of ...In Progress
0%
Task Description

Description:

  • Add an Asterisk package capable of working without a graphical user interface. It’s common on servers and embedded devices that requires only interfaces like network (eg. SSH) or serial port to handle services.

Additional info:

  • based on asterisk 14.4.0-1

Steps to reproduce:

  • none
PackagesAnyImplementation RequestVery HighMedium[coturn] add new packageUnconfirmed
0%
Task Description

Description:

  • add new package

Additional info:

Steps to reproduce:

  • none
PackagesAnyImplementation RequestVery HighMedium[mediagoblin] add GNU MediaGoblin packageUnconfirmed
0%
Task Description

Description:

  • add GNU MediaGoblin package

Additional info:

  • none

Steps to reproduce:

  • none
PackagesAnyImplementation RequestVery LowMedium[foxtrotgps] please add package to reposUnconfirmed
0%
Task Description

Unlike other mapping software (gnome-maps, emerillon) it does not depend on geoclue/geoclue2 (or on kde packages like marble). The package was added to Arch’s official repos over a year ago. Their PKGBUILD builds fine.

PackagesAnyImplementation RequestVery LowMedium[peertube] Add new PackageUnconfirmed
0%
Task Description

Description:

Hi guys. Could they add PeerTube to Hyperbola?

It’s on AUR.

Under the AGPLv3 license

Additional info:

I see that the PeerTube help configuration with an init.d

PackagesAnyImplementation RequestVery LowMedium[purple-matrix] Please add packageUnconfirmed
0%
Task Description

Package is a libpurple plugin for the Matrix protocol which is consistent with Hyperbola’s social contract as Matrix is a federated protocol.

Source code can be found here licensed under GPLv2:

https://github.com/matrix-org/purple-matrix

PKGBUILD for git version is available here (last stable release is from two years ago so git version is probably the best version to use):

https://aur.archlinux.org/packages/purple-matrix-git/

PackagesAnyImplementation RequestVery LowLow[mkv-extractor-qt] add packageUnconfirmed
0%
Task Description

Could it be possible to add :

mkv-extractor-qt

“Graphical MKV demultiplexer”

https://aur.archlinux.org/packages/mkv-extractor-qt/

License: GPL3

Thanks

ServicesHyperWiki/DokuWikiImplementation RequestVery LowMediumProvide binaries for the Ice*-UXP applications in their...Unconfirmed
0%
Task Description

This would ease their usage on other distros.

PackagesAnyImplementation RequestVery LowLow[vidcutter] add packageUnconfirmed
0%
Task Description

Could it be possible to add :

vidcutter

“A modern, simple to use, constantly evolving and hella fast MEDIA CUTTER + JOINER w/ frame-accurate SmartCut technology + Qt5, libmpv, FFmpeg and MediaInfo powering the backend.”

License : GPL3

https://aur.archlinux.org/packages/vidcutter/

https://vidcutter.ozmartians.com/

PackagesAnyImplementation RequestVery LowMediumPrivacy Settings for IceapeUnconfirmed
0%
Task Description

This addon works for any firefox based browser but not seamonkey based or this.

I wondered if you could implement the iceweasel one for Iceape.

Software DevelopmentGeneralImplementation RequestVery HighCriticalPOWER (ppc64le) portingDeferred
0%
Task Description

The unfortunate reality is that x86 computers come encumbered with built-in low-level backdoors like the Intel Management Engine , as well as nonfree boot firmware. This means that users can’t gain full control over their computers, even if they install a free operating system such as Hyperbola GNU/Linux-libre .

Hyperbola is working hard to fix these issues and getting closer every day, but for the time being, this is why many current Respects Your Freedom (RYF) offerings are refurbished older devices.

For the future of free computing, we need support architectures that do not come with such malware pre-installed, and the Power9-based Talos II promises to be a great architecture example for workstations and servers environments where Hyperbola is focused since is a fully free long-term support distribution.

Devices like this are the future of computing that Respects Your Freedom and for that reason it’s a high priority for Hyperbola port all packages for the POWER architecture (power64le).

NOTE: POWER porting is focused only for Hyperbola GNU/Linux-libre .

Software DevelopmentGeneralImplementation RequestVery HighCriticalARM (aarch and armv7h) portingDeferred
0%
Task Description

The unfortunate reality is that x86 computers come encumbered with built-in low-level backdoors like the Intel Management Engine , as well as nonfree boot firmware. This means that users can’t gain full control over their computers, even if they install a free operating system such as Hyperbola GNU/Linux-libre .

Hyperbola is working hard to fix these issues and getting closer every day, but for the time being, this is why many current Respects Your Freedom (RYF) offerings are refurbished older devices.

For the future of free computing, we need support architectures that do not come with such malware pre-installed, and ARM A7/A53 promises to be a great architecture example for low-power computers, laptops and embedded systems.

NOTE: ARM porting is focused only for HyperbolaBSD .

Software DevelopmentGeneralImplementation RequestDeferCriticalRISC-V (riscv64) porting + multilib supportDeferred
0%
Task Description

The unfortunate reality is that x86 computers come encumbered with built-in low-level backdoors like the Intel Management Engine , as well as nonfree boot firmware. This means that users can’t gain full control over their computers, even if they install a free operating system such as Hyperbola GNU/Linux-libre .

Hyperbola is working hard to fix these issues and getting closer every day, but for the time being, this is why many current Respects Your Freedom (RYF) offerings are refurbished older devices.

For the future of free computing, we need support architectures that do not come with such malware pre-installed, and RISC-V promises to be a great architecture example for low-power computers, laptops and embedded systems, also as ARM architecture replacement.

Devices like this are the future of computing that Respects Your Freedom and for that reason it’s a high priority for Hyperbola port all packages for the RISC-V architecture (riscv64) with multilib support.

NOTE: RISC-V porting is focused only for Hyperbola GNU/Linux-libre .

PackagesTestingImplementation RequestMediumMediumlinux-libre-lts-hypersec: New package with extra securi...Deferred
0%
Task Description

Description: Per a user request and to better secure the kernel, we can embed the cryptsetup and ciphers in the kernel. This would mean rather than exposed modules, they are built-in to the kernel and ready to use even without an intramfs.

To be embedded: ciphers aes, twofish, serpent; sha256, sha512 - and the necessary modules (don’t forget the block modes xts, lvm and cryptsetup ...)

Additionally, we could include USB Guard and any other features that meet our social contract and security outlook.

PackagesAnyImplementation RequestVery LowMedium[midori] please re-add new releasesUnconfirmed
0%
Task Description

The security issues regarding the package which led to the package’s removal from Hyperbola (old WebKit and Vala dependency) have apparently been resolved in recent releases, see the new comment in this bug report and the latest PKGBUILD in Arch’s repo.

https://launchpad.net/bugs/1698483

https://www.archlinux.org/packages/community/x86_64/midori/

PackagesAnyImplementation RequestVery LowLow[qarte] add packageUnconfirmed
0%
Task Description

Request for :

qarte

“Allow you to browse into the archive of arte+7 & arteLiveWeb sites and to record your prefered videos.”

https://aur.archlinux.org/packages/qarte

License : GPL3

PackagesAnyImplementation RequestVery LowMedium[nnn] package requestUnconfirmed
0%
Task Description

This is a request to package nnn - a full-featured terminal file manager for low-end devices and the regular desktop.

nnn is available on Debian, Ubuntu (and family), Fedora, OpenSUSE and Arch Linux.

Homepage: https://github.com/jarun/nnn License: BSD 2-Clause

I would highly appreciate if nnn can be added to the repository.

PackagesAnyImplementation RequestVery LowMediumSupport of MPTCP (Multipath TCP) on HyperbolaUnconfirmed
0%
Task Description

Patch for 4.9 : https://multipath-tcp.org/patches/mptcp-v4.9-c88d1d56809e.patch

AUR : https://aur.archlinux.org/packages/linux-mptcp/

PackagesAnyImplementation RequestVery LowHighAdd MPTCP (MultiPath TCP) to HyperbolaUnconfirmed
0%
Task Description

https://aur.archlinux.org/packages/linux-mptcp/

Kernel Patch for 4.9 :
http://multipath-tcp.org/patches/mptcp-v4.9-c88d1d56809e.patch

Compile :
https://multipath-tcp.org/pmwiki.php/Users/DoItYourself

PackagesAnyImplementation RequestLowLow[opmsg] add new packageResearching
0%
Task Description

Description: opmsg is a replacement for gpg which can encrypt/sign/verify your mails or create/verify detached signatures of local files. Even though the opmsg output looks similar, the concept is entirely different.

Additional info:
https://aur.archlinux.org/packages/opmsg/

PackagesAnyImplementation RequestVery LowLow[xfce4-alsa-plugin] add packageUnconfirmed
0%
Task Description

Please add xfce4-alsa-plugin (to get rid of pulseaudio plugin on xfce)

License: GPL3

https://aur.archlinux.org/packages/xfce4-alsa-plugin/ https://github.com/equeim/xfce4-alsa-plugin

PackagesAnyImplementation RequestVery LowMedium[SPF][postfix] implement pypolicyd-spf and postfix-poli...Unconfirmed
0%
Task Description

Description:
Hyperbola has the following SPF implementations:
* libspf2
* perl-mail-spf
* perl-mail-spf-query

However, none of them work out of the box with postfix. There’s postfix-policyd-spf-perl, which uses one the current perl implementations (perl-mail-spf), takes no time to build and all the dependencies are already satisfied with Hyperbola’s packages

Here I made a PKGBUILD that’s compliant with the packaging standards:

pkgname=postfix-policyd-spf-perl
pkgver=2.011
pkgrel=1
pkgdesc='Postfix SPF policy engine, written in Perl'
arch=(i686 x86_64)
url='https://launchpad.net/postfix-policyd-spf-perl/'
license=(GPL)
depends=(perl-mail-spf perl-netaddr-ip perl-sys-hostname-long)
source=("https://launchpad.net/postfix-policyd-spf-perl/trunk/${pkgver}/+download/${pkgname}-${pkgver}.tar.gz"{,.asc})
sha512sums=('22fc00bf74912056a67e937a460ac1fd878f1cb1a3bfa7b19bc5f1e6bc1c36d815dcf8c945e818d242ed5e72a6295bb0e1569446e06b09aefb2842993b8016ba'
            'SKIP')
validpgpkeys=(E7729BFFBE85400FEEEE23B178D7DEFB9AD59AF1) # Scott Kitterman

package() {
  cd "${pkgname}-${pkgver}"

  install -Dm755 "${pkgname}" "${pkgdir}/usr/libexec/postfix/${pkgname}"
  install -Dm644 CHANGES INSTALL README -t "${pkgdir}/usr/share/doc/${pkgname}"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}

in the other hand, to give users the possibility of having more options, we could add pypolicyd-spf (AUR), which depends in pyspf (AUR) and other packages that Hyperbola has. In fact, ArchWiki talks about this implementation, but this might not be relevant.

PackagesAnyImplementation RequestVery LowLow[SafeEyes] add new packageAssigned
0%
Task Description

Safe Eyes is a program to manage breaks in front of the computer. It has many features that help us adapt it to our needs.

PackagesStableImplementation RequestVery LowMedium[gcc] Renew to version 8 or 9, including multilibDeferred
0%
Task Description

As even the support for GCC 7 is now ending with the release of version 7.5 (https://gcc.gnu.org/ml/gcc/2019-11/msg00099.html) I’d like to propose a renewal of the building-stack - which I think is also needed in time. Also a renewal of the glibc would be good at all!

PackagesStableImplementation RequestVery LowLow[codelite] Adding new packageUnconfirmed
0%
Task Description

The IDE codelite is an excellent development environment, continuously updated, has a clear vision and active support.
Would be nice to have this one within the repositories in upcoming releases, perhaps 0.5?

PackagesAnyImplementation RequestVery LowMedium[chdkptp] please add package to control Canon camerasUnconfirmed
0%
Task Description

CHDKPTP is part of CHDK project - a free software firmware add-on for Canon cameras. It enables controlling Canon cameras via the computer.

Attached is a modified iup PKGBUILD (Lua 5.3 build was removed as it failed to compile) and configuration files for chdkptp.

Code is available via svn:

$ svn co http://subversion.assembla.com/svn/chdkptp/trunk chdkptp

Copy chdkptp.sh and config.mk files to source tree then compile via make. chdkptp requires root privileges to connect to a camera.

PackagesAnyImplementation RequestVery LowLow[chdkptp] please add package to reposUnconfirmed
0%
Task Description

CHDKPTP is part of CHDK project - a free software firmware add-on for Canon cameras. It enables controlling Canon cameras via the computer.

Attached is a modified iup PKGBUILD (Lua 5.3 build was removed as it failed to compile) and configuration files for chdkptp.

Code is available via svn:

$ svn co http://subversion.assembla.com/svn/chdkptp/trunk chdkptp

Copy chdkptp.sh and config.mk files to source tree then compile via make. Requires root privileges to connect to a camera.

PackagesTestingImplementation RequestVery LowLow[Hyperbola GNU/Linux-libre 0.4] [polygen{,-data}] Add p...Unconfirmed
0%
Task Description

Is that package worth using to generate every sentence of any kind?

Polygen:

PackagesAnyPrivacy IssueVery LowMedium[avahi] avahi publishes the hostname by defaultUnconfirmed
0%
Task Description

By default, the ‘disable-publishing’ parameter in the [publish] section of avahi-daemon.conf is set to ‘no’, which can be seen in my opinion as a privacy issue as avahi broadcasts the hostname without the user’s consent even though this has been explicitly disabled in the settings of networkmanager.

PackagesAnyPrivacy IssueVery LowLow[purple-plugin-pack] Provides Napster support which is ...Unconfirmed
0%
Task Description

purple-plugin-pack provides access to Napster which is only useful with a single company and sever (as far as I could tell).

PackagesAnyPrivacy IssueVery LowLow[github] check github-related packagesResearching
0%
Task Description

We should check if the following packages run any non-free JS (like youtube-dl) or access a proprietary API:

- hub
- python-pygithub
- python2-pygithub

I haven’t check them, but they look fishy. Take it as a reminder, this is far from being urgent IMO.

PackagesAnyReplace RequestLowLow[appmenu-qt4] replace with appmenu-qt (qt5)Deferred
0%
Task Description

“appmenu-qt4”[0][2] is a deprecated package (release in 2012)[1] and use qt4 unsupported/non-lts software[3], but “appmenu-qt5” not contains any release source code[2]

$ pacman -Si appmenu-qt4
Repository : community
Name : appmenu-qt4
Version : 0.2.6-1
Description : Export Qt4 applications menus over D-Bus
Architecture : x86_64
URL : https://launchpad.net/appmenu-qt Licenses : GPL Groups : None
Provides : None
Depends On : libdbusmenu-qt4
Optional Deps : None
Conflicts With : appmenu-qt
Replaces : appmenu-qt
Download Size : 16.55 KiB
Installed Size : 48.00 KiB
Packager : Antonio Rojas arojas@archlinux.org Build Date : Tue 28 Feb 2017 05:59:31 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://launchpad.net/appmenu-qt (qt4)
[1]:https://launchpad.net/appmenu-qt/+download [2]:https://launchpad.net/appmenu-qt5 [3]:https://en.wikipedia.org/wiki/Qt_5.6_LTS

PackagesAnyReplace RequestDeferCritical[bzr] replace deprecated GNU Bazaar to BrezyDeferred
0%
Task Description

Description:

  • replace deprecated GNU Bazaar to Brezy for Canis Major

Additional info:

Note: It needs a provide: bazaar and brezy

Steps to reproduce:

  • broken package
PackagesStableReplace RequestVery LowMediumPackage ossp has got systemd dependenciesUnconfirmed
0%
Task Description

Description: Concurrent package ossp in version 1.3.2-15 has got dependencies to systemd, which is contradicting the whole distribution and the used INIT-system. Therefore my request to port this to OpenRC!

Additional info:
* package version(s) 1.3.2-15

PackagesTestingReplace RequestVery LowMedium replace request: NetworkManager with wpa_cuteUnconfirmed
0%
Task Description

https://github.com/loh-tar/wpa-cute/releases

I know there are plans to remove NetworkManager. I wondered if we could replace it in 0.4 with Wpa_Cute. seen in the above link.

I haven’t been able to compile it, but it has been updated as recent as 2018 december (stable)

or 2019 january. :)

WPA_GUI doesn’t seem to work well for me, it runs into weird errors when I start it. Long story short, I run into this issue with wpa_supplicant when i do it manually:

https://wiki.archlinux.org/index.php/Wpa_supplicant:

Password-related problems

wpa_supplicant may not work properly if directly passed via stdin particularly long or complex passphrases which include special characters. This may lead to errors such as failed 4-way WPA handshake, PSK may be wrong when launching wpa_supplicant.

In order to solve this try using here strings wpa_passphrase <MYSSID> «< “<passphrase>” or passing a file to the -c flag instead:

# wpa_supplicant -i <interface> -c /etc/wpa_supplicant/example.conf

In some instances it was found that storing the passphrase cleartext in the psk key of the wpa_supplicant.conf network block gave positive results (see [2]). However, this approach is rather insecure. Using wpa_cli to create this file instead of manually writing it gives the best results most of the time and therefore is the recommended way to proceed.
Problems with eduroam and other MSCHAPv2 connections

This is my issue with wpa_supplicant sadly... and I do not know how to workaround that without a GUI.

but Wpa_Supplicant_gui does not fix it either, it doesn’t even load properly on my other laptop.

It says it cannot get the status of wpa_supplicant when I load it.

This could be an issue if you get rid of NetworkManager for some users.

So yeah, please take a look at my request okay? Wait for 0.3 to be released to add this if possible. I know you guys are overworked, etc... and it doesn’t need to be done now anyhow. ;)

PackagesAnySecurity IssueMediumMedium[openssh] CVE-2018-15919Researching
0%
Task Description

Remotely observable behavior in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states ‘We understand that the OpenSSH developers do not want to treat such a username enumeration (or “oracle”) as a vulnerability.’ https://security-tracker.debian.org/tracker/CVE-2018-15919

PackagesAnySecurity IssueVery LowHigh[octopi] requires suUnconfirmed
0%
Task Description

would it be possible to make it use sudo instead?

From what I know, sudo is safer. Let me know if you agree this is a problem.

PackagesAnySecurity IssueVery LowMedium[qemu] Multiple CVEUnconfirmed
0%
Task Description

CVE-2018-20123 QEMU: pvrdma: memory leakage in device hotplug
https://www.openwall.com/lists/oss-security/2018/12/13/4

CVE-2018-16872 Qemu: usb-mtp: path traversal by host filesystem
manipulation in Media Transfer Protocol (MTP)
https://www.openwall.com/lists/oss-security/2018/12/13/11

Patches included at above URLs.

PackagesAnySecurity IssueMediumCritical[libjpeg-turbo] CVE-2019-2201Researching
0%
Task Description

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation

https://security-tracker.debian.org/tracker/CVE-2019-2201

Patch: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388

PackagesAnySecurity IssueVery LowMediumDownload debian-fixes instead of relying on external so...Unconfirmed
0%
Task Description

It happened already with minetest and again with prosody: When trying to build own packages with makepkg there are patches downloaded from the Debian-project. But the given HTTP(S)-sources are no longer available, concrete example within prosody to be found: https://deb.debian.org/debian/pool/main/p/prosody/prosody_0.10.2-1~bpo9+1.debian.tar.xz (not available)

Please don’t rely on those external sources when creating PKGBUILD-files or just give users the possibility for a secure and granted download. Therefore I cannot build prosody on my own now!

PackagesStableSecurity IssueVery LowCritical[lts-kernel][sec] filter /dev/mem access & restrict acc...Unconfirmed
0%
Task Description

These two options could be enabled :

Kernel hacking → [*] Filter access to /dev/mem
[*] Filter I/O access to /dev/mem

Security options → [*] Restrict unprivileged access to the kernel syslog

PackagesAnySecurity IssueVery LowHigh[tigervnc] Multiple CVEResearching
0%
Task Description

https://www.openwall.com/lists/oss-security/2019/12/20/2

“This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow an malicious peer to take control over the software on the other side.”

PackagesAnySecurity IssueVery LowCritical[opensmtpd] CVE-2020-8794Unconfirmed
0%
Task Description

Description: https://www.openwall.com/lists/oss-security/2020/02/24/5 https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)

Contents

Summary
Analysis
...
Acknowledgments

Summary

We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This
vulnerability, an out-of-bounds read introduced in December 2015 (commit
80c6a60c, “when peer outputs a multi-line response ...”), is exploitable
remotely and leads to the execution of arbitrary shell commands: either
as root, after May 2018 (commit a8e22235, “switch smtpd to new
grammar”); or as any non-root user, before May 2018.

Because this vulnerability resides in OpenSMTPD’s client-side code
(which delivers mail to remote SMTP servers), we must consider two
different scenarios:

- Client-side exploitation: This vulnerability is remotely exploitable

in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.

- Server-side exploitation: First, the attacker must connect to the

OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).

We developed a simple exploit for this vulnerability and successfully
tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the
first vulnerable release), Debian 10 (stable), Debian 11 (testing), and
Fedora 31.

The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”

Showing tasks 451 - 500 of 512 Page 10 of 11<<First - 7 - 8 - 9 - 10 - 11 -

Available keyboard shortcuts

Tasklist

Task Details

Task Editing