All Projects

ProjectCategoryTask TypePrioritySeverity  ascSummaryStatusProgress
PackagesAnySecurity IssueVery HighCritical[avahi] blacklist package since it's a zeroconf impleme...In Progress
0%
Task Description

Avahi is a zero-configuration networking implementation that contains critical security issues because mDNS operates under a different trust model than unicast DNS trusting the entire network rather than a designated DNS server, it is vulnerable to spoofing attacks by any system within the multicast IP range. Like SNMP and many other network management protocols, it can also be used by attackers to quickly gain detailed knowledge of the network and its machines. [0]

Since it violates the Hyperbola Social Contract , Avahi should be blacklisted.

PackagesAnyPrivacy IssueVery LowCritical[bleachbit] needs to be adapted to UXP applicationsAssigned
0%
Task Description

The current version of BleachBit needs to be adapted so it can clean the new .cache/hyperbola/ directory.

PackagesAnyReplace RequestDeferCritical[bzr] replace deprecated GNU Bazaar to BrezyDeferred
0%
Task Description

Description:

  • replace deprecated GNU Bazaar to Brezy for Canis Major

Additional info:

Note: It needs a provide: bazaar and brezy

Steps to reproduce:

  • broken package
PackagesStableFreedom IssueVery LowCritical[conky] Some serious issuesAssigned
90%
Task Description

I’m writing here about the package Conky. It is the useful widget of system monitor into your desktop, but there are some serious issues:

Config variables

  • distribution outputs the string “Arch Linux” instead of “Hyperbola GNU/Linux-libre”.
  • eve requires users to use API for non-libre/free video game EVE Online, and should be removed.
  • All Beep Media Player (BMPx) related variables (including bmpx_album, bmpx_artist, bmpx_bitrate, bmpx_title, bmpx_track and bmpx_uri) are obselete and useless, and should be removed because the package BMPx isn’t present on Arch and Hyperbola official repositories but Arch User Repository (AUR).
  • [For Milky Way version 0.4.x only] All PulseAudio related variables (including if_pa_sink_muted, pa_sink_volume, pa_sink_volumebar, pa_sink_description, pa_card_name and pa_card_active_profile) are no longer used, and should be removed due replaced the default audio server with sndio.

Manual

  • Contains non-FDSG compliant distros.
  • Contains vague terminology.
  • Requires users to use API for non-libre/free weather network service(s) (including The Weather Channel).
PackagesStableFreedom IssueVery LowCritical[elementary-icon-theme] Contains non-FSDG compliant dis...Assigned
0%
Task Description

About that distro, Elementary OS is semi-libre/free, Ubuntu based, long term support, but does not comply with the GNU Free System Distributibution Guidelines (FSDG). To either rebrand or remove existing non-FSDG compliant distro icon files.

The following affected files are present in this list:

  • /usr/share/icons/elementary/places/16/distributor-logo.svg
  • /usr/share/icons/elementary/places/24/distributor-logo.svg
  • /usr/share/icons/elementary/places/32/distributor-logo.svg
  • /usr/share/icons/elementary/places/48/distributor-logo.svg
  • /usr/share/icons/elementary/places/64/distributor-logo.svg
  • /usr/share/icons/elementary/places/128/distributor-logo.svg
  • /usr/share/icons/elementary/places/symbolic/distributor-logo-symbolic.svg
PackagesAnySecurity IssueVery HighCritical[grub2] UEFI SecureBoot vulnerability + multiple flaws ...Unconfirmed
0%
Task Description

https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

https://9to5linux.com/grub2-boot-failure-issues-fixed-in-debian-and-ubuntu-update-now

PackagesStableBug ReportVery LowCritical[gtk-2] Severe problems with GTK2-applicationsUnconfirmed
0%
Task Description

Description: Since the migration to xenocara there seems to be a bug with applications using GTK-2. From time to time there are crashes with assertion `!xcb_xlib_threads_sequence_lost’.

Looking into this a little bit more deep there are also other distributions affected and this is an upstream-bug. But the concrete situation is not that easy, while it could be also part of the library libX11 itself. Looking therefore here: https://bugs.launchpad.net/ubuntu/+source/pcmanfm/+bug/1782984

Affected are for example LXDE in general, icedove, iceweasel and many more!

PackagesStableFreedom IssueVery LowCritical[keybase] Complete removal of toolUnconfirmed
0%
Task Description

There is only the source code of the client available and since years nothing more happened. With keybase joining “Zoom” nothing more seems to happen. Look also here in the forum: https://forums.hyperbola.info/viewtopic.php?id=368

PackagesAnySecurity IssueMediumCritical[libjpeg-turbo] CVE-2019-2201Researching
0%
Task Description

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation

https://security-tracker.debian.org/tracker/CVE-2019-2201

Patch: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388

PackagesStableSecurity IssueVery LowCritical[lts-kernel][sec] filter /dev/mem access & restrict acc...Unconfirmed
0%
Task Description

These two options could be enabled :

Kernel hacking → [*] Filter access to /dev/mem
[*] Filter I/O access to /dev/mem

Security options → [*] Restrict unprivileged access to the kernel syslog

PackagesAnySecurity IssueVery LowCritical[opensmtpd] CVE-2020-8794Unconfirmed
0%
Task Description

Description: https://www.openwall.com/lists/oss-security/2020/02/24/5 https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)

Contents

Summary
Analysis
...
Acknowledgments

Summary

We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This
vulnerability, an out-of-bounds read introduced in December 2015 (commit
80c6a60c, “when peer outputs a multi-line response ...”), is exploitable
remotely and leads to the execution of arbitrary shell commands: either
as root, after May 2018 (commit a8e22235, “switch smtpd to new
grammar”); or as any non-root user, before May 2018.

Because this vulnerability resides in OpenSMTPD’s client-side code
(which delivers mail to remote SMTP servers), we must consider two
different scenarios:

- Client-side exploitation: This vulnerability is remotely exploitable

in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.

- Server-side exploitation: First, the attacker must connect to the

OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).

We developed a simple exploit for this vulnerability and successfully
tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the
first vulnerable release), Debian 10 (stable), Debian 11 (testing), and
Fedora 31.

The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”

PackagesStableDrop RequestVery LowCritical[osdbattery] Unmaintained and unsupportableUnconfirmed
0%
Task Description

osdbattery is (probably) useless and broken so Conky did compete because It is still unmaintained and unsupported over 14 years ago (last released version 1.4 on August 23, 2005), and should be removed per anti-abandonware rule at the packaging guidelines.

Also, the default config file contains non-libre/free Microsoft font Verdana as X11 font format property in font variable.

PackagesStableBug ReportVery LowCritical[smartmontools] update-smart-drivedb fails to updateAssigned
0%
Task Description

smartmontools 6.5-1.hyperbola1

Error while trying to update smart-drivedb :

anon@test[~] update-smart-drivedb

External Link/usr/bin/update-smart-drivedb: download from branches/RELEASE_6_5_DRIVEDB failed (curl: exit 23) /usr/bin/update-smart-drivedb: download from trunk failed (curl: exit 23)

PackagesAnyBug ReportVery LowCritical[system-config-printer] Impossible to print some pdfs (...Assigned
0%
Task Description

Hello,

I’m unable to print some pdfs on my Hyperbola 3.0 system.
Some background :

cups is installed, service enabled and working
system-config-printer is installed and my printer has been correctly added.

I can print most pdfs and text files but recently with a pdf, it fails to print it.* And system-config-printer returned the following error (see capture) :

Printer "EPSON XP-620-Series" requires the '/usr/lib/cups/filters/epson-escpr-wrapper' but it is not currently installed.

Currently, “epson-escpr-wrapper” is installed but it is in :

/usr/libexec/cups/filters/epson-escpr-wrapper

Looking at source code of system-config-printer, it expects that wrapper to be installed in “/usr/lib/” so I tried to symlink that “epson-escpr-wrapper” to “/usr/lib/cups/filters” but it doesn’t work..

*With a Debian system and the exact same configuration, the “problematic” pdf prints just fine so it is not an issue with the pdf.

PackagesStableBug ReportMediumCritical[torsocks] which: no getcapRequires Testing
90%
Task Description

Current torsocks version is broken.
It returns the following error when attempting to torify application :

which: no getcap
PackagesAnySecurity IssueVery LowCritical[unbound] Multiple CVEsAssigned
0%
Task Description

https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

[Critical] https://security-tracker.debian.org/tracker/CVE-2019-18934

Showing tasks 501 - 516 of 516 Page 11 of 11<<First - 7 - 8 - 9 - 10 - 11

Available keyboard shortcuts

Tasklist

Task Details

Task Editing