Packages

Description:

• “net_veth” and “net_macsec” initscripts contains some issues.

Additional info:

• netifrc 0.6.0-2.backports1

/etc/conf.d/net_veth

-# Source Interface (host)
-IFSRC=interface_host
+# Source Interface (host), example: IFSRC=veh0
+IFSRC=veh0
 # Set custom parameters on Source Interface
 IFCTS=
-# Destination Interface (guest)
-IFDST=interface_guest
+# Destination Interface (guest), example: IFDST=veg0
+IFDST=veg0
 # Set custom parameters on Destination Interface
 IFCTD=

/etc/conf.d/net_macsec

-# Source Interface (host)
-IFSRC=interface_host
-# Network init service dependency from Source Interface
-#IFDEP=net.interface_host
-# Destination Interface (macsec/guest)
-IFDST=interface_macsec
+# Source Interface (host), example: IFSRC=eth0
+IFSRC=eth0
+# Network init service dependency from Source Interface, example: IFDEP=net.eth0
+IFDEP=
+# Destination Interface (macsec/guest), example: IFDST=macsec0
+IFDST=macsec0
 # Set custom parameters on MACsec Interface
 IFCTD=

---

 IFPAR="cipher gcm-aes-128
        icvlen 16
        encrypt on
        protect off
        replay off
        send_sci on
-       validate strict"
+       validate disabled"

---

-# Add receive channels and/or receive association keys (RXSC), examples:
-#
-# [sci_<0..ffffffffffffffff(hex)>|port_<1..65535(dec)>_address_<00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)>][_<on/off>]
-#
-# sci_0
-# sci_ffffffffffffffff_on
-# port_1_address_00:00:00:00:00:00
-# port_2_address_ff:ff:ff:ff:ff:ff_off
-#
-# [sci_<0..ffffffffffffffff(hex)>_|port_<1..65535(dec)>_address_<00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)>_]sa_<0..3(dec)>_[pn_<1..4294967295(dec)>_][<on/off>_]key_<00..ff(hex)>_<00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>
-#
-# sa_0_key_00_00000000000000000000000000000000
-# sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
-# sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
-# sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
-# sci_0_sa_0_key_00_00000000000000000000000000000000
-# sci_32_sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
-# sci_451_sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
-# sci_7438f_sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
-# port_1_address_00:00:00:00:00:00_sa_0_key_00_00000000000000000000000000000000
-# port_2_address_ff:ff:ff:ff:ff:ff_sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
-# port_3_address_00:00:00:ff:ff:ff_sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
-# port_4_address_ff:ff:ff:00:00:00_sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
+# Add receive channels and/or receive association keys (RXSC), examples:
+#
+# "[sci <0..ffffffffffffffff(hex)>|port <1..65535(dec)> address <00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)>][ <on/off>]"
+#
+# "sci 0"
+# "sci ffffffffffffffff on"
+# "port 1 address 00:00:00:00:00:00"
+# "port 2 address ff:ff:ff:ff:ff:ff off"
+#
+# "[sci <0..ffffffffffffffff(hex)> |port <1..65535(dec)> address <00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)> ]sa <0..3(dec)> [pn <1..4294967295(dec)> ][<on/off> ]key <00..ff(hex)> <00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>"
+#
+# "sci 0 sa 0 key 00 00000000000000000000000000000000"
+# "sci 32 sa 1 pn 1 key 01 f00f00f00f00f00f00f00f00f00f00f0"
+# "sci 451 sa 2 on key de de00de00de00de00de00de00de00de00"
+# "sci 7438f sa 3 pn 16345 off key a1 fca1fca1fca1fca1fca1fca1fca1fca1"
+# "port 1 address 00:00:00:00:00:00 sa 0 key 00 00000000000000000000000000000000"
+# "port 2 address ff:ff:ff:ff:ff:ff sa 1 pn 1 key 01 f00f00f00f00f00f00f00f00f00f00f0"
+# "port 3 address 00:00:00:ff:ff:ff sa 2 on key de de00de00de00de00de00de00de00de00"
+# "port 4 address ff:ff:ff:00:00:00 sa 3 pn 16345 off key a1 fca1fca1fca1fca1fca1fca1fca1fca1"
+#
+# IFRSC=("port 1 address 00:00:00:00:00:00 on"
+#        "port 1 address 00:00:00:00:00:00 sa 0 pn 1 on key 00 00000000000000000000000000000000"
+#        "sci ffffffffffff0001 on"
+#        "sci ffffffffffff0001 sa 0 pn 1 on key 00 ffffffffffffffffffffffffffffffff")
 IFRSC=()

-# Add trasmition association keys (TXSC) , examples:
-# sa_<0..3(dec)>_[pn_<1..4294967295(dec)>_][<on/off>_]key_<00..ff(hex)>_<00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>
-#
-# sa_0_key_00_00000000000000000000000000000000
-# sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
-# sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
-# sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
+# Add trasmition association keys (TXSC) , examples:
+# "sa <0..3(dec)> [pn <1..4294967295(dec)> ][<on/off> ]key <00..ff(hex)> <00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>"
+#
+# "sa 0 key 00 00000000000000000000000000000000"
+# "sa 1 pn 1 key 01 f00f00f00f00f00f00f00f00f00f00f0"
+# "sa 2 on key de de00de00de00de00de00de00de00de00"
+# "sa 3 pn 16345 off key a1 fca1fca1fca1fca1fca1fca1fca1fca1"
+#
+# IFTSC=("sa 0 pn 1 on key 00 00000000000000000000000000000000")
 IFTSC=()

/etc/init.d/net_macsec

                         if [[ $IFRSC ]]; then
-                                for mac_rxsc in ${IFRSC[@]}; do
-                                        ip macsec add $IFDST rx ${mac_rxsc/_/ }
+                                for mac_rxsc in "${IFRSC[@]}"; do
+                                        ip macsec add $IFDST rx $mac_rxsc
                                 done
                         fi
                         if [[ $IFTSC ]]; then
-                                for mac_txsc in ${IFTSC[@]}; do
-                                        ip macsec add $IFDST tx ${mac_txsc/_/ }
+                                for mac_txsc in "${IFTSC[@]}"; do
+                                        ip macsec add $IFDST tx $mac_txsc
                                 done
                         fi

$ pacman -Si netifrc
Repository      : core
Name            : netifrc
Version         : 0.6.0-2.backports1
Description     : Network interface management scripts
Architecture    : x86_64
URL             : https://wiki.gentoo.org/wiki/Netifrc
Licenses        : BSD2
Groups          : base
Provides        : None
Depends On      : eudev
Optional Deps   : iproute2: for interface handler, VPN, bridging and tunneling support (recommended)
                  net-tools: for interface handler support
                  bridge-utils: for bridging support
                  linux-atm: for CLIP and RFC 2684 bridge support
                  wpa_supplicant: for wireless networking support (recommended)
                  wireless_tools: for wireless networking support
                  dhcpcd: for DHCP support (recommended)
                  dhclient: for DHCP support
                  busybox: for DHCP support
                  iputils: for APIPA support
                  ifenslave: for bonding interfaces
                  ppp: for PPP and ADSL support (recommended)
                  rp-pppoe: for ADSL support
                  macchanger: for changing MAC addresses
                  ifplugd: for cable in/out detection
Conflicts With  : None
Replaces        : None
Download Size   : 66.18 KiB
Installed Size  : 373.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Tue 03 Jul 2018 12:16:13 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

• Boot “openrc” and/or start “net_{veth,macsec}” initscripts.

Description:

• “net.lo” initscript is forced to load in “boot” runlevel by default.
• “loopback” interface doesn’t need changes.
• “net.lo” initscript conflicts with another network services, like: NetworkManager.
• “net.lo” initscript takes extra processor and memory resources when is useless.

Additional info:

• netifrc 0.6.0-2.backports1

This file needs be removed:
* /etc/runlevels/boot/net.lo

$ pacman -Si netifrc
Repository      : core
Name            : netifrc
Version         : 0.6.0-2.backports1
Description     : Network interface management scripts
Architecture    : x86_64
URL             : https://wiki.gentoo.org/wiki/Netifrc
Licenses        : BSD2
Groups          : base
Provides        : None
Depends On      : eudev
Optional Deps   : iproute2: for interface handler, VPN, bridging and tunneling support (recommended)
                  net-tools: for interface handler support
                  bridge-utils: for bridging support
                  linux-atm: for CLIP and RFC 2684 bridge support
                  wpa_supplicant: for wireless networking support (recommended)
                  wireless_tools: for wireless networking support
                  dhcpcd: for DHCP support (recommended)
                  dhclient: for DHCP support
                  busybox: for DHCP support
                  iputils: for APIPA support
                  ifenslave: for bonding interfaces
                  ppp: for PPP and ADSL support (recommended)
                  rp-pppoe: for ADSL support
                  macchanger: for changing MAC addresses
                  ifplugd: for cable in/out detection
Conflicts With  : None
Replaces        : None
Download Size   : 66.18 KiB
Installed Size  : 373.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Tue 03 Jul 2018 12:16:13 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

• Boot “openrc”.
• Install and update [netifrc] package.

Description:

• “udev” initscript is loaded by “udev-trigger”.
• “udev-trigger” is needed load on “boot” runlevel, not”sysinit” one.
• “udev-trigger” initscript is forced to be added in the sysinit runlevel through upgrading package process
• It avoids use “eudev” side-by-side with “vdev”.

Additional info:

• eudev 3.2.5-2

This file need be removed:
* /etc/runlevels/sysinit/udev

This file needs to be changed in "boot" runlevel, not "sysinit" runlevel;
This file needs be included only in the installing process not updating one.
- /etc/runlevels/sysinit/udev-trigger
+ /etc/runlevels/boot/udev-trigger

$ pacman -Si eudev
Repository      : core
Name            : eudev
Version         : 3.2.5-2
Description     : The userspace dev tools (udev) forked by Gentoo, with OpenRC support
Architecture    : x86_64
URL             : https://wiki.gentoo.org/wiki/Project:Eudev
Licenses        : GPL
Groups          : None
Provides        : udev
Depends On      : libeudev  kbd  kmod  hwids  util-linux
Optional Deps   : None
Conflicts With  : udev
Replaces        : udev
Download Size   : 931.20 KiB
Installed Size  : 7072.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Sun 01 Jul 2018 01:26:17 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

• Boot “openrc”.
• Install and update [eudev] package.

Description:

• “sysctl” initscript doesn’t set sysctl parameters on network interfaces.
• “sysctl” initscript needs run “sysctl” initscript after “net” initscript.

Additional info:

• openrc 0.28-18

/etc/init.d/sysctl

-        after clock
+        after clock net

$ pacman -Si openrc
Repository      : core
Name            : openrc
Version         : 0.28-18
Description     : A dependency based init system that works with the system provided init program
Architecture    : x86_64
URL             : https://wiki.gentoo.org/wiki/Project:OpenRC
Licenses        : BSD2
Groups          : None
Provides        : None
Depends On      : psmisc  pam
Optional Deps   : netifrc: network interface management scripts
                  networkmanager: network connection manager and user applications
Conflicts With  : None
Replaces        : None
Download Size   : 193.18 KiB
Installed Size  : 1720.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Sun 08 Jul 2018 01:28:16 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

• Boot “openrc”

Description:

Hi dear developers of Hyperbola. I work in the field of web development. I use a lot of javascript and nodejs to compile.
Could they do the nodejs update?. I also mention this because Hyperbola works with LTS packages.

Additional info:

* package version(s)

$ sudo pacman -Si nodejs
Repositorio               : community
Nombre                    : nodejs
Versión                   : 7.10.0-1
Descripción               : Evented I/O for V8 javascript
Arquitectura              : x86_64
URL                       : http://nodejs.org/
Licencias                 : MIT
Grupos                    : Nada
Provee                    : Nada
Depende de                : openssl-1.0  zlib  icu  libuv  http-parser  c-ares
Dependencias opcionales   : npm: nodejs package manager
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 4,55 MiB
Tamaño de la instalación  : 18,49 MiB
Encargado                 : Felix Yan <felixonmars@archlinux.org>
Fecha de creación         : mié 03 may 2017 09:50:26 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

$ sudo pacman -Si npm
Repositorio               : community
Nombre                    : npm
Versión                   : 4.5.0-1
Descripción               : A package manager for javascript
Arquitectura              : any
URL                       : https://www.npmjs.com/
Licencias                 : custom:Artistic
Grupos                    : Nada
Provee                    : nodejs-node-gyp
Depende de                : nodejs  semver
Dependencias opcionales   : python2: for node-gyp
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 2,72 MiB
Tamaño de la instalación  : 13,98 MiB
Encargado                 : Felix Yan <felixonmars@archlinux.org>
Fecha de creación         : mié 12 abr 2017 22:08:06 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

- NodeJS LTS (includes npm 5.6.0):

* https://nodejs.org/dist/v8.11.3/node-v8.11.3.tar.gz

* https://nodejs.org/dist/v8.11.3/SHASUMS256.txt.asc

Some errors that I suffer when compiling:
- https://stackoverflow.com/questions/46476741/nodejs-util-promisify-is-not-a-function

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

https://security-tracker.debian.org/tracker/CVE-2018-15473

Patch: https://salsa.debian.org/ssh-team/openssh/commit/4641c58a3279f6b118f9562babaa0ee050a38619

Technical analysis: https://blog.nviso.be/2018/08/21/openssh-user-enumeration-vulnerability-a-close-look/

Description:

The Arch version of tinc from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)
* config and/or log files etc.

Repositorio               : community
Nombre                    : netdata
Versión                   : 1.6.0-3
Descripción               : Real-time performance monitoring, in the greatest possible detail, over the web.
Arquitectura              : x86_64
URL                       : https://github.com/firehol/netdata/wiki
Licencias                 : GPL
Grupos                    : Nada
Provee                    : Nada
Depende de                : libmnl  libnetfilter_acct  zlib
Dependencias opcionales   : nodejs: Webbox plugin
                            lm_sensors: sensors module
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 1778,98 KiB
Tamaño de la instalación  : 6515,00 KiB
Encargado                 : Sven-Hendrik Haase <sh@lutzhaase.com>
Fecha de creación         : dom 23 abr 2017 16:24:38 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

community/netdata	/usr/lib/systemd/
community/netdata	/usr/lib/systemd/system/
community/netdata	/usr/lib/systemd/system/netdata.service

Steps to reproduce:

• Install package

Description:

Since Hyperbola follows the Init Freedom Campaign, systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)

community/backuppc 4.1.2-1 [installed]

   Enterprise-grade system for backing up Linux, Windows and MacOS PCs

* config and/or log files etc.

Additional info:

Steps to reproduce: install it

Since Hyperbola follows the Init Freedom Campaign, systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)

extra/gpsd 3.16-3 [installed]

   GPS daemon and library to support USB/serial GPS devices

* config and/or log files etc.

Additional info:

Steps to reproduce: install it

User enumeration in Dropbear 2018.76 and earlier
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.

https://security-tracker.debian.org/tracker/CVE-2018-14354

Description:

NoScript zero-day allows script execution even with scripts blocked by default.

https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

https://twitter.com/ma1/status/1039163003034324992

Additional info:
* package version(s) < 5.1.8.7

Steps to reproduce:
Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”

Description:
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

Description:

• needs OpenRC init script and contains systemd files

Additional info:

• dovecot 2.2.29.1-1

dovecot /usr/lib/systemd/system/dovecot.service
dovecot /usr/lib/systemd/system/dovecot.socket
dovecot /usr/lib/tmpfiles.d/dovecot.conf

Steps to reproduce:

• none

Description:

• needs OpenRC init script

Additional info:

• onioncat 0.2.2.r578-1

Steps to reproduce:

• none

Description:

• needs OpenRC init script and contains systemd file

Additional info:

• umurmur 0.2.16_a-6

umurmur /usr/lib/systemd/system/umurmur.service

Steps to reproduce:

• none

Description:

• needs OpenRC init script and contains systemd files

Additional info:

• prosody 1:0.10.r7198+.2fd20f372cb1+-2

prosody /usr/lib/systemd/system/prosody.service
prosody /usr/lib/sysusers.d/prosody.conf
prosody /usr/lib/tmpfiles.d/prosody.conf

Steps to reproduce:

• none

Description:

• needs OpenRC init script and contains systemd files

Additional info:

• unrealircd 4.0.11-2

unrealircd /usr/lib/systemd/system/unrealircd.service
unrealircd /usr/lib/tmpfiles.d/unrealircd.conf

Steps to reproduce:

• none

Description:

• needs OpenRC init script and contains systemd file

Additional info:

• mcelog 1:148-1

mcelog /usr/lib/systemd/system/mcelog.service

Steps to reproduce:

• none

Description:

• OpenRC needs a minor fix (remount proc)

Additional info:

• openrc 0.28-19

openrc /usr/lib/rc/sh/init.sh

—

-        mount -n -t proc -o noexec,nosuid,nodev,gid=proc,hidepid=2 proc /proc
+        mount -n -t proc -o noexec,nosuid,nodev proc /proc
+        mount -n /proc -o remount,gid=26,hidepid=2

Steps to reproduce:

• Boot OpenRC in chroot with unshare

Description:

• needs OpenRC init script (bzr serve), like [git] (git-daemon) and [subversion] (svnserve)

Additional info:

• bzr 2.7.0-2

Note: needs a provide: bazaar

Steps to reproduce:

• none

Description:

• needs OpenRC init scripts (hg serve and chg server), like [git] (git-daemon) and [subversion] (svnserve)

Additional info:

• mercurial 4.2-1

Note: needs a provide: hg

Steps to reproduce:

• none

Description:

• Add new a Murmur package capable of working without a graphical user interface. It’s common on servers and embedded devices that requires only interfaces like network (eg. SSH) or serial port to handle services.

Additional info:

• based on murmur 1.2.19-5

Steps to reproduce:

• none

Description:

• Add an Asterisk package capable of working without a graphical user interface. It’s common on servers and embedded devices that requires only interfaces like network (eg. SSH) or serial port to handle services.

Additional info:

• based on asterisk 14.4.0-1

Steps to reproduce:

• none

Description:

• add new package

Additional info:

• https://github.com/coturn/coturn

Steps to reproduce:

• none