|
Any | Security Issue | Very High | Critical | [mutt] CVE-2018-14354 | Closed | |
Task Description
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.
https://security-tracker.debian.org/tracker/CVE-2018-14354
|
|
Any | Security Issue | Very High | Critical | [iceweasel-uxp-noscript] Zero-day bypass and script exe ... | Closed | |
Task Description
Description:
NoScript zero-day allows script execution even with scripts blocked by default.
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/
https://twitter.com/ma1/status/1039163003034324992
Additional info: * package version(s) < 5.1.8.7
Steps to reproduce: Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”
|
|
Any | Security Issue | Very High | Critical | [util-linux] CVE-2018-7738 | Closed | |
Task Description
Description: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/
|
|
Any | Replace Request | Defer | Critical | [bzr] replace deprecated GNU Bazaar to Brezy | Closed | |
Task Description
Description:
replace deprecated GNU Bazaar to Brezy for Canis Major
Additional info:
bzr 2.7.0-2
GNU Bazaar will be unmaintained (for now, there are only bug fixes)
GNU Bazaar only supports Python 2.
-
-
-
Note: It needs a provide: bazaar and brezy
Steps to reproduce:
|
|
Any | Replace Request | High | Critical | [python2] replace deprecated Python 2 to Tauthon | Closed | |
Task Description
Description:
replace deprecated Python 2 to Tauthon for Canis Major
Additional info:
Steps to reproduce:
|
|
Any | Bug Report | High | Critical | [zathura-ps] needs to be recompiled | Closed | |
Task Description
Description: Since the update to 0.3.9 (or the update of girara to 0.2.9), zathura-pdf-poppler returns the following error:
error: Could not load plugin '/usr/lib/zathura/ps.so' (libgirara-gtk3.so.2: cannot open shared object file: No such file or directory).
|
|
Any | Bug Report | High | Critical | [links][elinks] segmentation fault after start by termi ... | Closed | |
Task Description
Description:
Additional info: * package version(s)
links 2.14-2
elinks 0.13-18
* config and/or log files etc.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4295e43 in strchrnul () from /usr/lib/libc.so.6
[New Thread 0x7ffff4dfb700 (LWP 8393)]
Thread 1 "elinks" received signal SIGSEGV, Segmentation fault.
0x00007ffff5fa3e43 in strchrnul () from /usr/lib/libc.so.6
Steps to reproduce:
|
|
Any | Bug Report | Very Low | Critical | [apache]: cannot start if NetworkManager is not started | Closed | |
Task Description
Description:
Apache web server shall be running with or without the external network, and without NetworkManager.
rc-service httpd start
will give the message that NetworkManager must be started first, and will not start apache web server. I cannot find in which file is that written.
Steps to reproduce:
1. Disconnect network. Start computer.
2. Try to start apache with above command.
That makes no sense, as Apache can run on local network without NetworkManager and it is not written in the description.
|
|
Any | Security Issue | Very High | Critical | [schroedinger] unmaintained and unsupportable | Closed | |
Task Description
Description:
Remove Schrödinger in Hyperbola because it’s unmaintained and unsupportable. [0] [1]
Additional info:
$ pacman -Si schroedinger
Repository : extra
Name : schroedinger
Version : 1.0.11-3
Description : An implemenation of the Dirac video codec in ANSI C code
Architecture : x86_64
URL : https://launchpad.net/schroedinger
Licenses : GPL2 LGPL2.1 MPL MIT
Groups : None
Provides : None
Depends On : orc gcc-libs
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 331.64 KiB
Installed Size : 1676.00 KiB
Packager : Evangelos Foutras <evangelos@foutrelis.com>
Build Date : Sat 05 Dec 2015 12:28:01 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2017-17670 | Closed | |
Task Description
Description:
In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2018-11529 | Closed | |
Task Description
Description:
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
|
|
Any | Security Issue | High | Critical | [octopi] uploads system logs to ptpb.pw without confirm ... | Closed | |
Task Description
Octopi 0.9.0 is uploading system logs to ptpb.pw without confirmation through :
Tools → SysInfo → ptpb.pw
I think it should be either disabled or add at least a patch to ask for a confirmation. An other way could be to patch this :
src/globals.cpp
240: * Generates SysInfo file and paste it to ptpb site
255: QString ptpb = UnixCommand::getCommandOutput("curl -F c=@- https://ptpb.pw/?u=1", tempFile->fileName());
256: return ptpb;
to :
src/globals.cpp
240: * Generates SysInfo file and paste it to ptpb site
255: QString ptpb = UnixCommand::getCommandOutput("curl -F c=@- **https://ptpb.pw/", tempFile->fileName());
256: return ptpb;
This way, you can at least ask for log deletion with the help of log uuid as explained here : https://ptpb.pw/#id10
|
|
Any | Security Issue | Very High | Critical | [qtpass] Insecure Password Generation prior to 1.2.1 | Closed | |
Task Description
Description: As stated on the home page of the project (https://qtpass.org/): <quote> All passwords generated with QtPass’ built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers. </quote>
|
|
Any | Freedom Issue | Very High | Critical | [qtemu] package recommends installing non-free OSes | Closed | |
Task Description
When running QtEmu for the first time and running the new machine wizard, the software lists non-free operating systems and refers to GNU/Linux as Linux.
It would be nice to list LibertyBSD in the list of distros in this software in addition to GNU/Linux and GNU/Hurd (which are listed in aqemu).
|
|
Any | Security Issue | Very High | Critical | [toxcore] Memory leak - Remote DDoS vunerability | Closed | |
Task Description
Description:
A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.
Additional info: * package version(s): < 2.8
https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/
|
|
Any | Security Issue | Very Low | Critical | [toxcore] Memory leak bug | Closed | |
Task Description
Description: https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/
The bug is fixed in TokTok c-toxcore v0.2.8. The bug is also fixed in the master branch of irungentoo’s toxcore, in commit bf69b54f64003d160d759068f4816b2d9b2e1e21. As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained.
|
|
Any | Security Issue | Very High | Critical | [libssh] CVE-2018-10933 | Closed | |
Task Description
Description: libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
Additional info: * package version(s) : extra/libssh 0.7.5-1
CVE
|
|
Any | Security Issue | Very High | Critical | [openldap] 2.4.44 multiple security issues | Closed | |
Task Description
Description: Changelog
2.4.46 is fixing a huge quantity of issues (TLS related & memory leak)
Additional info: * package version(s) : 2.4.44
|
|
Any | Security Issue | Very High | Critical | [php] CVE-2017-9120 | Closed | |
Task Description
Description:
PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.
Additional info: * package version(s)
$ pacman -Si php
Repositorio : extra
Nombre : php
Versión : 7.1.4-3.hyperbola3
Descripción : A general-purpose scripting language that is especially suited to web development, without systemd support
Arquitectura : x86_64
URL : http://www.php.net
Licencias : PHP
Grupos : Nada
Provee : php-ldap=7.1.4
Depende de : libxml2 curl libzip pcre
Dependencias opcionales : Nada
En conflicto con : php-ldap
Remplaza a : php-ldap
Tamaño de la descarga : 3,02 MiB
Tamaño de la instalación : 15,94 MiB
Encargado : André Silva <emulatorman@hyperbola.info>
Fecha de creación : mié 27 dic 2017 19:15:03 -05
Validado por : Suma MD5 Suma SHA-256 Firma
* config and/or log files etc.
Last update of php be v7.1.x is v7.1.23:
- https://secure.php.net/ChangeLog-7.php#7.1.23
Patch availabble from v7.1.5 https://bugs.php.net/bug.php?id=74544
Steps to reproduce:
- Install php
|
|
Any | Freedom Issue | Very High | Critical | [python-pip][python2-pip] Pip recommends proprietary so ... | Closed | |
Task Description
Description: pip allows the user to search and install packages from the PyPi repository, which contains proprietary software.
Additional info: * example of proprietary package in PyPi repository: https://pypi.org/project/snaplogic * Trisquel’s solution was to remove python-pip: https://trisquel.info/en/issues/3741
Steps to reproduce: $ sudo pacman -S python-pip $ pip search snaplogic # prints information about proprietary package $ pip install snaplogic # installs proprietary package
|
|
Any | Freedom Issue | Very High | Critical | [purple-skypeweb] Plugin only useful with Skype | Closed | |
Task Description
Please remove as plugin is only useful with Skype hosted by a single company on a single server as far as I can tell (unlike pidgin-sipe).
|
|
Any | Freedom Issue | Very High | Critical | [man-pages] contains nonfree POSIX manual pages | Closed | |
Task Description
Description:
Arch distributes a version of man-pages with manual pages from the POSIX standard. The man-pages project is permitted to distribute them and Andries Brouwer assumes that re-distribution by vendors is permitted as well. However, modification is definitively not allowed, hence this contribution by The Institute of Electrical and Electronics Engineers and The Open Group render the entire man-pages package nonfree. The way to solve it is remove all nonfree POSIX manual pages from man-pages package.
Additional info: * package version(s)
* config and/or log files etc.
The Institute of Electrical and Electronics Engineers (IEEE) and
The Open Group, have given us permission to reprint portions of
their documentation.
In the following statement, the phrase ``this text'' refers to
portions of the system documentation.
Portions of this text are reprinted and reproduced in electronic form
from IEEE Std 1003.1, 2013 Edition, Standard for Information Technology
-- Portable Operating System Interface (POSIX), The Open Group Base
Specifications Issue 7, Copyright (C) 2013 by the Institute of Electri-
cal and Electronics Engineers, Inc and The Open Group. (This is
POSIX.1-2008 with the 2013 Technical Corrigendum 1 applied.) In the
event of any discrepancy between this version and the original IEEE and
The Open Group Standard, the original IEEE and The Open Group Standard
is the referee document. The original Standard can be obtained online
at http://www.unix.org/online.html .
This notice shall appear on any product containing this material.
Redistribution of this material is permitted so long as this notice and
the corresponding notices within each POSIX manual page are retained on
any distribution, and the nroff source is included. Modifications to
the text are permitted so long as any conflicts with the standard
are clearly marked as such in the text.
Steps to reproduce:
|
|
Any | Bug Report | Very High | Critical | [linux-libre-lts] spinlock not released on kernel by i9 ... | Closed | |
Task Description
Description:
With the latest release of the kernel, xwindow does not start anymore. I had to revert to 4.9.143.
Additional info: * package version(s): linux-libre-lts-4.9.150_gnu-0-x86_64.pkg.tar.xz
Steps to reproduce:
Upgrade to the following: - linux-libre-lts-4.9.150_gnu-0-x86_64.pkg.tar.xz - linux-libre-lts-headers-4.9.150_gnu-0-x86_64.pkg.tar.xz - acpi_call-lts-1.1.0-42.hyperbola34.6-x86_64.pkg.tar.xz
And try to start xwindow
|
|
Any | Security Issue | Very Low | Critical | [dokuwiki] CVEs | Closed | |
Task Description
Our current dokuwiki 20170219_b-1 has two serious CVE.
Error message attached after the first installation
|
|
Any | Security Issue | Very Low | Critical | [tcpreplay] CVEs | Closed | |
Task Description
A huge number of CVEs have been fixed on 4.3.1 :
CVE-2018-20552 CVE-2018-20553 CVE-2018-18408 CVE-2018-18407 CVE-2018-17974 CVE-2018-17580 CVE-2018-17582 CVE-2018-13112
Current Hyperbola version is 4.2.6
|
|
Any | Bug Report | Very High | Critical | [electrum] package no longer works | Closed | |
|
|
Any | Bug Report | High | Critical | [electrum] updated package still does not work | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [supertuxkart] remove nonfree Ubuntu Font Family fonts | Closed | |
|
|
Any | Freedom Issue | Very Low | Critical | [flatpak] Access to proprietary applications | Closed | |
|
|
Any | Bug Report | Very Low | Critical | [msmtp] needs libressl | Closed | |
|
|
Any | Bug Report | Very High | Critical | [cups] [cups-filters] ServerBin directory inconsistency | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [clementine] using non-free services and interfaces | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [gens] contains nonfree Starscream code | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [gens-gs] contains nonfree Starscream code and the Poor ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [dgen-sdl] contains nonfree CZ80, dZ80, DrZ80, Multi-Z8 ... | Closed | |
|
|
Any | Bug Report | Very Low | Critical | [system-config-printer] Impossible to print some pdfs ( ... | Closed | |
|
|
Any | Freedom Issue | Very Low | Critical | [conky] Some serious issues | Closed | |
|
|
Any | Security Issue | Very High | Critical | [libarchive] CVE-2019-18408 | Closed | |
|
|
Any | Security Issue | Medium | Critical | [libjpeg-turbo] CVE-2019-2201 | Closed | |
|
|
Any | Privacy Issue | Very Low | Critical | [bleachbit] needs to be adapted to UXP applications | Closed | |
|
|
Any | Security Issue | Very Low | Critical | [unbound] Multiple CVEs | Closed | |
|
|
Any | Security Issue | Very Low | Critical | [opensmtpd] CVE-2020-8794 | Closed | |
|
|
Any | Security Issue | Very High | Critical | [grub2] UEFI SecureBoot vulnerability + multiple flaws ... | Closed | |
|
|
Any | Bug Report | Very High | Critical | [ath9k-htc-firmware]: not work | Closed | |
|
|
Any | Security Issue | High | High | [npapi-sdk] remove unsecure/deprecated package | Closed | |
|
|
Any | Security Issue | High | High | [npapi-vlc] remove unsecured package | Closed | |
|
|
Any | Security Issue | High | High | [nspluginwrapper] remove unsecure/deprecated package | Closed | |
|
|
Any | Security Issue | High | High | [x2goplugin] remove unsecure package | Closed | |
|
|
Any | Security Issue | High | High | [djview] remove unsecure "nsdejavu.so" | Closed | |
|
|
Any | Security Issue | High | High | [icedtea-web] remove unsecure "IcedTeaPlugin.so" | Closed | |
|