Packages

Description:

NoScript zero-day allows script execution even with scripts blocked by default.

https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

https://twitter.com/ma1/status/1039163003034324992

Additional info:
* package version(s) < 5.1.8.7

Steps to reproduce:
Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”

Description:
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

Description:

• Remove Schrödinger in Hyperbola because it’s unmaintained and unsupportable. [0] [1]

• Note: It requires [ffmpeg], [ffmpeg2.8] and [gst-plugins-bad] rebuilding

Additional info:

• schroedinger 1.0.11-3

$ pacman -Si schroedinger
Repository      : extra
Name            : schroedinger
Version         : 1.0.11-3
Description     : An implemenation of the Dirac video codec in ANSI C code
Architecture    : x86_64
URL             : https://launchpad.net/schroedinger
Licenses        : GPL2  LGPL2.1  MPL  MIT
Groups          : None
Provides        : None
Depends On      : orc  gcc-libs
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 331.64 KiB
Installed Size  : 1676.00 KiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Sat 05 Dec 2015 12:28:01 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

• Contains security holes.

Description:

• In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.

Additional info:
* package version(s)

• 2.2.6-1.hyperbola1

* config and/or log files etc.

• None

Steps to reproduce:

• Run VLC

Description:

• VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

Additional info:
* package version(s)

• 2.2.6-1.hyperbola1

* config and/or log files etc.

• None

Steps to reproduce:

• Run VLC

Description:
As stated on the home page of the project (https://qtpass.org/):
<quote>
All passwords generated with QtPass’ built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers.
</quote>

Description:

A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.

Additional info:
* package version(s): < 2.8

https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/

Description:
libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authentciate
without any credentials.

Additional info:
* package version(s) : extra/libssh 0.7.5-1

CVE

Description:
Changelog

2.4.46 is fixing a huge quantity of issues (TLS related & memory leak)

Additional info:
* package version(s) : 2.4.44

Description:

PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.

Additional info:
* package version(s)

$ pacman -Si php
Repositorio               : extra
Nombre                    : php
Versión                   : 7.1.4-3.hyperbola3
Descripción               : A general-purpose scripting language that is especially suited to web development, without systemd support
Arquitectura              : x86_64
URL                       : http://www.php.net
Licencias                 : PHP
Grupos                    : Nada
Provee                    : php-ldap=7.1.4
Depende de                : libxml2  curl  libzip  pcre
Dependencias opcionales   : Nada
En conflicto con          : php-ldap
Remplaza a                : php-ldap
Tamaño de la descarga     : 3,02 MiB
Tamaño de la instalación  : 15,94 MiB
Encargado                 : André Silva <emulatorman@hyperbola.info>
Fecha de creación         : mié 27 dic 2017 19:15:03 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

* config and/or log files etc.

Last update of php be v7.1.x is v7.1.23:

- https://secure.php.net/ChangeLog-7.php#7.1.23

Patch availabble from v7.1.5
https://bugs.php.net/bug.php?id=74544

Steps to reproduce:

- Install php

Description: There’s an active, ongoing campaign exploiting a widespread vulnerability in linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.

https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

https://www.openwall.com/lists/oss-security/2019/06/06/1

https://www.zdnet.com/article/libarchive-vulnerability-can-lead-to-code-execution-on-linux-freebsd-netbsd/

https://security-tracker.debian.org/tracker/CVE-2019-18408

https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

https://9to5linux.com/grub2-boot-failure-issues-fixed-in-debian-and-ubuntu-update-now

Since certbot v0.22.0[0] there’s support for ACMEv2 and Wildcard. This is an important update since wildcard SSL certificates can make server security and maintaince easier by supporting all subdomains of a base domain.

Debian Stretch (stable) uses certbot 0.10.2 but there’s 0.23.0 in stretch-backports repository[1]. So I’d like to request an update or a backport of certbot and its dependencies.

These are the actual packages versions from Hyperbola and Arch:

• certbot (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
• python-acme (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
• python-configargparse (0.12.0-1) / Hyperbola version ⇒ (0.11.0-2) [=]
• python-parsedatetime (2.4-1) / Hyperbola version ⇒ (2.3-1) [x]
• python-pbr (4.0.2-1) / Hyperbola version ⇒ (3.0.0-1) [<]
• python-pytz (2018.4-1) / Hyperbola version ⇒ (2017.2-1) [<]
• python-zope-component (4.4.1-1) / Hyperbola version ⇒ (4.3.0-2) [=]
• python-zope-event (4.3.0-1) / Hyperbola version ⇒ (4.2.0-2) [=]

NOTE: packages marked with an “[x]” means that the pkg has Debian Stretch backports of the proposed updated version. The “[=]” means that Debian has no backports but uses the same version of the pkg as Hyperbola. The [<] means the Debian Version lower than Hyperbola’s Version.

The packages that may get the update should be only the ones marked with an [x], if we follow the Debian Stretch devel. If certbot gets the update, then the following Arch packages need to be added for obtaining wildcard certificates throught the DNS challenge:

• certbot-dns-cloudflare
• certbot-dns-cloudxns
• certbot-dns-digitalocean
• certbot-dns-dnsimple
• certbot-dns-dnsmadeeasy
• certbot-dns-luadns
• certbot-dns-nsone
• certbot-dns-rfc2136
• certbot-dns-route53

I ommited certbot-dns-google since it’s not compatible with the Hyperbola Packaging Guidelines.

[0] https://community.letsencrypt.org/t/certbot-0-22-0-release-with-acmev2-and-wildcard-support/55061
[1] https://packages.debian.org/search?keywords=certbot

Description:

update package to v0.1.50 version

Note: Update [gegl] or Backport [gegl] and [gimp]
      https://issues.hyperbola.info/index.php?do=details&task_id=1052
      https://issues.hyperbola.info/index.php?do=details&task_id=1053
      https://issues.hyperbola.info/index.php?do=details&task_id=1054

Additional info:

babl 0.1.38-1.hyperbola1

$ pacman -Si babl
Repository      : extra
Name            : babl
Version         : 0.1.38-1.hyperbola1
Description     : Dynamic, any to any, pixel format conversion library
Architecture    : x86_64
URL             : http://gegl.org/babl/
Licenses        : LGPL3
Groups          : None
Provides        : None
Depends On      : glibc
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 237.72 KiB
Installed Size  : 734.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Sun 31 Dec 2017 05:31:32 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

none

Description:

Update package to 0.3.34 version

Note: Update package to 0.3.34 version
      or update package to 0.4.2 backport and GIMP 2.10.2 backport
      Update [babl] package
      https://issues.hyperbola.info/index.php?do=details&task_id=1051
      https://issues.hyperbola.info/index.php?do=details&task_id=1053
      https://issues.hyperbola.info/index.php?do=details&task_id=1054

Additional info:

gegl 0.3.26-2.hyperbola1

$ pacman -Si gegl
Repository      : extra
Name            : gegl
Version         : 0.3.26-2.hyperbola1
Description     : Graph based image processing framework
Architecture    : x86_64
URL             : http://www.gegl.org/
Licenses        : GPL3  LGPL3
Groups          : None
Provides        : None
Depends On      : babl  libspiro  json-glib
Optional Deps   : libraw: raw plugin
                  openexr: openexr plugin
                  ffmpeg: ffmpeg plugin
                  suitesparse: matting-levin plugin
                  librsvg: svg plugin
                  jasper: jasper plugin
                  libtiff: tiff plugin
                  lua: lua plugin
                  lensfun: lens-correct plugin
Conflicts With  : gegl02
Replaces        : gegl02
Download Size   : 1347.15 KiB
Installed Size  : 6823.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Sun 31 Dec 2017 05:37:41 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

none

Description:

Update to 3.1.4 version

Additional info:

krita 3.1.3

$ pacman -Qi krita
Name            : krita
Version         : 3.1.3-1
Description     : Edit and paint images
Architecture    : x86_64
URL             : http://krita.org
Licenses        : LGPL
Groups          : None
Provides        : None
Depends On      : kio  kitemmodels  gsl  libraw  exiv2  openexr  fftw  curl  boost-libs  hicolor-icon-theme
Optional Deps   : poppler-qt5: PDF filter [installed]
                  ffmpeg: to save animations [installed]
                  opencolorio: for the LUT docker [installed]
Required By     : None
Optional For    : None
Conflicts With  : calligra-krita  krita-l10n
Replaces        : calligra-krita  krita-l10n
Installed Size  : 112.43 MiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Fri 28 Apr 2017 07:57:59 AM -03
Install Date    : Tue 12 Sep 2017 03:28:32 AM -03
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Steps to reproduce:
contains some bugs