|
Any | Security Issue | Very High | Critical | [iceweasel-uxp-noscript] Zero-day bypass and script exe ... | Closed | |
Task Description
Description:
NoScript zero-day allows script execution even with scripts blocked by default.
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/
https://twitter.com/ma1/status/1039163003034324992
Additional info: * package version(s) < 5.1.8.7
Steps to reproduce: Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”
|
|
Any | Security Issue | Very High | Critical | [util-linux] CVE-2018-7738 | Closed | |
Task Description
Description: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/
|
|
Any | Security Issue | Very High | Critical | [schroedinger] unmaintained and unsupportable | Closed | |
Task Description
Description:
Remove Schrödinger in Hyperbola because it’s unmaintained and unsupportable. [0] [1]
Additional info:
$ pacman -Si schroedinger
Repository : extra
Name : schroedinger
Version : 1.0.11-3
Description : An implemenation of the Dirac video codec in ANSI C code
Architecture : x86_64
URL : https://launchpad.net/schroedinger
Licenses : GPL2 LGPL2.1 MPL MIT
Groups : None
Provides : None
Depends On : orc gcc-libs
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 331.64 KiB
Installed Size : 1676.00 KiB
Packager : Evangelos Foutras <evangelos@foutrelis.com>
Build Date : Sat 05 Dec 2015 12:28:01 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2017-17670 | Closed | |
Task Description
Description:
In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2018-11529 | Closed | |
Task Description
Description:
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [qtpass] Insecure Password Generation prior to 1.2.1 | Closed | |
Task Description
Description: As stated on the home page of the project (https://qtpass.org/): <quote> All passwords generated with QtPass’ built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers. </quote>
|
|
Any | Security Issue | Very High | Critical | [toxcore] Memory leak - Remote DDoS vunerability | Closed | |
Task Description
Description:
A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.
Additional info: * package version(s): < 2.8
https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/
|
|
Any | Security Issue | Very High | Critical | [libssh] CVE-2018-10933 | Closed | |
Task Description
Description: libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
Additional info: * package version(s) : extra/libssh 0.7.5-1
CVE
|
|
Any | Security Issue | Very High | Critical | [openldap] 2.4.44 multiple security issues | Closed | |
Task Description
Description: Changelog
2.4.46 is fixing a huge quantity of issues (TLS related & memory leak)
Additional info: * package version(s) : 2.4.44
|
|
Any | Security Issue | Very High | Critical | [php] CVE-2017-9120 | Closed | |
Task Description
Description:
PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.
Additional info: * package version(s)
$ pacman -Si php
Repositorio : extra
Nombre : php
Versión : 7.1.4-3.hyperbola3
Descripción : A general-purpose scripting language that is especially suited to web development, without systemd support
Arquitectura : x86_64
URL : http://www.php.net
Licencias : PHP
Grupos : Nada
Provee : php-ldap=7.1.4
Depende de : libxml2 curl libzip pcre
Dependencias opcionales : Nada
En conflicto con : php-ldap
Remplaza a : php-ldap
Tamaño de la descarga : 3,02 MiB
Tamaño de la instalación : 15,94 MiB
Encargado : André Silva <emulatorman@hyperbola.info>
Fecha de creación : mié 27 dic 2017 19:15:03 -05
Validado por : Suma MD5 Suma SHA-256 Firma
* config and/or log files etc.
Last update of php be v7.1.x is v7.1.23:
- https://secure.php.net/ChangeLog-7.php#7.1.23
Patch availabble from v7.1.5 https://bugs.php.net/bug.php?id=74544
Steps to reproduce:
- Install php
|
|
Stable | Security Issue | Very High | Critical | [exim] CVE-2019-10149 | Closed | |
Task Description
Description: There’s an active, ongoing campaign exploiting a widespread vulnerability in linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.
https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
https://www.openwall.com/lists/oss-security/2019/06/06/1
|
|
Any | Security Issue | Very High | Critical | [libarchive] CVE-2019-18408 | Closed | |
Task Description
https://www.zdnet.com/article/libarchive-vulnerability-can-lead-to-code-execution-on-linux-freebsd-netbsd/
https://security-tracker.debian.org/tracker/CVE-2019-18408
|
|
Any | Security Issue | Very High | Critical | [grub2] UEFI SecureBoot vulnerability + multiple flaws ... | Closed | |
Task Description
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/
https://9to5linux.com/grub2-boot-failure-issues-fixed-in-debian-and-ubuntu-update-now
|
|
Any | Update Request | Very High | Critical | [certbot] update package to support ACMEv2 and Wildcard | Closed | |
Task Description
Since certbot v0.22.0[0] there’s support for ACMEv2 and Wildcard. This is an important update since wildcard SSL certificates can make server security and maintaince easier by supporting all subdomains of a base domain.
Debian Stretch (stable) uses certbot 0.10.2 but there’s 0.23.0 in stretch-backports repository[1]. So I’d like to request an update or a backport of certbot and its dependencies.
These are the actual packages versions from Hyperbola and Arch:
certbot (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
python-acme (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
python-configargparse (0.12.0-1) / Hyperbola version ⇒ (0.11.0-2) [=]
python-parsedatetime (2.4-1) / Hyperbola version ⇒ (2.3-1) [x]
python-pbr (4.0.2-1) / Hyperbola version ⇒ (3.0.0-1) [<]
python-pytz (2018.4-1) / Hyperbola version ⇒ (2017.2-1) [<]
python-zope-component (4.4.1-1) / Hyperbola version ⇒ (4.3.0-2) [=]
python-zope-event (4.3.0-1) / Hyperbola version ⇒ (4.2.0-2) [=]
NOTE: packages marked with an “[x]” means that the pkg has Debian Stretch backports of the proposed updated version. The “[=]” means that Debian has no backports but uses the same version of the pkg as Hyperbola. The [<] means the Debian Version lower than Hyperbola’s Version.
The packages that may get the update should be only the ones marked with an [x], if we follow the Debian Stretch devel. If certbot gets the update, then the following Arch packages need to be added for obtaining wildcard certificates throught the DNS challenge:
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53
I ommited certbot-dns-google since it’s not compatible with the Hyperbola Packaging Guidelines.
[0] https://community.letsencrypt.org/t/certbot-0-22-0-release-with-acmev2-and-wildcard-support/55061 [1] https://packages.debian.org/search?keywords=certbot
|
|
Any | Update Request | Very High | High | [babl] update package to v0.1.50 | Closed | |
Task Description
Description:
update package to v0.1.50 version
Note: Update [gegl] or Backport [gegl] and [gimp]
https://issues.hyperbola.info/index.php?do=details&task_id=1052
https://issues.hyperbola.info/index.php?do=details&task_id=1053
https://issues.hyperbola.info/index.php?do=details&task_id=1054
Additional info:
babl 0.1.38-1.hyperbola1
$ pacman -Si babl
Repository : extra
Name : babl
Version : 0.1.38-1.hyperbola1
Description : Dynamic, any to any, pixel format conversion library
Architecture : x86_64
URL : http://gegl.org/babl/
Licenses : LGPL3
Groups : None
Provides : None
Depends On : glibc
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 237.72 KiB
Installed Size : 734.00 KiB
Packager : André Silva <emulatorman@hyperbola.info>
Build Date : Sun 31 Dec 2017 05:31:32 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Steps to reproduce:
none
|
|
Any | Update Request | Very High | High | [gegl] update package to 0.3.34 | Closed | |
Task Description
Description:
Update package to 0.3.34 version
Note: Update package to 0.3.34 version
or update package to 0.4.2 backport and GIMP 2.10.2 backport
Update [babl] package
https://issues.hyperbola.info/index.php?do=details&task_id=1051
https://issues.hyperbola.info/index.php?do=details&task_id=1053
https://issues.hyperbola.info/index.php?do=details&task_id=1054
Additional info:
gegl 0.3.26-2.hyperbola1
$ pacman -Si gegl
Repository : extra
Name : gegl
Version : 0.3.26-2.hyperbola1
Description : Graph based image processing framework
Architecture : x86_64
URL : http://www.gegl.org/
Licenses : GPL3 LGPL3
Groups : None
Provides : None
Depends On : babl libspiro json-glib
Optional Deps : libraw: raw plugin
openexr: openexr plugin
ffmpeg: ffmpeg plugin
suitesparse: matting-levin plugin
librsvg: svg plugin
jasper: jasper plugin
libtiff: tiff plugin
lua: lua plugin
lensfun: lens-correct plugin
Conflicts With : gegl02
Replaces : gegl02
Download Size : 1347.15 KiB
Installed Size : 6823.00 KiB
Packager : André Silva <emulatorman@hyperbola.info>
Build Date : Sun 31 Dec 2017 05:37:41 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Steps to reproduce:
none
|
|
Any | Update Request | Very High | High | [krita] update to 3.1.4 version | Closed | |
Task Description
Description:
Update to 3.1.4 version
Additional info:
krita 3.1.3
$ pacman -Qi krita
Name : krita
Version : 3.1.3-1
Description : Edit and paint images
Architecture : x86_64
URL : http://krita.org
Licenses : LGPL
Groups : None
Provides : None
Depends On : kio kitemmodels gsl libraw exiv2 openexr fftw curl boost-libs hicolor-icon-theme
Optional Deps : poppler-qt5: PDF filter [installed]
ffmpeg: to save animations [installed]
opencolorio: for the LUT docker [installed]
Required By : None
Optional For : None
Conflicts With : calligra-krita krita-l10n
Replaces : calligra-krita krita-l10n
Installed Size : 112.43 MiB
Packager : Antonio Rojas <arojas@archlinux.org>
Build Date : Fri 28 Apr 2017 07:57:59 AM -03
Install Date : Tue 12 Sep 2017 03:28:32 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
Steps to reproduce: contains some bugs
|