|
Any | Security Issue | Very Low | Medium | [qemu] Multiple CVE | Closed | |
Task Description
CVE-2018-20123 QEMU: pvrdma: memory leakage in device hotplug https://www.openwall.com/lists/oss-security/2018/12/13/4
CVE-2018-16872 Qemu: usb-mtp: path traversal by host filesystem manipulation in Media Transfer Protocol (MTP) https://www.openwall.com/lists/oss-security/2018/12/13/11
Patches included at above URLs.
|
|
Any | Security Issue | Very Low | Critical | [dokuwiki] CVEs | Closed | |
Task Description
Our current dokuwiki 20170219_b-1 has two serious CVE.
Error message attached after the first installation
|
|
Any | Security Issue | Very Low | Critical | [tcpreplay] CVEs | Closed | |
Task Description
A huge number of CVEs have been fixed on 4.3.1 :
CVE-2018-20552 CVE-2018-20553 CVE-2018-18408 CVE-2018-18407 CVE-2018-17974 CVE-2018-17580 CVE-2018-17582 CVE-2018-13112
Current Hyperbola version is 4.2.6
|
|
Any | Security Issue | Very Low | Medium | Download debian-fixes instead of relying on external so ... | Closed | |
Task Description
It happened already with minetest and again with prosody: When trying to build own packages with makepkg there are patches downloaded from the Debian-project. But the given HTTP(S)-sources are no longer available, concrete example within prosody to be found: https://deb.debian.org/debian/pool/main/p/prosody/prosody_0.10.2-1~bpo9+1.debian.tar.xz (not available)
Please don’t rely on those external sources when creating PKGBUILD-files or just give users the possibility for a secure and granted download. Therefore I cannot build prosody on my own now!
|
|
Any | Security Issue | Very Low | Critical | [unbound] Multiple CVEs | Closed | |
Task Description
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
[Critical] https://security-tracker.debian.org/tracker/CVE-2019-18934
|
|
Stable | Security Issue | Very Low | Critical | [lts-kernel][sec] filter /dev/mem access & restrict acc ... | Closed | |
Task Description
These two options could be enabled :
Kernel hacking → [*] Filter access to /dev/mem [*] Filter I/O access to /dev/mem
Security options → [*] Restrict unprivileged access to the kernel syslog
|
|
Any | Security Issue | Very Low | High | [tigervnc] Multiple CVE | Closed | |
Task Description
https://www.openwall.com/lists/oss-security/2019/12/20/2
“This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow an malicious peer to take control over the software on the other side.”
|
|
Any | Security Issue | Very Low | Critical | [opensmtpd] CVE-2020-8794 | Closed | |
Task Description
Description: https://www.openwall.com/lists/oss-security/2020/02/24/5 https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/
Qualys Security Advisory
LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)
Summary Analysis ... Acknowledgments
We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, “when peer outputs a multi-line response ...”), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, “switch smtpd to new grammar”); or as any non-root user, before May 2018.
Because this vulnerability resides in OpenSMTPD’s client-side code (which delivers mail to remote SMTP servers), we must consider two different scenarios:
- Client-side exploitation: This vulnerability is remotely exploitable
in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.
- Server-side exploitation: First, the attacker must connect to the
OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).
We developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first vulnerable release), Debian 10 (stable), Debian 11 (testing), and Fedora 31.
The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”
|
|
Stable | Security Issue | Very Low | Medium | [git] Multiple CVEs | Closed | |
Task Description
CVE-2020-5260 has been fixed very recently in Debian, so I thought I would apply this patch. However, I found out that security patches have not been applied for quite a while (I could account for at least 6 CVEs).
Considering that the version in Debian stretch (2.11.0) is the nearest version with security patches released by Debian and that git project oldest supported version is 2.17, I have used patches from Debian stretch to apply on 2.12.2 currently in Milky Way.
But I have the following error on check():
| *** prove ***
|
| Test Summary Report
| -------------------
| t5570-git-daemon.sh (Wstat: 256 Tests: 20 Failed: 10)
| Failed tests: 3-7, 15-19
| Non-zero exit status: 1
| t5811-proto-disable-git.sh (Wstat: 256 Tests: 26 Failed: 16)
| Failed tests: 2-6, 9-11, 15-19, 21-23
| Non-zero exit status: 1
| Files=769, Tests=14137, 1101 wallclock secs ( 8.08 usr 1.12 sys + 144.48 cusr 63.42 csys = 217.10 CPU)
| Result: FAIL
| make[1]: *** [Makefile:45: prove] Error 1
| make[1]: Leaving directory '/build/git/src/git-2.12.2/t'
| make: *** [Makefile:2291: test] Error 2
| ==> ERROR: A failure occurred in check().
| Aborting...
This does not seem to be related to my change as the current version in Milky Way produces the same error (IOW the package currently in Milky Way is not rebuidable).
|
|
Any | Security Issue | Very Low | Medium | mount.davfs: unknown file system davfs due to paths cha ... | Closed | |
Task Description
This is same issue as on: https://bugzilla.redhat.com/show_bug.cgi?id=1151273
The paths changed and trying to mount davfs file system defined in /etc/fstab fails with error: unknown file system davfs
To remedy, I made symlink in /sbin to mount.davfs
The transition of paths had to take that in account as many mounted remote disks failed after upgrade.
|
|
Any | Update Request | Very Low | Medium | [mesa] needs update | Closed | |
Task Description
mesa package is outdated on version 17.0.5. speaking with some Sway dev and trying to compile wlroots fails because it relies on mesa 17.2.3
|
|
Any | Update Request | Very Low | High | ufw update/ufw bug | Closed | |
Task Description
There appears to be a bug with the current version of ufw, 0.35-2
Dunno if updating it would fix it, but it is kind of annoying and possibly security issue.
it says ufw is inactive when I reboot despite it being installed in the runlevel.
|
|
Any | Update Request | Very Low | High | [proj]: please update to latest version | Closed | |
Task Description
Description:
https://proj4.org/index.html
This package have valuable geodetic applications, and I intend to present Hyperbola GNU/Linux-libre soon in universities and schools in East Africa.
The coordinate system there is not WGS84 and this package only in new version is providing the conversion from East African geographic coordinates to WGS84, and will be very usable in many industrial and private applications.
|
|
Stable | Update Request | Very Low | Medium | [minetest] update package to 0.4.17.1 | Closed | |
Task Description
In the latest version fixes some bugs and a crash, and small features[1].
[1]: https://dev.minetest.net/Changelog (see section 0.4.17 and 0.4.17.1 for more details)
|
|
Any | Update Request | Very Low | Medium | Update addon random agent spoofer | Closed | |
Task Description
The useragents in random agent spoofer are detected as old apart from, firefox 60 for win7 and win10.*
I recommend focusing on the ones most people still use of each os type and scrapping the rest.
aka, for each section, such as winbugs, mac, gnu/linux... unix, android, etc...
Keep the most used ones, and update them often.
I only suggest this, because it is less work for your team.
*Of all the firefox ones, those are the only ones that work...
|
|
Stable | Update Request | Very Low | Medium | [xfe] update package to 1.43.1 | Closed | |
Task Description
In the latest version fixes several minor bugs and search file function issue[1].
[1]: http://roland65.free.fr/xfe/ (see 1.43 and 1.43.1 in the news section)
|
|
Any | Update Request | Very Low | Medium | [grafx2] update package to 2.6 | Closed | |
Task Description
In the latest version was released on 11th of January 2019, with several new features, improvements and fixes[1].
[1]: http://grafx2.chez.com/index.php?article9/2010s (see version 2.6 for more details in update log)
|
|
Stable | Update Request | Very Low | Medium | [cantarell-fonts] update package version to 0.111 | Closed | |
Task Description
Prior version 0.0.25 and below are outdated.
Since version 0.100 and later, there are some changes being redesigned from scratch, added three new weights (including extra bold, light and thin) but not italic or oblique styles, AppStream metadata translations from contributors, and more.
See the version history releases for more details: https://gitlab.gnome.org/GNOME/cantarell-fonts/raw/master/NEWS
|
|
Any | Update Request | Very Low | Very Low | [youtube-viewer] minor fix: function API name | Closed | |
Task Description
Description:
Fixes[0] a small error in the name API function extract.
Replaced name `indivious` to `invidious`
Attached[1] patch update
- [0]:https://github.com/arankaren/youtube-viewer/commit/a464c878579f22c1cf7e5e54897c5ecaf27e333e
- [1]:https://paste.debian.net/plain/1091395
|
|
Any | Update Request | Very Low | Medium | [minetest] update package version to 5.0.1 | Closed | |
Task Description
In version 5.0.0 and 5.0.1, there are several added and changed (new or existing) features and functions, and fixed bug, crash and other issues.
See those two sections in the version history releases for more details: https://dev.minetest.net/Changelog
|
|
Any | Update Request | Very Low | High | [php] update to old stable PHP 7.1.32 | Closed | |
Task Description
Description:
Version 7.1.32
29 Aug 2019
mbstring: * Fixed CVE-2019-13224 (don’t allow different encodings for onig_new_deluxe) (stas) * pcre: Fixed bug #75457 (heap use-after-free in pcrelib) (cmb)
|
|
Testing | Update Request | Very Low | Medium | [lmms] update package version to 1.2.0 | Closed | |
Task Description
In the latest version, it has many more changes with new and improvement features, and fixes function issues since released as preview stage in every eight times per three years ago[1]. And also it is possible to rebuild package with sndio.
[1]: https://github.com/LMMS/lmms/releases/ (see all sections below from 1.2.0-RC1 to 1.2.0 in the version history releases)
|
|
Stable | Update Request | Very Low | Critical | [qt5] request for upgrade | Closed | |
Task Description
I know that upgrading Qt is not a trivial task, but would it be possible to do this anyway? Qt 5.8 has issues that other versions do not have. See for example the discussion here about Projecteur, a very useful tool. Hyperbola seems to be the only Linux distribution unable to run it, just because of Qt 5.8:
https://github.com/jahnf/Projecteur/issues/26
|
|
Any | Update Request | Very Low | High | [mpv] request for package bump | Closed | |
Task Description
Hello,
Would it be possible to get a package bump for mpv ?
Currently, Debian Buster (stable) uses 0.29.1-1. This would be great as it introduces many fixes and support for lua scripts I heavily use. 0.29.* requires a ffmpeg to 4.x series as well.
Thanks.
|
|
Stable | Update Request | Very Low | Low | [icewm] Upgrade package version | Closed | |
Task Description
The current version of the package icewm within the Hyperbola-repositories is 1.3.8. The latest version is 1.6.3! An update would be helpful as this window-manager follows absolutely the principles of the distribution Hyperbola itself, being simple and fast.
|
|
Stable | Update Request | Very Low | Medium | [varnish] Missing init script | Closed | |
|
|
Any | Backport Request | Low | Medium | [docker] package request | Closed | |
|
|
Any | Bug Report | Low | High | [php-fpm] service fails to start | Closed | |
|
|
Any | Bug Report | Low | Medium | [openrc] Error: fopen(/run/openrc/rc.log) failed: No su ... | Closed | |
|
|
Any | Bug Report | Low | Medium | [cryptsetup] when dmcrypt start, the "/" filesystem, m... | Assigned | |
|
|
Any | Bug Report | Low | Medium | [cryptsetup] can't umount luks filesystem on reboot/shu ... | Closed | |
|
|
Any | Bug Report | Low | Medium | [samba] wrong permissions on /etc/conf.d folder | Closed | |
|
|
Any | Bug Report | Low | Low | [x11vnc] service contains error: "Service 'x11vnc' need ... | Closed | |
|
|
Any | Bug Report | Low | Critical | [openvswitch-lts] netifrc fails to start openvwitch int ... | Closed | |
|
|
Any | Bug Report | Low | Critical | [hostapd] fails to start at boot when using openvwitch ... | Closed | |
|
|
Any | Bug Report | Low | Low | [usbutils] lsusb does not list device names | Closed | |
|
|
Any | Bug Report | Low | Low | [emacs-nox] uses "nox" suffix | Closed | |
|
|
Any | Bug Report | Low | Low | [erlang-nox] uses "nox" suffix | Closed | |
|
|
Any | Bug Report | Low | Low | [qbittorrent-nox] uses "nox" suffix | Closed | |
|
|
Stable | Bug Report | Low | Medium | Garbled display with xfce4-terminal (terminfo) | Closed | |
|
|
Any | Bug Report | Low | Low | [crystal] error build Invidious | Closed | |
|
|
Any | Bug Report | Low | High | [kaccounts-integration] option to add NextCloud/OwnClou ... | Closed | |
|
|
Any | Bug Report | Low | High | [kdenetwork-kopete] clicking to add an Jabber Account o ... | Closed | |
|
|
Any | Bug Report | Low | High | [xfce4-power-manager] locking session issue | Closed | |
|
|
Any | Bug Report | Low | Low | [xdg-utils] doesn't work with -uxp applications and has ... | Closed | |
|
|
Any | Drop Request | Low | Low | [gegl02] remove unmaintained version of GEGL | Closed | |
|
|
Any | Drop Request | Low | Low | [nginx-mainline] remove unstable and duplicated package | Closed | |
|
|
Any | Drop Request | Low | Low | [libreoffice-fresh*] remove unstable and duplicated pac ... | Closed | |
|
|
Any | Drop Request | Low | Low | [autoconf-2.64] remove duplicated package | Closed | |
|
|
Any | Drop Request | Low | Low | [wine*] remove unstable and staging packages | Closed | |
|