Packages

Category | Task Type | Priority | Severity | Summary | Status | Progress
Any | Security Issue | Very High | Critical | [znc] CVE-2018-14055: privilege escalation & CVE-2018-1 ... | Closed | 100%
Task Description

Severity: high

Versions affected:
1.6.0 through 1.7.0
Potentially, all earlier versions too, but there is no known way to
trigger this before 1.6.0

Mitigation:
upgrade to 1.7.1

Description:
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming
from the network, allowing a non-admin user to escalate privilege,
inject rogue values into znc.conf, and gain shell access.

Upstream patches:
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

Severity: medium

Versions affected:
0.045 through 1.7.0

Mitigation:
upgrade to 1.7.1, or disable HTTP via the `/msg *status AddPort` and
`/msg *status DelPort` commands.

Description:
ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user
can set web skin name to ../ to access files outside of the intended
skins directories and to cause DoS.

Upstream patch:
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
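Both flaws above are input-validation failures, so here is an added example (not ZNC's own code) that shows each vulnerable pattern next to a hardened one in Python. It assumes, since the page does not say, that the znc.conf injection works by smuggling a line break into a value the daemon later writes back to its flat `Key = Value` config; the skins directory path and the `Admin = true` target key are invented for illustration.

```python
"""Added example (not ZNC code): the two input-validation failures behind the
1.7.1 advisories, each shown as the vulnerable pattern beside a hardened one.
Assumptions not stated on the page: the znc.conf injection is modelled as a
line break smuggled into a value that is written back to a flat "Key = Value"
config, and the skins directory location is invented."""
import posixpath
from typing import Dict, Optional

SKINS_DIR = "/usr/share/znc/webskins"   # assumed path, for illustration only


# --- 1. line injection into a flat "Key = Value" config ---------------------

def config_line_unsafe(key: str, value: str) -> str:
    """Vulnerable: serialises whatever arrived from the network, CR/LF included."""
    return f"{key} = {value}\n"


def config_line(key: str, value: str) -> str:
    """Hardened: a value must not be able to start a new config line."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{key}: value must not contain line breaks")
    return f"{key} = {value}\n"


def parse_flat_config(text: str) -> Dict[str, str]:
    """Minimal reader for the format above, enough to show what gets reloaded."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


# --- 2. "../" in a web skin name --------------------------------------------

def skin_path_unsafe(name: str) -> str:
    """Vulnerable: joins the user-chosen skin name straight onto the skins root."""
    return posixpath.normpath(posixpath.join(SKINS_DIR, name))


def skin_path(name: str) -> Optional[str]:
    """Hardened: a skin name is exactly one plain path component, or it is rejected."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        return None
    return posixpath.join(SKINS_DIR, name)


def is_inside(root: str, path: str) -> bool:
    """True if `path` is `root` or lies beneath it after lexical normalisation."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


if __name__ == "__main__":
    # Constructed attacker input: a nick that carries a second config line.
    payload = "evil\nAdmin = true"          # "Admin = true" is an assumed target key
    print(parse_flat_config(config_line_unsafe("Nick", payload)))
    try:
        config_line("Nick", payload)
    except ValueError as exc:
        print("rejected:", exc)

    for skin in ("_default_", "../"):
        resolved = skin_path_unsafe(skin)
        print(skin, "->", resolved, "inside skins dir:", is_inside(SKINS_DIR, resolved),
              "| hardened:", skin_path(skin))
```

The hardened skin check deliberately rejects anything that is not a single path component instead of trying to normalise and compare paths after the fact; that rule needs no filesystem access and leaves no room for encoding tricks to slip through a string comparison.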

Any | Security Issue | Very High | Critical | [xulrunner] unmaintained and unsupportable | Closed | 100%
Task Description

Remove “xulrunner”[0][1]: it is an insecure, abandoned package.

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner
Licenses : MPL GPL LGPL
Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com
Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]: https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[1]: https://tracker.debian.org/pkg/xulrunner

Stable | Freedom Issue | Very High | Critical | [xorg-fonts-misc] contains non-libre/free Syriac typefa ... | Closed | 100%
Task Description

The Syriac typeface family from Beth Mardutho’s Meltho series is considered non-libre/non-free because its licence forbids modification[1], and it should be removed immediately.

[1]: https://github.com/freedesktop/xorg-misc-meltho/raw/master/license.txt

Any | Freedom Issue | Very High | Critical | [xmind] is probably directing users to proprietary soft ... | Closed | 100%
Task Description

xmind, when installed, shows that “this version is not licensed”, which cannot be right. Even though there is a GPL license on GitHub, that vague information in the software can be, and is, misunderstood.

Further, it asks for a license key to get the “Pro” version.

Thus xmind is pointing users to proprietary software.

That means xmind must be removed from Hyperbola immediately, since as it is now it cannot be part of a fully free GNU distribution.

Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | 100%
Task Description

http://openwall.com/lists/oss-security/2018/04/30/1
An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2
A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1
A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

Any | Security Issue | Very High | Critical | [wpa_supplicant] vulnerable to KRACK attack | Closed | 100%
Task Description

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | 100%
Task Description

An external attacker is able to inject arbitrary cookie values into the cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

Any | Feature Request | Very High | High | [wesnoth] contains systemd unit files | Closed | 100%
Task Description

Description:

  • The Arch version of Wesnoth from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit files must be removed or replaced with OpenRC init scripts.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : wesnoth
Version         : 1.12.6-4
Description     : A turn-based strategy game on a fantasy world
Architecture    : x86_64
URL             : http://www.wesnoth.org/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : sdl_ttf  sdl_net  sdl_mixer  sdl_image  fribidi  boost-libs  pango  lua52  wesnoth-data  dbus  python2
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 4.97 MiB
Installed Size  : 22.86 MiB
Packager        : Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
Build Date      : Mon 02 Jan 2017 07:52:21 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
/usr/lib/systemd/system/wesnothd.service is owned by wesnoth 1.12.6-4
/usr/lib/tmpfiles.d/wesnothd.conf is owned by wesnoth 1.12.6-4

Steps to reproduce:

  • Install package.
Any | Security Issue | Very High | Critical | [wesnoth] CVE-2018-1999023 - Code Injection vulnerabili ... | Closed | 100%
Task Description

The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appears to be exploitable via loading specially-crafted saved games, networked games, replays, and player content.

https://security-tracker.debian.org/tracker/CVE-2018-1999023

Upstream patch: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318

Any | Bug Report | Very High | Critical | [warsow] the package is not compiled from source | Closed | 100%
Task Description

The package is not compiled from source

Any | Freedom Issue | Very High | Critical | [warsow] contains Steam support | Closed | 100%
Task Description

Warsow contains a library called steamlib which is built from source. It is useful only for Steam support, and Steam is nonfree software.

Any | Freedom Issue | Very High | Critical | [warsow-data] the package contains nonfree assets (CC B ... | Closed | 100%
Task Description

The package contains nonfree assets:
data0_000_nonfree_21.pk3
data0_000_nonfree_21pure.pk3
tex_000_nonfree.pk3

Any | Security Issue | Very High | Critical | [w3m] unmaintained and unsupportable | Closed | 100%
Task Description

w3m is unmaintained and unsupportable software; the latest release was 0.5.3 (2011)[0][1][2][3].

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/
Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org
Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]: https://sourceforge.net/projects/w3m/files/w3m/
[1]: https://security.archlinux.org/package/w3m
[2]: https://tracker.debian.org/pkg/w3m
[3]: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

Any | Security Issue | Very High | Critical | [vlc] CVE-2018-11529 | Closed | 100%
Task Description

Description:

  • VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

Additional info:
* package version(s)

  • 2.2.6-1.hyperbola1

* config and/or log files etc.

  • None

Steps to reproduce:

  • Run VLC
Any | Security Issue | Very High | Critical | [vlc] CVE-2017-17670 | Closed | 100%
Task Description

Description:

  • In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to an invalid free, because the type of a box may be changed between a read operation and a free operation.

Additional info:
* package version(s)

  • 2.2.6-1.hyperbola1

* config and/or log files etc.

  • None

Steps to reproduce:

  • Run VLC
Any | Feature Request | Very High | High | [vino] contains systemd unit file | Closed | 100%
Task Description

Description:

  • The Arch version of Vino from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit file must be removed. An OpenRC init script cannot replace it here, because Vino ships a systemd user unit (run in the user session) rather than a system service unit.

Additional info:

  • vino 3.22.0-1.hyperbola1
$ pacman -Si vino
Repository      : extra
Name            : vino
Version         : 3.22.0-1.hyperbola1
Description     : A VNC server for the GNOME desktop
Architecture    : x86_64
URL             : https://wiki.gnome.org/Projects/Vino
Licenses        : GPL
Groups          : gnome
Provides        : None
Depends On      : libnotify  libxtst  libsm  telepathy-glib  gtk3  libsecret  avahi  gnutls
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 368.24 KiB
Installed Size  : 2723.00 KiB
Packager        : Scott Adams <haricot@hyperbola.info>
Build Date      : Fri 09 Jun 2017 02:01:33 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
/usr/lib/systemd/user/vino-server.service is owned by vino 3.22.0-1.hyperbola1

Steps to reproduce:

  • Install package.
Any | Freedom Issue | Very High | Critical | [vdrift-data] contains nonfree car and track models | Closed | 100%
Task Description

The package contains nonfree car and track models

Any | Security Issue | Very High | Critical | [util-linux] CVE-2018-7738 | Closed | 100%
Task Description

Description:
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

Any | Feature Request | Very High | High | [unrealircd] needs OpenRC init script and contains syst ... | Closed | 100%
Task Description

Description:

  • needs OpenRC init script and contains systemd files

Additional info:

  • unrealircd 4.0.11-2
unrealircd /usr/lib/systemd/system/unrealircd.service
unrealircd /usr/lib/tmpfiles.d/unrealircd.conf

Steps to reproduce:

  • none
Any | Feature Request | Very High | High | [umurmur] needs OpenRC init script and contains systemd ... | Closed | 100%
Task Description

Description:

  • needs OpenRC init script and contains systemd file

Additional info:

  • umurmur 0.2.16_a-6
umurmur /usr/lib/systemd/system/umurmur.service

Steps to reproduce:

  • none
Any | Feature Request | Very High | High | [tracker] contains systemd unit files | Closed | 100%
Task Description

Description:

  • The Arch version of Tracker from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit files must be removed. OpenRC init scripts cannot replace them here, because Tracker ships systemd user units (run in the user session) rather than system service units.

Additional info:

  • tracker 1.12.0-2.hyperbola1
$ pacman -Si tracker
Repository      : extra
Name            : tracker
Version         : 1.12.0-2.hyperbola1
Description     : Desktop-neutral user information store, search tool and indexer
Architecture    : x86_64
URL             : https://wiki.gnome.org/Projects/Tracker
Licenses        : GPL
Groups          : gnome
Provides        : None
Depends On      : libtracker-sparql=1.12.0-2.hyperbola1  libsecret  upower  libexif  exempi  poppler-glib  libgsf  enca  libiptcdata  libcue  libosinfo  libnm-glib
                  gtk3  libgxps  taglib  flac  libvorbis  totem-plparser  gst-plugins-base-libs  giflib  libgrss  gvfs
Optional Deps   : nautilus: edit files' tracker tags
Conflicts With  : None
Replaces        : None
Download Size   : 1142.60 KiB
Installed Size  : 8459.00 KiB
Packager        : Scott Adams <haricot@hyperbola.info>
Build Date      : Thu 08 Jun 2017 03:57:24 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
/usr/lib/systemd/user/tracker-extract.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-miner-apps.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-miner-fs.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-miner-rss.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-store.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-writeback.service is owned by tracker 1.12.0-2.hyperbola1

Steps to reproduce:

  • Install package.
Any | Security Issue | Very High | Critical | [toxcore] Memory leak - Remote DDoS vulnerability | Closed | 100%
Task Description

Description:

A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.

Additional info:
* package version(s): < 2.8

https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/

Any | Freedom Issue | Very High | Critical | [torcs-data] contains nonfree car models | Closed | 100%
Task Description

The package contains nonfree car models

Any | Feature Request | Very High | High | [tinc] contains systemd unit files | Closed | 100%
Task Description

Description:

  • The Arch version of tinc from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit files must be removed or replaced with OpenRC init scripts.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : tinc
Version         : 1.0.31-2
Description     : VPN (Virtual Private Network) daemon
Architecture    : x86_64
URL             : http://www.tinc-vpn.org/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : lzo  openssl  zlib
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 107.42 KiB
Installed Size  : 194.00 KiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Mon 13 Mar 2017 01:06:11 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
/usr/lib/systemd/system/tinc.service is owned by tinc 1.0.31-2
/usr/lib/systemd/system/tinc@.service is owned by tinc 1.0.31-2

Steps to reproduce:

  • Install package.
Any | Feature Request | Very High | High | [timidity++] contains systemd unit file | Closed | 100%
Task Description

Description:

  • The Arch version of TiMidity++ from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit file must be removed or replaced with an OpenRC init script.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : extra
Name            : timidity++
Version         : 2.14.0-7
Description     : A MIDI to WAVE converter and player
Architecture    : x86_64
URL             : http://timidity.sourceforge.net
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : libao  jack
Optional Deps   : gtk2: for using the GTK+ interface
                  tk: for using the Tk interface
                  xaw3d: for using the Xaw interface
Conflicts With  : None
Replaces        : None
Download Size   : 530.60 KiB
Installed Size  : 1431.00 KiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Thu 10 Sep 2015 12:55:38 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
/usr/lib/systemd/system/timidity.service is owned by timidity++ 2.14.0-7

Steps to reproduce:

  • Install package.
Any | Privacy Issue | Very High | Critical | [telepathy-morse] only useful with Telegram service | Closed | 100%
Any | Privacy Issue | Very High | Critical | [telepathy-kde-accounts-kcm] recommends Telepathy-Morse ... | Closed | 100%
Any | Privacy Issue | Very High | Critical | [telegramqml] only useful with Telegram service | Closed | 100%
Any | Privacy Issue | Very High | Critical | [telegram-qt] only useful with Telegram service | Closed | 100%
Any | Backport Request | Very High | High | [tcpreplay] update package to 4.2.6 backport | Closed | 100%
Any | Feature Request | Very High | High | [system-config-printer] contains systemd unit file | Closed | 100%
Any | Freedom Issue | Very High | Critical | [supertuxkart] remove nonfree Ubuntu Font Family fonts | Closed | 100%
Any | Security Issue | Very High | Critical | [schroedinger] unmaintained and unsupportable | Closed | 100%
Any | Feature Request | Very High | High | [sage-notebook] contains systemd unit file | Closed | 100%
Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | 100%
Any | Implementation Request | Very High | High | [ring] add new package | Closed | 100%
Any | Security Issue | Very High | Critical | [qtpass] Insecure Password Generation prior to 1.2.1 | Closed | 100%
Any | Freedom Issue | Very High | Critical | [qtemu] package recommends installing non-free OSes | Closed | 100%
Any | Freedom Issue | Very High | Critical | [python-pip][python2-pip] Pip recommends proprietary so ... | Closed | 100%
Any | Bug Report | Very High | Critical | [python-acme] to start crashing on June 19th | Closed | 100%
Any | Freedom Issue | Very High | Critical | [purple-skypeweb] Plugin only useful with Skype | Closed | 100%
Any | Privacy Issue | Very High | Critical | [purple-facebook] only useful with Facebook service | Closed | 100%
Any | Feature Request | Very High | High | [prosody] needs OpenRC init script and contains systemd ... | Closed | 100%
Any | Feature Request | Very High | High | [procps-ng] add init file to load sysctl configuration ... | Closed | 100%
Any | Drop Request | Very High | Critical | [pm-utils] unmaintained and unsupportable | Closed | 100%
Any | Feature Request | Very High | High | [pkgfile] contains systemd unit files | Closed | 100%
Any | Feature Request | Very High | High | [pkgfile] contains systemd unit files | Closed | 100%
Any | Feature Request | Very High | High | [phpldapadmin] needs OpenRC init script | Closed | 100%
Any | Security Issue | Very High | Critical | [php] CVE-2017-9120 | Closed | 100%
Any | Security Issue | Very High | Critical | [pam] pam_unix2 is orphaned and dead upstream | Closed | 100%