|
Any | Security Issue | Very High | Critical | [znc] CVE-2018-14055: privilege escalation & CVE-2018-1 ... | Closed | |
Task Description
Severity: high
Versions affected: 1.6.0 through 1.7.0. Potentially all earlier versions too, but there is no known way to trigger this before 1.6.0.
Mitigation: upgrade to 1.7.1
Description: ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate privilege, inject rogue values into znc.conf, and gain shell access.
Upstream patches: https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d
—
Severity: medium
Versions affected: 0.045 through 1.7.0
Mitigation: upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`, `/msg *status DelPort` commands.
Description: ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user can set the web skin name to ../ to access files outside of the intended skins directories and to cause a DoS.
Upstream patch: https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
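An added illustration of the bug class behind the first (high severity) issue, written for this page and not taken from ZNC's code: a per-user value received over the network is written into a config file one "Key = Value" line at a time, and without a check for embedded line breaks the user can smuggle extra lines, including a privileged key, into their own block. The `<User>` block layout and the `Nick`/`Admin` key names only mimic znc.conf's style and are assumptions for the demo; `value_is_clean` is the kind of check a loader or setter should apply before the value reaches the file.

```shell
#!/bin/sh
# Demo (not ZNC code): config-line injection through an unvalidated,
# user-controlled value, and the control-character check that stops it.

NL="$(printf '\n.')"; NL="${NL%.}"    # portable newline in a variable

# Vulnerable writer: interpolates the network-supplied value as-is.
# $1 = username, $2 = nick chosen by that (non-admin) user.
render_user_vuln() {
    printf '<User %s>\n\tAdmin = false\n\tNick = %s\n</User>\n' "$1" "$2"
}

# Hardened check: refuse any value containing CR, LF or any other
# control byte. Returns 1 on rejection so the caller writes nothing.
value_is_clean() {
    case "$1" in
        *"$NL"*) return 1 ;;
    esac
    # tr deletes the control range; if anything was deleted, reject.
    [ "$(printf '%s' "$1" | tr -d '\000-\037\177')" = "$1" ]
}

render_user_safe() {
    value_is_clean "$2" || return 1
    render_user_vuln "$1" "$2"
}

# Detector used by the checks: reads a rendered config on stdin and
# succeeds (exit 0) if an "Admin = true" line appears anywhere in it.
injected_admin() {
    grep -qx '[[:space:]]*Admin = true'
}
```

The constructed payload is a nick of the form `evil<LF>Admin = true`: the vulnerable writer emits it verbatim, so the block ends up containing a second `Admin` line that the attacker chose; the hardened writer rejects the value outright. The same check belongs on every setter whose value is later written out or replayed as a line-oriented protocol message.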
|
|
Any | Security Issue | Very High | Critical | [xulrunner] unmaintained and unsupportable | Closed | |
Task Description
Remove “xulrunner”[0][1]: it is an insecure, abandoned package.
$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner
Licenses : MPL GPL LGPL
Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com
Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
[0]: https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[1]: https://tracker.debian.org/pkg/xulrunner
|
|
Stable | Freedom Issue | Very High | Critical | [xorg-fonts-misc] contains non-libre/free Syriac typefa ... | Closed | |
Task Description
The Syriac typeface family series of Beth Mardutho’s Meltho is considered non-libre/free because its licence forbids modification[1], and should be removed immediately.
[1]: https://github.com/freedesktop/xorg-misc-meltho/raw/master/license.txt
|
|
Any | Freedom Issue | Very High | Critical | [xmind] is probably directing users to proprietary soft ... | Closed | |
Task Description
xmind, once installed, reports that “this version is not licensed”, which cannot be right. Even though the GitHub repository carries a GPL license, that vague message in the software can be, and is, misunderstood:
Further, it asks for a license key to get the “Pro” version.
Thus xmind is pointing users to proprietary software.
That means xmind shall be removed from Hyperbola immediately, since as it is now it cannot be in a fully free GNU distribution.
|
|
Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | |
Task Description
http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu devicemodel process. (The virtual CDROM device is read-only, so no data can be written.)
http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host.
http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time.
http://openwall.com/lists/oss-security/2018/05/11/2
[critical] A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation, or information leaks, cannot be excluded.
Patches provided by upstream.
|
|
Any | Security Issue | Very High | Critical | [wpa_supplicant] vulnerable to KRACK attack | Closed | |
Task Description
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
https://w1.fi/security/2017-1/
Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/
|
|
Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | |
Task Description
An external attacker is able to inject arbitrary cookie values into the cookie jar file, adding new or replacing existing cookie values. http://openwall.com/lists/oss-security/2018/05/06/1
Fixed in GNU Wget 1.19.5 or later.
|
|
Any | Feature Request | Very High | High | [wesnoth] contains systemd unit files | Closed | |
Task Description
Description:
The Arch version of Wesnoth from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit files must be removed or OpenRC init scripts added to replace them.
Additional info:
Repository : community
Name : wesnoth
Version : 1.12.6-4
Description : A turn-based strategy game on a fantasy world
Architecture : x86_64
URL : http://www.wesnoth.org/
Licenses : GPL
Groups : None
Provides : None
Depends On : sdl_ttf sdl_net sdl_mixer sdl_image fribidi boost-libs pango lua52 wesnoth-data dbus python2
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 4.97 MiB
Installed Size : 22.86 MiB
Packager : Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
Build Date : Mon 02 Jan 2017 07:52:21 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
/usr/lib/systemd/system/wesnothd.service is owned by wesnoth 1.12.6-4
/usr/lib/tmpfiles.d/wesnothd.conf is owned by wesnoth 1.12.6-4
|
|
Any | Security Issue | Very High | Critical | [wesnoth] CVE-2018-1999023 - Code Injection vulnerabili ... | Closed | |
Task Description
The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appears to be exploitable by loading specially-crafted saved games, networked games, replays, and player content.
https://security-tracker.debian.org/tracker/CVE-2018-1999023
Upstream patch: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318
|
|
Any | Bug Report | Very High | Critical | [warsow] the package is not compiled from source | Closed | |
Task Description
The package is not compiled from source
|
|
Any | Freedom Issue | Very High | Critical | [warsow] contains Steam support | Closed | |
Task Description
Warsow contains a library called steamlib which is built from the source. It’s useful only for Steam support which is nonfree software.
|
|
Any | Freedom Issue | Very High | Critical | [warsow-data] the package contains nonfree assets (CC B ... | Closed | |
Task Description
The package contains nonfree assets: data0_000_nonfree_21.pk3 data0_000_nonfree_21pure.pk3 tex_000_nonfree.pk3
|
|
Any | Security Issue | Very High | Critical | [w3m] unmaintained and unsupportable | Closed | |
Task Description
w3m is unmaintained and unsupportable software; the latest release was 0.5.3 (2011)[0][1][2][3].
$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/
Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org
Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
[0]: https://sourceforge.net/projects/w3m/files/w3m/
[1]: https://security.archlinux.org/package/w3m
[2]: https://tracker.debian.org/pkg/w3m
[3]: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2018-11529 | Closed | |
Task Description
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2017-17670 | Closed | |
Task Description
Description:
In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.
|
|
Any | Feature Request | Very High | High | [vino] contains systemd unit file | Closed | |
Task Description
Description:
The Arch version of Vino from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit file must be removed. An OpenRC init script replacement isn’t possible here because Vino ships a systemd user unit (started per login session by the user) rather than a system unit.
Additional info:
$ pacman -Si vino
Repository : extra
Name : vino
Version : 3.22.0-1.hyperbola1
Description : A VNC server for the GNOME desktop
Architecture : x86_64
URL : https://wiki.gnome.org/Projects/Vino
Licenses : GPL
Groups : gnome
Provides : None
Depends On : libnotify libxtst libsm telepathy-glib gtk3 libsecret avahi gnutls
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 368.24 KiB
Installed Size : 2723.00 KiB
Packager : Scott Adams <haricot@hyperbola.info>
Build Date : Fri 09 Jun 2017 02:01:33 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
/usr/lib/systemd/user/vino-server.service is owned by vino 3.22.0-1.hyperbola1
|
|
Any | Freedom Issue | Very High | Critical | [vdrift-data] contains nonfree car and track models | Closed | |
Task Description
The package contains nonfree car and track models
|
|
Any | Security Issue | Very High | Critical | [util-linux] CVE-2018-7738 | Closed | |
Task Description
Description: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/
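The mechanism behind CVE-2018-7738, as an added demonstration that is not util-linux's completion code: bash subjects the word list given to `compgen -W` to the shell expansions, command substitution included, before it matches candidates, so a mountpoint name containing `$(...)` runs a command in the shell of whoever presses Tab, root included. The fake mount listing, the marker file and the function names below are constructed for the demo; the hardened variant matches prefixes itself and never hands the names to an expanding context.

```shell
#!/bin/bash
# Demo (not util-linux code): command execution through `compgen -W` when
# the word list is built from untrusted names, and a safe alternative.

# Marker touched by the constructed payload so the effect is checkable
# without doing anything harmful.
MARKER="${TMPDIR:-/tmp}/compgen-injection.$$"

# Constructed stand-in for `mount`/`findmnt` output. The third mountpoint
# name was chosen by an unprivileged user and carries a command
# substitution; mountpoint names may legitimately contain such characters.
mounts_untrusted() {
    printf '%s\n' '/' '/boot' "/home/evil/\$(touch '$MARKER')"
}

# Vulnerable pattern: the raw names go straight into `compgen -W`, whose
# word list bash expands (brace, tilde, parameter, command substitution)
# before matching. IFS is set to newline so names with spaces stay whole,
# as a completion for paths would do.
complete_vuln() {
    local cur="$1" list
    local IFS=$'\n'
    list="$(mounts_untrusted)"
    COMPREPLY=( $(compgen -W "$list" -- "$cur") )
}

# Hardened pattern: read the names one per line as opaque strings, do the
# prefix match with a quoted pattern (no expansion of $name), and quote each
# candidate with %q so the eventual `umount <candidate>` does not re-split
# or expand it either.
complete_safe() {
    local cur="$1" name
    COMPREPLY=()
    while IFS= read -r name; do
        [[ $name == "$cur"* ]] || continue
        COMPREPLY+=( "$(printf '%q' "$name")" )
    done < <(mounts_untrusted)
}

# Helpers for checking the outcome: did the payload execute?
payload_ran()  { [ -e "$MARKER" ]; }
reset_marker() { rm -f "$MARKER"; }
```

Running `complete_vuln /` creates the marker file even though the caller only asked for completions; `complete_safe /` returns the same three candidates and the marker never appears. The general rule: data from other users (mountpoints, file names, process names) must never be placed where bash performs expansion, which includes `compgen -W`, `eval`, and unquoted `$(...)` results.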
|
|
Any | Feature Request | Very High | High | [unrealircd] needs OpenRC init script and contains syst ... | Closed | |
Task Description
Additional info:
unrealircd /usr/lib/systemd/system/unrealircd.service
unrealircd /usr/lib/tmpfiles.d/unrealircd.conf
|
|
Any | Feature Request | Very High | High | [umurmur] needs OpenRC init script and contains systemd ... | Closed | |
Task Description
Additional info:
umurmur /usr/lib/systemd/system/umurmur.service
|
|
Any | Feature Request | Very High | High | [tracker] contains systemd unit files | Closed | |
Task Description
Description:
The Arch version of Tracker from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit files must be removed. An OpenRC init script replacement isn’t possible here because Tracker ships systemd user units (started per login session by the user) rather than system units.
Additional info:
$ pacman -Si tracker
Repository : extra
Name : tracker
Version : 1.12.0-2.hyperbola1
Description : Desktop-neutral user information store, search tool and indexer
Architecture : x86_64
URL : https://wiki.gnome.org/Projects/Tracker
Licenses : GPL
Groups : gnome
Provides : None
Depends On : libtracker-sparql=1.12.0-2.hyperbola1 libsecret upower libexif exempi poppler-glib libgsf enca libiptcdata libcue libosinfo libnm-glib
gtk3 libgxps taglib flac libvorbis totem-plparser gst-plugins-base-libs giflib libgrss gvfs
Optional Deps : nautilus: edit files' tracker tags
Conflicts With : None
Replaces : None
Download Size : 1142.60 KiB
Installed Size : 8459.00 KiB
Packager : Scott Adams <haricot@hyperbola.info>
Build Date : Thu 08 Jun 2017 03:57:24 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
/usr/lib/systemd/user/tracker-extract.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-miner-apps.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-miner-fs.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-miner-rss.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-store.service is owned by tracker 1.12.0-2.hyperbola1
/usr/lib/systemd/user/tracker-writeback.service is owned by tracker 1.12.0-2.hyperbola1
|
|
Any | Security Issue | Very High | Critical | [toxcore] Memory leak - Remote DDoS vunerability | Closed | |
Task Description
Description:
A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.
Additional info: package version(s): < 2.8
https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/
|
|
Any | Freedom Issue | Very High | Critical | [torcs-data] contains nonfree car models | Closed | |
Task Description
The package contains nonfree car models
|
|
Any | Feature Request | Very High | High | [tinc] contains systemd unit files | Closed | |
Task Description
Description:
The Arch version of tinc from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit files must be removed or OpenRC init scripts added to replace them.
Additional info:
Repository : community
Name : tinc
Version : 1.0.31-2
Description : VPN (Virtual Private Network) daemon
Architecture : x86_64
URL : http://www.tinc-vpn.org/
Licenses : GPL
Groups : None
Provides : None
Depends On : lzo openssl zlib
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 107.42 KiB
Installed Size : 194.00 KiB
Packager : Evangelos Foutras <evangelos@foutrelis.com>
Build Date : Mon 13 Mar 2017 01:06:11 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
/usr/lib/systemd/system/tinc.service is owned by tinc 1.0.31-2
/usr/lib/systemd/system/tinc@.service is owned by tinc 1.0.31-2
|
|
Any | Feature Request | Very High | High | [timidity++] contains systemd unit file | Closed | |
Task Description
Description:
The Arch version of TiMidity++ from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, the systemd unit file must be removed or an OpenRC init script added to replace it.
Additional info:
Repository : extra
Name : timidity++
Version : 2.14.0-7
Description : A MIDI to WAVE converter and player
Architecture : x86_64
URL : http://timidity.sourceforge.net
Licenses : GPL
Groups : None
Provides : None
Depends On : libao jack
Optional Deps : gtk2: for using the GTK+ interface
tk: for using the Tk interface
xaw3d: for using the Xaw interface
Conflicts With : None
Replaces : None
Download Size : 530.60 KiB
Installed Size : 1431.00 KiB
Packager : Evangelos Foutras <evangelos@foutrelis.com>
Build Date : Thu 10 Sep 2015 12:55:38 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
/usr/lib/systemd/system/timidity.service is owned by timidity++ 2.14.0-7
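What "add OpenRC init scripts to replace it" looks like for the templated tinc@.service listed in the tinc entry above (the plain wesnothd and timidity units follow the same pattern with a fixed command and no instance name). This is an added example, not a script shipped by tinc, Arch or Hyperbola: the per-network instance comes from the script's symlink name (tinc.<network>) where the unit used %i; the tincd flags -n (network), -D (stay in the foreground) and -kHUP (signal a running daemon to reload) are tincd's documented options, while the pidfile path, the config path under /etc/tinc and the dependency list are assumptions.

```shell
#!/usr/bin/openrc-run
# Added example: OpenRC multiplexed service for tinc (not the project's
# own). Create one instance per network and enable it:
#   ln -s tinc /etc/init.d/tinc.mynet && rc-update add tinc.mynet default

description="tinc VPN daemon"
netname="${RC_SVCNAME#tinc.}"          # "tinc.mynet" -> "mynet"

command="/usr/sbin/tincd"
command_args="-n ${netname} -D"        # -D: do not detach; OpenRC backgrounds it
command_background="yes"
pidfile="/run/tinc.${netname}.pid"     # assumed location, written by OpenRC
required_files="/etc/tinc/${netname}/tinc.conf"

depend() {
    need net
    use dns
    after firewall
}

start_pre() {
    # The bare "tinc" script is a template; refuse to start it directly.
    if [ -z "${netname}" ] || [ "${netname}" = "tinc" ]; then
        eerror "Use a symlink named tinc.<network>, e.g. tinc.mynet"
        return 1
    fi
}

reload() {
    ebegin "Reloading ${RC_SVCNAME} configuration"
    "${command}" -n "${netname}" -kHUP
    eend $?
}
```

Because tincd is kept in the foreground with -D, OpenRC's start-stop-daemon owns the process and writes the pidfile itself, which is what makes `rc-service tinc.mynet stop` reliable; the `required_files` line makes a missing network directory a clean start failure instead of a daemon that exits immediately.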
|
|
Any | Privacy Issue | Very High | Critical | [telepathy-morse] only useful with Telegram service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [telepathy-kde-accounts-kcm] recommends Telepathy-Morse ... | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [telegramqml] only useful with Telegram service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [telegram-qt] only useful with Telegram service | Closed | |
|
|
Any | Backport Request | Very High | High | [tcpreplay] update package to 4.2.6 backport | Closed | |
|
|
Any | Feature Request | Very High | High | [system-config-printer] contains systemd unit file | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [supertuxkart] remove nonfree Ubuntu Font Family fonts | Closed | |
|
|
Any | Security Issue | Very High | Critical | [schroedinger] unmaintained and unsupportable | Closed | |
|
|
Any | Feature Request | Very High | High | [sage-notebook] contains systemd unit file | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | |
|
|
Any | Implementation Request | Very High | High | [ring] add new package | Closed | |
|
|
Any | Security Issue | Very High | Critical | [qtpass] Insecure Password Generation prior to 1.2.1 | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [qtemu] package recommends installing non-free OSes | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [python-pip][python2-pip] Pip recommends proprietary so ... | Closed | |
|
|
Any | Bug Report | Very High | Critical | [python-acme] to start crashing on June 19th | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [purple-skypeweb] Plugin only useful with Skype | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [purple-facebook] only useful with Facebook service | Closed | |
|
|
Any | Feature Request | Very High | High | [prosody] needs OpenRC init script and contains systemd ... | Closed | |
|
|
Any | Feature Request | Very High | High | [procps-ng] add init file to load sysctl configuration ... | Closed | |
|
|
Any | Drop Request | Very High | Critical | [pm-utils] unmaintained and unsupportable | Closed | |
|
|
Any | Feature Request | Very High | High | [pkgfile] contains systemd unit files | Closed | |
|
|
Any | Feature Request | Very High | High | [pkgfile] contains systemd unit files | Closed | |
|
|
Any | Feature Request | Very High | High | [phpldapadmin] needs OpenRC init script | Closed | |
|
|
Any | Security Issue | Very High | Critical | [php] CVE-2017-9120 | Closed | |
|
|
Any | Security Issue | Very High | Critical | [pam] pam_unix2 is orphaned and dead upstream | Closed | |
|