Packages

Old clients (like the one packages by Hyperbola) no longer work due to changes in Electrum:

https://github.com/kyuupichan/electrumx/pull/760

The fix is to use a newer version.

As the default path of the ServerBin directory is now /usr/libexec/bin:
1. cups-files.conf should be modified/adapted accordingly.
2. The contents of /usr/lib/cups which is currently owned by cups-filters, cups-pdf foomatic-db-engine and smbclient should be moved to /usr/libexec/cups.

As it is, cups doesn’t work in v0.3.

Some addons are currently broken with latest iceweasel-uxp (iceweasel-uxp 52.9.20190926-1)

DownThemAll
Save to Wayback Machine
Self-Destructing Cookies
(and probably others)

g4jc suggested to drop PGO as it could be the culprit.

https://forums.hyperbola.info/viewtopic.php?pid=1149#p1149

Regarding addons, I'm fairly certain flipping the switch on PGO (which makes the browser faster at the expense of wrecking code) is the culprit. We were warned not to use it, and this is planned to be rolled back.

However, Hyperbot has to be scheduled to rebuild the packages and I do not set it's schedule. Will advise.

Description:

Ath9k wifi device not working, possibly bad compilation or issues with gcc

Additional info:
* package version(s)

- gcc-8.4.0-2
- ath9k-htc-firmware-1.4.0-8

* config and/or log files etc.

[    8.302952] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[    8.303011] usbcore: registered new interface driver ath9k_htc
[    8.303067] usb 1-1: Direct firmware load for ath9k_htc/htc_9271-1.4.0.fw failed with error -2
[    8.303073] usb 1-1: ath9k_htc: Firmware htc_9271.fw requested
[    8.623141] usb 1-1: ath9k_htc: Transferred FW: htc_9271.fw, size: 51008
[    9.683657] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[    9.683672] ath9k_htc: Failed to initialize the device

Steps to reproduce:

- Add wifi device with ath9k firmware, for example: TL-WN722N
- pacman -S ath9k-htc-firmware

References:

- https://bugzilla.kernel.org/show_bug.cgi?id=208251

Description: Tried with new compiled version of mumble no open and secured with SSL-certificate is reachable. Log within console:

qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set_options
qt.network.ssl: QSslSocket: cannot resolve SSL_session_reused
qt.network.ssl: QSslSocket: cannot resolve SSL_set_options
qt.network.ssl: QSslSocket: cannot resolve BN_is_word
qt.network.ssl: QSslSocket: cannot resolve SSL_in_init

<W>2021-08-23 01:00:18.814 QSslSocket: cannot call unresolved function sk_num

<W>2021-08-23 01:00:20.270 QSslSocket: cannot call unresolved function SSL_CTX_set_options

Description:

Update package to 0.4.2 backport version

Note: Is needed by GIMP 2.10.2 backport or update [gegl] to 0.3.34
      Update the [babl] package
      https://issues.hyperbola.info/index.php?do=details&task_id=1051
      https://issues.hyperbola.info/index.php?do=details&task_id=1052
      https://issues.hyperbola.info/index.php?do=details&task_id=1054

Additional info:

gegl 0.3.26-2.hyperbola1

$ pacman -Si gegl
Repository      : extra
Name            : gegl
Version         : 0.3.26-2.hyperbola1
Description     : Graph based image processing framework
Architecture    : x86_64
URL             : http://www.gegl.org/
Licenses        : GPL3  LGPL3
Groups          : None
Provides        : None
Depends On      : babl  libspiro  json-glib
Optional Deps   : libraw: raw plugin
                  openexr: openexr plugin
                  ffmpeg: ffmpeg plugin
                  suitesparse: matting-levin plugin
                  librsvg: svg plugin
                  jasper: jasper plugin
                  libtiff: tiff plugin
                  lua: lua plugin
                  lensfun: lens-correct plugin
Conflicts With  : gegl02
Replaces        : gegl02
Download Size   : 1347.15 KiB
Installed Size  : 6823.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Sun 31 Dec 2017 05:37:41 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

none

Description:

Update package to 2.10.2 backport version

Note: Needs [gegl] 0.4.2 and [babl] 0.1.50
      or update [gegl] 0.3.34 only
      Update the [babl] package
      https://issues.hyperbola.info/index.php?do=details&task_id=1051
      https://issues.hyperbola.info/index.php?do=details&task_id=1052
      https://issues.hyperbola.info/index.php?do=details&task_id=1053

Additional info:

gimp 2.8.22-1.hyperbola1

Repository      : extra
Name            : gimp
Version         : 2.8.22-1.hyperbola1
Description     : GNU Image Manipulation Program, with gegl and libxslt support
Architecture    : x86_64
URL             : https://www.gimp.org/
Licenses        : GPL  LGPL
Groups          : None
Provides        : None
Depends On      : pygtk  lcms  libxpm  libwmf  libxmu  librsvg  libmng  dbus-glib  libexif  gegl  jasper  desktop-file-utils  hicolor-icon-theme  babl  openexr
                  libgudev
Optional Deps   : gutenprint: for sophisticated printing only as gimp has built-in cups print support
                  poppler-glib: for pdf support
                  alsa-lib: for MIDI event controller module
                  curl: for URI support
                  ghostscript: for postscript support
Conflicts With  : gimp-devel
Replaces        : None
Download Size   : 12.12 MiB
Installed Size  : 67.73 MiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Sun 31 Dec 2017 08:42:46 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

none

Description:

Update package to 4.2.6 backport because of multiple security flaw and bugs

Additional info:
* current Hyperbola package version is 4.1.0-1 from December 2014

Example of fix from 4.1.0-1:

* AFL detected security crash in fuzz feature
* tcpcapinfo buffer overflow vulnerablily
* Buffer overflow bug in tcpprep

Steps to reproduce:

none

Description:

[netifrc] update package to 0.6.0 backport version

Fix security errors:

Fix errors:

Changes:

Features:

Note: Please add a extra hotfix patch from git:

netifrc 0.5.1-3

$ pacman -Si netifrc
Repository      : core
Name            : netifrc
Version         : 0.5.1-3
Description     : Network interface management scripts
Architecture    : x86_64
URL             : https://wiki.gentoo.org/wiki/Netifrc
Licenses        : BSD2
Groups          : base
Provides        : None
Depends On      : eudev
Optional Deps   : iproute2: for interface handler, VPN, bridging and tunneling support (recommended)
                  net-tools: for interface handler support
                  bridge-utils: for bridging support
                  linux-atm: for CLIP and RFC 2684 bridge support
                  wpa_supplicant: for wireless networking support (recommended)
                  wireless_tools: for wireless networking support
                  dhcpcd: for DHCP support (recommended)
                  dhclient: for DHCP support
                  busybox: for DHCP support
                  iputils: for APIPA support
                  ifenslave: for bonding interfaces
                  ppp: for PPP and ADSL support (recommended)
                  rp-pppoe: for ADSL support
                  macchanger: for changing MAC addresses
                  ifplugd: for cable in/out detection
Conflicts With  : None
Replaces        : None
Download Size   : 62.75 KiB
Installed Size  : 349.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Wed 24 Jan 2018 09:05:24 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

contains errors in 0.5.1 version

Description:

Hi dear developers of Hyperbola. I work in the field of web development. I use a lot of javascript and nodejs to compile.
Could they do the nodejs update?. I also mention this because Hyperbola works with LTS packages.

Additional info:

* package version(s)

$ sudo pacman -Si nodejs
Repositorio               : community
Nombre                    : nodejs
Versión                   : 7.10.0-1
Descripción               : Evented I/O for V8 javascript
Arquitectura              : x86_64
URL                       : http://nodejs.org/
Licencias                 : MIT
Grupos                    : Nada
Provee                    : Nada
Depende de                : openssl-1.0  zlib  icu  libuv  http-parser  c-ares
Dependencias opcionales   : npm: nodejs package manager
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 4,55 MiB
Tamaño de la instalación  : 18,49 MiB
Encargado                 : Felix Yan <felixonmars@archlinux.org>
Fecha de creación         : mié 03 may 2017 09:50:26 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

$ sudo pacman -Si npm
Repositorio               : community
Nombre                    : npm
Versión                   : 4.5.0-1
Descripción               : A package manager for javascript
Arquitectura              : any
URL                       : https://www.npmjs.com/
Licencias                 : custom:Artistic
Grupos                    : Nada
Provee                    : nodejs-node-gyp
Depende de                : nodejs  semver
Dependencias opcionales   : python2: for node-gyp
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 2,72 MiB
Tamaño de la instalación  : 13,98 MiB
Encargado                 : Felix Yan <felixonmars@archlinux.org>
Fecha de creación         : mié 12 abr 2017 22:08:06 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

- NodeJS LTS (includes npm 5.6.0):

* https://nodejs.org/dist/v8.11.3/node-v8.11.3.tar.gz

* https://nodejs.org/dist/v8.11.3/SHASUMS256.txt.asc

Some errors that I suffer when compiling:
- https://stackoverflow.com/questions/46476741/nodejs-util-promisify-is-not-a-function

We seem to have a very old version of xscreensaver... Could you possibly update it?

this may be a security issue/privacy issue.

Cannot mix incompatible Qt library (version 0×50800) with this library (version 0×50904)
Aborted

./Nextcloud-2.3.3-x86_64.AppImage: /usr/lib/libQt5Core.so.5: version `Qt_5.9’ not found (required by /tmp/.mount_NextclpprMnG/usr/bin/../lib/libqt5keychain.so.1

These two packages are directly affected by an older qt5...

Could you update all the qt packages to the LTS version available?

Description:

this release is mostly bugfix, updated translations, removed some deprecated parts in code (abandoning libgnome-keyring and starting using libsecret) and in UI and added Till’s patches from Ubuntu (Thank you, Till!).

Additional info:
* package version(s)

# pacman -Si system-config-printer
Repositorio               : extra
Nombre                    : system-config-printer
Versión                   : 1.5.9-2
Descripción               : A CUPS printer configuration tool and status applet
Arquitectura              : x86_64
URL                       : https://github.com/zdohnal/system-config-printer
Licencias                 : GPL
Grupos                    : Nada
Provee                    : Nada
Depende de                : python-pycups  python-dbus  python-pycurl  libnotify  python-requests  python-gobject  gtk3  python-cairo
Dependencias opcionales   : python-pysmbc: SMB browser support
                            python-packagekit: to install drivers with PackageKit
                            cups-pk-helper: PolicyKit helper to configure cups with fine-grained privileges
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 908,59 KiB
Tamaño de la instalación  : 7159,00 KiB
Encargado                 : Andreas Radke <andyrtr@archlinux.org>
Fecha de creación         : vie 27 ene 2017 04:18:24 -03
Validado por              : Suma MD5  Suma SHA-256  Firma

* config and/or log files etc.

Steps to reproduce:

“npapi-sdk” (released in 2012) uses deprecated/unsecure NPAPI[0] api

$ pacman -Si npapi-sdk
Repository : extra
Name : npapi-sdk
Version : 0.27.2-1
Description : Netscape Plugin API (NPAPI)
Architecture : any
URL : https://bitbucket.org/mgorny/npapi-sdk Licenses : MPL
Groups : None
Provides : None
Depends On : None
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 15.77 KiB
Installed Size : 67.00 KiB
Packager : Ionut Biru ibiru@archlinux.org Build Date : Thu 25 Apr 2013 01:47:15 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

“npapi-vlc” uses deprecated/unsecure NPAPI[0] api

$ pacman -Si npapi-vlc
Repository : community
Name : npapi-vlc
Version : 2.2.5-1
Description : The modern VLC Mozilla (NPAPI) plugin
Architecture : x86_64
URL : https://code.videolan.org/videolan/npapi-vlc Licenses : GPL Groups : None
Provides : None
Depends On : gtk2 vlc
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 69.96 KiB
Installed Size : 287.00 KiB
Packager : Timothy Redaelli timothy.redaelli@gmail.com Build Date : Tue 14 Feb 2017 12:27:08 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

“nspluginwrapper” (released in 2011) uses deprecated/unsecure NPAPI[0] api

$ pacman -Si nspluginwrapper
Repository : multilib
Name : nspluginwrapper
Version : 1.4.4-3
Description : Cross-platform NPAPI compatible plugin viewer
Architecture : x86_64
URL : http://nspluginwrapper.davidben.net/ Licenses : GPL Groups : None
Provides : None
Depends On : curl libxt lib32-libxt gcc-libs lib32-gcc-libs gtk2 lib32-gtk2
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 146.14 KiB
Installed Size : 475.00 KiB
Packager : Felix Yan felixonmars@gmail.com Build Date : Sat 12 Jul 2014 02:40:45 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

“x2goplugin” uses deprecated/unsecure NPAPI[0] api

$ pacman -Si x2goplugin
Repository : extra
Name : x2goplugin
Version : 4.1.0.0-1
Description : provides X2Go Client as QtBrowser-based Mozilla plugin
Architecture : x86_64
URL : http://www.x2go.org Licenses : GPL2
Groups : None
Provides : None
Depends On : qt4 libcups nxproxy libssh libxpm
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 1250.54 KiB
Installed Size : 2761.00 KiB
Packager : Andreas Radke andyrtr@archlinux.org Build Date : Wed 22 Feb 2017 12:42:48 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Remove “nsdejavu.so”, uses deprecated/unsecure NPAPI[0] api

$ sudo pacman -Si djview
Repository : community
Name : djview
Version : 4.10.6-1
Description : Portable DjVu viewer and browser plugin
Architecture : x86_64
URL : http://djvu.sourceforge.net/djview4.html Licenses : GPL Groups : None
Provides : djview4
Depends On : qt5-base djvulibre libxkbcommon-x11 libsm
Optional Deps : None
Conflicts With : djview4
Replaces : djview4
Download Size : 535.79 KiB
Installed Size : 1978.00 KiB
Packager : Gaetan Bisson bisson@archlinux.org Build Date : Wed 04 May 2016 08:53:23 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql djview
djview /usr/
djview /usr/bin/
djview /usr/bin/djview
djview /usr/bin/djview4
djview /usr/lib/
djview /usr/lib/mozilla/
djview /usr/lib/mozilla/plugins/
djview /usr/lib/mozilla/plugins/nsdejavu.so
djview /usr/share/
djview /usr/share/applications/
djview /usr/share/applications/djvulibre-djview4.desktop
djview /usr/share/djvu/
djview /usr/share/djvu/djview4/
djview /usr/share/djvu/djview4/djview_cs.qm
djview /usr/share/djvu/djview4/djview_de.qm
djview /usr/share/djvu/djview4/djview_es.qm
djview /usr/share/djvu/djview4/djview_fr.qm
djview /usr/share/djvu/djview4/djview_ru.qm
djview /usr/share/djvu/djview4/djview_uk.qm
djview /usr/share/djvu/djview4/djview_zh_cn.qm
djview /usr/share/djvu/djview4/djview_zh_tw.qm
djview /usr/share/icons/
djview /usr/share/icons/hicolor/
djview /usr/share/icons/hicolor/32×32/
djview /usr/share/icons/hicolor/32×32/mimetypes/
djview /usr/share/icons/hicolor/32×32/mimetypes/djvulibre-djview4.png
djview /usr/share/icons/hicolor/64×64/
djview /usr/share/icons/hicolor/64×64/mimetypes/
djview /usr/share/icons/hicolor/64×64/mimetypes/djvulibre-djview4.png
djview /usr/share/icons/hicolor/scalable/
djview /usr/share/icons/hicolor/scalable/mimetypes/
djview /usr/share/icons/hicolor/scalable/mimetypes/djvulibre-djview4.svgz
djview /usr/share/man/
djview /usr/share/man/man1/
djview /usr/share/man/man1/djview.1.gz
djview /usr/share/man/man1/nsdejavu.1.gz

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Remove “IcedTeaPlugin.so”, it uses deprecated/unsecure NPAPI[0] apis

Note: this package contains “Java Web Start” and unsecured NPAPI plugin, it needs change package description and description on optional dependencies in “jre{7,8}-openjdk” packages.

$ pacman -Si icedtea-web
Repository : extra
Name : icedtea-web
Version : 1.6.2-2.hyperbola1
Description : Free web browser plugin to run applets written in Java and an implementation of Java Web Start, without nonfree firefox support
Architecture : x86_64
URL : http://icedtea.classpath.org/wiki/IcedTea-Web Licenses : GPL2
Groups : None
Provides : java-web-start
Depends On : java-runtime-openjdk desktop-file-utils
Optional Deps : rhino: for using proxy auto config files
Conflicts With : None
Replaces : icedtea-web-java7
Download Size : 1525.55 KiB
Installed Size : 2108.00 KiB
Packager : André Silva emulatorman@hyperbola.info Build Date : Fri 26 May 2017 06:13:18 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql icedtea-web
icedtea-web /usr/
icedtea-web /usr/bin/
icedtea-web /usr/bin/itweb-settings
icedtea-web /usr/bin/javaws
icedtea-web /usr/bin/policyeditor
icedtea-web /usr/lib/
icedtea-web /usr/lib/mozilla/
icedtea-web /usr/lib/mozilla/plugins/
icedtea-web /usr/lib/mozilla/plugins/IcedTeaPlugin.so
icedtea-web /usr/share/
icedtea-web /usr/share/applications/
icedtea-web /usr/share/applications/itweb-settings.desktop
icedtea-web /usr/share/applications/javaws.desktop
icedtea-web /usr/share/icedtea-web/
icedtea-web /usr/share/icedtea-web/bin/
icedtea-web /usr/share/icedtea-web/bin/itweb-settings
icedtea-web /usr/share/icedtea-web/bin/javaws
icedtea-web /usr/share/icedtea-web/bin/policyeditor
icedtea-web /usr/share/icedtea-web/javaws_splash.png
icedtea-web /usr/share/icedtea-web/lib/
icedtea-web /usr/share/icedtea-web/lib/IcedTeaPlugin.so
icedtea-web /usr/share/icedtea-web/netx.jar
icedtea-web /usr/share/icedtea-web/plugin.jar
icedtea-web /usr/share/man/
icedtea-web /usr/share/man/man1/
icedtea-web /usr/share/man/man1/icedtea-web-plugin.1.gz
icedtea-web /usr/share/man/man1/icedtea-web.1.gz
icedtea-web /usr/share/man/man1/itweb-settings.1.gz
icedtea-web /usr/share/man/man1/javaws.1.gz
icedtea-web /usr/share/man/man1/policyeditor.1.gz
icedtea-web /usr/share/pixmaps/
icedtea-web /usr/share/pixmaps/javaws.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

https://icepng.github.io/2017/04/21/PoDoFo-1/

https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference

http://www.securityfocus.com/bid/97296/info

Package information

Repositorio : community
Nombre : podofo
Versión : 0.9.5-2 Descripción : A C++ library to work with the PDF file format
Arquitectura : x86_64
URL : http://podofo.sourceforge.net Licencias : GPL Grupos : Nada
Provee : Nada
Depende de : lua openssl fontconfig libtiff libidn libjpeg-turbo
Dependencias opcionales : Nada
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 785,18 KiB
Tamaño de la instalación : 4492,00 KiB
Encargado : Antonio Rojas arojas@archlinux.org Fecha de creación : sáb 18 feb 2017 06:52:31 -05
Validado por : Suma MD5 Suma SHA-256 Firma

Debian just patched for v0.9.5-6

https://sources.debian.net/src/libpodofo/0.9.5-6/debian/patches/CVE-2017-738%5B0123%5D.patch/

https://sources.debian.net/src/libpodofo/0.9.5-6/debian/patches/

isync is currently on 1.2.1-3, the versions is 2 years old and a lot of security/features have been implemented to the version 1.3.0

isync needs be upgraded from 1.2.1 to 1.2.3 since it is a bugfix adapted for our current snapshot in Milky Way (2017-05-08) which is using isync 1.2.x series.

Package: https://www.hyperbola.info/packages/community/x86_64/busybox/

https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Patch: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8

Multiple vulnerabilities have been located in Irssi.

Access remote: yes

References links:

• https://irssi.org/security/irssi_sa_2018_02.txt

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3→Malloc→Thread1→Free’s→Thread2-Re-uses-Free’d Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.

https://security-tracker.debian.org/tracker/CVE-2018-1000030

Geth 1.6.x contains possible denial of service attacks “DoS Attack”, however it has been solved in 1.7.2 [0] instead. Since 1.6.x needs many modifications spread across multiple files of the code and it is inefficient to be backported, the newer version (eg. 1.7.x) could replace the current version package as exception, but repackaged with the appropriate suffix “-backports”.