|
Any | Security Issue | Very High | Critical | [pam] pam_unix2 is orphaned and dead upstream | Closed | |
Task Description
pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0]
It’s included inside the pam package and should be removed since it doesn’t come from an official source. Also the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.
[0]:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848
$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org
Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski tpowa@archlinux.org
Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
$ pacman -Ql pam > pam_fileslist.txt
|
|
Any | Security Issue | Very High | Critical | [wpa_supplicant] vulnerable to KRACK attack | Closed | |
Task Description
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
https://w1.fi/security/2017-1/
Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/
|
|
Any | Freedom Issue | Very High | Critical | [kodi] contains youtube-dl which runs non-free scripts | Closed | |
Task Description
Please replace by avideo, preferably by a release which receives updates so that it can still function within kodi (the non-LTS version).
Replace by LTS version of avideo to follow Hyperbola Packaging Guidelines.
|
|
Any | Security Issue | Very High | Critical | [dillo] enable IPv6, SSL/TLS and threaded DNS support | Closed | |
Task Description
Please move dillo to blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.
1- Arch PKGBUILD problems:
a- not obtain source via https
b- not compiled with support --enable-ipv6 --enable-threaded-dns --enable-ssl
My correction is committed in NAB-packages-community
|
|
Testing | Privacy Issue | Very High | Critical | [abiword] remove AltaVista's Babel Fish translator supp ... | Closed | |
Task Description
Abiword supports the defunct AltaVista’s Babel Fish translator, whose queries are redirected to the main Yahoo! page.
...
build() {
cd $pkgname-$pkgver
./configure --prefix=/usr \
--enable-shared \
--disable-static \
--enable-clipart \
--enable-templates \
--enable-plugins="aiksaurus applix **babelfish** bmp clarisworks collab docbook \
eml epub freetranslation garble gdict gimp goffice grammar \
hancom hrtext iscii kword latex loadbindings mathview mht \
mif mswrite opendocument openwriter openxml opml ots paint \
passepartout pdb pdf presentation psion s5 sdw t602 urldict \
wikipedia wmf wml wordperfect wpg xslfo" \
--enable-introspection
sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
make
}
...
|
|
Any | Privacy Issue | Very High | Critical | [libreoffice*] contains Google API keys | Closed | |
Task Description
Libreoffice contains Google API keys which affect privacy.
|
|
Any | Freedom Issue | Very High | Critical | [aarch64-linux-gnu-linux-api-headers] compiles using b ... | Closed | |
Task Description
The aarch64-linux-gnu-linux-api-headers from [community] is compiled using the blobbed Linux kernel sources[0], and in Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1]. This issue is exactly the same as linux-api-headers, so it should be blacklisted and replaced using the Linux-libre source.
[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD
[1] https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662
|
|
Any | Freedom Issue | Very High | Critical | [aarch64-linux-gnu-linux-api-headers] compiles using b ... | Closed | |
Task Description
The aarch64-linux-gnu-linux-api-headers package from [community] compiles using the blobbed Linux kernel source[0], at Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1], since this issue is exactly the same as with linux-api-headers.
The solution is to simply compile using Linux-libre sources.
[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD
[1] https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662
|
|
Any | Security Issue | Very High | Critical | [linux-libre-lts*] Meltdown & Spectre Vulnerability | Closed | |
Task Description
Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.
|
|
Any | Security Issue | Very High | Critical | [libressl] add package as OpenSSL replacement and defau ... | Closed | |
Task Description
LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.
It was forked from the OpenSSL in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, [4] [5] [6] [7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. [8]
As LibreSSL follows the same goals as the Hyperbola Packaging Guidelines in stability and security concerns, it should be the default provider of SSL and TLS protocols for Hyperbola Project.
|
|
Any | Security Issue | Very High | Critical | [avahi] blacklist package since it's a zeroconf impleme ... | Closed | |
Task Description
Avahi is a zero-configuration networking implementation that contains critical security issues. Because mDNS operates under a different trust model than unicast DNS, trusting the entire network rather than a designated DNS server, it is vulnerable to spoofing attacks by any system within the multicast IP range. Like SNMP and many other network management protocols, it can also be used by attackers to quickly gain detailed knowledge of the network and its machines. [0]
Since it violates the Hyperbola Social Contract, Avahi should be blacklisted.
|
|
Stable | Bug Report | High | Critical | [vhba-module-lts] modprobe: ERROR: could not insert 'vh ... | Closed | |
Task Description
filename: /lib/modules/4.9.77-gnu-1-lts/extramodules/vhba.ko
license: GPL
description: Virtual SCSI HBA
version: 20161009
author: Chia-I Wu
srcversion: E5A3E6F70DFD436A6B1C8D6
depends: scsi_mod
vermagic: 4.9.27-gnu-1-lts SMP mod_unload modversions
Can’t insert module vhba
Error :
modprobe: ERROR: could not insert ‘vhba’: Exec format error
|
|
Any | Security Issue | Very High | Critical | [electrum] JSONRPC vulnerability | Closed | |
Task Description
Our current version is vulnerable
|
|
Any | Security Issue | High | Critical | [irssi] IRSSI-SA-2018-02 Irssi Security Advisory | Closed | |
Task Description
Multiple vulnerabilities have been located in Irssi.
Access remote: yes
References links:
|
|
Any | Feature Request | High | Critical | [pacman-key][cronie][fcron] eating up hardware resource ... | Closed | |
Task Description
This morning while I was working on my X200, I noticed that my CPU was kept 100% busy for a long time by some process which was obviously eating up the battery life. The culprit was pacman-key, triggered by logrotate.
To stop this, I did ‘chmod -x /etc/cron.daily/pacman-key’ and I rebooted.
Later on, it was impossible to install a new package as it was impossible to get over the step marked as “checking keys in keyring...”
So I tried to do again ‘pacman-key --refresh-keys’: the overall process took more than an hour—behind a fast and robust internet connection. I finally got three lines, saying that about 1,000 keys were updated but I never got the prompt back. So I hit Ctrl-C.
At the time of writing, I am still trying to refresh the keys—a quite desperate attempt, if I may say so.
Although I tagged this report as a “Feature request”, it is in my opinion of quite some importance. I understand very well the absolute necessity to always have the keys updated, but in this particular case, with so many keys and so frequent updates, I begin to wonder if losses are not beginning to prevail over benefits.
Unless I am doing something wrong or missing something I should do?
Any help would be strongly appreciated.
Robert
|
|
Any | Security Issue | High | Critical | [python2] heap-overflow vulnerability CVE-2018-1000030 | Closed | |
Task Description
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiple threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3→Malloc→Thread1→Free’s→Thread2-Re-uses-Free’d Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
https://security-tracker.debian.org/tracker/CVE-2018-1000030
|
|
Any | Privacy Issue | Very High | Critical | [openrc] Google in init.d and conf.d configuration (ne ... | Closed | |
Task Description
/etc/init.d/net-online
-----
Line #62
ping_test_host="${ping_test_host:-google.com}"
_____
/etc/conf.d/net-online
-----
# The default is google.com.
|
|
Any | Security Issue | Very High | Critical | [mupdf] multiple security issues | Closed | |
Task Description
Summary
The package mupdf is vulnerable to multiple issues including arbitrary code execution and denial of service via CVE-2018-6544, CVE-2018-6192, CVE-2018-6187, CVE-2018-5686 and CVE-2018-1000051.
Package Information
$ pacman -Si mupdf
Repositorio : community
Nombre : mupdf
Versión : 1.11-1
Descripción : Lightweight PDF and XPS viewer
Arquitectura : x86_64
URL : http://mupdf.com
Licencias : AGPL3
Grupos : Nada
Provee : Nada
Depende de : curl desktop-file-utils freetype2 harfbuzz jbig2dec libjpeg openjpeg2 openssl
Dependencias opcionales : Nada
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 18,18 MiB
Tamaño de la instalación : 33,03 MiB
Encargado : Christian Hesse <arch@eworm.de>
Fecha de creación : mar 11 abr 2017 05:22:41 -05
Validado por : Suma MD5 Suma SHA-256 Firma
References
|
|
Any | Replace Request | Very High | Critical | [dnscrypt-proxy] update package to 2.x following backpo ... | Closed | |
Task Description
Since the DNSCrypt-Proxy project has been abandoned [0], DNSCrypt-Proxy 2 [1] should be used as its source replacement, however DNSCrypt-Proxy 2 contains support for unsafe and dangerous for privacy protocols such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]
Therefore DNSCrypt-Proxy 2 needs to be re-forked by us first to follow our social contract.
|
|
Any | Security Issue | High | Critical | [geth] possible denial of service attacks "DoS Attack" | Closed | |
Task Description
Geth 1.6.x contains possible denial of service attacks “DoS Attack”, however it has been solved in 1.7.2 [0] instead. Since 1.6.x needs many modifications spread across multiple files of the code and it is inefficient to be backported, the newer version (eg. 1.7.x) could replace the current version package as exception, but repackaged with the appropriate suffix “-backports”.
|
|
Any | Replace Request | Very High | Critical | [kernel-firmware] split out firmware projects from linu ... | Closed | |
Task Description
Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.
However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].
This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.
This is the list of firmware files in linux-libre-lts-firmware and its dependencies:
linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
And here are the firmware files of the new linux-libre-firmware:
linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin
It has openfwwf and ath9k-htc-firmware included, plus some others. If actual versions of Hyperbola don’t get the update at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies at Parabola’s abslibre.git libre tree[5]
The new dependencies are:
Sources:
[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre
Updated Note:
Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately and create a group called kernel-firmware to follow our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those ones are firmware dependencies.
|
|
Any | Privacy Issue | High | Critical | [deepin-desktop-base] Check for CNZZ Spyware | Closed | |
Task Description
As per a recent discovery, we should check if our deepin is affected by the CNZZ spyware in the AppStore. https://www.youtube.com/watch?v=v25Dy66AtNI
We also shouldn’t use the AppStore if it exists, due to non-free apps.
Known files:
> usr/share/dbus-1/system-services/com.deepin.daemon.Apps.service
> etc/appstore.json
|
|
Any | Update Request | Very High | Critical | [certbot] update package to support ACMEv2 and Wildcard | Closed | |
Task Description
Since certbot v0.22.0[0] there’s support for ACMEv2 and Wildcard. This is an important update since wildcard SSL certificates can make server security and maintenance easier by supporting all subdomains of a base domain.
Debian Stretch (stable) uses certbot 0.10.2 but there’s 0.23.0 in stretch-backports repository[1]. So I’d like to request an update or a backport of certbot and its dependencies.
These are the actual packages versions from Hyperbola and Arch:
certbot (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
python-acme (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
python-configargparse (0.12.0-1) / Hyperbola version ⇒ (0.11.0-2) [=]
python-parsedatetime (2.4-1) / Hyperbola version ⇒ (2.3-1) [x]
python-pbr (4.0.2-1) / Hyperbola version ⇒ (3.0.0-1) [<]
python-pytz (2018.4-1) / Hyperbola version ⇒ (2017.2-1) [<]
python-zope-component (4.4.1-1) / Hyperbola version ⇒ (4.3.0-2) [=]
python-zope-event (4.3.0-1) / Hyperbola version ⇒ (4.2.0-2) [=]
NOTE: packages marked with an “[x]” have Debian Stretch backports of the proposed updated version. The “[=]” means that Debian has no backports but uses the same version of the pkg as Hyperbola. The [<] means the Debian version is lower than Hyperbola’s version.
The packages that may get the update should be only the ones marked with an [x], if we follow the Debian Stretch devel. If certbot gets the update, then the following Arch packages need to be added for obtaining wildcard certificates through the DNS challenge:
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53
I omitted certbot-dns-google since it’s not compatible with the Hyperbola Packaging Guidelines.
[0] https://community.letsencrypt.org/t/certbot-0-22-0-release-with-acmev2-and-wildcard-support/55061
[1] https://packages.debian.org/search?keywords=certbot
|
|
Any | Bug Report | Very High | Critical | [warsow] the package is not compiled from source | Closed | |
Task Description
The package is not compiled from source
|
|
Any | Freedom Issue | Very High | Critical | [warsow-data] the package contains nonfree assets (CC B ... | Closed | |
Task Description
The package contains nonfree assets: data0_000_nonfree_21.pk3 data0_000_nonfree_21pure.pk3 tex_000_nonfree.pk3
|
|
Any | Freedom Issue | Very High | Critical | [torcs-data] contains nonfree car models | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [vdrift-data] contains nonfree car and track models | Closed | |
|
|
Stable | Bug Report | High | Critical | [alsa-tools] create missing firmware folder since firmw ... | Closed | |
|
|
Stable | Bug Report | Very High | Critical | [openrc] Cowardly refusing to concatenate a logfile int ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [warsow] contains Steam support | Closed | |
|
|
Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | |
|
|
Any | Security Issue | Medium | Critical | [glusterfs] CVE-2018-1088: Privilege escalation via gl ... | Closed | |
|
|
Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | |
|
|
Any | Drop Request | Very High | Critical | [cgmanager] unmaintained and unsupportable | Closed | |
|
|
Any | Drop Request | Very High | Critical | [pm-utils] unmaintained and unsupportable | Closed | |
|
|
Any | Security Issue | Very High | Critical | [networkmanager] CVE-2018-1111: DHCP client script code ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [pacman] uses "Linux" term instead of "GNU/Linux" in it ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [xmind] is probably directing users to proprietary soft ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [luminancehdr] depends on non-free qt5-webengine | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [bluegriffon] contains support to nonfree "Extended Fea ... | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [purple-facebook] only useful with Facebook service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [cutegram] only useful with Telegram service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [libqtelegram-ae] only useful with Telegram service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [telegram-qt] only useful with Telegram service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [telegramqml] only useful with Telegram service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [telepathy-morse] only useful with Telegram service | Closed | |
|
|
Any | Privacy Issue | Very High | Critical | [telepathy-kde-accounts-kcm] recommends Telepathy-Morse ... | Closed | |
|
|
Any | Bug Report | High | Critical | [light-locker] returns error while tries load shared li ... | Closed | |
|
|
Testing | Bug Report | Medium | Critical | [iceweasel-uxp-ublock-origin] Can't add filters and/or ... | Closed | |
|