Any | Privacy Issue | Very High | Critical | [openrc] Google in init.d and conf.d configuration (ne ... | Closed | |
Task Description
/etc/init.d/net-online
-----
Line #62
ping_test_host="${ping_test_host:-google.com}"
_____
/etc/conf.d/net-online
-----
# The default is google.com.
Any | Security Issue | Very High | Critical | [mupdf] multiple security issues | Closed | |
Task Description
Summary
The package mupdf is vulnerable to multiple issues including arbitrary code execution and denial of service via CVE-2018-6544, CVE-2018-6192, CVE-2018-6187, CVE-2018-5686 and CVE-2018-1000051.
Package Information
$ pacman -Si mupdf
Repositorio : community
Nombre : mupdf
Versión : 1.11-1
Descripción : Lightweight PDF and XPS viewer
Arquitectura : x86_64
URL : http://mupdf.com
Licencias : AGPL3
Grupos : Nada
Provee : Nada
Depende de : curl desktop-file-utils freetype2 harfbuzz jbig2dec libjpeg openjpeg2 openssl
Dependencias opcionales : Nada
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 18,18 MiB
Tamaño de la instalación : 33,03 MiB
Encargado : Christian Hesse <arch@eworm.de>
Fecha de creación : mar 11 abr 2017 05:22:41 -05
Validado por : Suma MD5 Suma SHA-256 Firma
References
Any | Replace Request | Very High | Critical | [dnscrypt-proxy] update package to 2.x following backpo ... | Closed | |
Task Description
Since the DNSCrypt-Proxy project has been abandoned [0], DNSCrypt-Proxy 2 [1] should be used as its source replacement; however, DNSCrypt-Proxy 2 contains support for protocols that are unsafe and dangerous for privacy, such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]
Therefore DNSCrypt-Proxy 2 needs to be re-forked by us first to follow our social contract.
Any | Security Issue | High | Critical | [geth] possible denial of service attacks "DoS Attack" | Closed | |
Task Description
Geth 1.6.x contains possible denial of service attacks (“DoS Attack”); however, this has been solved in 1.7.2 [0] instead. Since 1.6.x needs many modifications spread across multiple files of the code and it is inefficient to backport, the newer version (e.g. 1.7.x) could replace the current package as an exception, but repackaged with the appropriate suffix “-backports”.
Any | Replace Request | Very High | Critical | [kernel-firmware] split out firmware projects from linu ... | Closed | |
Task Description
Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.
However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].
This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.
This is the list of firmware files in linux-libre-lts-firmware and its dependencies:
linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
And here are the firmware files of the new linux-libre-firmware:
linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin
It has openfwwf and ath9k-htc-firmware included, plus some others. If current versions of Hyperbola don’t get the update, at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies from Parabola’s abslibre.git libre tree[5].
The new dependencies are:
Sources:
[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre
Updated Note:
Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately, and a group called kernel-firmware should be created to follow our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those are firmware dependencies.
Any | Update Request | Very High | Critical | [certbot] update package to support ACMEv2 and Wildcard | Closed | |
Task Description
Since certbot v0.22.0[0] there’s support for ACMEv2 and Wildcard. This is an important update since wildcard SSL certificates can make server security and maintenance easier by supporting all subdomains of a base domain.
Debian Stretch (stable) uses certbot 0.10.2 but there’s 0.23.0 in stretch-backports repository[1]. So I’d like to request an update or a backport of certbot and its dependencies.
These are the current package versions from Hyperbola and Arch:
certbot (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
python-acme (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
python-configargparse (0.12.0-1) / Hyperbola version ⇒ (0.11.0-2) [=]
python-parsedatetime (2.4-1) / Hyperbola version ⇒ (2.3-1) [x]
python-pbr (4.0.2-1) / Hyperbola version ⇒ (3.0.0-1) [<]
python-pytz (2018.4-1) / Hyperbola version ⇒ (2017.2-1) [<]
python-zope-component (4.4.1-1) / Hyperbola version ⇒ (4.3.0-2) [=]
python-zope-event (4.3.0-1) / Hyperbola version ⇒ (4.2.0-2) [=]
NOTE: packages marked with an “[x]” mean that the pkg has Debian Stretch backports of the proposed updated version. The “[=]” means that Debian has no backports but uses the same version of the pkg as Hyperbola. The “[<]” means the Debian version is lower than Hyperbola’s version.
The packages that may get the update should be only the ones marked with an “[x]”, if we follow the Debian Stretch devel. If certbot gets the update, then the following Arch packages need to be added for obtaining wildcard certificates through the DNS challenge:
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53
I omitted certbot-dns-google since it’s not compatible with the Hyperbola Packaging Guidelines.
[0] https://community.letsencrypt.org/t/certbot-0-22-0-release-with-acmev2-and-wildcard-support/55061
[1] https://packages.debian.org/search?keywords=certbot
Any | Bug Report | Very High | Critical | [warsow] the package is not compiled from source | Closed | |
Task Description
The package is not compiled from source
Any | Freedom Issue | Very High | Critical | [warsow-data] the package contains nonfree assets (CC B ... | Closed | |
Task Description
The package contains nonfree assets: data0_000_nonfree_21.pk3 data0_000_nonfree_21pure.pk3 tex_000_nonfree.pk3
Any | Freedom Issue | Very High | Critical | [torcs-data] contains nonfree car models | Closed | |
Task Description
The package contains nonfree car models
Any | Freedom Issue | Very High | Critical | [vdrift-data] contains nonfree car and track models | Closed | |
Task Description
The package contains nonfree car and track models
Stable | Bug Report | High | Critical | [alsa-tools] create missing firmware folder since firmw ... | Closed | |
Task Description
### Some context ###
I use hdajackretask on my G41M-ES2L motherboard (Libreboot)
Alsamixer doesn’t offer an automute feature, so every time I plug in my headphones, the sound plays through my speakers. To work around this, I use hdajackretask from the alsa-tools package.
It allows installing a boot override to solve the issue.
Yesterday, I reinstalled Hyperbola on my system and the boot override because of a missing /lib/firmware directory. (Although it was present before, something changed?)
The error message was (I translate)
/mv: can't move '/tmp/hda-jack-retask-VH3KIZ/hda-jack-retask.fw' to /lib/firmware/hda-jack-retask.fw' No file or folder of this type
So I created a folder “firmware” in /lib/ and copied hda-jack-retask.fw in it.
Then I rebooted, 100% working.
I don’t know if the fix should apply to the PKGBUILD of alsa-tools (to create a /lib/firmware directory) or something else?
Stable | Bug Report | Very High | Critical | [openrc] Cowardly refusing to concatenate a logfile int ... | Closed | |
Task Description
Since the update of openrc to 0.28-11 this morning something fails during boot process as I get the following error message:
Cowardly refusing to concatenate a logfile into itself.
Please change rc_log_path to something other than /var/log/rc.log get rid of this message
But why would I do that?
Besides, once the boot process is finished, I am unable to switch between TTY consoles as I used to using Ctrl-Alt + F1-Fx. I don’t get the login prompt anymore.
Any | Freedom Issue | Very High | Critical | [warsow] contains Steam support | Closed | |
Task Description
Warsow contains a library called steamlib which is built from the source. It’s useful only for Steam support which is nonfree software.
Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | |
Task Description
http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu devicemodel process. (The virtual CDROM device is read-only, so no data can be written.)
http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host.
http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time.
http://openwall.com/lists/oss-security/2018/05/11/2
[critical] A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation, or information leaks, cannot be excluded.
Patches provided by upstream.
Any | Security Issue | Medium | Critical | [glusterfs] CVE-2018-1088: Privilege escalation via gl ... | Closed | |
Task Description
https://security-tracker.debian.org/tracker/CVE-2018-1088
http://openwall.com/lists/oss-security/2018/04/18/1
https://bugs.debian.org/896128
A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
Upstream patches: https://review.gluster.org/#/c/19899/1..2
Fixed in: https://github.com/gluster/glusterfs/releases/tag/v4.0.2
Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | |
Task Description
An external attacker is able to inject arbitrary cookie values into the cookie jar file, adding new or replacing existing cookie values. http://openwall.com/lists/oss-security/2018/05/06/1
Fixed in GNU Wget 1.19.5 or later.
Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | |
Task Description
Uses that require explicit approval
Distributing a modified version of the Rust programming language or the Cargo package manager and calling it Rust or Cargo requires explicit, written permission from the Rust core team. We will usually allow these uses as long as the modifications are (1) relatively small and (2) very clearly communicated to end-users.
Selling t-shirts, hats, and other artwork or merchandise requires explicit, written permission from the Rust core team. We will usually allow these uses as long as (1) it is clearly communicated that the merchandise is not in any way an official part of the Rust project and (2) it is clearly communicated whether profits benefit the Rust project.
Using the Rust trademarks within another trademark requires written permission from the Rust core team except as described above.
Since it violates the freedom to redistribute without “explicit” approval, this is a freedom issue.
Any | Drop Request | Very High | Critical | [cgmanager] unmaintained and unsupportable | Closed | |
Task Description
The CGManager project has been deprecated in favor of using the kernel’s CGroup Namespace or lxcfs’ simulated cgroupfs.
See https://s3hh.wordpress.com/2016/06/18/whither-cgmanager/ for details.
Any | Drop Request | Very High | Critical | [pm-utils] unmaintained and unsupportable | Closed | |
Task Description
pm-utils has not been maintained for a long time. Therefore, it should be removed from the repos since Hyperbola contains an amendment about anti-abandonware in its packaging guidelines.
Any | Freedom Issue | Very High | Critical | [pacman] uses "Linux" term instead of "GNU/Linux" in it ... | Closed | |
Task Description
The man page of pacman says:
DESCRIPTION
Pacman is a package management utility that tracks installed packages on a Linux
system
And I propose to change “Linux system” to “GNU/Linux system”.
Any | Freedom Issue | Very High | Critical | [xmind] is probably directing users to proprietary soft ... | Closed | |
Task Description
xmind, when installed, shows that “this version is not licensed”, which cannot be right. Even though there is a GPL license on GitHub, that vague information in the software can be and is wrongly understood:
Further, it asks for a license key to get the “Pro” version.
Thus xmind is pointing to proprietary software.
That means xmind shall be removed from Hyperbola immediately, since as it is now it cannot be in a fully free GNU distribution.
Any | Freedom Issue | Very High | Critical | [luminancehdr] depends on non-free qt5-webengine | Closed | |
Task Description
Please repackage or replace with free software which provides similar functionality such as MacroFusion (which is available in the AUR).
The package cannot be installed. Here is the terminal output:
$ sudo pacman -S luminancehdr
resolving dependencies...
warning: cannot resolve "qt5-webengine", a dependency of "luminancehdr"
:: The following package cannot be upgraded due to unresolvable dependencies:
luminancehdr
:: Do you want to skip the above package for this upgrade? [y/N] y
looking for conflicting packages...
there is nothing to do
Any | Freedom Issue | Very High | Critical | [bluegriffon] contains support to nonfree "Extended Fea ... | Closed | |
Task Description
BlueGriffon contains support to nonfree “Extended Features”
$ pacman -Qi bluegriffon
Name : bluegriffon
Version : 2.3.1-2
Description : The next-generation Web Editor based on the rendering engine of Firefox
Architecture : x86_64
URL : http://bluegriffon.org/
Licenses : MPL GPL LGPL
Groups : None
Provides : None
Depends On : alsa-lib desktop-file-utils dbus-glib gtk2 gtk3 hunspell mozilla-common nss libevent libvpx libxt python2 startup-notification
Optional Deps : None
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 120.72 MiB
Packager : Evangelos Foutras <evangelos@foutrelis.com>
Build Date : Tue 25 Apr 2017 12:22:30 PM -03
Install Date : Wed 08 Nov 2017 12:46:24 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
Any | Privacy Issue | Very High | Critical | [purple-facebook] only useful with Facebook service | Closed | |
Task Description
Description:
community/purple-facebook 0.9.3-1
Facebook protocol plugin for libpurple
It is up to the maintainers to decide, of course. IMHO I would remove this one, as it uses the proprietary network Facebook exclusively, and even mentions the word in the package.
See: https://www.gnu.org/distros/free-system-distribution-guidelines.html
A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so.
Any | Privacy Issue | Very High | Critical | [cutegram] only useful with Telegram service | Closed | |
Task Description
Description: Cutegram is a Telegram client. It is free software; however, it uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs to go to the blacklist since Hyperbola’s objective is to support the privacy of its community.
Additional info:
$ pacman -Si cutegram
Repository : community
Name : cutegram
Version : 2.7.1-3
Description : A different telegram client from Aseman team
Architecture : x86_64
URL : http://aseman.co/en/products/cutegram/
Licenses : GPL
Groups : None
Provides : cutegram
Depends On : qt5-imageformats qt5-webkit telegramqml>=0.9.1 libqtelegram-ae>=3:6.1
Optional Deps : gst-plugins-bad: audio support
gst-plugins-good: audio and notification sound
Conflicts With : cutegram-git sigram-git sigram cutegram
Replaces : cutegram-cn
Download Size : 12.03 MiB
Installed Size : 17.07 MiB
Packager : Jiachen Yang <farseerfc@gmail.com>
Build Date : Mon 25 Jan 2016 05:59:04 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Any | Privacy Issue | Very High | Critical | [libqtelegram-ae] only useful with Telegram service | Closed | |
Any | Privacy Issue | Very High | Critical | [telegram-qt] only useful with Telegram service | Closed | |
Any | Privacy Issue | Very High | Critical | [telegramqml] only useful with Telegram service | Closed | |
Any | Privacy Issue | Very High | Critical | [telepathy-morse] only useful with Telegram service | Closed | |
Any | Privacy Issue | Very High | Critical | [telepathy-kde-accounts-kcm] recommends Telepathy-Morse ... | Closed | |
Any | Bug Report | High | Critical | [light-locker] returns error while tries load shared li ... | Closed | |
Any | Bug Report | Very High | Critical | [grub] remove the "placeholder" entry in /etc/grub.d/20 ... | Closed | |
Any | Bug Report | Very High | Critical | [openrc] rename "chroot-nspawn" keyword to "chroot+unsh ... | Closed | |
Any | Bug Report | Very High | Critical | [eudev] rename "systemd-nspawn" keyword to "chroot+unsh ... | Closed | |
Any | Feature Request | Very High | Critical | [openrc] please remove "mtab", "modules-load" and "swcl ... | Closed | |
Any | Security Issue | Very High | Critical | [openrc] use procps-ng's "sysctl" by default instead of ... | Closed | |
Any | Bug Report | Very High | Critical | [openrc] set "devfs" init script to run before than any ... | Closed | |
Any | Feature Request | Very High | Critical | [openrc] some init scripts are forced to load in certai ... | Closed | |
Any | Feature Request | Very High | Critical | [openrc] some init scripts are forced to load in certai ... | Closed | |
Any | Feature Request | Very High | Critical | [openrc] add "newinstance" mount parameter in "devpts" ... | Closed | |
Any | Feature Request | Very High | Critical | [openrc] add hidepid support in /proc filesystem. | Closed | |
Any | Feature Request | Very High | Critical | [netifrc] add net_macsec and net_veth init scripts | Closed | |
Any | Feature Request | Very High | Critical | [openrc] add chroot init config and script files | Closed | |
Any | Bug Report | Very High | Critical | [openrc] rename "procfs" init script to "binfmt_misc", ... | Closed | |
Any | Bug Report | Very High | Critical | [eudev][openrc] rename "dev-mount" to "devfs" in "udev" ... | Closed | |
Any | Backport Request | Very High | Critical | [netifrc] update package to 0.6.0 backport | Closed | |
Any | Security Issue | Very High | Critical | [openrc] remove dangerous "local" init script | Closed | |
Any | Feature Request | Medium | Critical | [hostapd] add 802.11r support | Closed | |
Any | Bug Report | Low | Critical | [openvswitch-lts] netifrc fails to start openvwitch int ... | Closed | |
Any | Security Issue | Very High | Critical | [znc] CVE-2018-14055: privilege escalation & CVE-2018-1 ... | Closed | |