Packages

Category | Task Type | Priority | Severity | Summary | Status | Progress
Any | Security Issue | Very High | Critical | [znc] CVE-2018-14055: privilege escalation & CVE-2018-1 ... | Closed | 100%
Task Description

Severity: high

Versions affected:
1.6.0 through 1.7.0
Potentially, all earlier versions too, but there is no known way to
trigger this before 1.6.0

Mitigation:
upgrade to 1.7.1

Description:
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming
from the network, allowing a non-admin user to escalate privilege,
inject rogue values into znc.conf, and gain shell access.

Upstream patches:
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

Severity: medium

Versions affected:
0.045 through 1.7.0

Mitigation:
upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`,
`/msg *status DelPort` commands.

Description:
ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user
can set web skin name to ../ to access files outside of the intended
skins directories and to cause DoS.

Upstream patch:
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773

Any | Bug Report | High | Critical | [zathura-ps] needs to be recompiled | Closed | 100%
Task Description

Description:
Since the update to 0.3.9 (or the update of girara to 0.2.9), zathura-pdf-poppler returns the following error:

error: Could not load plugin '/usr/lib/zathura/ps.so' (libgirara-gtk3.so.2: cannot open shared object file: No such file or directory).

Any | Security Issue | Very High | Critical | [xulrunner] unmaintained and unsupportable | Closed | 100%
Task Description

Remove “xulrunner”[0][1]: it is an insecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner
Licenses : MPL GPL LGPL
Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com
Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[1]:https://tracker.debian.org/pkg/xulrunner

Stable | Freedom Issue | Very High | Critical | [xorg-fonts-misc] contains non-libre/free Syriac typefa ... | Closed | 100%
Task Description

A Syriac typeface family series, Beth Mardutho’s Meltho, is considered non-libre/free because the licence forbids modification[1], and should be removed immediately.

[1]: https://github.com/freedesktop/xorg-misc-meltho/raw/master/license.txt

Any | Freedom Issue | Very High | Critical | [xmind] is probably directing users to proprietary soft ... | Closed | 100%
Task Description

xmind, when installed, is showing that “this version is not licensed”, so that cannot be right. Even though there is a GPL license on GitHub, that vague information in the software can be and is wrongly understood:

Further it is asking for license key to get the “Pro” version.

Thus xmind is pointing to proprietary software.

That means xmind shall be removed from Hyperbola immediately, as in its current state it cannot be in the fully free GNU distribution.

Testing | Implementation Request | High | Critical | [xlsfonts] Missing package needs to be added for xenoca ... | Closed | 100%
Task Description

Description: Package xlsfonts is missing and should absolutely be added, also within the groups ‘xenocara-apps’ and ‘xorg-apps’.

Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | 100%
Task Description

http://openwall.com/lists/oss-security/2018/04/30/1
An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2
A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1
A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

Testing | Bug Report | High | Critical | [wpa_supplicant]: wireless connection does not work | Closed | 100%
Task Description

Description:

Wireless connection does not work

Additional info:
* package version(s)

- wpa_supplicant 2:2.9-1
- libressl 3.2.2-1

* config and/or log files etc.

Successfully initialized wpa_supplicant
OpenSSL: Failed to set cipher string 'DEFAULT@SECLEVEL=1'
SSL: Failed to initialize TLS context.
Failed to initialize EAPOL state machines.
nl80211: deinit ifname=wlp0s18f2u1 disabled_11b_rates=0

Steps to reproduce:

$ wpa_supplicant -B -i device-name -c <(wpa_passphrase "ssid" "psk")

Any | Security Issue | Very High | Critical | [wpa_supplicant] vulnerable to KRACK attack | Closed | 100%
Task Description

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | 100%
Task Description

An external attacker is able to inject arbitrary cookie values into the cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

Any | Bug Report | Medium | Critical | [wesnoth]: prevents upgrade of Hyperbola, colliding fil ... | Closed | 100%
Task Description

Description:

I have tried to upgrade hyperbola.

Critical upgrades cannot be installed when wesnoth is installed, there are conflicting files

Steps to reproduce:

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 arch-keyring-201808...  1605.2 KiB   617K/s 00:03 [#########] 100%
 hyperbola-keyring-2...   215.9 KiB   635K/s 00:00 [#########] 100%
 linux-libre-lts-4.9...    59.6 MiB   749K/s 01:22 [#########] 100%
 openvpn-2.4.6-1.hyp...   402.2 KiB  1149K/s 00:00 [#########] 100%
 iceweasel-uxp-52.9....    39.8 MiB   839K/s 00:49 [#########] 100%
 libgdm-3.24.1-1.hyp...    57.3 KiB  1912K/s 00:00 [#########] 100%
 ntp-4.2.8.p11-2.hyp...  1798.4 KiB   833K/s 00:02 [#########] 100%
 sddm-0.14.0-2.hyper...     3.2 MiB   770K/s 00:04 [#########] 100%
 lxdm-0.5.3-4.hyperb...    98.4 KiB   984K/s 00:00 [#########] 100%
 tp_smapi-lts-0.43-1...    26.6 KiB  2.60M/s 00:00 [#########] 100%
 wesnoth-data-1.14.4...   395.1 MiB   745K/s 09:03 [#########] 100%
 wesnoth-1.14.4-1.hy...     5.5 MiB   616K/s 00:09 [#########] 100%
(12/12) checking keys in keyring                   [#########] 100%
(12/12) checking package integrity                 [#########] 100%
(12/12) loading package files                      [#########] 100%
(12/12) checking for file conflicts                [#########] 100%
error: failed to commit transaction (conflicting files)
/usr/share/icons/hicolor/128x128/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/16x16/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/256x256/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/32x32/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/512x512/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/64x64/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/metainfo/wesnoth.appdata.xml exists in both 'wesnoth-data' and 'wesnoth'
Errors occurred, no packages were upgraded.

Any | Security Issue | Very High | Critical | [wesnoth] CVE-2018-1999023 - Code Injection vulnerabili ... | Closed | 100%
Task Description

The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appears to be exploitable via loading specially-crafted saved games, networked games, replays, and player content.

https://security-tracker.debian.org/tracker/CVE-2018-1999023

Upstream patch: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318

Any | Bug Report | Very High | Critical | [warsow] the package is not compiled from source | Closed | 100%
Task Description

The package is not compiled from source

Any | Freedom Issue | Very High | Critical | [warsow] contains Steam support | Closed | 100%
Task Description

Warsow contains a library called steamlib which is built from the source. It’s useful only for Steam support which is nonfree software.

Any | Freedom Issue | Very High | Critical | [warsow-data] the package contains nonfree assets (CC B ... | Closed | 100%
Task Description

The package contains nonfree assets:
data0_000_nonfree_21.pk3
data0_000_nonfree_21pure.pk3
tex_000_nonfree.pk3

Any | Security Issue | Very High | Critical | [w3m] unmaintained and unsupportable | Closed | 100%
Task Description

w3m is unmaintained and unsupportable software; the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/
Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org
Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/
[1]:https://security.archlinux.org/package/w3m
[2]:https://tracker.debian.org/pkg/w3m
[3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

Any | Security Issue | Very High | Critical | [vlc] CVE-2018-11529 | Closed | 100%
Task Description

Description:

  • VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

Additional info:
* package version(s)

  • 2.2.6-1.hyperbola1

* config and/or log files etc.

  • None

Steps to reproduce:

  • Run VLC

Any | Security Issue | Very High | Critical | [vlc] CVE-2017-17670 | Closed | 100%
Task Description

Description:

  • In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to an invalid free, because the type of a box may be changed between a read operation and a free operation.

Additional info:
* package version(s)

  • 2.2.6-1.hyperbola1

* config and/or log files etc.

  • None

Steps to reproduce:

  • Run VLC

Stable | Bug Report | Medium | Critical | [virt-manager] Failed to initialize a valid firewall ba ... | Closed | 100%
Task Description

[virt-manager] Failed to initialize a valid firewall backend

I cannot start any virtual machine with current virt-manager.
The error message is the following :

Failed to initialize a valid firewall backend

My username is in “kvm” group.

The only modification to the libvirt config files I made are in /etc/libvirt/qemu.conf

[...]
# Some examples of valid values are:
#
#       user = "qemu"   # A user named "qemu"
#       user = "+0"     # Super user (uid=0)
#       user = "100"    # A user named "100" or a user with uid=100
# 
#user = "root"
user = "david"
[...]

The libvirtd service is enabled (and starts without error).
Also, the optional dependencies are correctly installed :

ebtables: required for default NAT networking [installed]
dnsmasq: required for default NAT/DHCP for guests [installed]
bridge-utils: for bridged networking [installed]

This was working fine previously (with 0.2.9) so I don’t know why this isn’t working anymore. As said previously, my config hasn’t changed.

Stable | Bug Report | High | Critical | [vhba-module-lts] modprobe: ERROR: could not insert 'vh ... | Closed | 100%
Task Description
filename:       /lib/modules/4.9.77-gnu-1-lts/extramodules/vhba.ko
license:        GPL
description:    Virtual SCSI HBA
version:        20161009
author:         Chia-I Wu
srcversion:     E5A3E6F70DFD436A6B1C8D6
depends:        scsi_mod
vermagic:       4.9.27-gnu-1-lts SMP mod_unload modversions

Can’t insert module vhba

Error :

modprobe: ERROR: could not insert 'vhba': Exec format error

Any | Freedom Issue | Very High | Critical | [vdrift-data] contains nonfree car and track models | Closed | 100%
Task Description

The package contains nonfree car and track models

Stable | Bug Report | Medium | Critical | [v4l-utils] Error in `dvbv5-scan': double free or corru ... | Closed | 100%
Task Description

With : v4l-utils 1.12.3-1.hyperbola1

dvbv5-scan utility currently segfaults with rtl2832

*** Error in `dvbv5-scan': double free or corruption (fasttop): 0x000000000090be90 ***
======= Backtrace: =========
/lib/libc.so.6(+0x727ad)[0x7f4f9a9657ad]
/lib/libc.so.6(+0x78e6f)[0x7f4f9a96be6f]
/lib/libc.so.6(+0x796ce)[0x7f4f9a96c6ce]
/usr/lib/libdvbv5.so.0(free_dvb_dev+0x13)[0x7f4f9acafa53]
/usr/lib/libdvbv5.so.0(dvb_dev_free_devices+0x28)[0x7f4f9acafaf8]
/usr/lib/libdvbv5.so.0(dvb_dev_free+0x4e)[0x7f4f9acafe2e]
dvbv5-scan[0x401729]
/lib/libc.so.6(__libc_start_main+0xf1)[0x7f4f9a9135a1]
dvbv5-scan[0x4019fa]

This seems to have been fixed, see :

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859008

I don’t know if a patch is available for it though.

Any | Bug Report | High | Critical | [utox] package needs rebuilding | Closed | 100%
Task Description

I get this error when trying to run it:

$ utox
utox: error while loading shared libraries: libtoxencryptsave.so.1: cannot open shared object file: No such file or directory

Any | Security Issue | Very High | Critical | [util-linux] CVE-2018-7738 | Closed | 100%
Task Description

Description:
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

Any | Security Issue | Very Low | Critical | [unbound] Multiple CVEs | Closed | 100%
Task Description

https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

[Critical] https://security-tracker.debian.org/tracker/CVE-2019-18934

Any | Security Issue | Very Low | Critical | [toxcore] Memory leak bug | Closed | 100%
Any | Security Issue | Very High | Critical | [toxcore] Memory leak - Remote DDoS vulnerability | Closed | 100%
Stable | Bug Report | Medium | Critical | [torsocks] which: no getcap | Closed | 100%
Any | Freedom Issue | Very High | Critical | [torcs-data] contains nonfree car models | Closed | 100%
Any | Privacy Issue | Very High | Critical | [telepathy-morse] only useful with Telegram service | Closed | 100%
Any | Privacy Issue | Very High | Critical | [telepathy-kde-accounts-kcm] recommends Telepathy-Morse ... | Closed | 100%
Any | Privacy Issue | Very High | Critical | [telegramqml] only useful with Telegram service | Closed | 100%
Any | Privacy Issue | Very High | Critical | [telegram-qt] only useful with Telegram service | Closed | 100%
Any | Security Issue | Very Low | Critical | [tcpreplay] CVEs | Closed | 100%
Stable | Update Request | High | Critical | [system-config-printer] update to 1.5.11 | Closed | 100%
Any | Bug Report | Very Low | Critical | [system-config-printer] Impossible to print some pdfs ( ... | Closed | 100%
Any | Freedom Issue | Very High | Critical | [supertuxkart] remove nonfree Ubuntu Font Family fonts | Closed | 100%
Stable | Implementation Request | Medium | Critical | [strongswan] add new package | Closed | 100%
Stable | Replace Request | Very Low | Critical | [spamassassin] includes dependencies for systemd | Closed | 100%
Stable | Freedom Issue | High | Critical | [smplayer] Removal of unfree "Chromecast"-plugin | Closed | 100%
Stable | Bug Report | Very Low | Critical | [smartmontools] update-smart-drivedb fails to update | Closed | 100%
Any | Security Issue | Very High | Critical | [schroedinger] unmaintained and unsupportable | Closed | 100%
Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | 100%
Testing | Bug Report | Medium | Critical | [rsyslog] wrong reference to /usr/bin/rsyslog in /etc/l ... | Closed | 100%
Stable | Bug Report | Medium | Critical | [roundcubemail-lts] not compatible with PHP 7.1 | Closed | 100%
Any | Security Issue | Very High | Critical | [qtpass] Insecure Password Generation prior to 1.2.1 | Closed | 100%
Any | Freedom Issue | Very High | Critical | [qtemu] package recommends installing non-free OSes | Closed | 100%
Stable | Update Request | Very Low | Critical | [qt5] request for upgrade | Closed | 100%
Any | Replace Request | High | Critical | [python2] replace deprecated Python 2 to Tauthon | Closed | 100%
Any | Security Issue | High | Critical | [python2] heap-overflow vulnerability CVE-2018-1000030 | Closed | 100%
Showing tasks 1 - 50 of 1517 Page 1 of 31
