Description: https://www.openwall.com/lists/oss-security/2020/02/24/5 https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)

in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.

OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).

https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

https://9to5linux.com/grub2-boot-failure-issues-fixed-in-debian-and-ubuntu-update-now

Since DNSCrypt-Proxy project has been abandoned [0] , DNSCrypt-Proxy 2 [1] should be used as its source replacement, however DNSCrypt-Proxy 2 contains support for unsafe and dangerous for privacy protocols such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]

Therefore DNSCrypt-Proxy 2 requires be re-forked by us first to follow our social contract.

Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.

However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].

This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.

This is the list of firmware files in linux-libre-lts-firmware and its dependencies:

linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw

ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw

openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw

And here are the firmware files of the new linux-libre-firmware:

linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin

It has openfwwf and ath9k-htc-firmware included, plus some others. If actual versions of Hyperbola don’t get the update at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies at Parabola’s abslibre.git libre tree[5]

The new dependencies are:

• sh-elf-gcc (which depends on sh-elf-binutils)

• sh-elf-newlib

• arm-linux-gnueabi-gcc (which depends on arm-linux-gnueabi-binutils)

• xtensa-unknown-elf-gcc (already at Hyperbola)

Sources:

[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre

Updated Note:

Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately and create a group called kernel-firmware to follow the our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those ones are firmware dependencies.

Description:

• replace deprecated GNU Bazaar to Brezy for Canis Major

Additional info:

• bzr 2.7.0-2
• GNU Bazaar will be unmaintained (for now, there are only bug fixes)
• GNU Bazaar only supports Python 2.
• Python 2.7 is the end of the Python 2 line of development. [0]
• There never will be an official Python 2.8 release.
• Or use Tauthon (fork of Python 2.7) as dependency.

Note: It needs a provide: bazaar and brezy

Steps to reproduce:

• broken package

Description:

• replace deprecated Python 2 to Tauthon for Canis Major

Additional info:

• python 2.7.14-2.hyperbola1
• Python 2.7 is the end of the Python 2 line of development. [0]
• There never will be an official Python 2.8 release.

Steps to reproduce:

• Broken python2 packages.

Description: The package spamassassin has no further init-script for OpenRC and instead includes service-definitions for systemd

Additional info:
* package version(s) 3.4.1-7

Description: The package opendkim has no further init-script for OpenRC and instead includes service-definitions for systemd

Additional info:
* package version(s) 2.10.3-4

Abiword supports the defunct AltaVista’s Babel Fish translator which queries are redirected to the main Yahoo! page.

...

build() {
  cd $pkgname-$pkgver
  ./configure --prefix=/usr \
    --enable-shared \
    --disable-static \
    --enable-clipart \
    --enable-templates \
    --enable-plugins="aiksaurus applix **babelfish** bmp clarisworks collab docbook \
                      eml epub freetranslation garble gdict gimp goffice grammar \
                      hancom hrtext iscii kword latex loadbindings mathview mht \
                      mif mswrite opendocument openwriter openxml opml ots paint \
                      passepartout pdb pdf presentation psion s5 sdw t602 urldict \
                      wikipedia wmf wml wordperfect wpg xslfo" \
    --enable-introspection
  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
  make
}

...

Libreoffice contains Google API keys which affects privacy.

/etc/init.d/net-online
-----
Line #62
ping_test_host="${ping_test_host:-google.com}"
_____
/etc/conf.d/net-online
-----
# The default is google.com.

As per a recent discovery, we should check if our deepin is affected by the CNZZ spyware in the AppStore.
https://www.youtube.com/watch?v=v25Dy66AtNI

We also shouldn’t use the AppStore if it exists, due to non-free apps.

Known files:
> usr/share/dbus-1/system-services/com.deepin.daemon.Apps.service
> etc/appstore.json

Description:

community/purple-facebook 0.9.3-1
    Facebook protocol plugin for libpurple

It is up to maintainers to decide of course. IMHO I would remove this one as it uses proprietary network Facebook, exclusively, and even mentioning the word in the package.

See:
https://www.gnu.org/distros/free-system-distribution-guidelines.html

A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so.

Description:
Cutegram is a Telegram client. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si cutegram
Repository      : community
Name            : cutegram
Version         : 2.7.1-3
Description     : A different telegram client from Aseman team
Architecture    : x86_64
URL             : http://aseman.co/en/products/cutegram/
Licenses        : GPL
Groups          : None
Provides        : cutegram
Depends On      : qt5-imageformats  qt5-webkit  telegramqml>=0.9.1  libqtelegram-ae>=3:6.1
Optional Deps   : gst-plugins-bad: audio support
                  gst-plugins-good: audio and notification sound
Conflicts With  : cutegram-git  sigram-git  sigram  cutegram
Replaces        : cutegram-cn
Download Size   : 12.03 MiB
Installed Size  : 17.07 MiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:59:04 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
libqtelegram-ae is Telegram library written in Qt based on telegram-cli code. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si libqtelegram-ae
Repository      : community
Name            : libqtelegram-ae
Version         : 3:6.1-4
Description     : Telegram library written in Qt based on telegram-cli code
Architecture    : x86_64
URL             : https://launchpad.net/libqtelegram
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : qt5-base  qt5-multimedia
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 431.27 KiB
Installed Size  : 1999.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Wed 05 Apr 2017 07:16:39 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
TelegramQt is a Telegram binding for Qt. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegram-qt
Repository      : community
Name            : telegram-qt
Version         : 0.1.0-2
Description     : Qt bindings for the Telegram protocol
Architecture    : x86_64
URL             : https://github.com/Kaffeine/telegram-qt
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-base
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 204.80 KiB
Installed Size  : 747.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 18 Feb 2017 06:49:55 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
TelegramQML are Telegram API tools for QtQml and Qml. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegramqml
Repository      : community
Name            : telegramqml
Version         : 0.9.2-2
Description     : Telegram API tools for QtQml and Qml
Architecture    : x86_64
URL             : https://github.com/Aseman-Land/TelegramQML
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-webkit  qt5-imageformats  qt5-graphicaleffects  qt5-quickcontrols  libqtelegram-ae
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 401.03 KiB
Installed Size  : 1905.00 KiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:46:59 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
Telepathy-Morse is a Qt-based Telegram connection manager for the Telepathy framework. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telepathy-morse
Repository      : community
Name            : telepathy-morse
Version         : 0.1.0-1
Description     : Telepathy Connection Manager for the Telegram network
Architecture    : x86_64
URL             : https://github.com/TelepathyQt/telepathy-morse
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : telepathy-qt5  telegram-qt
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 90.80 KiB
Installed Size  : 351.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Fri 16 Sep 2016 11:49:33 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
telepathy-kde-accounts-kcm contains the telepathy-morse package in its optdepends array. It should be removed since Telepathy-Morse provides support for Telegram, a nonfree server-side service that requires accounts tied to telephone numbers.

Additional info:

$ pacman -Si telepathy-kde-accounts-kcm
Repository      : extra
Name            : telepathy-kde-accounts-kcm
Version         : 17.04.0-1
Description     : KCM Module for configuring Telepathy Instant Messaging Accounts
Architecture    : x86_64
URL             : https://community.kde.org/Real-Time_Communication_and_Collaboration
Licenses        : GPL
Groups          : kde-applications  kdenetwork  telepathy-kde
Provides        : None
Depends On      : telepathy-qt  kaccounts-providers
Optional Deps   : telepathy-gabble: XMPP/Jabber accounts support
                  telepathy-haze: account types supported by Pidgin/libpurple
                  telepathy-morse: Telegram accounts support
                  telepathy-salut: link-local XMPP account support
Conflicts With  : None
Replaces        : None
Download Size   : 334.86 KiB
Installed Size  : 2111.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 15 Apr 2017 06:47:59 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

The current version of BleachBit needs to be adapted so it can clean the new .cache/hyperbola/ directory.

Description:

• Add Linux-libre kernel adapted for servers:
  • Disable "Loadable kernel modules"
  • Adapt config for servers

Additional info:

• none.

Steps to reproduce:

• none.

Description:

Package strongSwan is missing. Can it please be added to relevant repository? The package’s presence is critical for using IKEv2 in VPN.

Additional info:

* Source: Please see added link

Steps to reproduce:

N/A

Description: Package xlsfonts is missing and should absolutely being added also within groups for ‘xenocara-apps’ and ‘xorg-apps’.

$ pacman -Si cmake-fedora
Repository : community
Name : cmake-fedora
Version : 2.7.1-3
Description : CMake helper modules for fedora developers
Architecture : any
URL : https://pagure.io/cmake-fedora Licenses : custom:BSD
Groups : None
Provides : None
Depends On : cmake
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 90.94 KiB
Installed Size : 422.00 KiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 17 Apr 2017 06:39:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

Cataclysm-DDA contains a problematic license[0][1][2] for software.
Uses “Creative Commons Attribution-ShareAlike 3.0 Unported License”.

$ pacman -Si cataclysm-dda
Repository : community
Name : cataclysm-dda
Version : 0.C-3
Description : A post-apocalyptic roguelike.
Architecture : x86_64
URL : http://en.cataclysmdda.com/ Licenses : CCPL:by-sa
Groups : None
Provides : None
Depends On : ncurses lua
Optional Deps : sdl2_image: for tiles

                sdl2_ttf: for tiles
                freetype2: for tiles
                sdl2_mixer: for tiles

Conflicts With : None
Replaces : None
Download Size : 19.33 MiB
Installed Size : 53.32 MiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 07 Dec 2015 03:14:02 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://github.com/CleverRaven/Cataclysm-DDA/blob/master/LICENSE.txt [1]:https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software [2]:https://www.gnu.org/licenses/license-list.html#ccbysa