|
Any | Backport Request | Very High | High | [nodejs] backporting to nodejs LTS 8.11.3 | Closed | |
Task Description
Description:
Hi dear developers of Hyperbola. I work in the field of web development. I use a lot of javascript and nodejs to compile. Could they do the nodejs update?. I also mention this because Hyperbola works with LTS packages.
Additional info:
* package version(s)
$ sudo pacman -Si nodejs
Repositorio : community
Nombre : nodejs
Versión : 7.10.0-1
Descripción : Evented I/O for V8 javascript
Arquitectura : x86_64
URL : http://nodejs.org/
Licencias : MIT
Grupos : Nada
Provee : Nada
Depende de : openssl-1.0 zlib icu libuv http-parser c-ares
Dependencias opcionales : npm: nodejs package manager
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 4,55 MiB
Tamaño de la instalación : 18,49 MiB
Encargado : Felix Yan <felixonmars@archlinux.org>
Fecha de creación : mié 03 may 2017 09:50:26 -05
Validado por : Suma MD5 Suma SHA-256 Firma
$ sudo pacman -Si npm
Repositorio : community
Nombre : npm
Versión : 4.5.0-1
Descripción : A package manager for javascript
Arquitectura : any
URL : https://www.npmjs.com/
Licencias : custom:Artistic
Grupos : Nada
Provee : nodejs-node-gyp
Depende de : nodejs semver
Dependencias opcionales : python2: for node-gyp
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 2,72 MiB
Tamaño de la instalación : 13,98 MiB
Encargado : Felix Yan <felixonmars@archlinux.org>
Fecha de creación : mié 12 abr 2017 22:08:06 -05
Validado por : Suma MD5 Suma SHA-256 Firma
- NodeJS LTS (includes npm 5.6.0):
* https://nodejs.org/dist/v8.11.3/node-v8.11.3.tar.gz
* https://nodejs.org/dist/v8.11.3/SHASUMS256.txt.asc
Some errors that I suffer when compiling: - https://stackoverflow.com/questions/46476741/nodejs-util-promisify-is-not-a-function
|
|
Any | Security Issue | Very High | Critical | [openssh] CVE-2018-15473 | Closed | |
Task Description
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
https://security-tracker.debian.org/tracker/CVE-2018-15473
Patch: https://salsa.debian.org/ssh-team/openssh/commit/4641c58a3279f6b118f9562babaa0ee050a38619
Technical analysis: https://blog.nviso.be/2018/08/21/openssh-user-enumeration-vulnerability-a-close-look/
|
|
Any | Feature Request | Very High | High | [gpsd]: contains systemd files | Closed | |
Task Description
Since Hyperbola follows the Init Freedom Campaign, systemd unit files removal is required or add OpenRC init scripts to replace it.
Additional info: * package version(s)
extra/gpsd 3.16-3 [installed]
GPS daemon and library to support USB/serial GPS devices
* config and/or log files etc.
Additional info:
Steps to reproduce: install it
|
|
Any | Security Issue | Very High | Critical | [dropbear] CVE-2018-15599 | Closed | |
Task Description
User enumeration in Dropbear 2018.76 and earlier http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
Patch: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00
|
|
Any | Security Issue | Very High | Critical | [mutt] CVE-2018-14354 | Closed | |
Task Description
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.
https://security-tracker.debian.org/tracker/CVE-2018-14354
|
|
Any | Security Issue | Very High | Critical | [iceweasel-uxp-noscript] Zero-day bypass and script exe ... | Closed | |
Task Description
Description:
NoScript zero-day allows script execution even with scripts blocked by default.
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/
https://twitter.com/ma1/status/1039163003034324992
Additional info: * package version(s) < 5.1.8.7
Steps to reproduce: Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”
|
|
Stable | Feature Request | Very High | High | [hiawatha]: remove systemd files, provide openrc | Closed | |
Task Description
Description:
Hiawatha contains only systemd files.
It shall be removed and openrc shall be provided
|
|
Any | Security Issue | Very High | Critical | [util-linux] CVE-2018-7738 | Closed | |
Task Description
Description: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/
|
|
Any | Feature Request | Very High | High | [umurmur] needs OpenRC init script and contains systemd ... | Closed | |
Task Description
Description:
Additional info:
umurmur /usr/lib/systemd/system/umurmur.service
Steps to reproduce:
|
|
Any | Bug Report | Very High | High | [openrc] needs a minor fix | Closed | |
Task Description
Description:
Additional info:
openrc /usr/lib/rc/sh/init.sh
—
- mount -n -t proc -o noexec,nosuid,nodev,gid=proc,hidepid=2 proc /proc
+ mount -n -t proc -o noexec,nosuid,nodev proc /proc
+ mount -n /proc -o remount,gid=26,hidepid=2
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [schroedinger] unmaintained and unsupportable | Closed | |
Task Description
Description:
Remove Schrödinger in Hyperbola because it’s unmaintained and unsupportable. [0] [1]
Additional info:
$ pacman -Si schroedinger
Repository : extra
Name : schroedinger
Version : 1.0.11-3
Description : An implemenation of the Dirac video codec in ANSI C code
Architecture : x86_64
URL : https://launchpad.net/schroedinger
Licenses : GPL2 LGPL2.1 MPL MIT
Groups : None
Provides : None
Depends On : orc gcc-libs
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 331.64 KiB
Installed Size : 1676.00 KiB
Packager : Evangelos Foutras <evangelos@foutrelis.com>
Build Date : Sat 05 Dec 2015 12:28:01 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2017-17670 | Closed | |
Task Description
Description:
In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [vlc] CVE-2018-11529 | Closed | |
Task Description
Description:
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [qtpass] Insecure Password Generation prior to 1.2.1 | Closed | |
Task Description
Description: As stated on the home page of the project (https://qtpass.org/): <quote> All passwords generated with QtPass’ built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers. </quote>
|
|
Any | Freedom Issue | Very High | Critical | [qtemu] package recommends installing non-free OSes | Closed | |
Task Description
When running QtEmu for the first time and running the new machine wizard, the software lists non-free operating systems and refers to GNU/Linux as Linux.
It would be nice to list LibertyBSD in the list of distros in this software in addition to GNU/Linux and GNU/Hurd (which are listed in aqemu).
|
|
Any | Security Issue | Very High | Critical | [toxcore] Memory leak - Remote DDoS vunerability | Closed | |
Task Description
Description:
A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.
Additional info: * package version(s): < 2.8
https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/
|
|
Any | Security Issue | Very High | Critical | [libssh] CVE-2018-10933 | Closed | |
Task Description
Description: libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
Additional info: * package version(s) : extra/libssh 0.7.5-1
CVE
|
|
Any | Security Issue | Very High | Critical | [openldap] 2.4.44 multiple security issues | Closed | |
Task Description
Description: Changelog
2.4.46 is fixing a huge quantity of issues (TLS related & memory leak)
Additional info: * package version(s) : 2.4.44
|
|
Any | Bug Report | Very High | High | [mkinitcpio] consolefont and keymap hooks is adapted to ... | Closed | |
Task Description
Description:
Additional info:
/usr/lib/initcpio/install/consolefont
---
- [[ -s /etc/vconsole.conf ]] && . /etc/vconsole.conf
+ [[ -s /etc/conf.d/consolefont ]] && . /etc/conf.d/consolefont
- if [[ $FONT ]]; then
- for file in "/usr/share/kbd/consolefonts/$FONT".@(fnt|psf?(u))?(.gz); do
+ if [[ $consolefont ]]; then
+ for file in "/usr/share/kbd/consolefonts/$consolefont".@(fnt|psf?(u))?(.gz); do
- error "consolefont: requested font not found: \`%s'" "$FONT"
+ error "consolefont: requested font not found: \`%s'" "$consolefont"
-This hook loads consolefont specified in vconsole.conf during early
-userspace.
+This hook loads consolefont specified in /etc/conf.d/consolefont during
+early userspace.
/usr/lib/initcpio/install/keymap
---
- for cfg in /etc/{vconsole,locale}.conf; do
+ for cfg in /etc/{conf.d/keymaps,locale}.conf; do
- loadkeys -q $uc ${KEYMAP:-us} -b > "$BUILDROOT/keymap.bin"
+ loadkeys -q $uc ${keymap:-us} -b > "$BUILDROOT/keymap.bin"
-This hook loads keymap(s) specified in vconsole.conf during early
-userspace.
+This hook loads keymap(s) specified in /etc/conf.d/keymaps during
+early userspace.
Repository : core
Name : mkinitcpio
Version : 23-1.hyperbola3.1
Description : Modular initramfs image creation utility, with eudev support
Architecture : any
URL : https://projects.archlinux.org/mkinitcpio.git/
Licenses : GPL
Groups : None
Provides : None
Depends On : awk mkinitcpio-busybox>=1.19.4-2 kmod util-linux>=2.23 libarchive coreutils bash findutils grep filesystem>=2011.10-1 gzip eudev
Optional Deps : xz: Use lzma or xz compression for the initramfs image
bzip2: Use bzip2 compression for the initramfs image
lzop: Use lzo compression for the initramfs image
lz4: Use lz4 compression for the initramfs image
mkinitcpio-nfs-utils: Support for root filesystem on NFS
Conflicts With : None
Replaces : None
Download Size : 38.40 KiB
Installed Size : 186.00 KiB
Packager : André Silva <emulatorman@hyperbola.info>
Build Date : Fri 05 Oct 2018 03:28:32 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Steps to reproduce:
|
|
Any | Security Issue | Very High | Critical | [php] CVE-2017-9120 | Closed | |
Task Description
Description:
PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.
Additional info: * package version(s)
$ pacman -Si php
Repositorio : extra
Nombre : php
Versión : 7.1.4-3.hyperbola3
Descripción : A general-purpose scripting language that is especially suited to web development, without systemd support
Arquitectura : x86_64
URL : http://www.php.net
Licencias : PHP
Grupos : Nada
Provee : php-ldap=7.1.4
Depende de : libxml2 curl libzip pcre
Dependencias opcionales : Nada
En conflicto con : php-ldap
Remplaza a : php-ldap
Tamaño de la descarga : 3,02 MiB
Tamaño de la instalación : 15,94 MiB
Encargado : André Silva <emulatorman@hyperbola.info>
Fecha de creación : mié 27 dic 2017 19:15:03 -05
Validado por : Suma MD5 Suma SHA-256 Firma
* config and/or log files etc.
Last update of php be v7.1.x is v7.1.23:
- https://secure.php.net/ChangeLog-7.php#7.1.23
Patch availabble from v7.1.5 https://bugs.php.net/bug.php?id=74544
Steps to reproduce:
- Install php
|
|
Stable | Freedom Issue | Very High | Critical | [cool-retro-term] update package to 1.0.1 and remove no ... | Closed | |
Task Description
In the latest version fixes several issues and font improvements[1], but unfortunately there is a major problem contained five three non-libre/free typefaces in the source code.
Apple II (1977): a licence forbids to sell and modify. Already removed
Commodore PET (1977): a licence forbids to sell and modify. Already removed
Atari 400/800 (1979): in the latest version, there is a vague term “freeware”[2] in documentation, but forbids to sell and modify.
Commercial 64 (1982): a licence forbids to sell. Already removed
Monaco (modern): proprietary from Apple.
$ rm -fr "./app/qml/fonts/{1977-*,1979-atari-400-800,1982-commodore64,modern-monaco}/";
Also, I attached three QML source code diff files down below, by removing and replacing strings.
[1]: https://github.com/Swordfish90/cool-retro-term/releases/tag/1.0.1/ [2]: https://www.gnu.org/philosophy/words-to-avoid#Freeware
|
|
Stable | Freedom Issue | Very High | Critical | [xorg-fonts-misc] contains non-libre/free Syriac typefa ... | Closed | |
Task Description
A Syriac typeface family series of Beth Mardutho’s Meltho is considered as non-libre/free because a licence forbids to modify[1], and should be removed immediately.
[1]: https://github.com/freedesktop/xorg-misc-meltho/raw/master/license.txt
|
|
Any | Freedom Issue | Very High | Critical | [python-pip][python2-pip] Pip recommends proprietary so ... | Closed | |
Task Description
Description: pip allows the user to search and install packages from the PyPi repository, which contains proprietary software.
Additional info: * example of proprietary package in PyPi repository: https://pypi.org/project/snaplogic * Trisquel’s solution was to remove python-pip: https://trisquel.info/en/issues/3741
Steps to reproduce: $ sudo pacman -S python-pip $ pip search snaplogic # prints information about proprietary package $ pip install snaplogic # installs proprietary package
|
|
Any | Freedom Issue | Very High | Critical | [purple-skypeweb] Plugin only useful with Skype | Closed | |
Task Description
Please remove as plugin is only useful with Skype hosted by a single company on a single server as far as I can tell (unlike pidgin-sipe).
|
|
Stable | Freedom Issue | Very High | Critical | [gftp] Remove many other (old and dead) FTP site bookma ... | Closed | |
Task Description
Contains many other (old and dead) non-FSDG distro and software archive and repo FTP sites, and must remove carefully.
|
|
Any | Freedom Issue | Very High | Critical | [man-pages] contains nonfree POSIX manual pages | Closed | |
|
|
Any | Bug Report | Very High | Critical | [linux-libre-lts] spinlock not released on kernel by i9 ... | Closed | |
|
|
Any | Bug Report | Very High | Critical | [electrum] package no longer works | Closed | |
|
|
Stable | Security Issue | Very High | Critical | [exim] CVE-2019-10149 | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [supertuxkart] remove nonfree Ubuntu Font Family fonts | Closed | |
|
|
Any | Bug Report | Very High | Critical | [cups] [cups-filters] ServerBin directory inconsistency | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [clementine] using non-free services and interfaces | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [gens] contains nonfree Starscream code | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [gens-gs] contains nonfree Starscream code and the Poor ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [dgen-sdl] contains nonfree CZ80, dZ80, DrZ80, Multi-Z8 ... | Closed | |
|
|
Any | Security Issue | Very High | Critical | [libarchive] CVE-2019-18408 | Closed | |
|
|
Any | Security Issue | Very High | Critical | [grub2] UEFI SecureBoot vulnerability + multiple flaws ... | Closed | |
|
|
Testing | Bug Report | Very High | Critical | [Hyperbola GNU/Linux 0.4] QtSSL is not working | Closed | |
|
|
Testing | Bug Report | High | High | [sway] error while loading shared libraries | Closed | |
|
|
Testing | Bug Report | High | High | [sddm] error while loading shared libraries | Closed | |
|
|
Any | Security Issue | High | High | [npapi-sdk] remove unsecure/deprecated package | Closed | |
|
|
Any | Security Issue | High | High | [npapi-vlc] remove unsecured package | Closed | |
|
|
Any | Security Issue | High | High | [nspluginwrapper] remove unsecure/deprecated package | Closed | |
|
|
Any | Security Issue | High | High | [x2goplugin] remove unsecure package | Closed | |
|
|
Any | Security Issue | High | High | [djview] remove unsecure "nsdejavu.so" | Closed | |
|
|
Any | Security Issue | High | High | [icedtea-web] remove unsecure "IcedTeaPlugin.so" | Closed | |
|
|
Testing | Bug Report | High | High | [freerdp] error while loading shared libraries | Closed | |
|
|
Testing | Bug Report | High | High | [ksystemlog] error while loading shared libraries | Closed | |
|
|
Any | Drop Request | High | High | [devtools] remove this package | Closed | |
|
|
Any | Privacy Issue | High | High | [redshift] remove geoclue2 support | Closed | |
|