Description:
As stated on the home page of the project (https://qtpass.org/):
<quote>
All passwords generated with QtPass’ built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers.
</quote>

Description:

A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.

Additional info:
* package version(s): < 2.8

https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/

Description:
https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/

The bug is fixed in TokTok c-toxcore v0.2.8. The bug is also fixed in the master branch of irungentoo’s toxcore, in commit bf69b54f64003d160d759068f4816b2d9b2e1e21. As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained.

Description:
libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authentciate
without any credentials.

Additional info:
* package version(s) : extra/libssh 0.7.5-1

CVE

Description:
Changelog

2.4.46 is fixing a huge quantity of issues (TLS related & memory leak)

Additional info:
* package version(s) : 2.4.44

Description:

PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.

Additional info:
* package version(s)

$ pacman -Si php
Repositorio               : extra
Nombre                    : php
Versión                   : 7.1.4-3.hyperbola3
Descripción               : A general-purpose scripting language that is especially suited to web development, without systemd support
Arquitectura              : x86_64
URL                       : http://www.php.net
Licencias                 : PHP
Grupos                    : Nada
Provee                    : php-ldap=7.1.4
Depende de                : libxml2  curl  libzip  pcre
Dependencias opcionales   : Nada
En conflicto con          : php-ldap
Remplaza a                : php-ldap
Tamaño de la descarga     : 3,02 MiB
Tamaño de la instalación  : 15,94 MiB
Encargado                 : André Silva <emulatorman@hyperbola.info>
Fecha de creación         : mié 27 dic 2017 19:15:03 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

* config and/or log files etc.

Last update of php be v7.1.x is v7.1.23:

- https://secure.php.net/ChangeLog-7.php#7.1.23

Patch availabble from v7.1.5
https://bugs.php.net/bug.php?id=74544

Steps to reproduce:

- Install php

Our current dokuwiki 20170219_b-1 has two serious CVE.

Error message attached after the first installation

A huge number of CVEs have been fixed on 4.3.1 :

CVE-2018-20552
CVE-2018-20553
CVE-2018-18408
CVE-2018-18407
CVE-2018-17974
CVE-2018-17580
CVE-2018-17582
CVE-2018-13112

Current Hyperbola version is 4.2.6

Description: There’s an active, ongoing campaign exploiting a widespread vulnerability in linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.

https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

https://www.openwall.com/lists/oss-security/2019/06/06/1

https://www.zdnet.com/article/libarchive-vulnerability-can-lead-to-code-execution-on-linux-freebsd-netbsd/

https://security-tracker.debian.org/tracker/CVE-2019-18408

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation

https://security-tracker.debian.org/tracker/CVE-2019-2201

Patch: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388

https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

[Critical] https://security-tracker.debian.org/tracker/CVE-2019-18934

These two options could be enabled :

Kernel hacking → [*] Filter access to /dev/mem
[*] Filter I/O access to /dev/mem

Security options → [*] Restrict unprivileged access to the kernel syslog

Description: https://www.openwall.com/lists/oss-security/2020/02/24/5 https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)

in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.

OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).

https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

https://9to5linux.com/grub2-boot-failure-issues-fixed-in-debian-and-ubuntu-update-now

“npapi-sdk” (released in 2012) uses deprecated/unsecure NPAPI[0] api

$ pacman -Si npapi-sdk
Repository : extra
Name : npapi-sdk
Version : 0.27.2-1
Description : Netscape Plugin API (NPAPI)
Architecture : any
URL : https://bitbucket.org/mgorny/npapi-sdk Licenses : MPL
Groups : None
Provides : None
Depends On : None
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 15.77 KiB
Installed Size : 67.00 KiB
Packager : Ionut Biru ibiru@archlinux.org Build Date : Thu 25 Apr 2013 01:47:15 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

“npapi-vlc” uses deprecated/unsecure NPAPI[0] api

$ pacman -Si npapi-vlc
Repository : community
Name : npapi-vlc
Version : 2.2.5-1
Description : The modern VLC Mozilla (NPAPI) plugin
Architecture : x86_64
URL : https://code.videolan.org/videolan/npapi-vlc Licenses : GPL Groups : None
Provides : None
Depends On : gtk2 vlc
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 69.96 KiB
Installed Size : 287.00 KiB
Packager : Timothy Redaelli timothy.redaelli@gmail.com Build Date : Tue 14 Feb 2017 12:27:08 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

“nspluginwrapper” (released in 2011) uses deprecated/unsecure NPAPI[0] api

$ pacman -Si nspluginwrapper
Repository : multilib
Name : nspluginwrapper
Version : 1.4.4-3
Description : Cross-platform NPAPI compatible plugin viewer
Architecture : x86_64
URL : http://nspluginwrapper.davidben.net/ Licenses : GPL Groups : None
Provides : None
Depends On : curl libxt lib32-libxt gcc-libs lib32-gcc-libs gtk2 lib32-gtk2
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 146.14 KiB
Installed Size : 475.00 KiB
Packager : Felix Yan felixonmars@gmail.com Build Date : Sat 12 Jul 2014 02:40:45 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

“x2goplugin” uses deprecated/unsecure NPAPI[0] api

$ pacman -Si x2goplugin
Repository : extra
Name : x2goplugin
Version : 4.1.0.0-1
Description : provides X2Go Client as QtBrowser-based Mozilla plugin
Architecture : x86_64
URL : http://www.x2go.org Licenses : GPL2
Groups : None
Provides : None
Depends On : qt4 libcups nxproxy libssh libxpm
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 1250.54 KiB
Installed Size : 2761.00 KiB
Packager : Andreas Radke andyrtr@archlinux.org Build Date : Wed 22 Feb 2017 12:42:48 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Remove “nsdejavu.so”, uses deprecated/unsecure NPAPI[0] api

$ sudo pacman -Si djview
Repository : community
Name : djview
Version : 4.10.6-1
Description : Portable DjVu viewer and browser plugin
Architecture : x86_64
URL : http://djvu.sourceforge.net/djview4.html Licenses : GPL Groups : None
Provides : djview4
Depends On : qt5-base djvulibre libxkbcommon-x11 libsm
Optional Deps : None
Conflicts With : djview4
Replaces : djview4
Download Size : 535.79 KiB
Installed Size : 1978.00 KiB
Packager : Gaetan Bisson bisson@archlinux.org Build Date : Wed 04 May 2016 08:53:23 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql djview
djview /usr/
djview /usr/bin/
djview /usr/bin/djview
djview /usr/bin/djview4
djview /usr/lib/
djview /usr/lib/mozilla/
djview /usr/lib/mozilla/plugins/
djview /usr/lib/mozilla/plugins/nsdejavu.so
djview /usr/share/
djview /usr/share/applications/
djview /usr/share/applications/djvulibre-djview4.desktop
djview /usr/share/djvu/
djview /usr/share/djvu/djview4/
djview /usr/share/djvu/djview4/djview_cs.qm
djview /usr/share/djvu/djview4/djview_de.qm
djview /usr/share/djvu/djview4/djview_es.qm
djview /usr/share/djvu/djview4/djview_fr.qm
djview /usr/share/djvu/djview4/djview_ru.qm
djview /usr/share/djvu/djview4/djview_uk.qm
djview /usr/share/djvu/djview4/djview_zh_cn.qm
djview /usr/share/djvu/djview4/djview_zh_tw.qm
djview /usr/share/icons/
djview /usr/share/icons/hicolor/
djview /usr/share/icons/hicolor/32×32/
djview /usr/share/icons/hicolor/32×32/mimetypes/
djview /usr/share/icons/hicolor/32×32/mimetypes/djvulibre-djview4.png
djview /usr/share/icons/hicolor/64×64/
djview /usr/share/icons/hicolor/64×64/mimetypes/
djview /usr/share/icons/hicolor/64×64/mimetypes/djvulibre-djview4.png
djview /usr/share/icons/hicolor/scalable/
djview /usr/share/icons/hicolor/scalable/mimetypes/
djview /usr/share/icons/hicolor/scalable/mimetypes/djvulibre-djview4.svgz
djview /usr/share/man/
djview /usr/share/man/man1/
djview /usr/share/man/man1/djview.1.gz
djview /usr/share/man/man1/nsdejavu.1.gz

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Remove “IcedTeaPlugin.so”, it uses deprecated/unsecure NPAPI[0] apis

Note: this package contains “Java Web Start” and unsecured NPAPI plugin, it needs change package description and description on optional dependencies in “jre{7,8}-openjdk” packages.

$ pacman -Si icedtea-web
Repository : extra
Name : icedtea-web
Version : 1.6.2-2.hyperbola1
Description : Free web browser plugin to run applets written in Java and an implementation of Java Web Start, without nonfree firefox support
Architecture : x86_64
URL : http://icedtea.classpath.org/wiki/IcedTea-Web Licenses : GPL2
Groups : None
Provides : java-web-start
Depends On : java-runtime-openjdk desktop-file-utils
Optional Deps : rhino: for using proxy auto config files
Conflicts With : None
Replaces : icedtea-web-java7
Download Size : 1525.55 KiB
Installed Size : 2108.00 KiB
Packager : André Silva emulatorman@hyperbola.info Build Date : Fri 26 May 2017 06:13:18 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql icedtea-web
icedtea-web /usr/
icedtea-web /usr/bin/
icedtea-web /usr/bin/itweb-settings
icedtea-web /usr/bin/javaws
icedtea-web /usr/bin/policyeditor
icedtea-web /usr/lib/
icedtea-web /usr/lib/mozilla/
icedtea-web /usr/lib/mozilla/plugins/
icedtea-web /usr/lib/mozilla/plugins/IcedTeaPlugin.so
icedtea-web /usr/share/
icedtea-web /usr/share/applications/
icedtea-web /usr/share/applications/itweb-settings.desktop
icedtea-web /usr/share/applications/javaws.desktop
icedtea-web /usr/share/icedtea-web/
icedtea-web /usr/share/icedtea-web/bin/
icedtea-web /usr/share/icedtea-web/bin/itweb-settings
icedtea-web /usr/share/icedtea-web/bin/javaws
icedtea-web /usr/share/icedtea-web/bin/policyeditor
icedtea-web /usr/share/icedtea-web/javaws_splash.png
icedtea-web /usr/share/icedtea-web/lib/
icedtea-web /usr/share/icedtea-web/lib/IcedTeaPlugin.so
icedtea-web /usr/share/icedtea-web/netx.jar
icedtea-web /usr/share/icedtea-web/plugin.jar
icedtea-web /usr/share/man/
icedtea-web /usr/share/man/man1/
icedtea-web /usr/share/man/man1/icedtea-web-plugin.1.gz
icedtea-web /usr/share/man/man1/icedtea-web.1.gz
icedtea-web /usr/share/man/man1/itweb-settings.1.gz
icedtea-web /usr/share/man/man1/javaws.1.gz
icedtea-web /usr/share/man/man1/policyeditor.1.gz
icedtea-web /usr/share/pixmaps/
icedtea-web /usr/share/pixmaps/javaws.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

https://icepng.github.io/2017/04/21/PoDoFo-1/

https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference

http://www.securityfocus.com/bid/97296/info

Package information

Repositorio : community
Nombre : podofo
Versión : 0.9.5-2 Descripción : A C++ library to work with the PDF file format
Arquitectura : x86_64
URL : http://podofo.sourceforge.net Licencias : GPL Grupos : Nada
Provee : Nada
Depende de : lua openssl fontconfig libtiff libidn libjpeg-turbo
Dependencias opcionales : Nada
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 785,18 KiB
Tamaño de la instalación : 4492,00 KiB
Encargado : Antonio Rojas arojas@archlinux.org Fecha de creación : sáb 18 feb 2017 06:52:31 -05
Validado por : Suma MD5 Suma SHA-256 Firma

Debian just patched for v0.9.5-6

https://sources.debian.net/src/libpodofo/0.9.5-6/debian/patches/CVE-2017-738%5B0123%5D.patch/

https://sources.debian.net/src/libpodofo/0.9.5-6/debian/patches/

isync is currently on 1.2.1-3, the versions is 2 years old and a lot of security/features have been implemented to the version 1.3.0

isync needs be upgraded from 1.2.1 to 1.2.3 since it is a bugfix adapted for our current snapshot in Milky Way (2017-05-08) which is using isync 1.2.x series.

$ sudo pacman -S blender
resolviendo dependencias…
buscando conflictos entre paquetes…

Paquetes (20) alembic-1.7.1-1  blender-common-2.78.c-1.hyperbola4  blosc-1.11.3-1  ilmbase-2.2.0-2  intel-tbb-2017_20170226-1  libraw-0.18.2-1  libspnav-0.2.3-1  llvm-4.0.0-2
              log4cplus-1.2.0-3  opencollada-1.6.45-1.hyperbola1  opencolorio-1.0.9-5  openexr-2.2.0-3.hyperbola2  openimageio-1.6.18-1.hyperbola1  openshadinglanguage-1.7.5-1.hyperbola1
              opensubdiv-3.1.1-1  openvdb-3.2.0-2  ptex-2.1.28-1.hyperbola1  valgrind-3.12.0-2  zstd-1.1.4-1  blender-2.78.c-1.hyperbola4

Tamaño total de la descarga:      0,33 MiB
Tamaño total de la instalación:  567,26 MiB

:: ¿Continuar con la instalación? [S/n] s
:: Recibiendo los paquetes…
 libspnav-0.2.3-1-x86_64                                                                     8,5 KiB   849K/s 00:00 [######################################################################] 100%
 zstd-1.1.4-1-x86_64                                                                       283,3 KiB   199K/s 00:01 [######################################################################] 100%
 blosc-1.11.3-1-x86_64                                                                      43,0 KiB   331K/s 00:00 [######################################################################] 100%
(20/20) comprobando las claves del depósito                                                                         [######################################################################] 100%
(20/20) verificando la integridad de los paquetes                                                                   [######################################################################] 100%
error: libspnav: signature from "Andrea Scarpino <me@andreascarpino.it>" is marginal trust
:: El archivo /var/cache/pacman/pkg/libspnav-0.2.3-1-x86_64.pkg.tar.xz está dañado (paquete no válido o dañado (firma PGP)).
¿Quiere eliminarlo? [S/n] s
error: zstd: signature from "Andrzej Giniewicz (giniu) <gginiu@gmail.com>" is marginal trust
:: El archivo /var/cache/pacman/pkg/zstd-1.1.4-1-x86_64.pkg.tar.xz está dañado (paquete no válido o dañado (firma PGP)).
¿Quiere eliminarlo? [S/n] s
error: blosc: signature from "Andrzej Giniewicz (giniu) <gginiu@gmail.com>" is marginal trust
:: El archivo /var/cache/pacman/pkg/blosc-1.11.3-1-x86_64.pkg.tar.xz está dañado (paquete no válido o dañado (firma PGP)).
¿Quiere eliminarlo? [S/n] s
error: no se pudo realizar la operación (paquete no válido o dañado)
Ocurrieron errores, por lo que no se actualizaron los paquetes

Package: https://www.hyperbola.info/packages/community/x86_64/busybox/

https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Patch: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8