Packages

Category | Task Type | Priority | Severity | Summary | Status | Progress
Any | Security Issue | High | High | [npapi-vlc] remove insecure package | Closed | 100%
Task Description

“npapi-vlc” uses the deprecated/insecure NPAPI[0] API

$ pacman -Si npapi-vlc
Repository : community
Name : npapi-vlc
Version : 2.2.5-1
Description : The modern VLC Mozilla (NPAPI) plugin
Architecture : x86_64
URL : https://code.videolan.org/videolan/npapi-vlc
Licenses : GPL
Groups : None
Provides : None
Depends On : gtk2 vlc
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 69.96 KiB
Installed Size : 287.00 KiB
Packager : Timothy Redaelli <timothy.redaelli@gmail.com>
Build Date : Tue 14 Feb 2017 12:27:08 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Any | Security Issue | High | High | [nspluginwrapper] remove insecure/deprecated package | Closed | 100%
Task Description

“nspluginwrapper” (last released in 2011) uses the deprecated/insecure NPAPI[0] API

$ pacman -Si nspluginwrapper
Repository : multilib
Name : nspluginwrapper
Version : 1.4.4-3
Description : Cross-platform NPAPI compatible plugin viewer
Architecture : x86_64
URL : http://nspluginwrapper.davidben.net/
Licenses : GPL
Groups : None
Provides : None
Depends On : curl libxt lib32-libxt gcc-libs lib32-gcc-libs gtk2 lib32-gtk2
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 146.14 KiB
Installed Size : 475.00 KiB
Packager : Felix Yan <felixonmars@gmail.com>
Build Date : Sat 12 Jul 2014 02:40:45 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Any | Security Issue | High | High | [x2goplugin] remove insecure package | Closed | 100%
Task Description

“x2goplugin” uses the deprecated/insecure NPAPI[0] API

$ pacman -Si x2goplugin
Repository : extra
Name : x2goplugin
Version : 4.1.0.0-1
Description : provides X2Go Client as QtBrowser-based Mozilla plugin
Architecture : x86_64
URL : http://www.x2go.org
Licenses : GPL2
Groups : None
Provides : None
Depends On : qt4 libcups nxproxy libssh libxpm
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 1250.54 KiB
Installed Size : 2761.00 KiB
Packager : Andreas Radke <andyrtr@archlinux.org>
Build Date : Wed 22 Feb 2017 12:42:48 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Any | Security Issue | High | High | [djview] remove insecure "nsdejavu.so" | Closed | 100%
Task Description

Remove “nsdejavu.so”; it uses the deprecated/insecure NPAPI[0] API

$ sudo pacman -Si djview
Repository : community
Name : djview
Version : 4.10.6-1
Description : Portable DjVu viewer and browser plugin
Architecture : x86_64
URL : http://djvu.sourceforge.net/djview4.html
Licenses : GPL
Groups : None
Provides : djview4
Depends On : qt5-base djvulibre libxkbcommon-x11 libsm
Optional Deps : None
Conflicts With : djview4
Replaces : djview4
Download Size : 535.79 KiB
Installed Size : 1978.00 KiB
Packager : Gaetan Bisson <bisson@archlinux.org>
Build Date : Wed 04 May 2016 08:53:23 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql djview
djview /usr/
djview /usr/bin/
djview /usr/bin/djview
djview /usr/bin/djview4
djview /usr/lib/
djview /usr/lib/mozilla/
djview /usr/lib/mozilla/plugins/
djview /usr/lib/mozilla/plugins/nsdejavu.so
djview /usr/share/
djview /usr/share/applications/
djview /usr/share/applications/djvulibre-djview4.desktop
djview /usr/share/djvu/
djview /usr/share/djvu/djview4/
djview /usr/share/djvu/djview4/djview_cs.qm
djview /usr/share/djvu/djview4/djview_de.qm
djview /usr/share/djvu/djview4/djview_es.qm
djview /usr/share/djvu/djview4/djview_fr.qm
djview /usr/share/djvu/djview4/djview_ru.qm
djview /usr/share/djvu/djview4/djview_uk.qm
djview /usr/share/djvu/djview4/djview_zh_cn.qm
djview /usr/share/djvu/djview4/djview_zh_tw.qm
djview /usr/share/icons/
djview /usr/share/icons/hicolor/
djview /usr/share/icons/hicolor/32x32/
djview /usr/share/icons/hicolor/32x32/mimetypes/
djview /usr/share/icons/hicolor/32x32/mimetypes/djvulibre-djview4.png
djview /usr/share/icons/hicolor/64x64/
djview /usr/share/icons/hicolor/64x64/mimetypes/
djview /usr/share/icons/hicolor/64x64/mimetypes/djvulibre-djview4.png
djview /usr/share/icons/hicolor/scalable/
djview /usr/share/icons/hicolor/scalable/mimetypes/
djview /usr/share/icons/hicolor/scalable/mimetypes/djvulibre-djview4.svgz
djview /usr/share/man/
djview /usr/share/man/man1/
djview /usr/share/man/man1/djview.1.gz
djview /usr/share/man/man1/nsdejavu.1.gz

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Any | Security Issue | High | High | [icedtea-web] remove insecure "IcedTeaPlugin.so" | Closed | 100%
Task Description

Remove “IcedTeaPlugin.so”; it uses the deprecated/insecure NPAPI[0] APIs

Note: this package contains both “Java Web Start” and the insecure NPAPI plugin, so the package description and the optional-dependency descriptions in the “jre{7,8}-openjdk” packages need to be changed.

$ pacman -Si icedtea-web
Repository : extra
Name : icedtea-web
Version : 1.6.2-2.hyperbola1
Description : Free web browser plugin to run applets written in Java and an implementation of Java Web Start, without nonfree firefox support
Architecture : x86_64
URL : http://icedtea.classpath.org/wiki/IcedTea-Web
Licenses : GPL2
Groups : None
Provides : java-web-start
Depends On : java-runtime-openjdk desktop-file-utils
Optional Deps : rhino: for using proxy auto config files
Conflicts With : None
Replaces : icedtea-web-java7
Download Size : 1525.55 KiB
Installed Size : 2108.00 KiB
Packager : André Silva <emulatorman@hyperbola.info>
Build Date : Fri 26 May 2017 06:13:18 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql icedtea-web
icedtea-web /usr/
icedtea-web /usr/bin/
icedtea-web /usr/bin/itweb-settings
icedtea-web /usr/bin/javaws
icedtea-web /usr/bin/policyeditor
icedtea-web /usr/lib/
icedtea-web /usr/lib/mozilla/
icedtea-web /usr/lib/mozilla/plugins/
icedtea-web /usr/lib/mozilla/plugins/IcedTeaPlugin.so
icedtea-web /usr/share/
icedtea-web /usr/share/applications/
icedtea-web /usr/share/applications/itweb-settings.desktop
icedtea-web /usr/share/applications/javaws.desktop
icedtea-web /usr/share/icedtea-web/
icedtea-web /usr/share/icedtea-web/bin/
icedtea-web /usr/share/icedtea-web/bin/itweb-settings
icedtea-web /usr/share/icedtea-web/bin/javaws
icedtea-web /usr/share/icedtea-web/bin/policyeditor
icedtea-web /usr/share/icedtea-web/javaws_splash.png
icedtea-web /usr/share/icedtea-web/lib/
icedtea-web /usr/share/icedtea-web/lib/IcedTeaPlugin.so
icedtea-web /usr/share/icedtea-web/netx.jar
icedtea-web /usr/share/icedtea-web/plugin.jar
icedtea-web /usr/share/man/
icedtea-web /usr/share/man/man1/
icedtea-web /usr/share/man/man1/icedtea-web-plugin.1.gz
icedtea-web /usr/share/man/man1/icedtea-web.1.gz
icedtea-web /usr/share/man/man1/itweb-settings.1.gz
icedtea-web /usr/share/man/man1/javaws.1.gz
icedtea-web /usr/share/man/man1/policyeditor.1.gz
icedtea-web /usr/share/pixmaps/
icedtea-web /usr/share/pixmaps/javaws.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Any | Security Issue | High | High | [podofo] vulnerable allows remote attackers to cause a  ... | Closed | 100%
Task Description

https://icepng.github.io/2017/04/21/PoDoFo-1/

https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference

http://www.securityfocus.com/bid/97296/info

Package information

Repository : community
Name : podofo
Version : 0.9.5-2
Description : A C++ library to work with the PDF file format
Architecture : x86_64
URL : http://podofo.sourceforge.net
Licenses : GPL
Groups : None
Provides : None
Depends On : lua openssl fontconfig libtiff libidn libjpeg-turbo
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 785.18 KiB
Installed Size : 4492.00 KiB
Packager : Antonio Rojas <arojas@archlinux.org>
Build Date : Sat 18 Feb 2017 06:52:31 -05
Validated By : MD5 Sum SHA-256 Sum Signature

Debian just patched for v0.9.5-6

https://sources.debian.net/src/libpodofo/0.9.5-6/debian/patches/CVE-2017-738%5B0123%5D.patch/

https://sources.debian.net/src/libpodofo/0.9.5-6/debian/patches/

Any | Security Issue | High | High | [isync] needs update | Closed | 100%
Task Description

isync is currently at 1.2.1-3; that version is 2 years old, and a lot of security fixes and features have been implemented in version 1.3.0.

isync needs to be upgraded from 1.2.1 to 1.2.3, since that is a bugfix release suited to our current snapshot in Milky Way (2017-05-08), which uses the isync 1.2.x series.

Any | Security Issue | High | High | [busybox] CVE-2017-16544: autocompletion vulnerability | Closed | 100%
Task Description

Package: https://www.hyperbola.info/packages/community/x86_64/busybox/

https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Patch: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
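The bug class above is worth seeing end to end: a filename is attacker-controlled data, and echoing it raw into a terminal lets the bytes in the name act as terminal commands. The following is an added example, not BusyBox's own fix from the commit linked above: a small POSIX shell sanitizer that replaces every byte outside the printable ASCII range with `?`, applied to a constructed filename carrying an ANSI escape sequence. It is ASCII-only, so it also mangles legitimate UTF-8 names; an encoding-aware fix would decode first and only reject control characters.

```shell
# Added example (not BusyBox code): strip terminal control bytes from a
# filename before echoing it as a completion candidate, so a crafted name
# cannot inject escape sequences into the user's terminal.
sanitize_name() {
    # Replace every byte outside the printable ASCII range with '?'.
    # tr -c complements the set; in the C locale [:print:] is 0x20-0x7E,
    # so ESC (0x1b), tab, newline and all 8-bit bytes are rewritten.
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# Constructed attacker-controlled filename (not captured from a real system):
# ESC [ 31 m is the ANSI "red" SGR sequence; a real attacker would use
# sequences that rewrite the screen or make the terminal answer back text.
EVIL_NAME=$(printf 'report\033[31m.txt')

# Unsafe: prints the raw bytes, and the terminal interprets the escape.
list_unsafe() { printf '%s\n' "$EVIL_NAME"; }

# Safe: the escape byte becomes a visible '?', the rest of the name is kept.
list_safe() { sanitize_name "$EVIL_NAME"; }

list_safe; echo
```

Run it in a terminal and compare `list_unsafe` with `list_safe`: the unsafe listing turns the prompt red, the safe one prints `report?[31m.txt`.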

Any | Security Issue | High | Critical | [irssi] IRSSI-SA-2018-02 Irssi Security Advisory | Closed | 100%
Task Description

Multiple vulnerabilities have been located in Irssi.

Access remote: yes

References links:

Any | Security Issue | High | Critical | [python2] heap-overflow vulnerability CVE-2018-1000030 | Closed | 100%
Task Description

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable, however this has not been confirmed. The vulnerability lies when multiple threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread 1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free: Thread3→Malloc→Thread1→Free’s→Thread2-Re-uses-Free’d Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.

https://security-tracker.debian.org/tracker/CVE-2018-1000030

Any | Security Issue | High | Critical | [geth] possible denial of service attacks "DoS Attack" | Closed | 100%
Task Description

Geth 1.6.x is exposed to possible denial of service attacks (“DoS Attack”); this has been solved in 1.7.2 [0]. Since fixing 1.6.x would need many modifications spread across multiple files of the code and is inefficient to backport, the newer version (e.g. 1.7.x) could replace the current package as an exception, repackaged with the appropriate “-backports” suffix.

Any | Security Issue | High | Critical | [octopi] uploads system logs to ptpb.pw without confirm ... | Closed | 100%
Task Description

Octopi 0.9.0 is uploading system logs to ptpb.pw without confirmation through:

Tools → SysInfo → ptpb.pw

I think it should be either disabled or at least patched to ask for a confirmation.
Another way could be to patch this:

src/globals.cpp
240: * Generates SysInfo file and paste it to ptpb site
255:  QString ptpb = UnixCommand::getCommandOutput("curl -F c=@- https://ptpb.pw/?u=1", tempFile->fileName());
256:  return ptpb;

to :

src/globals.cpp
240: * Generates SysInfo file and paste it to ptpb site
255:  QString ptpb = UnixCommand::getCommandOutput("curl -F c=@- https://ptpb.pw/", tempFile->fileName());
256:  return ptpb;

This way, you can at least ask for log deletion with the help of the log UUID, as explained here: https://ptpb.pw/#id10

Any | Security Issue | High | High | [certbot] version 0.23 is not giving the option to keep ... | Closed | 100%
Task Description

Description:

A common use case is to have a reverse proxy managing the certificates from Let’s Encrypt.
If a backend server (behind the reverse proxy) needs to use SSL certificates, this requires using certbot on the reverse proxy, generating the certificate and moving the private key from the reverse proxy to the backend server.

There is another way, sharing an NFS drive between servers, but this breaks all the security best practices!

Today the “best” way is to SCP the private keys from the reverse proxy to the backend server; this is not the best way, and it needs to be repeated every 3 months before the Let’s Encrypt certificate expires. Moving the private key is not a best practice either.

Version 0.24 brings a new option, --reuse-key, to reuse the same private key when renewing the certificate, so the private key can stay on the backend server and there is no need to copy a new private key from the reverse proxy to the backend server, because it was not changed during the renewal.

Any | Security Issue | Very High | Critical | [gnome-mplayer] [gecko-mediaplayer] [gmtk] remove unsec ... | Closed | 100%
Task Description

Remove “gnome-mplayer”, “gecko-mediaplayer” and “gmtk”; they are insecure/abandonware packages (last released in 2014).
“gecko-mediaplayer” uses the deprecated/insecure NPAPI[0] and XULRunner[1][2] APIs.

$ pacman -Si gnome-mplayer
Repository : community
Name : gnome-mplayer
Version : 1.0.9-4
Description : A simple MPlayer GUI.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gnomemplayer
Licenses : GPL
Groups : None
Provides : None
Depends On : mplayer dbus-glib libnotify gmtk
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 343.29 KiB
Installed Size : 1461.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:45:38 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gecko-mediaplayer
Repository : community
Name : gecko-mediaplayer
Version : 1.0.9-3
Description : Browser plugin that uses gnome-mplayer to play media in a web browser.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gecko-mediaplayer
Licenses : GPL
Groups : None
Provides : None
Depends On : gnome-mplayer>=1.0.9 dbus-glib gmtk curl
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 80.92 KiB
Installed Size : 598.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:36:31 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gmtk
Repository : community
Name : gmtk
Version : 1.0.9-3
Description : Common functions for gnome-mplayer and gecko-mediaplayer.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gmtk
Licenses : GPL
Groups : None
Provides : None
Depends On : glib2 gtk3 dconf
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 73.85 KiB
Installed Size : 246.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:50:49 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap
[1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[2]:https://tracker.debian.org/pkg/xulrunner

Any | Security Issue | Very High | Critical | [freewrl] remove insecure "libFreeWRLplugin.so" | Closed | 100%
Task Description

Remove “libFreeWRLplugin.so”; it uses the deprecated/insecure NPAPI[0] and XULRunner[1][2] APIs

$ pacman -Si freewrl
Repository : community
Name : freewrl
Version : 1:2.3.3-1
Description : VRML viewer
Architecture : x86_64
URL : http://freewrl.sourceforge.net/
Licenses : GPL
Groups : None
Provides : None
Depends On : java-runtime libxaw glew freeglut curl freetype2 imlib2 sox unzip imagemagick libxml2 ttf-bitstream-vera lesstif js185 glu openal freealut

Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 583.49 KiB
Installed Size : 2060.00 KiB
Packager : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date : Mon 19 Dec 2016 10:31:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql freewrl
freewrl /usr/
freewrl /usr/bin/
freewrl /usr/bin/freewrl
freewrl /usr/bin/freewrl_msg
freewrl /usr/bin/freewrl_snd
freewrl /usr/include/
freewrl /usr/include/FreeWRLEAI/
freewrl /usr/include/FreeWRLEAI/EAIHeaders.h
freewrl /usr/include/FreeWRLEAI/EAI_C.h
freewrl /usr/include/FreeWRLEAI/GeneratedHeaders.h
freewrl /usr/include/FreeWRLEAI/X3DNode.h
freewrl /usr/include/libFreeWRL.h
freewrl /usr/lib/
freewrl /usr/lib/libFreeWRL.so
freewrl /usr/lib/libFreeWRL.so.2
freewrl /usr/lib/libFreeWRL.so.2.3.3
freewrl /usr/lib/libFreeWRLEAI.so
freewrl /usr/lib/libFreeWRLEAI.so.2
freewrl /usr/lib/libFreeWRLEAI.so.2.3.3
freewrl /usr/lib/mozilla/
freewrl /usr/lib/mozilla/plugins/
freewrl /usr/lib/mozilla/plugins/libFreeWRLplugin.so
freewrl /usr/lib/pkgconfig/
freewrl /usr/lib/pkgconfig/libFreeWRL.pc
freewrl /usr/lib/pkgconfig/libFreeWRLEAI.pc
freewrl /usr/share/
freewrl /usr/share/applications/
freewrl /usr/share/applications/freewrl.desktop
freewrl /usr/share/man/
freewrl /usr/share/man/man1/
freewrl /usr/share/man/man1/freewrl.1.gz
freewrl /usr/share/pixmaps/
freewrl /usr/share/pixmaps/freewrl.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap
[1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[2]:https://tracker.debian.org/pkg/xulrunner

Any | Security Issue | Very High | Critical | [xulrunner] unmaintained and unsupportable | Closed | 100%
Task Description

Remove “xulrunner”[0][1]; it is an insecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner
Licenses : MPL GPL LGPL
Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras <evangelos@foutrelis.com>
Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[1]:https://tracker.debian.org/pkg/xulrunner

Any | Security Issue | Very High | Critical | [midori] unmaintained and unsupportable | Closed | 100%
Task Description

The developer team is discussing the removal of Midori from Debian repositories.

Jeremy Bicha says:


> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .

See a complete discussion here.

Any | Security Issue | Very High | Critical | [w3m] unmaintained and unsupportable | Closed | 100%
Task Description

w3m is unmaintained and unsupportable software; the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/
Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot <jgc@archlinux.org>
Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/
[1]:https://security.archlinux.org/package/w3m
[2]:https://tracker.debian.org/pkg/w3m
[3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

Any | Security Issue | Very High | Critical | [pam] pam_unix2 is orphaned and dead upstream | Closed | 100%
Task Description

pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0].

It’s included inside the pam package and should be removed, since it doesn’t come from the official source. Also, the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.

[0]:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848

$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org
Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski <tpowa@archlinux.org>
Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql pam > pam_fileslist.txt
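Every removal task on this page (the NPAPI plugins shipped by npapi-vlc, djview, icedtea-web, freewrl and friends above, and pam_unix2 here) comes down to the same audit: which installed packages own a file matching a pattern. The following is an added example, not code from the Hyperbola tracker or from pacman: a POSIX shell function that reads `pacman -Ql` output on stdin and prints each owning package once. The sample `pacman -Ql` lines are constructed for the example, and the path `/usr/lib/security/pam_unix2.so` inside the pam package is an assumption, not taken from the file list dumped above.

```shell
# Added example (not pacman or Hyperbola code): report which packages own
# files matching an extended regex, given `pacman -Ql` output on stdin.
# On a live system:  pacman -Ql | pkg_owners_matching '^/usr/lib/mozilla/plugins/'
pkg_owners_matching() {
    # $1: regex matched against the path column of "<package> <path>"
    awk -v pat="$1" '
        {
            # paths may contain spaces, so take everything after the first
            # space as the path instead of relying on $2
            pkg  = $1
            path = substr($0, length(pkg) + 2)
            if (path ~ pat && !(pkg in seen)) { seen[pkg] = 1; print pkg }
        }'
}

# Constructed sample of `pacman -Ql` output (not captured from a real system);
# the pam_unix2.so path is assumed for illustration.
SAMPLE_QL='djview /usr/bin/djview
djview /usr/lib/mozilla/plugins/nsdejavu.so
icedtea-web /usr/bin/javaws
icedtea-web /usr/lib/mozilla/plugins/IcedTeaPlugin.so
icedtea-web /usr/share/icedtea-web/lib/IcedTeaPlugin.so
pam /usr/lib/security/pam_unix.so
pam /usr/lib/security/pam_unix2.so
vlc /usr/bin/vlc'

# Packages installing a browser plugin into the NPAPI plugin directory
npapi_plugin_owners() {
    printf '%s\n' "$SAMPLE_QL" | pkg_owners_matching '^/usr/lib/mozilla/plugins/'
}

# Packages shipping the orphaned pam_unix2 module
pam_unix2_owners() {
    printf '%s\n' "$SAMPLE_QL" | pkg_owners_matching '/pam_unix2[.]so$'
}

npapi_plugin_owners
pam_unix2_owners
```

Each package is printed once even when it ships the same plugin in two places (icedtea-web does), which is what you want when the output feeds a removal list; the pattern is anchored so that files under other `/usr/lib/...` trees are not reported.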

Any | Security Issue | Very High | Critical | [wpa_supplicant] vulnerable to KRACK attack | Closed | 100%
Task Description

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

Any | Security Issue | Very High | Critical | [dillo] enable IPv6, SSL/TLS and threaded DNS support | Closed | 100%
Task Description

Please move dillo to the blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.

1- Arch PKGBUILD problems:

 a- the source is not obtained via https
 b- not compiled with support for --enable-ipv6 --enable-threaded-dns --enable-ssl

My correction is committed in NAB-packages-community
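Both problems listed above are mechanical enough to check across a whole package tree. The following is an added example, not the reporter's NAB-packages-community commit and not the real Arch or Hyperbola PKGBUILD: a POSIX shell lint that reads a PKGBUILD on stdin and reports a plain-http `source=` line and any of the three configure flags missing from the `./configure` call. The two PKGBUILD fragments are constructed, with example.org standing in for the real download host.

```shell
# Added example (not from the tracker or NAB-packages-community): lint a
# PKGBUILD for a plain-http source= line and a ./configure call that lacks
# the IPv6 / threaded-DNS / SSL flags. Prints one finding per line,
# nothing when clean.
pkgbuild_lint() {
    awk '
        # source=(...) fetched over http:// gives no integrity for the tarball
        # before the checksum step, and the checksums themselves come from the
        # same untrusted channel when the PKGBUILD was generated that way.
        /^[[:space:]]*source=/ && /http:\/\// {
            print "source fetched over plain http"
        }
        # every ./configure line must carry all three flags
        index($0, "./configure") > 0 {
            n = split("--enable-ipv6 --enable-threaded-dns --enable-ssl", want, " ")
            for (i = 1; i <= n; i++)
                if (index($0, want[i]) == 0) print "configure lacks " want[i]
        }'
}

# Constructed PKGBUILD fragments (not the real Arch or Hyperbola files);
# example.org stands in for the real download host.
BAD_PKGBUILD='pkgname=dillo
source=("http://example.org/$pkgname-$pkgver.tar.bz2")
build() {
  ./configure --prefix=/usr --sysconfdir=/etc
}'

GOOD_PKGBUILD='pkgname=dillo
source=("https://example.org/$pkgname-$pkgver.tar.bz2")
build() {
  ./configure --prefix=/usr --sysconfdir=/etc --enable-ipv6 --enable-threaded-dns --enable-ssl
}'

lint_bad()  { printf '%s\n' "$BAD_PKGBUILD"  | pkgbuild_lint; }
lint_good() { printf '%s\n' "$GOOD_PKGBUILD" | pkgbuild_lint; }

lint_bad
```

On a real tree run it as `pkgbuild_lint < community/dillo/PKGBUILD`; the bad fragment yields four findings (the http source and the three missing flags), the corrected one yields none.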

Any | Security Issue | Very High | Critical | [linux-libre-lts*] Meltdown & Spectre Vulnerability | Closed | 100%
Task Description

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

Any | Security Issue | Very High | Critical | [libressl] add package as OpenSSL replacement and defau ... | Closed | 100%
Task Description

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

It was forked from OpenSSL in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, [4] [5] [6] [7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. [8]

As LibreSSL follows the same goals as the Hyperbola Packaging Guidelines regarding stability and security, it should be the default provider of the SSL and TLS protocols for the Hyperbola Project.

Any | Security Issue | Very High | Critical | [avahi] blacklist package since it's a zeroconf impleme ... | Closed | 100%
Task Description

Avahi is a zero-configuration networking implementation that contains critical security issues: because mDNS operates under a different trust model than unicast DNS, trusting the entire network rather than a designated DNS server, it is vulnerable to spoofing attacks by any system within the multicast IP range. Like SNMP and many other network management protocols, it can also be used by attackers to quickly gain detailed knowledge of the network and its machines. [0]

Since it violates the Hyperbola Social Contract, Avahi should be blacklisted.

Any | Security Issue | Very High | Critical | [electrum] JSONRPC vulnerability | Closed | 100%
Task Description

Our current version is vulnerable

Any | Security Issue | Very High | Critical | [mupdf] multiple security issues | Closed | 100%
Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | 100%
Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | 100%
Any | Security Issue | Very High | Critical | [networkmanager] CVE-2018-1111: DHCP client script code ... | Closed | 100%
Any | Security Issue | Very High | High | [gnupg] CVE-2018-12020 | Closed | 100%
Any | Security Issue | Very High | Critical | [openrc] use procps-ng's "sysctl" by default instead of ... | Closed | 100%
Any | Security Issue | Very High | Critical | [openrc] remove dangerous "local" init script | Closed | 100%
Any | Security Issue | Very High | Critical | [znc] CVE-2018-14055: privilege escalation & CVE-2018-1 ... | Closed | 100%
Any | Security Issue | Very High | Critical | [wesnoth] CVE-2018-1999023 - Code Injection vulnerabili ... | Closed | 100%
Stable | Security Issue | Very High | Critical | [iceweasel-uxp] Issue with HTTPS websites | Closed | 100%
Any | Security Issue | Very High | Critical | [openssh] CVE-2018-15473 | Closed | 100%
Any | Security Issue | Very High | Critical | [dropbear] CVE-2018-15599 | Closed | 100%
Any | Security Issue | Very High | Critical | [mutt] CVE-2018-14354 | Closed | 100%
Any | Security Issue | Very High | Critical | [iceweasel-uxp-noscript] Zero-day bypass and script exe ... | Closed | 100%
Any | Security Issue | Very High | Critical | [util-linux] CVE-2018-7738 | Closed | 100%
Any | Security Issue | Very High | Critical | [schroedinger] unmaintained and unsupportable | Closed | 100%
Any | Security Issue | Very High | Critical | [vlc] CVE-2017-17670 | Closed | 100%
Any | Security Issue | Very High | Critical | [vlc] CVE-2018-11529 | Closed | 100%
Any | Security Issue | Very High | Critical | [qtpass] Insecure Password Generation prior to 1.2.1 | Closed | 100%
Any | Security Issue | Very High | Critical | [toxcore] Memory leak - Remote DDoS vulnerability | Closed | 100%
Any | Security Issue | Very High | Critical | [libssh] CVE-2018-10933 | Closed | 100%
Any | Security Issue | Very High | Critical | [openldap] 2.4.44 multiple security issues | Closed | 100%
Any | Security Issue | Very High | Critical | [php] CVE-2017-9120 | Closed | 100%
Stable | Security Issue | Very High | Critical | [exim] CVE-2019-10149 | Closed | 100%
Any | Security Issue | Very High | Critical | [libarchive] CVE-2019-18408 | Closed | 100%
Showing tasks 51 - 100 of 1518 Page 2 of 31