Packages

There appears to be a bug with the current version of ufw, 0.35-2

Dunno if updating it would fix it, but it is kind of annoying and possibly security issue.

it says ufw is inactive when I reboot despite it being installed in the runlevel.

Severity: high

Versions affected:
1.6.0 through 1.7.0
Potentially, all earlier versions too, but there is no known way to
trigger this before 1.6.0

Mitigation:
upgrade to 1.7.1

Description:
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming
from the network, allowing a non-admin user to escalate privilege,
inject rogue values into znc.conf, and gain shell access.

Upstream patches:
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

—

Severity: medium

Versions affected:
0.045 through 1.7.0

Mitigation:
upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`, `/msg
*status DelPort` commands.

Description:
ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user
can set web skin name to ../ to access files outside of the intended
skins directories and to cause DoS.

Upstream patch:
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773

Description:
Since the update to 0.3.9 (or the update of girara to 0.2.9), zathura-pdf-poppler returns the following error:

error: Could not load plugin '/usr/lib/zathura/ps.so' (libgirara-gtk3.so.2: cannot open shared object file: No such file or directory).

Description:

Fixes[0] a small error in the name API function extract.

Replaced name `indivious` to `invidious`

Attached[1] patch update

- [0]:https://github.com/arankaren/youtube-viewer/commit/a464c878579f22c1cf7e5e54897c5ecaf27e333e

- [1]:https://paste.debian.net/plain/1091395

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

xmind when installed is showing that “this version is not licensed”, so that cannot be right. Even though there is GPL license on Github, that vague information in the software can and is wrongly understood:

Further it is asking for license key to get the “Pro” version.

Thus xmind is pointing to proprietary software.

That means xmind shall be removed from Hyperbola immediately as such as it is now cannot be in the fully free GNU distribution.

I’m encountering this bug when using latest Pale Moon (version 2.8.0.1).

https://forum.palemoon.org/viewtopic.php?f=37&t=19941&sid=3cd95f0870b5cef74c582eb9a3ea778a

The bug doesn’t only affect the preferences dialog - other windows are not rendered correctly either such as DownThemAll! add-on (see attached image).

The suggested fix is to update the intel driver (the about:config suggested change makes the preference dialog usable but other windows such as DownThemAll! still aren’t displayed correctly).

I’m using a T60 with intel graphics.

http://openwall.com/lists/oss-security/2018/04/30/1 http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

Add Xen 4.8.x split packages (”xen” and “xen-docs”).

As per the source code, xdg-utils is meant to work with firefox, google-chrome, and other browsers. It is missing support for -uxp applications.

Description:

xdg-utils package contains some non-free applications

Additional info:

$ pacman -Si xdg-utils
Repositorio               : extra
Nombre                    : xdg-utils
Versión                   : 1.1.1-5
Descripción               : Command line tools that assist applications with a variety of
                            desktop integration tasks
Arquitectura              : any
URL                       : https://www.freedesktop.org/wiki/Software/xdg-utils/
Licencias                 : MIT
Grupos                    : Nada
Provee                    : Nada
Depende de                : sh  xorg-xset
Dependencias opcionales   : kde-cli-tools: for KDE Plasma5 support in xdg-open
                            exo: for Xfce support in xdg-open
                            xorg-xprop: for Xfce support in xdg-open
                            pcmanfm: for LXDE support in xdg-open
                            perl-file-mimeinfo: for generic support in xdg-open
                            perl-net-dbus: Perl extension to dbus used in xdg-screensaver
                            perl-x11-protocol: Perl X11 protocol used in xdg-screensaver
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 54,40 KiB
Tamaño de la instalación  : 303,00 KiB
Encargado                 : Andreas Radke <andyrtr@archlinux.org>
Fecha de creación         : vie 20 ene 2017 16:12:57 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

Steps to reproduce:

$ cat /usr/bin/xdg-open | grep 'chromium'

BROWSER=x-www-browser:firefox:iceweasel:seamonkey:mozilla:epiphany:konqueror:chromium:google-chrome:$BROWSER

“x2goplugin” uses deprecated/unsecure NPAPI[0] api

$ pacman -Si x2goplugin
Repository : extra
Name : x2goplugin
Version : 4.1.0.0-1
Description : provides X2Go Client as QtBrowser-based Mozilla plugin
Architecture : x86_64
URL : http://www.x2go.org Licenses : GPL2
Groups : None
Provides : None
Depends On : qt4 libcups nxproxy libssh libxpm
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 1250.54 KiB
Installed Size : 2761.00 KiB
Packager : Andreas Radke andyrtr@archlinux.org Build Date : Wed 22 Feb 2017 12:42:48 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

x11vnc service has been imported from Gentoo, however it forces use xdm service when it should be optional since there are users don’t like use xdm to run DMs. Also, Hyperbola contains another services alternatives such as gdm, lightdm, lxdm, sddm and slim to run directly without xdm.

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

I wondered if anyone else has experienced this, I cannot use sound on one of my games which has no drm on it. It’s not exactly, free as in freedom, (the game I want to play) but it has no drm. I could get it working on trisquel, debian, devuan, fedora... but not hyperbola for some reason.

The other problem though is that I know there are some errors with the packaging, because wine-staging and wine both say 2.7 version. Which absolutely cannot be right because wine stable hasn’t even released ver 2.1! yet... xD

Anyways though, This would be nice if you could fix it. sound won’t initalize and the versions are wrong at the moment...

Add Wine stable version (2.x) as default Wine package.

$ pacman -Si wine
Repository      : multilib
Name            : wine
Version         : 2.7-1
Description     : A compatibility layer for running Windows programs
Architecture    : x86_64
URL             : http://www.winehq.com
Licenses        : LGPL
Groups          : None
Provides        : bin32-wine=2.7  wine-wow64=2.7
Depends On      : fontconfig  lib32-fontconfig  lcms2  lib32-lcms2  libxml2  lib32-libxml2  libxcursor  lib32-libxcursor  libxrandr  lib32-libxrandr  libxdamag
e  lib32-libxdamage  libxi  lib32-libxi  gettext  lib32-gettext  freetype2  lib32-freetype2  glu  lib32-glu  libsm  lib32-libsm  gcc-libs  lib32-gcc-libs  libp
cap  lib32-libpcap  desktop-file-utils
Optional Deps   : giflib
                  lib32-giflib
                  libpng
                  lib32-libpng
                  libldap
                  lib32-libldap
                  gnutls
                  lib32-gnutls
                  mpg123
                  lib32-mpg123
                  openal
                  lib32-openal
                  v4l-utils
                  lib32-v4l-utils
                  libpulse
                  lib32-libpulse
                  alsa-plugins
                  lib32-alsa-plugins
                  alsa-lib
                  lib32-alsa-lib
                  libjpeg-turbo
                  lib32-libjpeg-turbo
                  libxcomposite
                  lib32-libxcomposite
                  libxinerama
                  lib32-libxinerama
                  ncurses
                  lib32-ncurses
                  opencl-icd-loader
                  lib32-opencl-icd-loader
                  libxslt
                  lib32-libxslt
                  gst-plugins-base-libs
                  lib32-gst-plugins-base-libs
                  cups
                  samba
                  dosbox
Conflicts With  : bin32-wine  wine-wow64
Replaces        : bin32-wine
Download Size   : 48.95 MiB
Installed Size  : 387.66 MiB
Packager        : Sven-Hendrik Haase <sh@lutzhaase.com>
Build Date      : Sun 30 Apr 2017 09:09:05 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

$ pacman -Si wine-staging
Repository      : multilib
Name            : wine-staging
Version         : 2.7-1
Description     : A compatibility layer for running Windows programs - Staging branch
Architecture    : x86_64
URL             : http://www.wine-staging.com
Licenses        : LGPL
Groups          : None
Provides        : wine=2.7  wine-wow64=2.7
Depends On      : attr  lib32-attr  fontconfig  lib32-fontconfig  lcms2  lib32-lcms2  libxml2  lib32-libxml2  libxcursor  lib32-libxcursor  libxrandr  lib32-libxrandr  libxdamage  lib32-libxdamage  libxi  lib32-libxi  gettext  lib32-gettext  freetype2  lib32-freetype2  glu  lib32-glu  libsm  lib32-libsm  gcc-libs  lib32-gcc-libs  libpcap  lib32-libpcap  desktop-file-utils
Optional Deps   : giflib
                  lib32-giflib
                  libpng
                  lib32-libpng
                  libldap
                  lib32-libldap
                  gnutls
                  lib32-gnutls
                  mpg123
                  lib32-mpg123
                  openal
                  lib32-openal
                  v4l-utils
                  lib32-v4l-utils
                  libpulse
                  lib32-libpulse
                  alsa-plugins
                  lib32-alsa-plugins
                  alsa-lib
                  lib32-alsa-lib
                  libjpeg-turbo
                  lib32-libjpeg-turbo
                  libxcomposite
                  lib32-libxcomposite
                  libxinerama
                  lib32-libxinerama
                  ncurses
                  lib32-ncurses
                  opencl-icd-loader
                  lib32-opencl-icd-loader
                  libxslt
                  lib32-libxslt
                  libva
                  lib32-libva
                  gtk3
                  lib32-gtk3
                  gst-plugins-base-libs
                  lib32-gst-plugins-base-libs
                  vulkan-icd-loader
                  lib32-vulkan-icd-loader
                  cups
                  samba
                  dosbox
Conflicts With  : wine  wine-wow64
Replaces        : None
Download Size   : 42.36 MiB
Installed Size  : 404.19 MiB
Packager        : Felix Yan <felixonmars@archlinux.org>
Build Date      : Thu 04 May 2017 02:16:56 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

$ pacman -Ss wine-staging-nine
Repository      : multilib
Name            : wine-staging-nine
Version         : 2.7-1
Description     : A compatibility layer for running Windows programs - Staging branch with the gallium-nine patches
Architecture    : x86_64
URL             : http://www.wine-staging.com
Licenses        : LGPL
Groups          : None
Provides        : wine=2.7  wine-wow64=2.7  wine-staging=2.7
Depends On      : attr  lib32-attr  fontconfig  lib32-fontconfig  lcms2  lib32-lcms2  libxml2  lib32-libxml2  libxcursor  lib32-libxcursor  libxrandr  lib32-libxrandr  libxdamage  lib32-libxdamage  libxi  lib32-libxi  gettext  lib32-gettext  freetype2  lib32-freetype2  glu  lib32-glu  libsm  lib32-libsm  gcc-libs  lib32-gcc-libs  libpcap  lib32-libpcap  desktop-file-utils
Optional Deps   : giflib
                  lib32-giflib
                  libpng
                  lib32-libpng
                  libldap
                  lib32-libldap
                  gnutls
                  lib32-gnutls
                  mpg123
                  lib32-mpg123
                  openal
                  lib32-openal
                  v4l-utils
                  lib32-v4l-utils
                  libpulse
                  lib32-libpulse
                  alsa-plugins
                  lib32-alsa-plugins
                  alsa-lib
                  lib32-alsa-lib
                  libjpeg-turbo
                  lib32-libjpeg-turbo
                  libxcomposite
                  lib32-libxcomposite
                  libxinerama
                  lib32-libxinerama
                  ncurses
                  lib32-ncurses
                  opencl-icd-loader
                  lib32-opencl-icd-loader
                  libxslt
                  lib32-libxslt
                  libva
                  lib32-libva
                  gtk3
                  lib32-gtk3
                  gst-plugins-base-libs
                  lib32-gst-plugins-base-libs
                  vulkan-icd-loader
                  lib32-vulkan-icd-loader
                  cups
                  samba
                  dosbox
Conflicts With  : wine  wine-wow64  wine-staging
Replaces        : None
Download Size   : 42.42 MiB
Installed Size  : 404.60 MiB
Packager        : Laurent Carlier <lordheavym@gmail.com>
Build Date      : Thu 04 May 2017 04:46:19 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

An external attacker is able to inject arbitrary cookie values cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

Description:

I have tried to upgrade hyperbola.

Critical upgrades cannot be installed when wesnoth is installed, there are conflicting files

Steps to reproduce:

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 arch-keyring-201808...  1605.2 KiB   617K/s 00:03 [#########] 100%
 hyperbola-keyring-2...   215.9 KiB   635K/s 00:00 [#########] 100%
 linux-libre-lts-4.9...    59.6 MiB   749K/s 01:22 [#########] 100%
 openvpn-2.4.6-1.hyp...   402.2 KiB  1149K/s 00:00 [#########] 100%
 iceweasel-uxp-52.9....    39.8 MiB   839K/s 00:49 [#########] 100%
 libgdm-3.24.1-1.hyp...    57.3 KiB  1912K/s 00:00 [#########] 100%
 ntp-4.2.8.p11-2.hyp...  1798.4 KiB   833K/s 00:02 [#########] 100%
 sddm-0.14.0-2.hyper...     3.2 MiB   770K/s 00:04 [#########] 100%
 lxdm-0.5.3-4.hyperb...    98.4 KiB   984K/s 00:00 [#########] 100%
 tp_smapi-lts-0.43-1...    26.6 KiB  2.60M/s 00:00 [#########] 100%
 wesnoth-data-1.14.4...   395.1 MiB   745K/s 09:03 [#########] 100%
 wesnoth-1.14.4-1.hy...     5.5 MiB   616K/s 00:09 [#########] 100%
(12/12) checking keys in keyring                   [#########] 100%
(12/12) checking package integrity                 [#########] 100%
(12/12) loading package files                      [#########] 100%
(12/12) checking for file conflicts                [#########] 100%
error: failed to commit transaction (conflicting files)
/usr/share/icons/hicolor/128x128/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/16x16/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/256x256/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/32x32/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/512x512/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/64x64/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/metainfo/wesnoth.appdata.xml exists in both 'wesnoth-data' and 'wesnoth'
Errors occurred, no packages were upgraded.

Description:

• The Arch version of Wesnoth from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : wesnoth
Version         : 1.12.6-4
Description     : A turn-based strategy game on a fantasy world
Architecture    : x86_64
URL             : http://www.wesnoth.org/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : sdl_ttf  sdl_net  sdl_mixer  sdl_image  fribidi  boost-libs  pango  lua52  wesnoth-data  dbus  python2
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 4.97 MiB
Installed Size  : 22.86 MiB
Packager        : Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
Build Date      : Mon 02 Jan 2017 07:52:21 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

/usr/lib/systemd/system/wesnothd.service is owned by wesnoth 1.12.6-4
/usr/lib/tmpfiles.d/wesnothd.conf is owned by wesnoth 1.12.6-4

Steps to reproduce:

• Install package.

The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appear to be exploitable via Loading specially-crafted saved games, networked games, replays, and player content.

https://security-tracker.debian.org/tracker/CVE-2018-1999023

Upstream patch: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318

The package is not compiled from source

Warsow contains a library called steamlib which is built from the source. It’s useful only for Steam support which is nonfree software.

The package contains nonfree assets:
data0_000_nonfree_21.pk3
data0_000_nonfree_21pure.pk3
tex_000_nonfree.pk3

w3m is an unmaintained and unsuportable software, the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/ Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/ [1]:https://security.archlinux.org/package/w3m [2]:https://tracker.debian.org/pkg/w3m [3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m