Packages

There appears to be a bug with the current version of ufw, 0.35-2

Dunno if updating it would fix it, but it is kind of annoying and possibly security issue.

it says ufw is inactive when I reboot despite it being installed in the runlevel.

Severity: high

Versions affected:
1.6.0 through 1.7.0
Potentially, all earlier versions too, but there is no known way to
trigger this before 1.6.0

Mitigation:
upgrade to 1.7.1

Description:
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming
from the network, allowing a non-admin user to escalate privilege,
inject rogue values into znc.conf, and gain shell access.

Upstream patches:
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

—

Severity: medium

Versions affected:
0.045 through 1.7.0

Mitigation:
upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`, `/msg
*status DelPort` commands.

Description:
ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user
can set web skin name to ../ to access files outside of the intended
skins directories and to cause DoS.

Upstream patch:
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773

Description:
Since the update to 0.3.9 (or the update of girara to 0.2.9), zathura-pdf-poppler returns the following error:

error: Could not load plugin '/usr/lib/zathura/ps.so' (libgirara-gtk3.so.2: cannot open shared object file: No such file or directory).

Description:

Fixes[0] a small error in the name API function extract.

Replaced name `indivious` to `invidious`

Attached[1] patch update

- [0]:https://github.com/arankaren/youtube-viewer/commit/a464c878579f22c1cf7e5e54897c5ecaf27e333e

- [1]:https://paste.debian.net/plain/1091395

Description:

We know that YouTube is a problem. That’s why I added invidio.us as support for youtube-viewer and gtk-youtube-viewer.

invidio.us has already been added to the main source of youtube-viewer[0][1]

Attached[2] the patch to enable invidious in youtube-viewer

Additional info:

- [0]: https://github.com/trizen/youtube-viewer/commit/0cd9a5414513d18213d8fe460c533b7107b56ebc

- [1]: https://github.com/trizen/youtube-viewer/commit/d856b993c744e0ef17be0b14c6440378bfeec0f9

- [2]: https://paste.debian.net/plain/1091294

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

We seem to have a very old version of xscreensaver... Could you possibly update it?

this may be a security issue/privacy issue.

A Syriac typeface family series of Beth Mardutho’s Meltho is considered as non-libre/free because a licence forbids to modify[1], and should be removed immediately.

[1]: https://github.com/freedesktop/xorg-misc-meltho/raw/master/license.txt

xmind when installed is showing that “this version is not licensed”, so that cannot be right. Even though there is GPL license on Github, that vague information in the software can and is wrongly understood:

Further it is asking for license key to get the “Pro” version.

Thus xmind is pointing to proprietary software.

That means xmind shall be removed from Hyperbola immediately as such as it is now cannot be in the fully free GNU distribution.

In the latest version fixes several minor bugs and search file function issue[1].

[1]: http://roland65.free.fr/xfe/ (see 1.43 and 1.43.1 in the news section)

I’m encountering this bug when using latest Pale Moon (version 2.8.0.1).

https://forum.palemoon.org/viewtopic.php?f=37&t=19941&sid=3cd95f0870b5cef74c582eb9a3ea778a

The bug doesn’t only affect the preferences dialog - other windows are not rendered correctly either such as DownThemAll! add-on (see attached image).

The suggested fix is to update the intel driver (the about:config suggested change makes the preference dialog usable but other windows such as DownThemAll! still aren’t displayed correctly).

I’m using a T60 with intel graphics.

Description:
Context menu not being highlighted in UXP applications such as Iceweasel-UXP. This issue is generated in machines with i915 graphic cards using the Intel graphics driver .

Additional info:
* package version(s): 52.9.0_20180601-7

Steps to reproduce:

• Install Iceweasel-UXP:

  # pacman -S iceweasel-uxp

• Run Iceweasel-UXP:

  ~ iceweasel-uxp

• Open new tabs with right click to use context menu.

http://openwall.com/lists/oss-security/2018/04/30/1 http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

Add Xen 4.8.x split packages (”xen” and “xen-docs”).

As per the source code, xdg-utils is meant to work with firefox, google-chrome, and other browsers. It is missing support for -uxp applications.

Description:

xdg-utils package contains some non-free applications

Additional info:

$ pacman -Si xdg-utils
Repositorio               : extra
Nombre                    : xdg-utils
Versión                   : 1.1.1-5
Descripción               : Command line tools that assist applications with a variety of
                            desktop integration tasks
Arquitectura              : any
URL                       : https://www.freedesktop.org/wiki/Software/xdg-utils/
Licencias                 : MIT
Grupos                    : Nada
Provee                    : Nada
Depende de                : sh  xorg-xset
Dependencias opcionales   : kde-cli-tools: for KDE Plasma5 support in xdg-open
                            exo: for Xfce support in xdg-open
                            xorg-xprop: for Xfce support in xdg-open
                            pcmanfm: for LXDE support in xdg-open
                            perl-file-mimeinfo: for generic support in xdg-open
                            perl-net-dbus: Perl extension to dbus used in xdg-screensaver
                            perl-x11-protocol: Perl X11 protocol used in xdg-screensaver
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 54,40 KiB
Tamaño de la instalación  : 303,00 KiB
Encargado                 : Andreas Radke <andyrtr@archlinux.org>
Fecha de creación         : vie 20 ene 2017 16:12:57 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

Steps to reproduce:

$ cat /usr/bin/xdg-open | grep 'chromium'

BROWSER=x-www-browser:firefox:iceweasel:seamonkey:mozilla:epiphany:konqueror:chromium:google-chrome:$BROWSER

“x2goplugin” uses deprecated/unsecure NPAPI[0] api

$ pacman -Si x2goplugin
Repository : extra
Name : x2goplugin
Version : 4.1.0.0-1
Description : provides X2Go Client as QtBrowser-based Mozilla plugin
Architecture : x86_64
URL : http://www.x2go.org Licenses : GPL2
Groups : None
Provides : None
Depends On : qt4 libcups nxproxy libssh libxpm
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 1250.54 KiB
Installed Size : 2761.00 KiB
Packager : Andreas Radke andyrtr@archlinux.org Build Date : Wed 22 Feb 2017 12:42:48 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

x11vnc service has been imported from Gentoo, however it forces use xdm service when it should be optional since there are users don’t like use xdm to run DMs. Also, Hyperbola contains another services alternatives such as gdm, lightdm, lxdm, sddm and slim to run directly without xdm.

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

I wondered if anyone else has experienced this, I cannot use sound on one of my games which has no drm on it. It’s not exactly, free as in freedom, (the game I want to play) but it has no drm. I could get it working on trisquel, debian, devuan, fedora... but not hyperbola for some reason.

The other problem though is that I know there are some errors with the packaging, because wine-staging and wine both say 2.7 version. Which absolutely cannot be right because wine stable hasn’t even released ver 2.1! yet... xD

Anyways though, This would be nice if you could fix it. sound won’t initalize and the versions are wrong at the moment...

Add Wine stable version (2.x) as default Wine package.

$ pacman -Si wine
Repository      : multilib
Name            : wine
Version         : 2.7-1
Description     : A compatibility layer for running Windows programs
Architecture    : x86_64
URL             : http://www.winehq.com
Licenses        : LGPL
Groups          : None
Provides        : bin32-wine=2.7  wine-wow64=2.7
Depends On      : fontconfig  lib32-fontconfig  lcms2  lib32-lcms2  libxml2  lib32-libxml2  libxcursor  lib32-libxcursor  libxrandr  lib32-libxrandr  libxdamag
e  lib32-libxdamage  libxi  lib32-libxi  gettext  lib32-gettext  freetype2  lib32-freetype2  glu  lib32-glu  libsm  lib32-libsm  gcc-libs  lib32-gcc-libs  libp
cap  lib32-libpcap  desktop-file-utils
Optional Deps   : giflib
                  lib32-giflib
                  libpng
                  lib32-libpng
                  libldap
                  lib32-libldap
                  gnutls
                  lib32-gnutls
                  mpg123
                  lib32-mpg123
                  openal
                  lib32-openal
                  v4l-utils
                  lib32-v4l-utils
                  libpulse
                  lib32-libpulse
                  alsa-plugins
                  lib32-alsa-plugins
                  alsa-lib
                  lib32-alsa-lib
                  libjpeg-turbo
                  lib32-libjpeg-turbo
                  libxcomposite
                  lib32-libxcomposite
                  libxinerama
                  lib32-libxinerama
                  ncurses
                  lib32-ncurses
                  opencl-icd-loader
                  lib32-opencl-icd-loader
                  libxslt
                  lib32-libxslt
                  gst-plugins-base-libs
                  lib32-gst-plugins-base-libs
                  cups
                  samba
                  dosbox
Conflicts With  : bin32-wine  wine-wow64
Replaces        : bin32-wine
Download Size   : 48.95 MiB
Installed Size  : 387.66 MiB
Packager        : Sven-Hendrik Haase <sh@lutzhaase.com>
Build Date      : Sun 30 Apr 2017 09:09:05 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

$ pacman -Si wine-staging
Repository      : multilib
Name            : wine-staging
Version         : 2.7-1
Description     : A compatibility layer for running Windows programs - Staging branch
Architecture    : x86_64
URL             : http://www.wine-staging.com
Licenses        : LGPL
Groups          : None
Provides        : wine=2.7  wine-wow64=2.7
Depends On      : attr  lib32-attr  fontconfig  lib32-fontconfig  lcms2  lib32-lcms2  libxml2  lib32-libxml2  libxcursor  lib32-libxcursor  libxrandr  lib32-libxrandr  libxdamage  lib32-libxdamage  libxi  lib32-libxi  gettext  lib32-gettext  freetype2  lib32-freetype2  glu  lib32-glu  libsm  lib32-libsm  gcc-libs  lib32-gcc-libs  libpcap  lib32-libpcap  desktop-file-utils
Optional Deps   : giflib
                  lib32-giflib
                  libpng
                  lib32-libpng
                  libldap
                  lib32-libldap
                  gnutls
                  lib32-gnutls
                  mpg123
                  lib32-mpg123
                  openal
                  lib32-openal
                  v4l-utils
                  lib32-v4l-utils
                  libpulse
                  lib32-libpulse
                  alsa-plugins
                  lib32-alsa-plugins
                  alsa-lib
                  lib32-alsa-lib
                  libjpeg-turbo
                  lib32-libjpeg-turbo
                  libxcomposite
                  lib32-libxcomposite
                  libxinerama
                  lib32-libxinerama
                  ncurses
                  lib32-ncurses
                  opencl-icd-loader
                  lib32-opencl-icd-loader
                  libxslt
                  lib32-libxslt
                  libva
                  lib32-libva
                  gtk3
                  lib32-gtk3
                  gst-plugins-base-libs
                  lib32-gst-plugins-base-libs
                  vulkan-icd-loader
                  lib32-vulkan-icd-loader
                  cups
                  samba
                  dosbox
Conflicts With  : wine  wine-wow64
Replaces        : None
Download Size   : 42.36 MiB
Installed Size  : 404.19 MiB
Packager        : Felix Yan <felixonmars@archlinux.org>
Build Date      : Thu 04 May 2017 02:16:56 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

$ pacman -Ss wine-staging-nine
Repository      : multilib
Name            : wine-staging-nine
Version         : 2.7-1
Description     : A compatibility layer for running Windows programs - Staging branch with the gallium-nine patches
Architecture    : x86_64
URL             : http://www.wine-staging.com
Licenses        : LGPL
Groups          : None
Provides        : wine=2.7  wine-wow64=2.7  wine-staging=2.7
Depends On      : attr  lib32-attr  fontconfig  lib32-fontconfig  lcms2  lib32-lcms2  libxml2  lib32-libxml2  libxcursor  lib32-libxcursor  libxrandr  lib32-libxrandr  libxdamage  lib32-libxdamage  libxi  lib32-libxi  gettext  lib32-gettext  freetype2  lib32-freetype2  glu  lib32-glu  libsm  lib32-libsm  gcc-libs  lib32-gcc-libs  libpcap  lib32-libpcap  desktop-file-utils
Optional Deps   : giflib
                  lib32-giflib
                  libpng
                  lib32-libpng
                  libldap
                  lib32-libldap
                  gnutls
                  lib32-gnutls
                  mpg123
                  lib32-mpg123
                  openal
                  lib32-openal
                  v4l-utils
                  lib32-v4l-utils
                  libpulse
                  lib32-libpulse
                  alsa-plugins
                  lib32-alsa-plugins
                  alsa-lib
                  lib32-alsa-lib
                  libjpeg-turbo
                  lib32-libjpeg-turbo
                  libxcomposite
                  lib32-libxcomposite
                  libxinerama
                  lib32-libxinerama
                  ncurses
                  lib32-ncurses
                  opencl-icd-loader
                  lib32-opencl-icd-loader
                  libxslt
                  lib32-libxslt
                  libva
                  lib32-libva
                  gtk3
                  lib32-gtk3
                  gst-plugins-base-libs
                  lib32-gst-plugins-base-libs
                  vulkan-icd-loader
                  lib32-vulkan-icd-loader
                  cups
                  samba
                  dosbox
Conflicts With  : wine  wine-wow64  wine-staging
Replaces        : None
Download Size   : 42.42 MiB
Installed Size  : 404.60 MiB
Packager        : Laurent Carlier <lordheavym@gmail.com>
Build Date      : Thu 04 May 2017 04:46:19 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

An external attacker is able to inject arbitrary cookie values cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

Description:

I have tried to upgrade hyperbola.

Critical upgrades cannot be installed when wesnoth is installed, there are conflicting files

Steps to reproduce:

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 arch-keyring-201808...  1605.2 KiB   617K/s 00:03 [#########] 100%
 hyperbola-keyring-2...   215.9 KiB   635K/s 00:00 [#########] 100%
 linux-libre-lts-4.9...    59.6 MiB   749K/s 01:22 [#########] 100%
 openvpn-2.4.6-1.hyp...   402.2 KiB  1149K/s 00:00 [#########] 100%
 iceweasel-uxp-52.9....    39.8 MiB   839K/s 00:49 [#########] 100%
 libgdm-3.24.1-1.hyp...    57.3 KiB  1912K/s 00:00 [#########] 100%
 ntp-4.2.8.p11-2.hyp...  1798.4 KiB   833K/s 00:02 [#########] 100%
 sddm-0.14.0-2.hyper...     3.2 MiB   770K/s 00:04 [#########] 100%
 lxdm-0.5.3-4.hyperb...    98.4 KiB   984K/s 00:00 [#########] 100%
 tp_smapi-lts-0.43-1...    26.6 KiB  2.60M/s 00:00 [#########] 100%
 wesnoth-data-1.14.4...   395.1 MiB   745K/s 09:03 [#########] 100%
 wesnoth-1.14.4-1.hy...     5.5 MiB   616K/s 00:09 [#########] 100%
(12/12) checking keys in keyring                   [#########] 100%
(12/12) checking package integrity                 [#########] 100%
(12/12) loading package files                      [#########] 100%
(12/12) checking for file conflicts                [#########] 100%
error: failed to commit transaction (conflicting files)
/usr/share/icons/hicolor/128x128/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/16x16/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/256x256/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/32x32/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/512x512/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/icons/hicolor/64x64/apps/wesnoth-icon.png exists in both 'wesnoth-data' and 'wesnoth'
/usr/share/metainfo/wesnoth.appdata.xml exists in both 'wesnoth-data' and 'wesnoth'
Errors occurred, no packages were upgraded.

Description:

• The Arch version of Wesnoth from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : wesnoth
Version         : 1.12.6-4
Description     : A turn-based strategy game on a fantasy world
Architecture    : x86_64
URL             : http://www.wesnoth.org/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : sdl_ttf  sdl_net  sdl_mixer  sdl_image  fribidi  boost-libs  pango  lua52  wesnoth-data  dbus  python2
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 4.97 MiB
Installed Size  : 22.86 MiB
Packager        : Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
Build Date      : Mon 02 Jan 2017 07:52:21 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

/usr/lib/systemd/system/wesnothd.service is owned by wesnoth 1.12.6-4
/usr/lib/tmpfiles.d/wesnothd.conf is owned by wesnoth 1.12.6-4

Steps to reproduce:

• Install package.