Packages

Category | Task Type | Priority | Severity | Summary | Status | Progress
Any | Security Issue | Very Low | Critical | [opensmtpd] CVE-2020-8794 | Closed | 100%
Task Description

Description:
https://www.openwall.com/lists/oss-security/2020/02/24/5
https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)

Contents

Summary
Analysis
...
Acknowledgments

Summary

We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This
vulnerability, an out-of-bounds read introduced in December 2015 (commit
80c6a60c, “when peer outputs a multi-line response ...”), is exploitable
remotely and leads to the execution of arbitrary shell commands: either
as root, after May 2018 (commit a8e22235, “switch smtpd to new
grammar”); or as any non-root user, before May 2018.

Because this vulnerability resides in OpenSMTPD’s client-side code
(which delivers mail to remote SMTP servers), we must consider two
different scenarios:

- Client-side exploitation: This vulnerability is remotely exploitable
  in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
  OpenSMTPD listens on localhost only, by default, it does accept mail
  from local users and delivers it to remote servers. If such a remote
  server is controlled by an attacker (either because it is malicious or
  compromised, or because of a man-in-the-middle, DNS, or BGP attack --
  SMTP is not TLS-encrypted by default), then the attacker can execute
  arbitrary shell commands on the vulnerable OpenSMTPD installation.

- Server-side exploitation: First, the attacker must connect to the
  OpenSMTPD server (which accepts external mail) and send a mail that
  creates a bounce. Next, when OpenSMTPD connects back to their mail
  server to deliver this bounce, the attacker can exploit OpenSMTPD's
  client-side vulnerability. Last, for their shell commands to be
  executed, the attacker must (to the best of our knowledge) crash
  OpenSMTPD and wait until it is restarted (either manually by an
  administrator, or automatically by a system update or reboot).

We developed a simple exploit for this vulnerability and successfully
tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the
first vulnerable release), Debian 10 (stable), Debian 11 (testing), and
Fedora 31.

The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”

Stable | Implementation Request | Medium | Medium | [materia-theme] add package | Closed | 100%
Task Description

A Material-like flat theme for GTK+ 2/3, and GNOME shell, released under a GNU General Public Licence (GNU GPL) 2 and later.

Stable | Security Issue | Very Low | Medium | [git] Multiple CVEs | Closed | 100%
Task Description

CVE-2020-5260 has been fixed very recently in Debian, so I thought I would apply this patch. However, I found out that security patches have not been applied for quite a while (I could account for at least 6 CVEs).

Considering that the version in Debian stretch (2.11.0) is the nearest version with security patches released by Debian and that the git project's oldest supported version is 2.17, I have used patches from Debian stretch to apply on 2.12.2 currently in Milky Way.

But I have the following error on check():

 |  *** prove ***
 |
 |  Test Summary Report
 |  -------------------
 |  t5570-git-daemon.sh                              (Wstat: 256 Tests: 20 Failed: 10)
 |    Failed tests:  3-7, 15-19
 |    Non-zero exit status: 1
 |  t5811-proto-disable-git.sh                       (Wstat: 256 Tests: 26 Failed: 16)
 |    Failed tests:  2-6, 9-11, 15-19, 21-23
 |    Non-zero exit status: 1
 |  Files=769, Tests=14137, 1101 wallclock secs ( 8.08 usr  1.12 sys + 144.48 cusr 63.42 csys = 217.10 CPU)
 |  Result: FAIL
 |  make[1]: *** [Makefile:45: prove] Error 1
 |  make[1]: Leaving directory '/build/git/src/git-2.12.2/t'
 |  make: *** [Makefile:2291: test] Error 2
 |  ==> ERROR: A failure occurred in check().
 |      Aborting...

This does not seem to be related to my change as the current version in Milky Way produces the same error (IOW the package currently in Milky Way is not rebuildable).

Stable | Bug Report | Very Low | Medium | Untrusted gpg key | Closed | 100%
Task Description

Description:
There is an issue with Christian Rebischke’s key. I’ve tried to delete /etc/pacman.d/gnupg/ and repopulate it, but it doesn’t fix the issue.

error: ascii: signature from “Christian Rebischke (Arch Linux Security Team-Member) Chris.Rebischke@archlinux.org” is unknown trust
File /var/cache/pacman/pkg/ascii-3.15-2-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

Steps to reproduce:

sudo pacman -S ascii

Stable | Update Request | Very Low | Medium | [varnish] Missing init script | Closed | 100%
Task Description

Description:

Init script is missing for this package.

I think it has some systemd dependencies.

/tmp/alpm_sYmHUS/.INSTALL: line 7: systemd-sysusers: command not found
error: command failed to execute correctly

package version: varnish-5.1.2-1

Testing | Bug Report | Medium | Medium | [Hyperbola GNU/Linux 0.4] Problems with ALSA and sndio ... | Closed | 100%
Task Description

Description: User reporting problems with sndio. A further check with ALSA showed no active device being used. User has HDMI-sound in usage.

Testing | Bug Report | Very Low | Medium | warzone2100 fail | Closed | 100%
Task Description

Description:
The game crashes when selecting a tank.

Additional info:
* package version(s) : extra/warzone2100 3.3.0-3
* config and/or log files etc. ↓ and attach the log file

[ user | 2021-11-05 | 07:41 ]
[/home/user] [0]
$ warzone2100
which: no gdb in (/usr/bin:/usr/java/jre1.8.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/sbin:/usr/sbin:/sbin:/home/user/.hyperterm/personal/commands:/opt/chrome)
Saved dump file to ‘/home/user/.local/share/warzone2100-3.3.0//logs/warzone2100.gdmp-bspbru’ If you create a bugreport regarding this crash, please include this file.
Segmentation fault

Steps to reproduce:
After install, start a new campaign, select a tank, and the program crashes.

Testing | Bug Report | Medium | Medium | [xfontsel] Problem with font handling | Closed | 100%
Task Description

Description: Bug related to the font handling under Hyperbola. xfontsel doesn’t list the PCF bitmapped fonts, which are used for some legacy tools with Motif/Athena for instance. If you want to use a font with good coverage of symbols (misc fixed 10×20 iso10646-1) under DDD (for accented/non ASCII characters), you can’t, you are restricted to ASCII 9×15 fonts.

Additional info:
This error happens even if all -meta font meta-packages are installed.

Stable | Bug Report | Very Low | Low | Mupen64plus acts buggy | Closed | 100%
Task Description

the screen moves back and forth from left to right randomly, no matter what I do, any games any adapters do not work.

I wanted to have some fun with some old games...

Has anyone used mupen64plus successfully on hyperbola 0.2? I cannot get it to work without being completely confusing for the reasons I have mentioned and also, the glaring of the screen. Which only happens with mupen64plus...

Any | Freedom Issue | Very Low | Low | [wireshark*] mentions non-free OSes in pacman descripti ... | Closed | 100%
Task Description
community/wireshark-cli 2.2.6-1
    a free network protocol analyzer for Unix/Linux and Windows - CLI version
community/wireshark-common 2.2.6-1
    Common files used by wireshark-gtk and wireshark-qt
community/wireshark-gtk 2.2.6-1
    a free network protocol analyzer for Unix/Linux and Windows - GTK frontend
community/wireshark-qt 2.2.6-1
    a free network protocol analyzer for Unix/Linux and Windows - Qt frontend

It’s better to change to a more neutral description such as “a cross-platform network protocol analyzer - CLI/GTK/Qt version”.

Any | Freedom Issue | Medium | Low | [openjpeg] vague terminology "Open Source" in descripti ... | Closed | 100%
Task Description

This package contains vague terminology “Open Source”:

extra/openjpeg 1.5.2-1
    An open source JPEG 2000 codec

According to:
https://www.gnu.org/distros/free-system-distribution-guidelines.html

We shall avoid vague terminology such as “Open Source”, please see here:
https://www.gnu.org/philosophy/words-to-avoid.html#Open

It would be a good example to set to have a proper description of packages without using “Open Source”.

e.g.

A free software JPEG 2000 codec

Any | Freedom Issue | Very Low | Low | [qpdf]: using "Content" in description | Closed | 100%
Task Description

Description:

extra/qpdf 6.0.0-2
    QPDF: A Content-Preserving PDF Transformation System

The description is vague.

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Content

Any | Freedom Issue | Very Low | Low | [webkitgtk]: using "content" in description | Closed | 100%
Task Description

Description:

extra/webkitgtk 2.4.11-6.hyperbola1
    Legacy Web content engine for GTK+ 3, without geoclue2 support

The description is vague. There is not even need to use “content” here. Web engine should be very clear. “Content” alone does not make sense.

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Content

Any | Freedom Issue | Very Low | Low | [antiword]: referring to kernel name, when it should to ... | Closed | 100%
Task Description
community/antiword 0.37-6 [installed]
     A free MS Word reader for Linux and RISC OS

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Linux

Description is referring to operating system, and not to the kernel itself (Linux). It shall be amended.

Any | Freedom Issue | Very Low | Low | [clamtk]: referring to kernel name, instead of operatin ... | Closed | 100%
Task Description
community/clamtk 5.24-1
     Easy to use, light-weight, on-demand virus scanner for Linux systems

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Linux

Description is referring to operating system, and not to the kernel itself (Linux). It shall be amended.

Any | Freedom Issue | Very Low | Low | [hexedit]: using kernel name instead of operating syste ... | Closed | 100%
Task Description

Description:

community/hexedit 1.2.13-3
     Hex Editor for Linux

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Linux

Any | Freedom Issue | Very Low | Low | [python2-pyinotify]: using kernel name instead of opera ... | Closed | 100%
Task Description

Description:

community/python2-pyinotify 0.9.6-3 [installed]
     Python module used for monitoring filesystems events on Linux platforms with inotify.
 community/qlandkartegt 1.8.1-8

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Linux

Any | Freedom Issue | Very Low | Low | [wireshark-cli]: using kernel name when referring to op ... | Closed | 100%
Task Description

Description:

community/wireshark-cli 2.2.6-1
     a free network protocol analyzer for Unix/Linux and Windows - CLI version

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Linux

I would remove Unix and Windows from description as those words steer users towards non-free proprietary software.

Any | Freedom Issue | Very Low | Low | [wireshark-gtk]: using kernel name when referring to op ... | Closed | 100%
Task Description

Description:

community/wireshark-gtk 2.2.6-1
     a free network protocol analyzer for Unix/Linux and Windows - GTK frontend

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Linux

Please remove references to proprietary software.

Any | Freedom Issue | Very Low | Low | [wireshark-qt]: using kernel name when referring to ope ... | Closed | 100%
Task Description

Description:

community/wireshark-qt 2.2.6-1
     a free network protocol analyzer for Unix/Linux and Windows - Qt frontend

See:
https://www.gnu.org/philosophy/words-to-avoid.html#Linux

Stable | Update Request | Very Low | Low | [icewm] Upgrade package version | Closed | 100%
Task Description

The current version of the package icewm within the Hyperbola-repositories is 1.3.8. The latest version is 1.6.3!
An update would be helpful as this window-manager follows absolutely the principles of the distribution Hyperbola itself, being simple and fast.

Testing | Freedom Issue | Very Low | Critical | [Hyperbola GNU/Linux-libre 0.4] [lumina-core] has some ... | Closed | 100%
Task Description

The list contains some icons before being removed for displaying non-libre and trademark-related stuff, which may infringe the GNU Free System Distribution Guidelines and Hyperbola Packaging Guidelines.

/usr/share/icons/material-design-{dark,light}/scalable/applications/:

  • Icons that are libre apps but have problematic issues:
    • nodejs.svg
    • npm.svg
    • umbraco.svg
  • Icons that are non-libre apps:
    • apple-finder.svg
    • apple-safari.svg
    • edge.svg
    • emby.svg
    • evernote.svg
    • google-chrome.svg
    • google-earth.svg
    • internet-explorer.svg (discontinued)
    • itunes.svg
    • jira.svg
    • opera.svg
    • plex.svg
    • quicktime.svg
    • skype.svg
    • slack.svg
    • steam.svg
    • teamviewer.svg
    • unity.svg
    • visualstudio.svg
    • whatsapp.svg
  • Icons that are non-libre games:
    • black-mesa.svg
    • minecraft.svg
  • Icons that are non-libre network services:
    • amazon.svg
    • appnet.svg (discontinued)
    • basecamp.svg
    • bing.svg
    • bitbucket.svg
    • blogger.svg
    • deviantart.svg
    • disqus.svg
    • dribbble.svg
    • dropbox.svg
    • ebay.svg
    • etsy.svg
    • facebook.svg
    • flattr.svg
    • foursquare.svg
    • github.svg
    • gmail.svg
    • google-drive.svg
    • google-maps.svg
    • google-photos.svg
    • google-play.svg
    • google-plus.svg (discontinued)
    • google-translate.svg
    • google-wallet.svg (discontinued, now as Google Pay)
    • instagram.svg
    • jsfiddle.svg
    • lastfm.svg
    • linkedin.svg
    • linode.svg
    • mixcloud.svg
    • onedrive.svg
    • pandora.svg
    • pinterest.svg
    • rdio.svg (discontinued)
    • reddit.svg
    • soundcloud.svg
    • spotify.svg
    • stackexchange.svg
    • stackoverflow.svg
    • telegram.svg
    • tumblr.svg
    • twitch.svg
    • twitter.svg
    • vimeo.svg
    • vine.svg (discontinued)
    • vk.svg
    • wechat.svg
    • xing.svg
    • yelp.svg
    • youtube.svg
  • Icons that are non-FSDG operating systems:
    • android.svg
    • ubuntu.svg
  • Icons that are non-libre operating systems:
    • apple-ios.svg
  • Icons that are trademarked brands and products:
    • apple.svg
    • beats.svg
    • blackberry.svg
    • dolby.svg
    • google.svg
    • google-cardboard.svg (discontinued)
    • google-glass.svg
    • microsoft.svg
    • playstation.svg
    • wii.svg (discontinued)
    • wiiu.svg (discontinued)
  • Icons that are trademarked characters:
    • clippy.svg (appearance from the Office Assistant part of M$ Office 97 to 2003)

Testing | Implementation Request | High | Critical | [xlsfonts] Missing package needs to be added for xenoca ... | Closed | 100%
Task Description

Description: Package xlsfonts is missing and should absolutely be added, also within the groups ‘xenocara-apps’ and ‘xorg-apps’.

Stable | Bug Report | Very Low | High | [devede] xorriso unsupported option '-dvd-video' | Closed | 100%
Task Description

Description:

Devede fails to convert transcoded videos to iso format with libburn-1.5.0.

Drive current: -outdev 'stdio:/home/heckyel/movie/movie.iso'
Media current: stdio file, overwriteable
Media status : is blank
Media summary: 0 sessions, 0 data blocks, 0 data,  334g free
xorriso : FAILURE : -as genisofs: Unsupported option '-dvd-video'
xorriso : NOTE : -return_with SORRY 32 triggered by problem severity FAI

Additional info:

$ pacman -Si devede
Repositorio               : community
Nombre                    : devede
Versión                   : 4.8.8-1
Descripción               : A program to create VideoDVDs and CDs
Arquitectura              : any
URL                       : http://www.rastersoft.com/programas/devede.html
Licencias                 : GPL3
Grupos                    : Nada
Provee                    : Nada
Depende de                : mencoder  ffmpeg  dvdauthor  vcdimager  cdrkit  ttf-dejavu
                            gtk3  python-cairo  python-gobject  python-setuptools
Dependencias opcionales   : mplayer
                            vlc
                            mpv
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 1640,88 KiB
Tamaño de la instalación  : 3331,00 KiB
Encargado                 : Sergej Pupykin <pupykin.s+arch@gmail.com>
Fecha de creación         : vie 10 feb 2017 05:06:37 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

Links to code:

- https://gitlab.com/rastersoft/devedeng/blob/master/src/devedeng/mkisofs.py#L61

- https://gitlab.com/rastersoft/devedeng/blob/master/src/devedeng/genisoimage.py#L61

Steps to reproduce:

- Install devede
- Create video DVD disc

Any | Update Request | Medium | Medium | [cups] update request | Closed | 100%
Task Description

New version v2.2.7

References:

Any | Feature Request | Very Low | Medium | Remove dependency of packages on pulseaudio/libpulse | Closed | 100%
Any | Security Issue | Very Low | Medium | [patch] CVE-2018-6951 - NULL pointer DoS | Closed | 100%
Any | Bug Report | Very Low | Medium | [clamtk] Gtk-WARNING **: Impossible to find the theme e ... | Closed | 100%
Testing | Bug Report | Medium | Medium | [Hyperbola GNU/Linux-libre 0.4] - Package [xscreensaver ... | Closed | 100%
Testing | Bug Report | Very Low | Medium | [Hyperbola GNU/Linux-libre 0.4] [opensurge] has refused ... | Closed | 100%
Testing | Bug Report | Medium | Medium | [Hyperbola GNU/Linux 0.4] Problems with touch- / trackp ... | Closed | 100%
Testing | Bug Report | Very Low | Medium | [Hyperbola GNU/Linux-libre 0.4] [numptyphysics] has cra ... | Closed | 100%
Any | Bug Report | Very Low | Low | [gimp] [gegl] Module '/usr/lib/gegl-0.3/lens-correct.so ... | Closed | 100%
Stable | Implementation Request | Very Low | Low | [xfe] Add Opus audio file type support | Closed | 100%
Any | Feature Request | Very High | High | [backuppc]: contains systemd files | Closed | 100%
Any | Privacy Issue | Medium | High | midori new Support for cross-browser web extensions | Closed | 100%
Any | Security Issue | Medium | Medium | [openssh] CVE-2018-15919 | Closed | 100%
Stable | Bug Report | Very Low | Medium | [postgrey] has systemd service and no OpenRC init scrip ... | Closed | 100%
Any | Freedom Issue | Very Low | Critical | [conky] Some serious issues | Closed | 100%
Any | Privacy Issue | Very Low | Critical | [bleachbit] needs to be adapted to UXP applications | Closed | 100%
Stable | Bug Report | Very Low | Critical | [smartmontools] update-smart-drivedb fails to update | Closed | 100%
Testing | Bug Report | High | Critical | [Hyperbola GNU/Linux-libre 0.4] Problems with sndio fai ... | Closed | 100%
Any | Bug Report | Very High | Critical | [ath9k-htc-firmware]: not work | Closed | 100%
Stable | Bug Report | Very Low | High | [ispell] require FHS | Closed | 100%
Testing | Feature Request | Very Low | Medium | [Hyperbola GNU/Linux-Libre 0.4] [lumina-core] Replace t ... | Closed | 100%
Testing | Bug Report | Very Low | Medium | [adwaita-icon-theme] Most symbolic icons look brokenly ... | Closed | 100%
Testing | Bug Report | Very Low | Medium | angband game Couldn't load the requested font. | Closed | 100%
Testing | Bug Report | Very Low | Very Low | [Hyperbola GNU/Linux-libre 0.4] [wine-stable] doesn't r ... | Closed | 100%
Any | Replace Request | High | Critical | [python2] replace deprecated Python 2 to Tauthon | Closed | 100%
Any | Security Issue | Very High | Critical | [grub2] UEFI SecureBoot vulnerability + multiple flaws ... | Closed | 100%
Showing tasks 1 - 50 of 124 Page 1 of 3