Adélie Package Tree issues
https://git.adelielinux.org/adelie/packages/-/issues
Updated: 2020-06-10T16:28:53Z

# user/py3-twisted: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/273
Updated: 2020-06-10T16:28:53Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 273 |
| Alias(es) | CVE-2020-10108, CVE-2020-10109 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-24 15:00:41 -0500 |
| Modified | 2020-06-10 11:28:53 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / major |
| URL | https://labs.twistedmatrix.com/2020/03/twisted-2030-released.html |
## Description
CVE-2020-10109: https://nvd.nist.gov/vuln/detail/CVE-2020-10109
> In Twisted Web through 19.10.0, there was an HTTP request splitting
> vulnerability. When presented with a content-length and a chunked
> encoding header, the content-length took precedence and the remainder
> of the request body was interpreted as a pipelined request.
Fixed in >= 20.3.0 https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
CVE-2020-10108: https://nvd.nist.gov/vuln/detail/CVE-2020-10108
> In Twisted Web through 19.10.0, there was an HTTP request splitting
> vulnerability. When presented with two content-length headers, it
> ignored the first header. When the second content-length value was set
> to zero, the request body was interpreted as a pipelined request.
Fixed in >= 20.3.0 (same patch)

Milestone: 1.0-BETA3

# user/qemu: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/272
Updated: 2022-11-12T05:19:11Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 272 |
| Alias(es) | CVE-2020-10702, CVE-2020-10717, CVE-2020-10761, CVE-2020-11869, CVE-2020-12829, CVE-2020-13253, CVE-2020-13361, CVE-2020-13362, CVE-2020-13659, CVE-2020-13754, CVE-2020-13791, CVE-2020-13800, CVE-2020-14364, CVE-2020-14415, CVE-2020-15469, CVE-2020-15859, CVE-2020-15863, CVE-2020-16092 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-24 14:40:33 -0500 |
| Modified | 2020-09-04 16:04:17 -0500 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / minor |
| Package(s) | user/qemu |
| URL | https://www.openwall.com/lists/oss-security/2020/04/24/2 |
## Description
CVE-2020-11869: https://www.openwall.com/lists/oss-security/2020/04/24/2
> An integer overflow flaw was found in QEMU in the way it implemented
> the ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine
> while handling MMIO write operations through ati_mm_write() callback.
> A malicious guest could abuse this flaw to crash the QEMU process,
> resulting in a denial of service.
Fixed in >= 5.0.0 https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7

Milestone: 1.0-BETA3

# user/cups: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/271
Updated: 2022-11-12T15:52:10Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 271 |
| Alias(es) | CVE-2019-2228, CVE-2019-8842, CVE-2020-3898 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-23 13:15:07 -0500 |
| Modified | 2020-10-30 22:40:04 -0500 |
| Status | IN_PROGRESS |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/cups |
## Description
> A heap-based buffer overflow was discovered in libcups's
> ppdFindOption() function in ppd-mark.c:430. The issue can be
> reproduced by loading a crafted ppd file and calling the
> ppdMarkDefaults() libcups API function.
Downstream patch https://src.fedoraproject.org/rpms/cups/blob/c1920d09b842bd2d0611559d00d595abd8aa2424/f/cups-ppdopen-heap-overflow.patch

Milestone: 1.0-BETA3

# user/ctags: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/270
Updated: 2022-11-13T06:54:43Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 270 |
| Alias(es) | CVE-2014-7204 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-23 12:27:09 -0500 |
| Modified | 2020-06-22 06:11:36 -0500 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/ctags |
## Description
We currently ship 5.8, which is missing at least this fix for a format string vulnerability as described in [1, 2]:
https://sourceforge.net/p/ctags/code/747/
There seem to be even more commits after this one in trunk on SF as late as 2014. Seems the following distros only have the commits since 2011-03-10 however:
Debian
Trisquel
Ubuntu
Fedora[3] made me aware of CVE-2014-7204[4]:
> jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a
> denial of service (infinite loop and CPU and disk consumption) via a
> crafted JavaScript file.
Nix[5] is building off the latest SVN trunk.
openSUSE[6] has a hodgepodge of patches.
Alpine[7] switched to Universal ctags and dropped Exuberant ctags entirely.
[1] https://www.openwall.com/lists/oss-security/2020/04/23/4
[2] https://blog.jasper.la/poking-old-format-string-bugs.html
[3] https://src.fedoraproject.org/rpms/ctags/tree/master
[4] https://nvd.nist.gov/vuln/detail/CVE-2014-7204
[5] https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/tools/misc/ctags/default.nix#L5
[6] https://build.opensuse.org/package/show/openSUSE:Factory/ctags
[7] https://git.alpinelinux.org/aports/commit/?id=a92e43efbc78b4f7a6b601653f07fb80e1ebd25f

Milestone: 1.0-BETA3

# user/openjdk8: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/269
Updated: 2020-06-13T00:25:07Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 269 |
| Alias(es) | CVE-2019-2602, CVE-2019-2684, CVE-2019-2698, CVE-2019-2745, CVE-2019-2762, CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842, CVE-2019-2894, CVE-2019-2933, CVE-2019-2945, CVE-2019-2949, CVE-2019-2958, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2999, CVE-2019-7317, CVE-2020-2583, CVE-2020-2590, CVE-2020-2593, CVE-2020-2601, CVE-2020-2604, CVE-2020-2654, CVE-2020-2659, CVE-2020-2754, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2773, CVE-2020-2781, CVE-2020-2800, CVE-2020-2803, CVE-2020-2805, CVE-2020-2830 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-21 12:48:16 -0500 |
| Modified | 2020-06-12 19:25:07 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| See also | https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3773 |
## Description
2019-04-16 advisory
https://openjdk.java.net/groups/vulnerability/advisories/2019-04-16
Fixed in >= 8u212
CVE-2019-2698
CVE-2019-2602
CVE-2019-2684
2019-07-16 advisory
https://openjdk.java.net/groups/vulnerability/advisories/2019-07-16
https://mail.openjdk.java.net/pipermail/vuln-announce/2019-July/000000.html
Fixed in >= 8u221
CVE-2019-7317
CVE-2019-2769
CVE-2019-2762
CVE-2019-2745
CVE-2019-2816
CVE-2019-2842
CVE-2019-2786
CVE-2019-2766
2019-10-15 advisory
https://openjdk.java.net/groups/vulnerability/advisories/2019-10-15
https://mail.openjdk.java.net/pipermail/vuln-announce/2019-October/000003.html
Fixed in >= 8u232
CVE-2019-2949
CVE-2019-2989
CVE-2019-2958
CVE-2019-2975
CVE-2019-2999
CVE-2019-2981
CVE-2019-2973
CVE-2019-2983
CVE-2019-2988
CVE-2019-2978
CVE-2019-2964
CVE-2019-2992
CVE-2019-2962
CVE-2019-2987
CVE-2019-2894
CVE-2019-2933
CVE-2019-2945
2020-01-14 advisory
https://openjdk.java.net/groups/vulnerability/advisories/2020-01-14
https://mail.openjdk.java.net/pipermail/vuln-announce/2020-January/000005.html
Fixed in >= 8u242
CVE-2020-2604
CVE-2020-2601
CVE-2020-2593
CVE-2020-2654
CVE-2020-2590
CVE-2020-2659
CVE-2020-2583
2020-04-14 advisory
https://mail.openjdk.java.net/pipermail/vuln-announce/2020-April/000006.html
https://openjdk.java.net/groups/vulnerability/advisories/2020-04-14
Fixed in >= 8u252
CVE-2020-2803
CVE-2020-2805
CVE-2020-2781
CVE-2020-2830
CVE-2020-2800
CVE-2020-2754
CVE-2020-2755
CVE-2020-2773
CVE-2020-2756
CVE-2020-2757

Milestone: 1.0-BETA3

# system/openssl: CVE-2020-1967: TLS 1.3 SSL_check_chain() NULL pointer dereference
https://git.adelielinux.org/adelie/packages/-/issues/268
Updated: 2022-02-02T02:03:44Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 268 |
| Alias(es) | CVE-2020-1967 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-21 11:45:07 -0500 |
| Modified | 2020-05-05 01:19:09 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-1967 |
## Description
> Server or client applications that call the SSL_check_chain() function
> during or after a TLS 1.3 handshake may crash due to a NULL pointer
> dereference as a result of incorrect handling of the
> "signature_algorithms_cert" TLS extension. The crash occurs if an
> invalid or unrecognised signature algorithm is received from the peer.
> This could be exploited by a malicious peer in a Denial of Service
> attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by
> this issue. This issue did not affect OpenSSL versions prior to
> 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

Milestone: 1.0-BETA3

# user/php7: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/267
Updated: 2022-10-22T00:01:00Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 267 |
| Alias(es) | CVE-2019-11048, CVE-2020-28948, CVE-2020-28949, CVE-2020-7067, CVE-2020-7068, CVE-2020-7069, CVE-2020-7070 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-20 18:55:36 -0500 |
| Modified | 2020-11-24 17:44:39 -0600 |
| Status | UNCONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / minor |
| Package(s) | user/php7 |
## Description
> If ``CHARSET_EBCDIC`` is defined (usually, on systems with EBCDIC
> encoding support), an Out-of-Bounds read can occur using a malformed
> url-encoded string.
Fixed in >= 7.4.5:
http://git.php.net/?p=php-src.git;a=commitdiff;h=9d6bf8221b05f86ce5875832f0f646c4c1f218be;hp=14fcc813948254b84f382ff537247d8a7e5e0e62
Since we are not an EBCDIC system, low priority to fix.

Milestone: 1.0-BETA3

# user/openvpn: CVE-2020-11810: clients can kill each other's sessions via false client floating
https://git.adelielinux.org/adelie/packages/-/issues/265
Updated: 2022-02-02T02:03:51Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 265 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-17 09:31:27 -0500 |
| Modified | 2020-04-19 00:54:45 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://community.openvpn.net/openvpn/ticket/1272 |
## Description
> One client can effectively stop VPN traffic of another client by
> 'client float' mechanism in case of reuse peer_id. This allows
> disrupting service of a freshly connected client that has not yet
> negotiated session keys. The vulnerability cannot be used to inject or
> steal VPN traffic.
Fixed in >= 2.4.9.

Milestone: 1.0-BETA3

# user/mate-panel: 1.24.0 MATE clock panel applet crashes when attempting to add a Location
https://git.adelielinux.org/adelie/packages/-/issues/264
Updated: 2023-05-05T13:40:45Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 264 |
| Reporter | Max Rees (sroracle) |
| Assignee | Kiyoshi Aman |
| Reported | 2020-04-15 19:41:26 -0500 |
| Modified | 2020-06-22 06:12:03 -0500 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / Intel x86 (32-bit) |
| Importance | --- / normal |
| Package(s) | user/mate-panel |
## Description
I'll try to get a backtrace on this later, but as soon as attempting to save a new Location in the preferences for the MATE clock panel applet on pmmx, the applet crashes and the panel prompts the user to either reload or remove the applet.

Milestone: 1.0-BETA3

# MATE SDDM session should launch via ck-launch-session
https://git.adelielinux.org/adelie/packages/-/issues/263
Updated: 2020-04-19T05:56:23Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 263 |
| Reporter | Max Rees (sroracle) |
| Assignee | Kiyoshi Aman |
| Reported | 2020-04-15 19:38:42 -0500 |
| Modified | 2020-04-19 00:56:23 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
As discussed on IRC. Just need to change Exec= to ck-launch-session mate-session in the SDDM session file, and add consolekit2 to the package depends (it's already pulled in from lower in the dep tree, but better to be explicit).
The session file should probably be moved from mate-desktop to mate-complete, and all the changes made there.

Milestone: 1.0-BETA3

# user/mesa: 19.3.4-r0 causes crash during VLC playback
https://git.adelielinux.org/adelie/packages/-/issues/262
Updated: 2023-05-05T13:38:01Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 262 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 19:23:43 -0500 |
| Modified | 2020-06-22 06:11:10 -0500 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / Intel x86 (32-bit) |
| Importance | --- / normal |
| Package(s) | user/mesa |
| See also | https://bts.adelielinux.org/show_bug.cgi?id=261 |
## Description
**Created [attachment 24](/uploads/55ddb2fb6d9ffce92450f7f28d6454c1/mesa19-vlc-pmmx.txt)**
gdb backtrace for VLC + Mesa 19 on pmmx
When playing a video using VLC on pmmx with mesa 19, a segfault occurs in the gallium i915 driver. This is a regression from mesa 18 (BETA4), similar to bug #261.
Backtrace is attached.

Milestone: 1.0-BETA3

# user/firefox-esr seccomp is blocking membarrier
https://git.adelielinux.org/adelie/packages/-/issues/261
Updated: 2021-05-12T03:19:45Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 261 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 19:19:48 -0500 |
| Modified | 2020-05-19 22:33:41 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / Intel x86 (64-bit) |
| Importance | --- / normal |
| See also | https://bts.adelielinux.org/show_bug.cgi?id=262 |
## Description
When loading any WebGL content in Firefox on x86_64, the tab instantly crashes. This is a regression between 18.3.6-r0 (BETA4) and 19.3.4-r0 (RC1) - downgrading all mesa subpackages to 18.3.6-r0 (and xf86-video-intel to its respective BETA4 version) causes the issue to go away.
I don't know how to debug a low level problem like this in Firefox. Since the tab immediately crashes and we don't ship Firefox with any of the crashpad/breakpad things, I'm not sure if there even is a way to debug it.
Based on the demo at [1], I think the crash happens as soon as the WebGL context is created:
> var gl = canvas.getContext("webgl")
> || canvas.getContext("experimental-webgl");
This means that even trying to *detect* WebGL will crash the tab.
"Workaround" is to set webgl.disabled = true in about:config.
[1] https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API/By_example/Detect_WebGL

Milestone: 1.0-BETA3

# system/git: CVE-2020-5260: malicious URLs may cause Git to present stored credentials to the wrong server
https://git.adelielinux.org/adelie/packages/-/issues/259
Updated: 2022-02-02T02:04:00Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 259 |
| Alias(es) | CVE-2020-5260 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 18:00:06 -0500 |
| Modified | 2020-04-19 00:53:57 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-5260 |
## Description
CVE-2020-5260: https://nvd.nist.gov/vuln/detail/CVE-2020-5260
> Affected versions of Git have a vulnerability whereby Git can be
> tricked into sending private credentials to a host controlled by an
> attacker. Git uses external "credential helper" programs to store and
> retrieve passwords or other credentials from secure storage provided
> by the operating system. Specially-crafted URLs that contain an
> encoded newline can inject unintended values into the credential
> helper protocol stream, causing the credential helper to retrieve the
> password for one server (e.g., good.example.com) for an HTTP request
> being made to another server (e.g., evil.example.com), resulting in
> credentials for the former being sent to the latter. There are no
> restrictions on the relationship between the two, meaning that an
> attacker can craft a URL that will present stored credentials for any
> host to a host of their choosing. The vulnerability can be triggered
> by feeding a malicious URL to git clone. However, the affected URLs
> look rather suspicious; the likely vector would be through systems
> which automatically clone URLs not visible to the user, such as Git
> submodules, or package systems built around Git. The problem has been
> patched in the versions published on April 14th, 2020, going back to
> v2.17.x. Anyone wishing to backport the change further can do so by
> applying commit 9a6bbee (the full release includes extra checks for
> git fsck, but that commit is sufficient to protect clients against the
> vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4,
> 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
See also https://www.openwall.com/lists/oss-security/2020/04/15/5
Resolution will be bumping to 2.25.3.

Milestone: 1.0-BETA3

# user/thunderbird: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/258
Updated: 2020-04-19T05:52:45Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 258 |
| Alias(es) | CVE-2020-6819, CVE-2020-6820, CVE-2020-6821, CVE-2020-6822, CVE-2020-6825 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-14 15:08:55 -0500 |
| Modified | 2020-04-19 00:52:45 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/ |
## Description
CVE-2020-6819:
> Under certain conditions, when running the nsDocShell destructor, a
> race condition can cause a use-after-free.
CVE-2020-6820:
> Under certain conditions, when handling a ReadableStream, a race
> condition can cause a use-after-free.
CVE-2020-6821:
> When reading from areas partially or fully outside the source resource
> with WebGL's copyTexSubImage method, the specification requires the
> returned values be zero. Previously, this memory was uninitialized,
> leading to potentially sensitive data disclosure.
CVE-2020-6822:
> On 32-bit builds, an out of bounds write could have occurred when
> processing an image larger than 4 GB in GMPDecodeData. It is possible
> that with enough effort this could have been exploited to run
> arbitrary code.
CVE-2020-6825:
> Mozilla developers Tyson Smith and Christian Holler reported memory
> safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these
> bugs showed evidence of memory corruption and we presume that with
> enough effort some of these could have been exploited to run arbitrary
> code.

Milestone: 1.0-BETA3

# user/cyrus-sasl: CVE-2019-19906: OpenLDAP crash via malformed packet
https://git.adelielinux.org/adelie/packages/-/issues/257
Updated: 2022-02-02T02:04:06Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 257 |
| Alias(es) | CVE-2019-19906 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-06 18:10:15 -0500 |
| Modified | 2020-04-19 00:52:10 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-19906 |
## Description
> cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading
> to unauthenticated remote denial-of-service in OpenLDAP via a
> malformed LDAP packet. The OpenLDAP crash is ultimately caused by an
> off-by-one error in _sasl_add_string in common.c in cyrus-sasl.
https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1

Milestone: 1.0-BETA3

# system/check: requires user/patchutils for reproducible builds
https://git.adelielinux.org/adelie/packages/-/issues/255
Updated: 2023-01-05T19:27:26Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 255 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2020-04-04 23:42:29 -0500 |
| Modified | 2020-06-22 06:12:30 -0500 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | system/check |
## Description
This would require us to move user/patchutils to system/.

Milestone: 1.0-BETA3

# user/gnutls: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/254
Updated: 2020-06-15T21:38:59Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 254 |
| Alias(es) | CVE-2020-11501, CVE-2020-13777 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:29:36 -0500 |
| Modified | 2020-06-15 16:38:59 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
> GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The
> earliest affected version is 3.6.3 (2018-07-16) because of an error in
> a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead
> of a random value, and thus contributes no randomness to a DTLS
> negotiation. This breaks the security guarantees of the DTLS protocol.

Milestone: 1.0-BETA3

# user/jasper: multiple vulnerabilities
https://git.adelielinux.org/adelie/packages/-/issues/253
Updated: 2022-11-13T06:54:43Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 253 |
| Alias(es) | CVE-2016-9398, CVE-2016-9399, CVE-2017-13746, CVE-2017-13748, CVE-2017-13750, CVE-2017-13751, CVE-2017-14132, CVE-2017-14232, CVE-2017-5499, CVE-2017-5503, CVE-2017-5504, CVE-2017-5505, CVE-2017-6851, CVE-2017-9782, CVE-2018-18873, CVE-2018-19139, CVE-2018-19540, CVE-2018-19541, CVE-2018-19543, CVE-2018-20570, CVE-2018-20622, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:18:15 -0500 |
| Modified | 2020-10-30 22:37:34 -0500 |
| Status | IN_PROGRESS |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/jasper |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2017-14232 |
## Description
> The read_chunk function in flif-dec.cpp in Free Lossless Image Format
> (FLIF) 0.3 allows remote attackers to cause a denial of service
> (invalid memory read and application crash) via a crafted flif file.

Milestone: 1.0-BETA3

# user/net-snmp: CVE-2015-8100: weak permissions on /etc/snmp/snmpd.conf
https://git.adelielinux.org/adelie/packages/-/issues/252
Updated: 2022-02-02T02:04:13Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 252 |
| Alias(es) | CVE-2015-8100 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:15:53 -0500 |
| Modified | 2020-06-10 15:36:29 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2015-8100 |
## Description
> The net-snmp package in OpenBSD through 5.8 uses 0644 permissions for
> snmpd.conf, which allows local users to obtain sensitive community
> information by reading this file.

Milestone: 1.0-BETA3

# user/py3-pyyaml: CVE-2020-1747: full_load/FullLoader ACE
https://git.adelielinux.org/adelie/packages/-/issues/251
Updated: 2022-02-02T02:04:20Z
Author: Emily

| | |
| --- | --- |
| Bugzilla ID | 251 |
| Alias(es) | CVE-2020-1747 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:13:06 -0500 |
| Modified | 2020-06-15 16:39:00 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-1747 |
## Description
> A vulnerability was discovered in the PyYAML library in versions
> before 5.3.1, where it is susceptible to arbitrary code execution when
> it processes untrusted YAML files through the full_load method or with
> the FullLoader loader. Applications that use the library to process
> untrusted input may be vulnerable to this flaw. An attacker could use
> this flaw to execute arbitrary code on the system by abusing the
> python/object/new constructor.

Milestone: 1.0-BETA3