1

Topic: [Hyperbola] Current security-threats overview

Hello all,

in this thread we would like to introduce an overview of currently reported threats and how they affect Hyperbola. We will start with a current report about a severe issue in newer versions of glibc:

CVE-2023-6779 (glibc): This vulnerability involves an off-by-one heap-based buffer overflow in the __vsyslog_internal() function.
CVE-2023-6780 (glibc): This is an integer overflow issue in the __vsyslog_internal() function.

Conclusion based also on this article as source: Hyperbola is not affected as our version of glibc is 2.30.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

2

Re: [Hyperbola] Current security-threats overview

CVE-2022-24300: Our minetest-version has patches for this reported issue.

CVE-2022-24301: Our minetest-version has patches for this reported issue.

CVE-2022-35978: Our minetest version does not have any patch for this reported issue. A backport would be possible and was tested; see the conclusion for further annotations.

Conclusion: As minetest is going in a completely different direction, Hyperbola has decided to no longer provide any packaged version. Ports done by the community are surely welcome, but minetest will no longer be part of the Hyperbola repositories.

3

Re: [Hyperbola] Current security-threats overview

CVE-2024-24806: Improper domain lookup that potentially leads to SSRF attacks.

Conclusion: We will update our libuv to comply!

4

Re: [Hyperbola] Current security-threats overview

CVE-2023-50387 and CVE-2023-50868: https://www.isc.org/blogs/2024-bind-security-release/, fixed in 9.16.48
(Thanks to heckyel for reporting!)

Conclusion: Package bind will be updated correspondingly!

5

Re: [Hyperbola] Current security-threats overview

CVE-2021-44847: A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network packets) allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.

Conclusion: Our version is not vulnerable.

6

Re: [Hyperbola] Current security-threats overview

CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-49285: Several security vulnerabilities have been discovered in Squid, a full-featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending a large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.

Conclusion: We will upgrade and patch our squid.

7

Re: [Hyperbola] Current security-threats overview

CVE-2023-29132: Irssi 1.3.x and 1.4.x before 1.4.4 has a use-after-free because of use of a stale special collector reference. This occurs when printing of a non-formatted line is concurrent with printing of a formatted line.

Conclusion: We upgrade our packaged version of irssi to 1.4.5.

8

Re: [Hyperbola] Current security-threats overview

CVE-2024-3094: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Conclusion: Our version of xz is not affected.
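
A small version-range triage helper, added here as an example and not Hyperbola's own tooling: it encodes the affected ranges exactly as the posts above on bind, toxcore, irssi and xz state them (for bind only the fix version is given, so that rule is simply "older than 9.16.48"; for xz the post says "starting with 5.6.0") and reports which CVEs cover a given installed version. The installed versions at the bottom are constructed sample input, not Hyperbola's real package list.

```python
import re

# Affected ranges as the thread states them (table constructed for this example):
# (package, CVE, lowest affected, upper bound, upper bound is inclusive).
# An upper bound of None means "every release from 'low' onward".
ADVISORIES = [
    ("toxcore", "CVE-2021-44847", "0.1.9", "0.1.11",  True),
    ("toxcore", "CVE-2021-44847", "0.2.0", "0.2.12",  True),
    ("irssi",   "CVE-2023-29132", "1.3.0", "1.4.4",   False),  # 1.3.x / 1.4.x before 1.4.4
    ("xz",      "CVE-2024-3094",  "5.6.0", None,      True),   # "starting with version 5.6.0"
    ("bind",    "CVE-2023-50387", "0",     "9.16.48", False),  # thread gives only the fix version
    ("bind",    "CVE-2023-50868", "0",     "9.16.48", False),
]

def parse_version(text):
    """'9.16.48' -> (9, 16, 48); '1.4.5-2' keeps only the numeric components."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def _cmp(a, b):
    """Three-way compare of version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def in_range(version, low, high, high_inclusive):
    """True when low <= version <= high (or < high if the bound is exclusive)."""
    v = parse_version(version)
    if _cmp(v, parse_version(low)) < 0:
        return False
    if high is None:
        return True
    c = _cmp(v, parse_version(high))
    return c <= 0 if high_inclusive else c < 0

def affected_cves(package, version):
    """CVE ids from ADVISORIES whose range covers this package version (deduplicated)."""
    hits = []
    for pkg, cve, low, high, inclusive in ADVISORIES:
        if pkg == package and cve not in hits and in_range(version, low, high, inclusive):
            hits.append(cve)
    return hits

def triage(installed):
    """installed: {package: version}. Returns {package: [cves]} for affected packages only."""
    return {pkg: cves for pkg, ver in installed.items() if (cves := affected_cves(pkg, ver))}

if __name__ == "__main__":
    # Constructed sample of installed versions, not a real Hyperbola package list.
    sample = {"toxcore": "0.2.12", "irssi": "1.4.5", "xz": "5.4.6", "bind": "9.16.47"}
    for pkg, cves in triage(sample).items():
        print(f"{pkg} {sample[pkg]}: affected by {', '.join(cves)}")
```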

9

Re: [Hyperbola] Current security-threats overview

More to read about the xz issue: https://boehs.org/node/everything-i-kno … z-backdoor

No, our libarchive is also not affected. Our version is from 2020; the versions suspected of containing commits that weaken security are from 2021 and beyond.

10

Re: [Hyperbola] Current security-threats overview

General annotation: The package dillo will be reworked, as the URL dillo.org is no longer under the control of the project team. Nevertheless the URL is widely used for that package and project. The project team has written a clear article about their perspective: https://dillo-browser.github.io/dillo.org.html

Also a direct note from us: Please always be careful. Surely we track the security issues and situation here. But it is also better to stay critical about packages from elsewhere: not necessarily with the sources first, but with websites for sure. This example is a light one, as there are mostly spam articles mixed into a WordPress blog now on dillo.org. But this can also be quite a bit more severe, for example when used as a honeypot, in that case just to collect metadata on visitors' first visit, or even more.

Conclusion: We will use the new address as soon as possible.