2021-08-03 08:48:28 so tehre is a CVE in apk-tools? https://snyk.io/vuln/SNYK-ALPINE310-APKTOOLS-1534688 2021-08-03 08:48:53 it means that we need to tag a release for all stable branches 2021-08-03 08:50:52 oh, yes 2021-08-03 08:50:58 i need to follow up with the CVE team 2021-08-03 08:51:05 who i told to declassify that like a week ago 2021-08-03 08:51:48 ACTION mutters things about the CVE team :) 2021-08-03 18:17:09 Ariadne, ncopa: the CVE fix has an issue 2021-08-03 18:17:26 will need to patch it 2021-08-03 18:20:53 :( 2021-08-03 18:21:01 is the issue also needing a CVE? 2021-08-03 18:22:51 the number conversion is broke :/ I don't know how that slipped through 2021-08-03 18:22:58 parseuint needs: 2021-08-03 18:22:59 + else d = tolower(ch) - 'a' + 10; 2021-08-03 18:22:59 - else d = tolower(ch - 'a'); 2021-08-03 18:23:27 it affects only chunked http requests 2021-08-03 18:38:01 i'm committing that and making new releases 2021-08-03 19:00:04 ah, so that was the I/O Error bug reported by zacksiri 2021-08-04 09:37:51 ok, i will work on getting a new release out 2021-08-04 09:41:46 duncaen is okay with adding /etc/doas.d support btw 2021-08-04 09:41:58 thats great 2021-08-04 09:42:19 i'm more in favor of `update-doas-conf` since its more predictable 2021-08-04 09:42:21 but, 2021-08-04 09:42:23 i'll do it 2021-08-04 09:42:33 if it sucks, we can always do `update-doas-conf` :) 2021-08-04 09:45:31 so apk-tools 2.12.7 is the thing we need to push? 2021-08-04 09:46:06 seems so. ok 2021-08-04 09:47:35 yes, and 2.10.8 2021-08-05 10:10:07 https://ariadne.space/2021/08/04/bits-relating-to-alpine-security-initiatives-in-july/ :) 2021-08-05 10:44:38 \o/ 2021-08-05 11:15:20 the war on sudo, it will be more successful than the war on drugs 2021-08-05 11:17:26 Privilege escalation is a capital crime 2021-08-05 11:19:01 agreed 2021-08-05 11:19:06 escalating/pivoting sucks unless you're an attacker 2021-08-05 11:20:23 Ariadne: that's a low bar. 2021-08-05 11:21:04 always set low bars, that way you’re happy when it exceeds your expectations 2021-08-05 11:23:39 I'm wondering if it would make sense to recommend `apk-cron` in a more prominent way 2021-08-05 11:27:12 personally, i'm happy as long as sticking to sudo is still a possibility 2021-08-05 11:27:50 It's kept in community 2021-08-05 11:28:07 (will be) 2021-08-05 11:55:55 unlike the ACA’s errant promise of “we won’t screw up your health insurance”, you can keep sudo if you want it 2021-08-05 11:57:17 Ariadne: come to .eu ♥ 2021-08-05 11:57:46 ah yes, where i can choose from 27 countries that don’t actually want me :p 2021-08-05 11:58:34 oh 2021-08-05 12:25:51 i dunno if that’s true or not but that seems to be the vibe 2021-08-05 12:26:27 well, it also work the other way around 2021-08-05 12:44:05 it's a bit OT but most probably don't give much of a shit unless you're a convicted felon or terrorist 2021-08-05 12:46:32 not that it really matters, since not a lot of people in .eu want to go to the USA anyway :P 2021-08-05 12:48:24 fair point, many of the other europeans i know actively avoid it 2021-08-05 21:38:48 one of my former co-workers was in prison for some time while he was living in in north america and was still allowed to move to Germany 2021-08-06 09:46:37 Ariadne: I'm working with the OSV people. They told me that they'll followup on the url disagreement :) 2021-08-06 10:33:31 https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ 2021-08-06 10:34:28 two high severity vulnerabilities (and one low) 2021-08-06 12:32:58 jvoisin: good, more people talking about this will help :) 2021-08-06 16:03:50 ACTION headdesks over the followup 2021-08-06 16:18:35 jvoisin: the OSV people just fundamentally don't get it. 2021-08-06 16:18:55 you can't replace CVE with a marginally better, but still closed, system 2021-08-06 16:18:58 that's not what people want 2021-08-06 16:30:24 oh 2021-08-06 16:30:30 yeah, I think this is the Google way™ 2021-08-06 16:30:36 monopoly all the way 2021-08-06 16:30:47 sigh 2021-08-06 16:31:59 !23072 !23073 !23074 !23075 2021-08-06 16:40:09 everybody else i've ran through this with 2021-08-06 16:40:15 understands 2021-08-06 16:40:20 immediately 2021-08-06 16:40:30 the whole benefit of allowing URIs to be a first class citizen here 2021-08-06 16:41:20 It's difficult to get someone to understand something if their salery depends on not understanding it 2021-08-06 16:41:43 indeed 2021-08-06 16:43:48 jvoisin: i don't think UVI folks are very swayed by the OSV team's argument, really 2021-08-06 16:44:38 yeah, I'm trying to convince my coworkers 2021-08-06 16:44:52 but their needs, inside Google, are different than the ones from people outside of Google 2021-08-06 16:45:24 "well, we're doing all this enrichment at OSV" 2021-08-06 16:45:26 great! 2021-08-06 16:45:34 but wouldn't it be neat if others could do it too? 2021-08-06 16:45:43 "well, we can add their database to the schema" 2021-08-06 16:45:55 what if you decide not to, but alpine decides to trust that database? what then? 2021-08-06 16:46:34 i find it ironic that Google, the company that became a trillion dollar company by building a web search engine, does not understand the potential here 2021-08-06 16:47:30 it's frustrating. i am sure we will get there eventually 2021-08-06 16:47:34 or we'll just fork OSV 2021-08-06 16:47:37 haha 2021-08-06 16:48:12 :D 2021-08-06 16:52:08 like, this is 90 fucking percent 2021-08-06 16:52:10 of what we need 2021-08-06 16:52:15 if they would just let URIs be a thing 2021-08-06 16:52:19 it would be 100% 2021-08-06 16:52:27 so frustrating 2021-08-06 16:52:35 i think it is because, they intend to monetize OSV 2021-08-06 16:52:42 there's talk about API keys and stuff 2021-08-06 16:53:03 ugh 2021-08-06 16:55:31 I suppose this isn't about the christian website Our Sunday Visitor 2021-08-06 16:56:01 https://github.com/google/osv 2021-08-06 16:56:21 thanks 2021-08-06 16:57:11 specifically, https://github.com/ossf/osv-schema/ 2021-08-06 16:57:23 which google strongarmed this spec through OpenSSF 2021-08-06 16:57:43 they want MITRE to adopt it, even though MITRE wants URIs to be a first-class citizen 2021-08-06 16:58:03 i predict that we will get OSV with URIs as a first-class citizen as part of CVE5 2021-08-06 17:01:22 hahahaha 2021-08-06 17:01:28 kurt basically ignored oliver 2021-08-06 17:01:29 love it 2021-08-07 12:28:33 Plain-text password leak through SNI in lynx: https://www.openwall.com/lists/oss-security/2021/08/07/5 2021-08-07 12:32:24 https://www.openwall.com/lists/oss-security/2021/08/07/1 2021-08-07 13:19:04 that's lynx-specific though 2021-08-07 14:06:46 i fixed it 2021-08-07 14:06:48 well "fixed" 2021-08-07 14:07:03 it turns out lynx does not know http://foo:bar@baz/ URIs at all 2021-08-07 14:07:19 so, i defanged it 2021-08-07 15:02:59 hm, so lynx is a browser with only partial url support? :/ 2021-08-07 15:07:34 :D 2021-08-07 15:07:48 yes, seems so 2021-08-07 19:16:06 Assigned CVE-2021-38165 2021-08-07 20:28:11 switched to upstream's fix, even though it is crappier :D 2021-08-07 20:28:29 I just saw it 2021-08-07 20:28:30 i was admittedly not confident that upstream still existed for lynx :P 2021-08-07 20:28:34 :D 2021-08-07 20:28:36 maybe we should move it to community 2021-08-09 14:29:46 CVE anounced for c-ares for tomorrow 2021-08-09 14:40:30 :D 2021-08-09 14:47:13 Embargoes are nice :P 2021-08-09 15:30:09 especially when they fall off the truck and into our mailbox? 2021-08-09 15:34:03 ahuh 2021-08-09 15:37:51 Ariadne: but I do not assume that has happened, or did it? 2021-08-09 15:38:35 it does from time to time with linux-distros 2021-08-09 15:39:17 but not in case of c-ares :) 2021-08-09 23:23:15 jvoisin: the conclusion we've made on the UVI side is trying to compromise with the OSV guys on linked data enrichment is probably just going to result in a data format that is crap for everyone to use 2021-08-09 23:24:11 jvoisin: so, we want to push OSV as being like the RSS of vulnerability data formats, meanwhile we will build something that is more appropriate for federated vulnerability data aggregation that can be trivially converted to OSV 2021-08-10 01:25:41 hahahahaha 2021-08-10 01:25:45 now OSV wants to do JSON-LD 2021-08-10 04:26:35 lol 2021-08-10 06:36:53 just curious, how is that stuff relevant to alpine? 2021-08-10 06:37:57 the data formats, exchanging, federation and all that 2021-08-10 07:13:53 Google has been trying to give the OpenSSF the OSV schema because GitHub put it down as a requirement for adopting it. 2021-08-10 07:13:58 I love politics 2021-08-10 07:54:42 https://www.openwall.com/lists/oss-security/2021/08/10/1 CVE-2021-3672 2021-08-10 09:28:37 Ariadne: yeah, they really like json-ld :/ 2021-08-10 09:28:39 like, a lot 2021-08-10 15:08:28 danieli: it’s relevant for one reason: other security teams want to send us what versions contain fixes to CVEs and vice versa 2021-08-10 15:10:40 right now, that information is shared but you have to go looking for it by hand. the goal is to change that so that security teams have that information up front 2021-08-10 16:15:50 sounds like you'll have to fix the whole world before getting any benefits from it, which kinda sucks 2021-08-10 16:16:58 Someone needs to start 2021-08-10 18:55:30 danieli: yes, which i mean, alpine has done that before :P 2021-08-10 18:56:16 security in FOSS projects should work like all other aspects of a FOSS project 2021-08-10 18:56:29 but right now, we live in a security world designed for proprietary vendors 2021-08-10 19:27:47 Ariadne: question about c-ares patching: For 3.12 and 3.11, we need to apply a patch, because only the latest version is fixed upstream. I can either apply a patch, or just upgrade from 1.15 / 1.16 to 1.17 2021-08-10 19:28:20 soname changed from 2.3.0 / 2.4.0 to 2.4.2 2021-08-10 19:28:27 i would backport 2021-08-10 19:28:33 i can work on it if you want 2021-08-10 19:28:37 No, I already have it 2021-08-10 19:28:41 ok 2021-08-10 19:28:55 ncopa in the past mentioned that he preferred upgrading 2021-08-10 19:29:04 for the 2.3.0, we should backport 2021-08-10 19:29:07 well 2021-08-10 19:29:09 hmm 2021-08-10 19:29:13 https://abi-laboratory.pro/index.php?view=timeline&l=c-ares 2021-08-10 19:29:27 yeah 2021-08-10 19:29:32 just go ahead and upgrade 2021-08-10 19:29:35 no rebuilds should be needed 2021-08-10 19:29:42 yeah, that's what I was thinking as well 2021-08-10 19:29:56 Ok, will do 2021-08-11 15:15:17 maybe stupid suggestion of the day: http://nginx.org/en/docs/dev/development_guide.html#debug_memory 2021-08-11 15:15:27 to make nginx use musl's memory allocator 2021-08-11 15:15:46 instead of its weird homebrewed, performance-oriented, poorly-secured, allocator 2021-08-11 15:17:03 jvoisin: are there benchmarks for it? I'd be curious to know how much more secure it even is :D 2021-08-11 15:17:10 *more performant 2021-08-11 15:18:52 I don't think that anyone benched it 2021-08-11 15:27:24 CVE-2021-20314: Remote stack buffer overflow in libspf2 2021-08-11 15:27:47 https://www.openwall.com/lists/oss-security/2021/08/11/6 2021-08-11 15:33:01 sigh, they say 1.2.11 has been released, but it's not available yet (they point to a github repo without any tags) 2021-08-11 15:33:47 Oh well, then we'll use the patch 2021-08-11 15:35:51 i was just looking at that too 2021-08-11 15:36:06 oh 2021-08-11 15:36:11 how far are you? 2021-08-11 15:36:53 was about to push to edge 2021-08-11 15:37:24 ok, then go ahead 2021-08-11 15:38:51 sec, i need to rebase 2021-08-11 17:04:56 jvoisin: seems like a reasonable idea to me, but i don't want to change it without the OK of whoever maintains nginx in alpine 2021-08-11 17:05:25 jirutka 2021-08-11 19:53:23 i talked to jirutka about it, he wants to see benchmarks and would prefer upstream have a more official option to turn off the malloc 2021-08-11 20:32:35 Ariadne: does he plan to discuss this with upstream? If so, I can help, but I'm unsure about doing everything by myself 2021-08-11 20:32:57 maybe we can open an issue to discuss it 2021-08-11 20:39:27 please do <3 2021-08-11 20:39:58 (the idea came up because of https://github.com/google/oss-fuzz/pull/6199 ) 2021-08-11 20:41:46 Details are kind of missing 2021-08-11 20:42:13 yeah that's a terrible commit 2021-08-11 20:42:17 Just "change alocator".. 2021-08-11 20:42:25 and wouldn't fuzzing the nginx allocator itself also have value? 2021-08-11 20:42:43 well, it was discussed internally 2021-08-11 20:42:53 I agree that the commit message isn't clear 2021-08-11 20:43:06 the nginx' allocator just alloc a huge area 2021-08-11 20:43:11 and does its magic in it 2021-08-11 20:43:28 so ASAN won't be able to find anything corrupted in memory managed by the allocator 2021-08-13 09:31:24 I think we need to move polipo to unmaintained. It's in testing, no maintainer, and multiple vulns reported 2021-08-13 09:33:20 sorry, a single CVE, but still 2021-08-13 09:33:22 CVE-2020-36420. 2021-08-13 09:33:58 https://github.com/jech/polipo upstream is dead as well 2021-08-13 09:34:59 yes 2021-08-13 09:35:08 forgot to mention that 2021-08-15 15:39:37 hi, I'm trying to exploit the problem that I mentioned in this MR 2021-08-15 15:39:55 !24261 2021-08-15 15:40:45 trying to modify su source code for init pam as autologin, I'm able to get this 2021-08-15 15:40:48 Aug 15 17:37:50 localhost authpriv.info su[2253]: Successful su for root by donoban 2021-08-15 15:40:54 without asking any password 2021-08-15 15:41:09 altought later fails due Aug 15 17:37:50 localhost authpriv.err su[2253]: bad group ID `0' for user `root': Operation not permitted 2021-08-15 15:41:22 I think that it can be exploited with not too much effort 2021-08-15 15:42:01 modifiying pam policy it fails as expected 2021-08-15 15:42:07 Aug 15 17:38:54 localhost authpriv.warn su[2448]: pam_authenticate: Authentication failure 2021-08-15 16:04:46 well maybe is not really a problem, but pam_rootok seems better option 2021-08-15 16:08:06 > PAM 2021-08-15 16:08:13 > exploited with not too much effort 2021-08-15 16:08:21 :P 2021-08-15 16:09:58 well, now think that is not so dangerous, altough you can trick PAM to think you have root credentials, your process still run as your normal user 2021-08-15 22:44:00 https://www.postgresql.org/about/news/postgresql-weekly-news-august-15-2021-2282/ 2021-08-15 22:44:07 guess we will need to do postgresql upgrades 2021-08-16 04:52:52 !24277 !24278 !24279 !24280 !24281 2021-08-16 09:57:42 !24262 2021-08-16 18:43:12 i did GNU grep upgrade backports because i consider the regression in 3.5/3.6 to be a security issue 2021-08-16 18:53:42 aha 2021-08-17 06:39:03 hi all. Dunno if this has already been discussed, but CVE-2021-33909 hits alpine too? 2021-08-17 06:39:17 Lookign at linux-lts, this commit is not applied: 2021-08-17 06:39:17 https://github.com/torvalds/linux/commit/8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b 2021-08-17 06:39:27 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909 2021-08-17 06:40:29 linux-lts edge. We're on 5.10.x, so we are affected. 2021-08-17 06:43:01 there's an exploit ready too: https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-crasher.c 2021-08-17 06:43:34 So we manually need to backport it? 2021-08-17 06:44:00 Funny they have a function (or macro) called unlikely 2021-08-17 06:44:15 yes 2021-08-17 06:44:28 and also quite quickly... 2021-08-17 06:45:29 ncopa: ^? 2021-08-17 06:49:38 umh, nah. looks that linux-lts in edge has already this patch (dunno why i saw the contrary)... 2021-08-17 06:50:11 perhaps we need to check the stable versions 2021-08-17 06:51:12 I did saw ncopa upgrade the kernel yesterday 2021-08-17 06:51:20 also on 3.14-stable 2021-08-17 06:51:45 rnarld updated 3.13-stable 2021-08-17 06:51:58 and 3.12-stable 2021-08-17 06:52:10 there's no reference to CVE-2021-33909 though 2021-08-17 06:52:26 I think that this was something worthy to mention 2021-08-17 06:54:55 ok for 5.10.x, kenrels >5.10.52 are fixed 2021-08-17 06:54:57 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=174c34d9cda1b5818419b8f5a332ced10755e52f 2021-08-17 06:55:41 that is the commit and the next one has tagged the 5.10.52 release 2021-08-17 07:11:36 ok the first vulnerable alpine ver is 3.11 2021-08-17 07:11:37 https://pkgs.alpinelinux.org/packages?name=linux-lts&branch=v3.11 2021-08-17 07:11:48 has kernel 5.4.111 2021-08-17 07:11:51 right, so the only one that was not updated yet 2021-08-17 07:12:12 while the patch has been merged starting from 5.4.134 2021-08-18 02:45:01 fcolista: we don't track kernel CVEs 2021-08-18 02:45:23 there's way too many of them 2021-08-18 06:45:12 good to know...anyway this is scored as HIGH. Perhaps this kind of issue are worthy to be tracked? 2021-08-18 07:57:07 the kernel community don't want CVEs to be assigned to the kernel 2021-08-18 07:57:22 that's part of how all of this linked data stuff i've been talking about got started 2021-08-18 07:57:32 they want the whole thing to be automated, based on git commit messages 2021-08-18 07:57:33 gregkh has a nice talk about it 2021-08-18 07:57:45 His proposal is to use git commit hashes as identifiers 2021-08-18 07:57:54 yep 2021-08-18 07:58:09 that's the system that is being bikeshedded right now :P 2021-08-18 07:58:13 heh 2021-08-18 07:58:56 basically 'every bug is a potential security issue' 2021-08-18 07:59:39 thats the idea behind UVI, actually -- to build infrastructure to track every single issue 2021-08-18 08:00:16 it will be exciting once it starts to roll out :P 2021-08-18 08:12:14 thank you for the explanation guys 2021-08-18 14:18:08 https://nvd.nist.gov/vuln/detail/CVE-2021-36159 CPE -> libfetch :( 2021-08-18 14:18:24 so security.a.o does not pick it up for apk-tools 2021-08-18 17:27:12 it also says freebsd in the cpe 2021-08-18 17:28:31 yes, which is not incorrect, because that's the origin of libfetch. It would just need another CPE for apk-tools 2021-08-18 18:14:24 Vulnerability in BIND: https://kb.isc.org/docs/cve-2021-25218 2021-08-18 18:17:44 ikke: it might be interesting to allow maintainers to specify CPE patterns to match in APKBUILD 2021-08-18 19:37:59 someone already working on bind? 2021-08-18 19:41:21 i'm trying to make my x86 machine be an x86 machine again 2021-08-18 19:41:44 Is it pretending to be something else? 2021-08-18 19:42:28 it died, it is kind of resuscitated, but quite insistent on having a battery present 2021-08-18 19:42:42 i'm locked to 633mhz cpu speed until a new battery arrives 2021-08-18 19:45:00 that's kinda oof 2021-08-18 19:59:51 now i'm dealing with the midipix script kiddies 2021-08-18 20:00:20 i am glad we do not depend on any software from that person or his associates 2021-08-18 20:06:22 !24369 !24370 !24371 !24372 !24373 2021-08-18 20:56:20 All have been merged 2021-08-18 21:05:05 thanks 2021-08-19 07:51:14 CVE-2021-36770 affecting perl: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12929 (Someone requests to patch perl) 2021-08-19 08:07:12 only for edge, it seems 2021-08-20 00:24:18 !24325 2021-08-20 04:55:09 done 2021-08-21 15:22:06 oof, latest version of BIND (to address a CVE) forgot to increment an internal API version, which can lead to assertion errors when loading older versions of zone files 2021-08-21 15:28:48 ref? 2021-08-21 15:29:43 Sorry, forgot 2021-08-21 15:29:46 https://www.openwall.com/lists/oss-security/2021/08/20/2 2021-08-21 15:30:14 Need to patch back to 3.11 2021-08-21 16:33:54 sigh, BIND9 is a shitshow :/ 2021-08-22 20:29:07 i haven't used BIND in ages 2021-08-22 20:29:12 powerdns is just so much better 2021-08-23 15:56:36 bdb: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11757#note_176288 2021-08-23 16:51:25 lol 2021-08-23 16:51:38 this is why i hate bdb and why i want it to die 2021-08-23 16:51:44 bdb 5 is not vulnerable 2021-08-23 16:51:50 only the rewrite is 2021-08-24 10:51:10 our package signing keys are currently 2048 bit rsa, would it maybe make sense to upgrade to 4096 bit rsa before we setup the 3.15 builders? 🤔 2021-08-24 10:51:25 ncopa: ^ 2021-08-24 14:47:38 sound like an item for tsc? 2021-08-24 14:51:14 nmeum: makes sense. i think we can just go ahead and just do it 2021-08-24 15:02:13 yeah, I don't think that it needs to be discussed with the tsc 2021-08-24 15:08:18 Me neither 2021-08-25 08:39:32 request to backport CVE-2013-0340 to 3.13: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12946 2021-08-25 08:39:34 for expat 2021-08-25 08:39:49 https://security.alpinelinux.org/vuln/CVE-2013-0340 does not match expat (cpe is about libexpat) 2021-08-25 15:23:58 says expat 2.1.0 and earlier 2021-08-25 15:30:18 hum indeed seems like they fixed it in expat 2.4 something 2021-08-25 15:43:39 openembedded seems to have a patch https://www.mail-archive.com/openembedded-core@lists.openembedded.org/msg150074.html 2021-08-25 17:46:29 not a small patch.. 2021-08-25 19:00:02 !24571 2021-08-25 19:40:56 omni: the commit just talks about secfixes, but you are changing the upstream commit as well? 2021-08-25 21:22:03 ikke: I just changed the comment to be more accurate, the qtwebengine repo is often lagging a bit when it comes to updates to the qtwebengine-chromium repo 2021-08-25 21:23:42 but generally this is how we've done security updates for that aport since earlier this year 2021-08-25 21:24:59 But the hash actually changes? Is this an update as well? 2021-08-25 21:25:09 it's up to PureTryOut, I think, to decide if qtwebengine should be updated, for some reason they decided to stay on 5.15.3 I think 2021-08-25 21:25:53 ikke: the _chromium_commit hash? that is the latest from the 87-based branch of the qtwebengine-chromium repo 2021-08-25 21:26:29 -chromium_commit="6ed7e70372bf6ea56674eb464eef5ba7591a274e" 2021-08-25 21:26:30 +_chromium_commit="9f71911e38c041cedc5291c5e772b7d03ce8b8c8" 2021-08-25 21:26:35 yes 2021-08-25 21:27:21 it's "just" the chromium part that is updated, with backported secfixes and whatnot 2021-08-25 21:28:13 the secfixes subject implies that you just update the secfixes comments, but this is an actual upgrade 2021-08-25 21:28:32 just of one component, ofcourse 2021-08-25 21:29:19 it's consistent with my previous five commits on the aport 2021-08-25 21:30:12 it's possible that it could be worded in another way but noone has said anything about it until now 2021-08-25 21:31:41 compare https://git.alpinelinux.org/aports/log/?qt=grep&q=secfixes 2021-08-25 21:33:30 so "community/qt5-qtwebengine: chromium security upgrade" would be better? 2021-08-25 21:34:16 yes 2021-08-25 21:36:09 ikke: there we go 2021-08-25 21:36:40 some builds will probably fail again, they're often either killed or timeout 2021-08-25 21:37:00 yeah, if it passed before, I'll just merge it 2021-08-25 21:37:10 thanks! 2021-08-25 21:37:49 I re-run the pipelines until they went through, which is often needed with this specific aport 2021-08-26 05:04:35 https://github.com/docker-library/official-images/pull/10779 2021-08-26 05:04:49 hooray this stupid alpine glibc thing is back 2021-08-26 05:09:16 i think i am going to aggressively make it clear this is a bad idea by putting a conflicts on glibc package 2021-08-26 05:20:45 fabled: what do you think about adding a conflicts against glibc in the musl package? or should we make it softer somehow 2021-08-26 05:53:26 !24647 implements a conflict on glibc and i have confirmed that it prohibits installation of alpine-glibc 2021-08-26 06:00:07 Yeah, that combination sounds horrible 2021-08-26 06:10:54 we've discussed it before, but now there is docker official images wanting to ship this combination 2021-08-26 06:10:59 i think it is time to be more assertive 2021-08-26 06:11:06 however, i've referred the issue to TSC 2021-08-26 06:13:25 Yes, noticed 2021-08-26 06:13:27 Seems people don't understand how horribly wrong things can go when you mix two different c libraries like that. I think the conflict is good. But I fear they just rename the glibc package. 2021-08-26 06:15:45 that's where the council needs to get involved and tell them to rename `alpine-glibc` project to something else 2021-08-26 06:15:59 people see `alpine-` in the name and assume it has our blessing 2021-08-26 10:09:05 I asked them to remove 'alpine' if they go ahead with it. https://github.com/docker-library/official-images/pull/10779#issuecomment-906240756 2021-08-29 10:56:39 fetchmail CVE-2021-39272: fetchmail fails to enforce an encrypted connection. Fixed in 6.4.22, which is not released yet. 2021-08-29 17:17:19 backport? 2021-08-29 17:17:49 I expect 6.4.22 to be released soon 2021-08-29 17:18:06 rc2 is already released 2021-08-29 17:21:43 rc3 too 2021-08-29 17:22:19 right, that probably just happened then 2021-08-29 17:22:38 think so too 2021-08-29 17:22:48 So I'd rather wait for the release, then we can upgrade all stable alpine releases to this new release 2021-08-29 17:28:25 I don't mind, glad you mentioned it 2021-08-29 17:32:43 reference: https://www.openwall.com/lists/oss-security/2021/08/27/3 2021-08-31 08:35:25 Report about 3.13-stable/main/poppler being vulnerable against CVE-2020-35376: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12962 2021-08-31 08:35:52 https://security.alpinelinux.org/vuln/CVE-2020-35376 says it's about xpdf, which was fixed 2021-08-31 14:58:57 kk 2021-08-31 16:31:36 ikke: i think jfrog is wrong 2021-08-31 16:33:58 ikke: poppler forked off of xpdf years ago, and its a much different codebase at this point (also that patch is unrelated) 2021-08-31 16:47:04 right 2021-08-31 21:05:49 nodejs security releases: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/ 2021-08-31 21:06:02 v12 and v14