https://forum.alpinelinux.org/taxonomy/term/14 en https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/making-clamav-0993-r1-available-non-edge-repos <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Clamav 0.99.3-r1 has several security fixes: <br /><a href="http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html" rel="nofollow">http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html</a></p> <p>However, this package is only available in the edge repository for alpine distros. Are there plans to have this available in non-edge repos?</p> <p></p></div></div></div> Mon, 12 Feb 2018 17:14:00 +0000 rgutie01 19476 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/making-clamav-0993-r1-available-non-edge-repos#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/firefox-privacy-problem <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>turn off following configuration:</p> <p>Preferences &gt; Privacy &amp; Security &gt; Firefox Data Collection and Use</p> <p> Allow Firefox to install and run studies</p> <p><a href="https://sircmpwn.github.io/2017/12/16/Firefox-is-on-a-slippery-slope.html" rel="nofollow">https://sircmpwn.github.io/2017/12/16/Firefox-is-on-a-slippery-slope.html</a></p> <p><a href="https://news.ycombinator.com/item?id=15940144" rel="nofollow">https://news.ycombinator.com/item?id=15940144</a></p> <p><a href="https://github.com/MrAlex94/Waterfox" rel="nofollow">https://github.com/MrAlex94/Waterfox</a></p></div></div></div> Sun, 17 Dec 2017 19:48:38 +0000 mmix 19347 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/firefox-privacy-problem#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/need-help-erlang-inets-package <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Hi,</p> <p>I'm using Alpine RabbitMQ docker image and our security team has found unencrypted private keys in erlang-inets example package. Because of this our product has failed in security vulnerability test. I know this certificate is just a example one, however as the appcheck tool finds it, will be difficult to pass the test.</p> <p>Can we somehow custom build erlang-inets removing the examples or is there a way to remove the example folder from the package. Could someone please help.</p> <p>Regards,<br /> Nihar</p></div></div></div> Wed, 22 Nov 2017 07:37:51 +0000 nihar_pattanaik 19275 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/need-help-erlang-inets-package#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/bug-7357-there-eta-353 <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Hi all,</p> <p>First off, thank you for the work you all put into maintaining Alpine. It is appreciated.</p> <p>I was wondering when the 3.5.x branch might see its next release? A few CVEs had their fix merged 3 months ago (<a href="http://bugs.alpinelinux.org/issues/7357" rel="nofollow">http://bugs.alpinelinux.org/issues/7357</a>), but haven't yet seen release. I understand there is in general no firm release cadence; just am wondering if there is an estimate available on when might be released.</p> <p>Our use case: our Docker application is based on mhart/alpine-node:7, which is based on alpine:3.5 (If you're curious, the official node:alpine-7 is on alpine:3.4, so is even older). Neither of which are likely maintained, as Node.js 7.x is not maintained. Images based on mhart/alpine-node:7 that are scanned with a security tool like Twistlock report a few of the vulnerabilities that were addressed in the above-linked bug.</p> <p>Thanks in advance!</p> <p>Cheers,<br /> Spencer</p></div></div></div> Tue, 05 Sep 2017 23:14:53 +0000 spencerwilson-optimizely 19170 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/bug-7357-there-eta-353#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/chrome-firefox-package-vulnerable-phishing-attack <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>chrome and firefox package from alpine linux are not safe from phishing attack.</p> <p>latest chrome version safe but the version from alpine linux is 57.0.2987.133 (64-bit) which is NOT safe.</p> <p><a href="https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/" rel="nofollow">https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/</a></p> <p></p><div class="bb-quote">Quote:<blockquote class="bb-quote-body">Chrome has just released version 58.0.3029.81. We have confirmed that this resolves the issue and that our ‘epic.com’ test domain no longer shows as ‘epic.com’ and displays the raw punycode instead, which is ‘www.xn--e1awd7f.com’, making it clear that the domain is not ‘epic.com’. We encourage all Chrome users to immediately update to the above version of Chrome to resolve the issue. </blockquote></div> <p>At this moment(2017.04.26), don't click the link at the site that you don't trust in alpine linux environment</p> <p>--<br /> PS: <br /> How to fix this in Firefox:<br /> In your firefox location bar, type ‘about:config’ without quotes.<br /> Do a search for ‘punycode’ without quotes.<br /> You should see a parameter titled: network.IDN_show_punycode<br /> Change the value from false to true.</p></div></div></div> Wed, 26 Apr 2017 14:31:18 +0000 mmix 19027 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/chrome-firefox-package-vulnerable-phishing-attack#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/openssl-cve-2016-2180 <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Do alpine have any plan to fix this vulnerable?</p> <p>Below link is a patch to fix this vulnerable:<br /><a href="https://github.com/openssl/openssl/commit/0ed26acce328ec16a3aa635f1ca37365e8c7403a" rel="nofollow">https://github.com/openssl/openssl/commit/0ed26acce328ec16a3aa635f1ca37365e8c7403a</a> </p></div></div></div> Mon, 29 Aug 2016 00:36:06 +0000 sword 18822 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/openssl-cve-2016-2180#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/there-something-security-lists-other-distros <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>I just read about Alpine Linux in this week's Distrowatch Weekly. This looks very interesting, and I'd like to look into it during my (limited) spare time. One question I have is whether the Apline package maintainers track and report which CVEs are fixed in which releases. In particular, if a security patch is applied to a release, then I presume the package version number would be bumped; in that case, would there be something that says "fixed CVE-xxxx-yyy"? Is there something that would collect those? </p> <p>I saw the cvewatcher package described on this forum, and it looks promising. But, there is the caveat that it only looks at the package version and will have false positives if the CVE has been patched. </p></div></div></div> Mon, 06 Jul 2015 19:21:52 +0000 Pearson 18566 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/there-something-security-lists-other-distros#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/ghost-cve-2015-0235 <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Is Alpine Linux 3.1 (or other version) vulnerable to GHOST? <a href="https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability" rel="nofollow">https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability</a></p></div></div></div> Wed, 28 Jan 2015 18:49:38 +0000 bwhite 18414 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/ghost-cve-2015-0235#comments https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/xorg-server-20-year-old-security-bug <div class="field field-name-taxonomy-forums field-type-taxonomy-term-reference field-label-above"><div class="field-label">Forums:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/forums/common-vulnerabilities-and-exposures">Common Vulnerabilities and Exposures</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>I inaugurate this section...;-)</p> <p><a href="http://lists.freedesktop.org/archives/xorg/2013-October/056074.html" rel="nofollow">http://lists.freedesktop.org/archives/xorg/2013-October/056074.html</a></p> <p>Regards.</p></div></div></div> Fri, 18 Oct 2013 18:15:04 +0000 AmatCoder 15663 at https://forum.alpinelinux.org https://forum.alpinelinux.org/forum/common-vulnerabilities-and-exposures/xorg-server-20-year-old-security-bug#comments