Parabola Issue Tracker: Issues (https://labs.parabola.nu/), feed generated 2022-04-25T15:48:40Z
Packages - Bug #3261 (confirmed): [log4j-1.2] Unmaintained, insecure, vulnerable package
https://labs.parabola.nu/issues/3261 | 2022-04-25T15:48:40Z | gap
<p>From the upstream URL: <a class="external" href="https://logging.apache.org/log4j/1.2/">https://logging.apache.org/log4j/1.2/</a></p>
<blockquote>
<p>End of Life</p>
<p>On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the Apache Blog. Users of Log4j 1 are recommended to upgrade to Apache Log4j 2.</p>
<p>Security Vulnerabilities</p>
<p>Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.</p>
<p>CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited.</p>
<p>CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.</p>
<p>CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accessed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
<p>CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accessed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
<p>CVE-2022-23305 is a high severity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.</p>
<p>CVE-2022-23307 is a critical severity issue against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.</p>
</blockquote>
<p>Removing this package would have a knock-on effect on others, which depend on it.</p>
Packages - Bug #2945 (info needed): [uboot4extlinux-a20-olinuxino-lime2]: does not support newer ...
https://labs.parabola.nu/issues/2945 | 2020-12-16T12:10:37Z | infinite_recursion
<p>Current revisions of the olinuxino lime2 have different ethernet PHYs compared to the earlier ones, as shown at the link below</p>
<p><a class="external" href="https://linux-sunxi.org/Olimex_A20-OLinuXino-Lime2">https://linux-sunxi.org/Olimex_A20-OLinuXino-Lime2</a></p>
<p>Due to this, the LAN port does not work. Guided by</p>
<p><a class="external" href="https://regrow.earth/openbsd-on-olinuxino-lime2/">https://regrow.earth/openbsd-on-olinuxino-lime2/</a></p>
<p>and the top link, making the following changes to configs/A20-OLinuXino-Lime2_defconfig works:<br /><pre><code class="shell syntaxhl">-CONFIG_PHY_REALTEK=y
+CONFIG_PHY_MICREL=y
+CONFIG_PHY_MICREL_KSZ9031=y
+CONFIG_GMAC_TX_DELAY=4
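Review bot: removing CONFIG_PHY_REALTEK=y drops the PHY driver that the earlier board revisions need (the report itself says current revisions have a different PHY from the earlier ones), so a defconfig with this change builds an image that no longer brings up the LAN port on older boards. U-Boot's phylib can have several PHY drivers compiled in and picks the one whose ID matches what it reads from the chip, so keep CONFIG_PHY_REALTEK=y next to the two CONFIG_PHY_MICREL lines instead of replacing it. The value CONFIG_GMAC_TX_DELAY=4 is board-specific; state whether it comes from the linked sunxi page or from measurement so the next person touching the defconfig knows how it was chosen.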
</code></pre></p>
Upstreaming Patches - Upstreaming #2809 (open): Upstream pcr/searx changes
https://labs.parabola.nu/issues/2809 | 2020-06-15T13:49:01Z | GNUtoo (GNUtoo@cyberdimension.org)
Packages - Bug #2805 (unconfirmed): Verify if the u-boot documentation is FSDG compliant
https://labs.parabola.nu/issues/2805 | 2020-06-14T18:54:57Z | GNUtoo (GNUtoo@cyberdimension.org)
Packages - Bug #2803 (confirmed): Add patch from eschwartz to use system libs in iceweasel / icec...
https://labs.parabola.nu/issues/2803 | 2020-06-12T22:02:40Z | GNUtoo (GNUtoo@cyberdimension.org)
Packages - Bug #2795 (confirmed): Add support for the TBS TBS2910 and finish the u-boot for I.MX ...
https://labs.parabola.nu/issues/2795 | 2020-06-12T18:21:01Z | GNUtoo (GNUtoo@cyberdimension.org)
Packages - Bug #2744 (confirmed): [libre/openttd]: rebuild against new icu (x86_64)
https://labs.parabola.nu/issues/2744 | 2020-05-05T15:30:18Z | bill-auger
Packages - Bug #2639 (confirmed): [uboot4extlinux] do not use fallback images as initrd
https://labs.parabola.nu/issues/2639 | 2020-02-25T18:52:16Z | Megver83 (megver83@parabola.nu)
<p>Linux-libre kernels for ARM do not have fallback images (although I can add them, but that's another discussion). And, as they are not present, uboot4extlinux fails to boot using the default configuration (this happened to me with uboot4extlinux-bananpi on my BPi M1).</p>
<p>Plus, they have non-existent kernels, which were removed a long time ago. Please, before updating the extlinux.conf, make sure about what you put there because, e.g., linux-libre-hardened is only for x86_64.</p>
<p>Maybe instead of removing the fallback entries I could add them in the armv7 mkinitcpio presets, and the uboot maintainer would just have to add the non-fallback entries in extlinux.conf (or without initrd entries like before; in fact, I don't know why they were added).</p>
Packages - Feature Request #2578 (open): ARM: Add back GRUB
https://labs.parabola.nu/issues/2578 | 2019-12-09T22:35:46Z | GNUtoo (GNUtoo@cyberdimension.org)
<p>On ARM, we currently use the standard distro booting scheme from u-boot:<br />- It tries boot.scr first<br />- It then tries syslinux.cfg, which is more familiar to people used to x86.</p>
<p>This can be improved even more by using GRUB, which is even more familiar, as most people are already using it on x86.</p>
Packages - Bug #2171 (forwarded upstream): [supercollider]: requires 'qt5-webengine'
https://labs.parabola.nu/issues/2171 | 2019-02-06T06:55:03Z | bill-auger
<p>denis has a PKGBUILD for [libre] already</p>
<p>from the git log:<br /><pre>
To avoid qt5-webengine, this package has been built without
QT support. QT support was used for the IDE and a GUI, which
may be able to work without qt5-webengine if supercollider
is patched.
Supercollider can also be used as a dependency of other packages
that are not yet in Parabola such as sonicpi.
</pre></p>
Packages - Bug #1779 (open): [armv7] compile [qemu-user-static-binfmt]
https://labs.parabola.nu/issues/1779 | 2018-05-01T15:31:32Z | GNUtoo (GNUtoo@cyberdimension.org)
<p>Hi,</p>
<p>Having qemu-user-static-binfmt on ARM would be nice, as it could enable users to transparently run x86 code.</p>
<p>On Parabola x86 it works fine for running ARM code (with it you can transparently arch-chroot inside a Parabola ARM installation, for instance).</p>
<p>Denis.</p>
Packages - Bug #1762 (open): [openvpn-update-resolv-conf-git] and/or [openvpn-update-systemd-reso...
https://labs.parabola.nu/issues/1762 | 2018-04-25T12:47:32Z | GNUtoo (GNUtoo@cyberdimension.org)
<p>OpenVPN isn't capable of handling DNS server push information in GNU/Linux without the help of external scripts like<br /><pre>
/etc/openvpn/update-resolv-conf
</pre></p>
<p>Trisquel and <a href="https://packages.debian.org/stretch/amd64/openvpn/filelist" class="external">other Debian-based distributions ship this file in the openvpn package</a>.</p>
<p>However, Arch and Parabola don't have such a file in the OpenVPN package.</p>
<p>However, there is a PKGBUILD for this file available here:</p>
<ul>
<li><a class="external" href="https://aur.archlinux.org/packages/openvpn-update-resolv-conf-git/">https://aur.archlinux.org/packages/openvpn-update-resolv-conf-git/</a></li>
</ul>
<p>and a PKGBUILD for an alternative script using systemd here:</p>
<ul>
<li><a class="external" href="https://aur.archlinux.org/packages/openvpn-update-systemd-resolved/">https://aur.archlinux.org/packages/openvpn-update-systemd-resolved/</a></li>
</ul>
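The DNS-push handling the report refers to, as an added example that is neither the AUR update-resolv-conf script nor anything shipped by Parabola: OpenVPN hands each pushed <code>dhcp-option</code> to its <code>--up</code> script as an environment variable <code>foreign_option_N</code> and sets <code>script_type</code> to <code>up</code> or <code>down</code>. The example below parses those variables into resolv.conf lines, and because the values come from the server, it accepts only a dotted-quad IPv4 for DNS and a plain hostname-shaped string for DOMAIN, so a hostile or compromised server cannot push resolver directives of its own choosing. The function names and the <code>RESOLV_CONF</code> override are assumptions of this example; restoring the previous resolv.conf on <code>down</code>, which the real scripts also do, is left out.

```shell
#!/bin/sh
# Added example (not the AUR update-resolv-conf script): build resolv.conf from
# the DNS options OpenVPN pushes, accepting only well-formed values so that a
# hostile or compromised server cannot inject arbitrary resolver directives.

# True if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# True if $1 looks like a DNS search domain: labels of letters, digits and
# hyphens joined by single dots, no leading/trailing dot or hyphen, <= 253 chars.
is_domain() {
  case $1 in ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*.-*) return 1 ;; esac
  [ ${#1} -le 253 ]
}

# Convert pushed options (one "dhcp-option KEY VALUE" string per argument, the
# form OpenVPN stores in foreign_option_N) into resolv.conf lines on stdout:
# one "nameserver" line per valid DNS value, then a single "search" line with
# every valid DOMAIN value. Malformed or unsupported entries go to stderr.
resolv_from_options() {
  search=
  for opt in "$@"; do
    kind=${opt%% *}; rest=${opt#* }; key=${rest%% *}; val=${rest#* }
    if [ "$kind" != dhcp-option ] || [ "$rest" = "$key" ]; then
      echo "skipping malformed option: $opt" >&2
      continue
    fi
    case $key in
      DNS)
        if is_ipv4 "$val"; then echo "nameserver $val"
        else echo "rejecting DNS value: $val" >&2; fi ;;
      DOMAIN)
        if is_domain "$val"; then search="$search $val"
        else echo "rejecting DOMAIN value: $val" >&2; fi ;;
      *) echo "ignoring unsupported option: $opt" >&2 ;;
    esac
  done
  [ -z "$search" ] || echo "search$search"
}

# Gather foreign_option_1, foreign_option_2, ... from the environment, as
# OpenVPN sets them for --up scripts, stop at the first unset one, and print
# the resulting resolv.conf content.
collect_foreign_options() {
  i=1
  set --
  while eval "v=\${foreign_option_$i:-}" && [ -n "$v" ]; do
    set -- "$@" "$v"
    i=$((i + 1))
  done
  resolv_from_options "$@"
}

# When OpenVPN runs this file as an --up script it sets script_type=up; only
# then write the result out. RESOLV_CONF is an assumed override for testing.
if [ "${script_type:-}" = up ]; then
  collect_foreign_options > "${RESOLV_CONF:-/etc/resolv.conf}"
fi
```

Pointing OpenVPN at it with <code>script-security 2</code> and <code>up /path/to/this.sh</code> is enough to exercise the <code>up</code> branch; a value such as <code>10.8.0.2;options rotate</code> or a DOMAIN containing a newline is dropped rather than written, which is the property the validation exists for.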