• Arch-audit security concerns.


    $ arch-audit
    Package binutils is affected by ["CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
    Package freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package ghostscript is affected by ["CVE-2017-8291"]. High risk!
    Package greenbone-security-assistant is affected by ["CVE-2016-1926"]. Medium risk!
    Package jasper is affected by ["CVE-2017-6852", "CVE-2017-6850", "CVE-2017-5505", "CVE-2017-5504", "CVE-2017-5503"]. High risk!
    Package lib32-curl is affected by ["CVE-2017-7468"]. Medium risk!
    Package lib32-freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package lib32-libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package lib32-nss is affected by ["CVE-2017-5461"]. Critical risk!
    Package libplist is affected by ["CVE-2017-6440", "CVE-2017-6439", "CVE-2017-6438", "CVE-2017-6437", "CVE-2017-6436", "CVE-2017-6435", "CVE-2017-5836", "CVE-2017-5835", "CVE-2017-5834", "CVE-2017-5545", "CVE-2017-5209"]. High risk!
    Package libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package libusbmuxd is affected by ["CVE-2016-5104"]. Medium risk!
    Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
    Package pcre is affected by ["CVE-2017-7246", "CVE-2017-7245", "CVE-2017-7244", "CVE-2017-7186"]. High risk!
    Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
    Package webkitgtk is affected by ["CVE-2017-2481", "CVE-2017-2476", "CVE-2017-2475", "CVE-2017-2471", "CVE-2017-2470", "CVE-2017-2469", "CVE-2017-2468", "CVE-2017-2466", "CVE-2017-2465", "CVE-2017-2464", "CVE-2017-2460", "CVE-2017-2459", "CVE-2017-2457", "CVE-2017-2455", "CVE-2017-2454", "CVE-2017-2447", "CVE-2017-2446", "CVE-2017-2445", "CVE-2017-2442", "CVE-2017-2433", "CVE-2017-2419", "CVE-2017-2415", "CVE-2017-2405", "CVE-2017-2396", "CVE-2017-2395", "CVE-2017-2394", "CVE-2017-2392", "CVE-2017-2386", "CVE-2017-2377", "CVE-2017-2376", "CVE-2017-2367", "CVE-2016-9643", "CVE-2016-9642", "CVE-2017-2373", "CVE-2017-2371", "CVE-2017-2369", "CVE-2017-2366", "CVE-2017-2365", "CVE-2017-2364", "CVE-2017-2363", "CVE-2017-2362", "CVE-2017-2356", "CVE-2017-2355", "CVE-2017-2354", "CVE-2017-2350"]. Critical risk!
    

    For me, a long-time Debian user, it looks like some kind of massacre, or North Korean technology!
    Let's say I can get over the medium risks, but the few high ones for a core thing like binutils are a big no-no.
    Just like the Critical risk for lib32-nss, which I can't do anything about because it looks very core and has a lot of dependencies.
    Any ideas on how I’m supposed to deal with this?

    My humble words to the developers: most users need Antergos to be as safe as possible; nobody would upgrade anything just to be hacked.

    Cheers.

  • $ arch-audit
    Package binutils is affected by ["CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
    Package freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package ghostscript is affected by ["CVE-2017-8291"]. High risk!
    Package jasper is affected by ["CVE-2017-6852", "CVE-2017-6850", "CVE-2017-5505", "CVE-2017-5504", "CVE-2017-5503"]. High risk!
    Package lib32-freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package libplist is affected by ["CVE-2017-6440", "CVE-2017-6439", "CVE-2017-6438", "CVE-2017-6437", "CVE-2017-6436", "CVE-2017-6435", "CVE-2017-5836", "CVE-2017-5835", "CVE-2017-5834", "CVE-2017-5545", "CVE-2017-5209"]. High risk!
    Package libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package libusbmuxd is affected by ["CVE-2016-5104"]. Medium risk!
    Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
    Package pcre is affected by ["CVE-2017-7246", "CVE-2017-7245", "CVE-2017-7244", "CVE-2017-7186"]. High risk!
    Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
    Package webkitgtk is affected by ["CVE-2017-2481", "CVE-2017-2476", "CVE-2017-2475", "CVE-2017-2471", "CVE-2017-2470", "CVE-2017-2469", "CVE-2017-2468", "CVE-2017-2466", "CVE-2017-2465", "CVE-2017-2464", "CVE-2017-2460", "CVE-2017-2459", "CVE-2017-2457", "CVE-2017-2455", "CVE-2017-2454", "CVE-2017-2447", "CVE-2017-2446", "CVE-2017-2445", "CVE-2017-2442", "CVE-2017-2433", "CVE-2017-2419", "CVE-2017-2415", "CVE-2017-2405", "CVE-2017-2396", "CVE-2017-2395", "CVE-2017-2394", "CVE-2017-2392", "CVE-2017-2386", "CVE-2017-2377", "CVE-2017-2376", "CVE-2017-2367", "CVE-2016-9643", "CVE-2016-9642", "CVE-2017-2373", "CVE-2017-2371", "CVE-2017-2369", "CVE-2017-2366", "CVE-2017-2365", "CVE-2017-2364", "CVE-2017-2363", "CVE-2017-2362", "CVE-2017-2356", "CVE-2017-2355", "CVE-2017-2354", "CVE-2017-2350"]. Critical risk!
    
    

    @developers
    @Community-Moderators
    I have never seen this and I don't know it either … I just ran it to see what it outputs and, hmm … I don't know.

    My respects.

  • https://cve.mitre.org/cve/cve.html
    https://security.archlinux.org/
    Example:
    https://security.archlinux.org/CVE-2017-8287

    So as you can see, there are always security issues, but Arch Linux has a security issue system, tracking them and solving them.
    Risk is almost lower on a rolling release, because the latest packages also mean the latest security fixes (almost ;) )

    [updates once a week] = [90% less problems]
    [Li{u}n//u//{i}x] since 1988 - overcoming failure means success
    http://kamprad.net/howto-installing-antergos/
    https://forum.antergos.com/topic/1883/how-to-include-system-logs-when-asking-for-help
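
As an added example (not code from the thread or from the arch-audit project), a small Python parser for the report format posted above: it orders findings by severity, groups packages by shared CVE, and prints the security.archlinux.org link for each CVE. The function names are hypothetical and the sample report is constructed from lines in the thread.

```python
import json
import re
from collections import defaultdict

# Constructed sample: report lines in the format posted in this thread
# (binutils CVE list shortened), plus one non-report line that must be skipped.
SAMPLE = """\
Package binutils is affected by ["CVE-2017-7210", "CVE-2017-7209"]. High risk!
Package freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
Package lib32-freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
Package lib32-nss is affected by ["CVE-2017-5461"]. Critical risk!
Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
[sudo] password for judd:
"""

LINE = re.compile(r"^Package (\S+) is affected by (\[.*\])\. (\w+) risk!$")
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
TRACKER = "https://security.archlinux.org/"  # tracker URL quoted in the thread


def parse(text):
    """Return (package, cves, risk) tuples; lines in any other shape are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # The CVE list is printed as a quoted, comma-separated array,
            # which is also valid JSON.
            findings.append((m.group(1), json.loads(m.group(2)), m.group(3)))
    return findings


def triage(findings):
    """Worst severity first, then most CVEs, then package name."""
    return sorted(findings, key=lambda f: (RANK.get(f[2], 99), -len(f[1]), f[0]))


def by_cve(findings):
    """Map each CVE to the packages it affects (one bug, several packages)."""
    index = defaultdict(list)
    for pkg, cves, _ in findings:
        for cve in cves:
            index[cve].append(pkg)
    return {cve: sorted(pkgs) for cve, pkgs in index.items()}


if __name__ == "__main__":
    for pkg, cves, risk in triage(parse(SAMPLE)):
        print(f"{risk:8} {pkg:16} " + " ".join(TRACKER + c for c in cves))
```

Grouping by CVE shows that the number of distinct issues is smaller than the number of report lines, since a lib32 package and its native counterpart carry the same CVEs.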

  • But webkitgtk? I just uninstall it: https://webkitgtk.org/security/WSA-2017-0001.html

  • @joekamprad said in Arch-audit security concerns.:

    But webkitgtk? i just uninstall it

    So now that I show my audit, I’m going to hack Romanians, I’m going to get on webkit … :) :)

    https://www.youtube.com/watch?v=EGANoRjJOmM

    My respects.

  • @joekamprad said in Arch-audit security concerns.:

    But webkitgtk? i just uninstall it

    $ sudo pacman -R webkitgtk
    [sudo] password for judd: 
    comprobando dependencias…
    error: no se pudo preparar la operación (no se pudieron satisfacer las dependencias)
    :: antergos-welcome: quitando «webkitgtk» se rompe la dependencia con «webkitgtk3»
    
    

    What am I doing wrong, then? I cannot uninstall it because I break another dependency???

    My respects.

  • pacman -Rsc
    

    { Warning: This operation is recursive, and must be used with care since it can remove many potentially needed packages.}
    my friend ;)

  • @joekamprad said in Arch-audit security concerns.:

    pacman -Rsc
    

    {Warning: This operation is recursive, and must be used with care since it can remove many potentially needed packages.}
    my friend ;)

    I just wanted to do it in a gentle way … for fear of breaking … :(

    $ sudo pacman -Rnc webkitgtk
    [sudo] password for judd: 
    comprobando dependencias…
    
    Paquetes (2) antergos-welcome-0.0.2-2  webkitgtk-2.4.11-6
    
    Tamaño total quitado:  45,12 MiB
    
    :: ¿Desea quitar estos paquetes? [S/n] 
    
    
    

    My respects.

  • https://www.ubuntu.com/usn/
    Showing page 1 of 76

  • @judd said in Arch-audit security concerns.:

    Paquetes (2)
    Removing many potentially needed packages!!

  • @joekamprad said in Arch-audit security concerns.:

    https://www.ubuntu.com/usn/
    Showing page 1 of 76

    Not found, the site does not open…

    My respects.

  • @judd https:// issue?

  • @joekamprad said in Arch-audit security concerns.:

    @judd https:// issue?

    Yes, it does not open

    My respects.

  • But why was antergos-welcome installed?
    https://github.com/Antergos/antergos-welcome/issues/3

  • @joekamprad said in Arch-audit security concerns.:

    But why was antergos-welcome installed?
    https://github.com/Antergos/antergos-welcome/issues/3

    I do not have the slightest idea, friend … that’s why I did not uninstall anything …

    My respects.

  • @joekamprad
    This is what arch-audit gives me on a new installation of Antergos:

    $ sudo pacman -S arch-audit
    [sudo] password for judd: 
    resolviendo dependencias…
    buscando conflictos entre paquetes…
    
    Paquetes (1) arch-audit-0.1.8-3
    
    Tamaño total de la descarga:    0,57 MiB
    Tamaño total de la instalación:  1,89 MiB
    
    :: ¿Continuar con la instalación? [S/n] 
    :: Recibiendo los paquetes…
     arch-audit-0.1.8-3-...   584,1 KiB  1446K/s 00:00 [----------------------] 100%
    (1/1) comprobando las claves del depósito          [----------------------] 100%
    descargando las claves requeridas…
    :: ¿Importar clave PGP 4096 R / 6DAF7B808F9DF25139620000D21461E3DFE2060D, «Christian Rebischke <[email protected]>», creada: 2015-07-16? [S/n] 
    (1/1) verificando la integridad de los paquetes    [----------------------] 100%
    (1/1) cargando los archivos de los paquetes        [----------------------] 100%
    (1/1) comprobando conflictos entre archivos        [----------------------] 100%
    (1/1) comprobando el espacio disponible en el ...  [----------------------] 100%
    :: Procesando los cambios de los paquetes...
    (1/1) instalando arch-audit                        [----------------------] 100%
    :: Ejecutando los «hooks» de posinstalación...
    (1/1) Arming ConditionNeedsUpdate...
    [[email protected] ~]$ arch-audit
    Package binutils is affected by ["CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
    Package freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package ghostscript is affected by ["CVE-2017-8291"]. High risk!
    Package jasper is affected by ["CVE-2017-6852", "CVE-2017-6850", "CVE-2017-5505", "CVE-2017-5504", "CVE-2017-5503"]. High risk!
    Package lib32-curl is affected by ["CVE-2017-7468"]. Medium risk!
    Package lib32-freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package lib32-libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package lib32-nss is affected by ["CVE-2017-5461"]. Critical risk!
    Package libplist is affected by ["CVE-2017-6440", "CVE-2017-6439", "CVE-2017-6438", "CVE-2017-6437", "CVE-2017-6436", "CVE-2017-6435", "CVE-2017-5836", "CVE-2017-5835", "CVE-2017-5834", "CVE-2017-5545", "CVE-2017-5209"]. High risk!
    Package libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package libusbmuxd is affected by ["CVE-2016-5104"]. Medium risk!
    Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
    Package pcre is affected by ["CVE-2017-7246", "CVE-2017-7245", "CVE-2017-7244", "CVE-2017-7186"]. High risk!
    Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
    Package webkitgtk is affected by ["CVE-2017-2481", "CVE-2017-2476", "CVE-2017-2475", "CVE-2017-2471", "CVE-2017-2470", "CVE-2017-2469", "CVE-2017-2468", "CVE-2017-2466", "CVE-2017-2465", "CVE-2017-2464", "CVE-2017-2460", "CVE-2017-2459", "CVE-2017-2457", "CVE-2017-2455", "CVE-2017-2454", "CVE-2017-2447", "CVE-2017-2446", "CVE-2017-2445", "CVE-2017-2442", "CVE-2017-2433", "CVE-2017-2419", "CVE-2017-2415", "CVE-2017-2405", "CVE-2017-2396", "CVE-2017-2395", "CVE-2017-2394", "CVE-2017-2392", "CVE-2017-2386", "CVE-2017-2377", "CVE-2017-2376", "CVE-2017-2367", "CVE-2016-9643", "CVE-2016-9642", "CVE-2017-2373", "CVE-2017-2371", "CVE-2017-2369", "CVE-2017-2366", "CVE-2017-2365", "CVE-2017-2364", "CVE-2017-2363", "CVE-2017-2362", "CVE-2017-2356", "CVE-2017-2355", "CVE-2017-2354", "CVE-2017-2350"]. Critical risk!
    
    

    My respects.

  • @joekamprad said in Arch-audit security concerns.:

    But why was antergos-welcome installed?

    $ sudo pacman -Rnc webkitgtk
    [sudo] password for judd: 
    comprobando dependencias…
    
    Paquetes (2) antergos-welcome-0.0.2-2  webkitgtk-2.4.11-6
    
    Tamaño total quitado:  45,12 MiB
    
    :: ¿Desea quitar estos paquetes? [S/n] 
    
    

    As before

    My respects.

  • The “Antergos-Welcome” package was probably installed with the DE …

  • Guys? Trump got you all deported or why are we talking Spanish?
    It’s a beautiful language but me not comprendo! xD

    Anyway, I hope there will be some fixes for these things soon, or at least some solution to install older packages in that place.
    Have a nice day amigos!
