• Arch-audit security concerns.


    $ arch-audit
    Package binutils is affected by ["CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
    Package freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package ghostscript is affected by ["CVE-2017-8291"]. High risk!
    Package greenbone-security-assistant is affected by ["CVE-2016-1926"]. Medium risk!
    Package jasper is affected by ["CVE-2017-6852", "CVE-2017-6850", "CVE-2017-5505", "CVE-2017-5504", "CVE-2017-5503"]. High risk!
    Package lib32-curl is affected by ["CVE-2017-7468"]. Medium risk!
    Package lib32-freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package lib32-libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package lib32-nss is affected by ["CVE-2017-5461"]. Critical risk!
    Package libplist is affected by ["CVE-2017-6440", "CVE-2017-6439", "CVE-2017-6438", "CVE-2017-6437", "CVE-2017-6436", "CVE-2017-6435", "CVE-2017-5836", "CVE-2017-5835", "CVE-2017-5834", "CVE-2017-5545", "CVE-2017-5209"]. High risk!
    Package libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package libusbmuxd is affected by ["CVE-2016-5104"]. Medium risk!
    Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
    Package pcre is affected by ["CVE-2017-7246", "CVE-2017-7245", "CVE-2017-7244", "CVE-2017-7186"]. High risk!
    Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
    Package webkitgtk is affected by ["CVE-2017-2481", "CVE-2017-2476", "CVE-2017-2475", "CVE-2017-2471", "CVE-2017-2470", "CVE-2017-2469", "CVE-2017-2468", "CVE-2017-2466", "CVE-2017-2465", "CVE-2017-2464", "CVE-2017-2460", "CVE-2017-2459", "CVE-2017-2457", "CVE-2017-2455", "CVE-2017-2454", "CVE-2017-2447", "CVE-2017-2446", "CVE-2017-2445", "CVE-2017-2442", "CVE-2017-2433", "CVE-2017-2419", "CVE-2017-2415", "CVE-2017-2405", "CVE-2017-2396", "CVE-2017-2395", "CVE-2017-2394", "CVE-2017-2392", "CVE-2017-2386", "CVE-2017-2377", "CVE-2017-2376", "CVE-2017-2367", "CVE-2016-9643", "CVE-2016-9642", "CVE-2017-2373", "CVE-2017-2371", "CVE-2017-2369", "CVE-2017-2366", "CVE-2017-2365", "CVE-2017-2364", "CVE-2017-2363", "CVE-2017-2362", "CVE-2017-2356", "CVE-2017-2355", "CVE-2017-2354", "CVE-2017-2350"]. Critical risk!
    

    For me, a long-time Debian user, it looks like some kind of a massacre, or North Korean technology!
    Let's say I can get over the medium risks, but the few high ones for a core thing like binutils are a big no-no.
    Just like a Critical risk for lib32-nss, which I can't do anything about because it looks very core and has a lot of dependencies.
    Any ideas on how I’m supposed to deal with this?

    My humble words to the developers: most users need Antergos as safe as possible; nobody would upgrade anything just to be hacked.

    Cheers.

  • $ arch-audit
    Package binutils is affected by ["CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
    Package freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package ghostscript is affected by ["CVE-2017-8291"]. High risk!
    Package jasper is affected by ["CVE-2017-6852", "CVE-2017-6850", "CVE-2017-5505", "CVE-2017-5504", "CVE-2017-5503"]. High risk!
    Package lib32-freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package libplist is affected by ["CVE-2017-6440", "CVE-2017-6439", "CVE-2017-6438", "CVE-2017-6437", "CVE-2017-6436", "CVE-2017-6435", "CVE-2017-5836", "CVE-2017-5835", "CVE-2017-5834", "CVE-2017-5545", "CVE-2017-5209"]. High risk!
    Package libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package libusbmuxd is affected by ["CVE-2016-5104"]. Medium risk!
    Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
    Package pcre is affected by ["CVE-2017-7246", "CVE-2017-7245", "CVE-2017-7244", "CVE-2017-7186"]. High risk!
    Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
    Package webkitgtk is affected by ["CVE-2017-2481", "CVE-2017-2476", "CVE-2017-2475", "CVE-2017-2471", "CVE-2017-2470", "CVE-2017-2469", "CVE-2017-2468", "CVE-2017-2466", "CVE-2017-2465", "CVE-2017-2464", "CVE-2017-2460", "CVE-2017-2459", "CVE-2017-2457", "CVE-2017-2455", "CVE-2017-2454", "CVE-2017-2447", "CVE-2017-2446", "CVE-2017-2445", "CVE-2017-2442", "CVE-2017-2433", "CVE-2017-2419", "CVE-2017-2415", "CVE-2017-2405", "CVE-2017-2396", "CVE-2017-2395", "CVE-2017-2394", "CVE-2017-2392", "CVE-2017-2386", "CVE-2017-2377", "CVE-2017-2376", "CVE-2017-2367", "CVE-2016-9643", "CVE-2016-9642", "CVE-2017-2373", "CVE-2017-2371", "CVE-2017-2369", "CVE-2017-2366", "CVE-2017-2365", "CVE-2017-2364", "CVE-2017-2363", "CVE-2017-2362", "CVE-2017-2356", "CVE-2017-2355", "CVE-2017-2354", "CVE-2017-2350"]. Critical risk!
    
    

    @developers
    @Community-Moderators
    I had never seen this and I don't know it either … I just ran it to see what it outputs and, hmm … I don't know

  • https://cve.mitre.org/cve/cve.html
    https://security.archlinux.org/
    Example:
    https://security.archlinux.org/CVE-2017-8287

    So as you can see, there are always security issues, but Arch Linux has a security issue system, tracking them and solving them.
    Risk is almost lower on a rolling release, because the latest packages also mean the latest security fixes (almost ;) )

    [updates once a week] = [90% less problems]
    http://gofccyourself.com
    my-blog#k
    how to add system logs
    i3 GNOME

  • But webkitgtk? I just uninstall it: https://webkitgtk.org/security/WSA-2017-0001.html


  • @joekamprad said in Arch-audit security concerns.:

    But webkitgtk? I just uninstall it

    So now that I show my audit, I’m going to hack Romanians, I’m going to get on webkit … :) :)

    https://www.youtube.com/watch?v=EGANoRjJOmM

  • @joekamprad said in Arch-audit security concerns.:

    But webkitgtk? I just uninstall it

    $ sudo pacman -R webkitgtk
    [sudo] password for judd: 
    comprobando dependencias…
    error: no se pudo preparar la operación (no se pudieron satisfacer las dependencias)
    :: antergos-welcome: quitando «webkitgtk» se rompe la dependencia con «webkitgtk3»
    
    

    What am I doing wrong, then? I cannot uninstall it because I break another dependency???

  • pacman -Rsc
    

    { Warning: This operation is recursive, and must be used with care since it can remove many potentially needed packages.}
    my friend ;)


  • @joekamprad said in Arch-audit security concerns.:

    pacman -Rsc
    

    {Warning: This operation is recursive, and must be used with care since it can remove many potentially needed packages.}
    my friend ;)

    I just wanted to do it in a gentle way … for fear of breaking … :(

    $ sudo pacman -Rnc webkitgtk
    [sudo] password for judd: 
    comprobando dependencias…
    
    Paquetes (2) antergos-welcome-0.0.2-2  webkitgtk-2.4.11-6
    
    Tamaño total quitado:  45,12 MiB
    
    :: ¿Desea quitar estos paquetes? [S/n] 
    
    
    
  • https://www.ubuntu.com/usn/
    Showing page 1 of 76


  • @judd said in Arch-audit security concerns.:

    Paquetes (2)
    Removing many potentially needed packages!!


  • @joekamprad said in Arch-audit security concerns.:

    https://www.ubuntu.com/usn/
    Showing page 1 of 76

    Not found, the site does not open…

  • @judd https:// issue?


  • @joekamprad said in Arch-audit security concerns.:

    @judd https:// issue?

    Yes, it does not open

  • But why was antergos-welcome installed?
    https://github.com/Antergos/antergos-welcome/issues/3


  • @joekamprad said in Arch-audit security concerns.:

    But why was antergos-welcome installed?
    https://github.com/Antergos/antergos-welcome/issues/3

    I do not have the slightest idea friend … that’s why I did not uninstall anything …

  • @joekamprad
    This is what arch-audit gives me on a new installation of Antergos:

    $ sudo pacman -S arch-audit
    [sudo] password for judd: 
    resolviendo dependencias…
    buscando conflictos entre paquetes…
    
    Paquetes (1) arch-audit-0.1.8-3
    
    Tamaño total de la descarga:    0,57 MiB
    Tamaño total de la instalación:  1,89 MiB
    
    :: ¿Continuar con la instalación? [S/n] 
    :: Recibiendo los paquetes…
     arch-audit-0.1.8-3-...   584,1 KiB  1446K/s 00:00 [----------------------] 100%
    (1/1) comprobando las claves del depósito          [----------------------] 100%
    descargando las claves requeridas…
    :: ¿Importar clave PGP 4096 R / 6DAF7B808F9DF25139620000D21461E3DFE2060D, «Christian Rebischke <[email protected]>», creada: 2015-07-16? [S/n] 
    (1/1) verificando la integridad de los paquetes    [----------------------] 100%
    (1/1) cargando los archivos de los paquetes        [----------------------] 100%
    (1/1) comprobando conflictos entre archivos        [----------------------] 100%
    (1/1) comprobando el espacio disponible en el ...  [----------------------] 100%
    :: Procesando los cambios de los paquetes...
    (1/1) instalando arch-audit                        [----------------------] 100%
    :: Ejecutando los «hooks» de posinstalación...
    (1/1) Arming ConditionNeedsUpdate...
    [[email protected] ~]$ arch-audit
    Package binutils is affected by ["CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
    Package freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package ghostscript is affected by ["CVE-2017-8291"]. High risk!
    Package jasper is affected by ["CVE-2017-6852", "CVE-2017-6850", "CVE-2017-5505", "CVE-2017-5504", "CVE-2017-5503"]. High risk!
    Package lib32-curl is affected by ["CVE-2017-7468"]. Medium risk!
    Package lib32-freetype2 is affected by ["CVE-2017-8287", "CVE-2017-8105"]. Critical risk!
    Package lib32-libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package lib32-nss is affected by ["CVE-2017-5461"]. Critical risk!
    Package libplist is affected by ["CVE-2017-6440", "CVE-2017-6439", "CVE-2017-6438", "CVE-2017-6437", "CVE-2017-6436", "CVE-2017-6435", "CVE-2017-5836", "CVE-2017-5835", "CVE-2017-5834", "CVE-2017-5545", "CVE-2017-5209"]. High risk!
    Package libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
    Package libusbmuxd is affected by ["CVE-2016-5104"]. Medium risk!
    Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
    Package pcre is affected by ["CVE-2017-7246", "CVE-2017-7245", "CVE-2017-7244", "CVE-2017-7186"]. High risk!
    Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
    Package webkitgtk is affected by ["CVE-2017-2481", "CVE-2017-2476", "CVE-2017-2475", "CVE-2017-2471", "CVE-2017-2470", "CVE-2017-2469", "CVE-2017-2468", "CVE-2017-2466", "CVE-2017-2465", "CVE-2017-2464", "CVE-2017-2460", "CVE-2017-2459", "CVE-2017-2457", "CVE-2017-2455", "CVE-2017-2454", "CVE-2017-2447", "CVE-2017-2446", "CVE-2017-2445", "CVE-2017-2442", "CVE-2017-2433", "CVE-2017-2419", "CVE-2017-2415", "CVE-2017-2405", "CVE-2017-2396", "CVE-2017-2395", "CVE-2017-2394", "CVE-2017-2392", "CVE-2017-2386", "CVE-2017-2377", "CVE-2017-2376", "CVE-2017-2367", "CVE-2016-9643", "CVE-2016-9642", "CVE-2017-2373", "CVE-2017-2371", "CVE-2017-2369", "CVE-2017-2366", "CVE-2017-2365", "CVE-2017-2364", "CVE-2017-2363", "CVE-2017-2362", "CVE-2017-2356", "CVE-2017-2355", "CVE-2017-2354", "CVE-2017-2350"]. Critical risk!
    
    
  • @joekamprad said in Arch-audit security concerns.:

    But why was antergos-welcome installed?

    $ sudo pacman -Rnc webkitgtk
    [sudo] password for judd: 
    comprobando dependencias…
    
    Paquetes (2) antergos-welcome-0.0.2-2  webkitgtk-2.4.11-6
    
    Tamaño total quitado:  45,12 MiB
    
    :: ¿Desea quitar estos paquetes? [S/n] 
    
    

    As before

  • The “Antergos-Welcome” package was probably installed with the DE …


  • Guys? Trump got you all deported or why are we talking Spanish?
    It’s a beautiful language but me not comprendo! xD

    Anyway, I hope there will be some fixes for these things soon, or at least some solution to install older packets in that place.
    Have a nice day amigos!
