CVE-2016-10009: loading of untrusted PKCS#11 modules in ssh-agent
CVE-2016-10010: privilege escalation via Unix domain socket forwarding
CVE-2016-10011: Leak of host private key material to privilege-separated child process via realloc()
CVE-2016-10012: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
---
main/openssh/APKBUILD | 38 +++++++++--
main/openssh/CVE-2016-10009.patch | 130 ++++++++++++++++++++++++++++++++++++
main/openssh/CVE-2016-10010.patch | 29 ++++++++
main/openssh/CVE-2016-10011.patch | 37 ++++++++++
main/openssh/CVE-2016-10012-1.patch | 89 ++++++++++++++++++++++++
main/openssh/CVE-2016-10012-2.patch | 33 +++++++++
main/openssh/CVE-2016-10012-3.patch | 17 +++++
7 files changed, 369 insertions(+), 4 deletions(-)
create mode 100644 main/openssh/CVE-2016-10009.patch
create mode 100644 main/openssh/CVE-2016-10010.patch
create mode 100644 main/openssh/CVE-2016-10011.patch
create mode 100644 main/openssh/CVE-2016-10012-1.patch
create mode 100644 main/openssh/CVE-2016-10012-2.patch
create mode 100644 main/openssh/CVE-2016-10012-3.patch
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index b295bf7..92f8dc6 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssh
pkgver=7.2_p2
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=2
+pkgrel=3
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -24,6 +25,12 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
CVE-2016-6210-1.patch
CVE-2016-6210-2.patch
CVE-2016-6515.patch
+ CVE-2016-10009.patch
+ CVE-2016-10010.patch
+ CVE-2016-10011.patch
+ CVE-2016-10012-1.patch
+ CVE-2016-10012-2.patch
+ CVE-2016-10012-3.patch
"
# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
@@ -32,6 +39,11 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
# - CVE-2016-6210
# 7.2_p2-r2:
# - CVE-2016-6515
+# 7.2_p2-r3:
+# - CVE-2016-10009
+# - CVE-2016-10010
+# - CVE-2016-10011
+# - CVE-2016-10012
_builddir="$srcdir"/$pkgname-$_myver
prepare() {
@@ -136,7 +148,13 @@ b35e9f3829f4cfca07168fcba98749c7 sshd.confd
2dd7e366607e95f9762273067309fd6e openssh-sftp-interactive.diff
8bdbd8213f3f5cac420839045fd377be CVE-2016-6210-1.patch
0a21e81b0920b2b79f788668072b827e CVE-2016-6210-2.patch
-c70de89a56f365514ea7a877c8267715 CVE-2016-6515.patch"
+c70de89a56f365514ea7a877c8267715 CVE-2016-6515.patch
+c90d3f553ab3f7e18eef857160b4f3e4 CVE-2016-10009.patch
+ff2645ea513fd071553f657aabb49e2b CVE-2016-10010.patch
+368a1f2e4d381157647671effbb2f48e CVE-2016-10011.patch
+af9e3c0a4d90b72cc9532120dd50341c CVE-2016-10012-1.patch
+7bc38d8b2ff07def069a063a4ba74311 CVE-2016-10012-2.patch
+75b99affc2a24f8187561e27a90cfbc8 CVE-2016-10012-3.patch"
sha256sums="a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c openssh-7.2p2.tar.gz
bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249 openssh6.5-peaktput.diff
861132af07c18f5e0ac7b64f389a929e61a051887bf44bda770a97e3afd9bfb6 openssh7.1-dynwindows.diff
@@ -147,7 +165,13 @@ c31a116bba900c6c4795b061766169e6455d6e1b7cf9aa2ee5ba4eaa1afa76b0 sshd.initd
4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376 openssh-sftp-interactive.diff
9d241c182c62d6ac55ef2db0f377cea8b2293131b75b97de939f36ece61725a4 CVE-2016-6210-1.patch
021f15627e56ca5c45a05d3a71d2c79af9d3c86637c1eb40208c6f71d2fb9697 CVE-2016-6210-2.patch
-dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa CVE-2016-6515.patch"
+dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa CVE-2016-6515.patch
+21cc3551212d0e7468ea624fed9a77f75c26ee618d0c8f9db5ba371a6714c2c9 CVE-2016-10009.patch
+477fe3e0aa4e84ed456ed976070596047a587e0a743c2be8a69274869e904a01 CVE-2016-10010.patch
+2e281fe5fae68346097c83738516195733e3745cbf144404983116f90c9790ea CVE-2016-10011.patch
+fedc1069bdbd7e95b8ba7f597fa0f07cae09714ba839b454596e5aa860698004 CVE-2016-10012-1.patch
+2be09b0a0aa4b3859fddd360a679b41c95f97a7e11df95aa1a1abe174f97bab7 CVE-2016-10012-2.patch
+bd6fa4cfd9cd7ebdfb4e9b8b6295b6b9579e48e90d46da1ec0a9d53aa1479369 CVE-2016-10012-3.patch"
sha512sums="44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b openssh-7.2p2.tar.gz
e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1 openssh6.5-peaktput.diff
72a7dc21d18388c635d14dda762ac50caeefd38f0153d8ea36d18e9d7c982e104f7b7a3af8c18fd479c31201fbdee1639f3a1ec60d035d4ca8721a8563fa11a0 openssh7.1-dynwindows.diff
@@ -158,4 +182,10 @@ b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 openssh-sftp-interactive.diff
6c78935209d9af00c4f0ce27261a40cdea8714ce0eaf28935ec75853333421f72ee2281c674d70c2a5ef7c297ec0fe4699214e0874efe0341c35dfd5027a1702 CVE-2016-6210-1.patch
aad1fc45a8f83fc778105ea43b6406860155fc89545a058ff0359586cbb33a0d0ebff99dc70be64a9e1021c4b971658b33bbae3efd383a9d81531dc4395b83a5 CVE-2016-6210-2.patch
-23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6 CVE-2016-6515.patch"
+23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6 CVE-2016-6515.patch
+8fed8ced305b61428a83c074c4a4ea53c7ad5a59c68604398852a5e33b728c241ca12f89f15fb6d3df37e82854b574a117522e4c178e20ca466f3f725ad05be1 CVE-2016-10009.patch
+d6798d818ff7dfad0cd314c2f0e2d3d5477e4567f5422ff2409fdd56050d45e88073fb2b9008c3335cc3ac596b6c0ed13128fa5d588cbb56d4919ab62b218c26 CVE-2016-10010.patch
+3ab26c702f7a64225d11dd485b288ac81f96afa2a13ab0a8082245d80d31d7c9c335e49cb4cec1e0439c39cb32df5360afd6bf6363d4cbaa80cb3a991c636755 CVE-2016-10011.patch
+8d7601ecf86d5e4fcb7908690598d28af25a7e019d359b7b680a235844403414127262978e07679e36cef2293c114d417bd139c8791423febdb4ce2437d628b6 CVE-2016-10012-1.patch
+8f2e4b851d69ff1328452ed0b2f804cb55f1ba668a9a77cb1b14c8bbd573436d8f4daa163662ac40e15bebfedaba2a666519c9b9e6f53a769415cef343e61fd5 CVE-2016-10012-2.patch
+deef0aba42fa3d5c63807cfb106eaee25be2ab63a0f7cd80046ffd8e67bbc78ca19f1cdf433d522dbd09b088c4f0a165f3edcaba4c12d0200f8615da3c98f78a CVE-2016-10012-3.patch"
diff --git a/main/openssh/CVE-2016-10009.patch b/main/openssh/CVE-2016-10009.patch
new file mode 100644
index 0000000..a7adc16
--- /dev/null
+++ b/main/openssh/CVE-2016-10009.patch
@@ -0,0 +1,130 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&sortby=date&f=h&f=u
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
+retrieving revision 1.214
+retrieving revision 1.215
+diff -u -r1.214 -r1.215
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -69,11 +69,16 @@
+ #include "misc.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "match.h"
+
+ #ifdef ENABLE_PKCS11
+ #include "ssh-pkcs11.h"
+ #endif
+
++#ifndef DEFAULT_PKCS11_WHITELIST
++# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
++#endif
++
+ #if defined(HAVE_SYS_PRCTL_H)
+ #include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
+ #endif
+@@ -121,6 +126,9 @@
+ char socket_name[PATH_MAX];
+ char socket_dir[PATH_MAX];
+
++/* PKCS#11 path whitelist */
++static char *pkcs11_whitelist;
++
+ /* locking */
+ #define LOCK_SIZE 32
+ #define LOCK_SALT_SIZE 16
+@@ -724,7 +732,7 @@
+ static void
+ process_add_smartcard_key(SocketEntry *e)
+ {
+- char *provider = NULL, *pin;
++ char *provider = NULL, *pin, canonical_provider[PATH_MAX];
+ int r, i, version, count = 0, success = 0, confirm = 0;
+ u_int seconds;
+ time_t death = 0;
+@@ -756,10 +764,21 @@
+ goto send;
+ }
+ }
++ if (realpath(provider, canonical_provider) == NULL) {
++ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
++ provider, strerror(errno));
++ goto send;
++ }
++ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
++ verbose("refusing PKCS#11 add of \"%.100s\": "
++ "provider not whitelisted", canonical_provider);
++ goto send;
++ }
++ debug("%s: add %.100s", __func__, canonical_provider);
+ if (lifetime && !death)
+ death = monotime() + lifetime;
+
+- count = pkcs11_add_provider(provider, pin, &keys);
++ count = pkcs11_add_provider(canonical_provider, pin, &keys);
+ for (i = 0; i < count; i++) {
+ k = keys[i];
+ version = k->type == KEY_RSA1 ? 1 : 2;
+@@ -767,8 +786,8 @@
+ if (lookup_identity(k, version) == NULL) {
+ id = xcalloc(1, sizeof(Identity));
+ id->key = k;
+- id->provider = xstrdup(provider);
+- id->comment = xstrdup(provider); /* XXX */
++ id->provider = xstrdup(canonical_provider);
++ id->comment = xstrdup(canonical_provider); /* XXX */
+ id->death = death;
+ id->confirm = confirm;
+ TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+@@ -1157,7 +1176,7 @@
+ {
+ fprintf(stderr,
+ "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+- " [-t life] [command [arg ...]]\n"
++ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
+ " ssh-agent [-c | -s] -k\n");
+ exit(1);
+ }
+@@ -1191,7 +1210,7 @@
+ OpenSSL_add_all_algorithms();
+ #endif
+
+- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
+ switch (ch) {
+ case 'E':
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1206,6 +1225,11 @@
+ case 'k':
+ k_flag++;
+ break;
++ case 'P':
++ if (pkcs11_whitelist != NULL)
++ fatal("-P option already specified");
++ pkcs11_whitelist = xstrdup(optarg);
++ break;
+ case 's':
+ if (c_flag)
+ usage();
+@@ -1240,6 +1264,9 @@
+ if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
+ usage();
+
++ if (pkcs11_whitelist == NULL)
++ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
++
+ if (ac == 0 && !c_flag && !s_flag) {
+ shell = getenv("SHELL");
+ if (shell != NULL && (len = strlen(shell)) > 2 &&
+@@ -1385,7 +1412,7 @@
+ signal(SIGTERM, cleanup_handler);
+ nalloc = 0;
+
+- if (pledge("stdio cpath unix id proc exec", NULL) == -1)
++ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
+ fatal("%s: pledge: %s", __progname, strerror(errno));
+
+ while (1) {
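Review bot: Keys added in process_add_smartcard_key are now recorded with `id->provider = xstrdup(canonical_provider)`, but the patch does not touch the removal path, so a later remove request that names the module through a symlink or a relative path may no longer match the stored provider and the keys would stay loaded in the agent. If process_remove_smartcard_key (outside this hunk) compares the client-supplied string with id->provider, it should first resolve it with the same `realpath(provider, canonical_provider)` call. The new `-P` option appears only in usage(); ssh-agent.1 is not patched in this series, so the default list `/usr/lib/*,/usr/local/lib/*` is undocumented for users of this package.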
diff --git a/main/openssh/CVE-2016-10010.patch b/main/openssh/CVE-2016-10010.patch
new file mode 100644
index 0000000..7d3f45e
--- /dev/null
+++ b/main/openssh/CVE-2016-10010.patch
@@ -0,0 +1,29 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/serverloop.c.diff?r1=1.188&r2=1.189&sortby=date&f=h&f=u
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
+retrieving revision 1.188
+retrieving revision 1.189
+diff -u -r1.188 -r1.189
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -472,7 +472,7 @@
+
+ /* XXX fine grained permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+- !no_port_forwarding_flag) {
++ !no_port_forwarding_flag && use_privsep) {
+ c = channel_connect_to_path(target,
+ "direct-streamlocal@openssh.com", "direct-streamlocal");
+ } else {
+@@ -748,7 +749,7 @@
+
+ /* check permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+- || no_port_forwarding_flag) {
++ || no_port_forwarding_flag || !use_privsep) {
+ success = 0;
+ packet_send_debug("Server has disabled port forwarding.");
+ } else {
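Review bot: Neither changed condition says why `use_privsep` now gates streamlocal forwarding, and on the remote-forward side a server running without privilege separation answers with the generic `Server has disabled port forwarding.` debug message. A comment above each test, for example `/* Unix-domain socket forwarding needs privsep: without it the socket is handled with root privileges (CVE-2016-10010) */`, would keep a later rebase from dropping the extra term. The second inner hunk header reads `-748,7 +749,7` although the first inner hunk adds and removes the same number of lines, so the header is inconsistent; regenerating the patch against 7.2_p2 would remove the reliance on patch offsets. Both enclosing functions start and end outside the lines shown.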
diff --git a/main/openssh/CVE-2016-10011.patch b/main/openssh/CVE-2016-10011.patch
new file mode 100644
index 0000000..aea75f3
--- /dev/null
+++ b/main/openssh/CVE-2016-10011.patch
@@ -0,0 +1,37 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/authfile.c,v
+retrieving revision 1.121
+retrieving revision 1.122
+diff -u -r1.121 -r1.122
+--- a/authfile.c
++++ b/authfile.c
+@@ -98,13 +98,24 @@
+ u_char buf[1024];
+ size_t len;
+ struct stat st;
+- int r;
++ int r, dontmax = 0;
+
+ if (fstat(fd, &st) < 0)
+ return SSH_ERR_SYSTEM_ERROR;
+ if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
+ st.st_size > MAX_KEY_FILE_SIZE)
+ return SSH_ERR_INVALID_FORMAT;
++ /*
++ * Pre-allocate the buffer used for the key contents and clamp its
++ * maximum size. This ensures that key contents are never leaked via
++ * implicit realloc() in the sshbuf code.
++ */
++ if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
++ st.st_size = 64*1024; /* 64k should be enough for anyone :) */
++ dontmax = 1;
++ }
++ if (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0)
++ return r;
+ for (;;) {
+ if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
+ if (errno == EPIPE)
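Review bot: For a regular key file with a positive size, `dontmax` stays 0 and nothing between the fstat() checks and the read loop touches `blob`, so the buffer can still grow by reallocation while the key is read, which is the leak the added comment says is prevented. The comment speaks of pre-allocating the buffer, but no allocation call appears in the hunk; the upstream revision this is taken from appears to pair the clamp with `sshbuf_allocate()`, which 7.2_p2 may lack. Backporting that helper into sshbuf.c and writing `if ((r = sshbuf_allocate(blob, st.st_size)) != 0 || (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0)) return r;` would make the code match its comment. The enclosing function begins and ends outside the hunk.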
diff --git a/main/openssh/CVE-2016-10012-1.patch b/main/openssh/CVE-2016-10012-1.patch
new file mode 100644
index 0000000..4d228de
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-1.patch
@@ -0,0 +1,89 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/monitor.c,v
+retrieving revision 1.165
+retrieving revision 1.166
+diff -u -r1.165 -r1.166
+--- a/monitor.c
++++ b/monitor.c
+@@ -70,7 +70,6 @@
+ #include "misc.h"
+ #include "servconf.h"
+ #include "monitor.h"
+-#include "monitor_mm.h"
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+@@ -335,31 +334,6 @@
+ monitor_read(pmonitor, mon_dispatch, NULL);
+ }
+
+-void
+-monitor_sync(struct monitor *pmonitor)
+-{
+- if (options.compression) {
+- /* The member allocation is not visible, so sync it */
+- mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
+- }
+-}
+-
+-/* Allocation functions for zlib */
+-static void *
+-mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
+-{
+- if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size)
+- fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
+-
+- return mm_malloc(mm, size * ncount);
+-}
+-
+-static void
+-mm_zfree(struct mm_master *mm, void *address)
+-{
+- mm_free(mm, address);
+-}
+-
+ static int
+ monitor_read_log(struct monitor *pmonitor)
+ {
+@@ -1292,13 +1266,6 @@
+ kex->host_key_index=&get_hostkey_index;
+ kex->sign = sshd_hostkey_sign;
+ }
+-
+- /* Update with new address */
+- if (options.compression) {
+- ssh_packet_set_compress_hooks(ssh, pmonitor->m_zlib,
+- (ssh_packet_comp_alloc_func *)mm_zalloc,
+- (ssh_packet_comp_free_func *)mm_zfree);
+- }
+ }
+
+ /* This function requries careful sanity checking */
+@@ -1351,23 +1318,10 @@
+ struct monitor *
+ monitor_init(void)
+ {
+- struct ssh *ssh = active_state; /* XXX */
+ struct monitor *mon;
+
+ mon = xcalloc(1, sizeof(*mon));
+-
+ monitor_openfds(mon, 1);
+-
+- /* Used to share zlib space across processes */
+- if (options.compression) {
+- mon->m_zback = mm_create(NULL, MM_MEMSIZE);
+- mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
+-
+- /* Compression needs to share state across borders */
+- ssh_packet_set_compress_hooks(ssh, mon->m_zlib,
+- (ssh_packet_comp_alloc_func *)mm_zalloc,
+- (ssh_packet_comp_free_func *)mm_zfree);
+- }
+
+ return mon;
+ }
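Review bot: Nothing in this series changes how sshd treats a configuration that enables compression before authentication, while the hooks removed from monitor_init() and from the keystate code near old line 1292 were what placed zlib state in memory shared by the monitor and its child. If 7.2_p2 still accepts `Compression yes` and passes compression state across the privilege boundary (the packet code is not shown here, so this is inferred), that state would now sit in the child's private heap. Please confirm the option is rejected or treated as delayed compression, or add that change to the series. CVE-2016-10012-2.patch and CVE-2016-10012-3.patch depend on this removal and raise the same question.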
diff --git a/main/openssh/CVE-2016-10012-2.patch b/main/openssh/CVE-2016-10012-2.patch
new file mode 100644
index 0000000..4f462fb
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-2.patch
@@ -0,0 +1,33 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/monitor.h,v
+retrieving revision 1.19
+retrieving revision 1.20
+diff -u -r1.19 -r1.20
+--- a/monitor.h
++++ b/monitor.h
+@@ -58,21 +58,17 @@
+ MONITOR_REQ_TERM = 50,
+ };
+
+-struct mm_master;
+ struct monitor {
+ int m_recvfd;
+ int m_sendfd;
+ int m_log_recvfd;
+ int m_log_sendfd;
+- struct mm_master *m_zback;
+- struct mm_master *m_zlib;
+ struct kex **m_pkex;
+ pid_t m_pid;
+ };
+
+ struct monitor *monitor_init(void);
+ void monitor_reinit(struct monitor *);
+-void monitor_sync(struct monitor *);
+
+ struct Authctxt;
+ void monitor_child_preauth(struct Authctxt *, struct monitor *);
diff --git a/main/openssh/CVE-2016-10012-3.patch b/main/openssh/CVE-2016-10012-3.patch
new file mode 100644
index 0000000..423b56a
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-3.patch
@@ -0,0 +1,17 @@
+CVE-2016-10012 fix for openssh-7.2_p2
+Idea taken from patches:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20
+
+===================================================================
+--- a/sshd.c
++++ b/sshd.c
+@@ -683,8 +683,5 @@
+ ssh_sandbox_parent_preauth(box, pid);
+ monitor_child_preauth(authctxt, pmonitor);
+
+- /* Sync memory */
+- monitor_sync(pmonitor);
+-
+ /* Wait for the child's exit status */
+ while (waitpid(pid, &status, 0) < 0) {
--
2.6.6