[alpine-devel] [APK] Feature request - Changelog of updates

From: Olivier Mauras <>
Date: Thu, 03 Nov 2016 10:45:27 +0100


I already discussed this point with some of the team on IRC and the
conclusion has been to take it up the list.

Every major distribution includes a "changelog" option in their package
manager. This makes things very easy to list all the CVEs affecting your

For example "yum --changelog update" outputs something like that for
each package:

ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
* Mon Jun 6 14:00:00 2016 Daniel Veillard <> -
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat
<> (CVE-2016-1834)
- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup
<> (CVE-2016-1840)
- Bug 758588: Heap-based buffer overread in
<> (CVE-2016-1838)
- Bug 758605: Heap-based buffer overread in xmlDictAddString
<> (CVE-2016-1839)
- Bug 759398: Heap use-after-free in xmlDictComputeFastKey
<> (CVE-2016-1836)
- Fix inappropriate fetch of entities content (CVE-2016-4449)
- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral
- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
- Add missing increments of recursion depth counter to XML parser.
- Avoid building recursive entities (CVE-2016-3627)
- Fix some format string warnings with possible format string
vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability

As you can see, it's then fairly easy to parse the output to get a list
of the CVEs.

I'd love to see an "apk upgrade -s --changelog" option that would mimic
this behaviour. Ideally only the changelog between the installed version and
the available update should be displayed.

The questions are:
   - How to do it?
   - How to get the needed information?


Received on Thu Nov 03 2016 - 10:45:27 UTC
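As an added example (not part of the mail above, and not apk or yum code), here is how the "yum --changelog" style output quoted in the mail can be turned into a per-package CVE list, including the case where yum wraps an item so the CVE id lands on a continuation line. The sample input is constructed: the first package is taken from the quoted excerpt, the second is made up.

```python
import re

# Constructed sample in the layout of `yum --changelog update`: the first
# package is from the excerpt quoted in the mail, the second is made up.
SAMPLE = """\
ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
* Mon Jun 6 14:00:00 2016 Daniel Veillard <> -
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat
<> (CVE-2016-1834)
- Fix some format string warnings with possible format string
vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability

ChangeLog for: examplepkg-1.0-2.x86_64
* Tue Jun 7 14:00:00 2016 Example Maintainer <> -
- Fix something unrelated to security
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PKG_RE = re.compile(r"^ChangeLog for:\s*(\S+)")


def parse_changelog(text):
    """Return {package: [changelog items]}, re-joining wrapped item lines."""
    packages = {}
    current = None
    for line in (ln.rstrip() for ln in text.splitlines()):
        if not line:
            continue
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            packages.setdefault(current, [])
        elif current is None or line.startswith("* "):
            continue  # preamble or entry header (date/author): nothing to collect
        elif line.startswith("- "):
            packages[current].append(line[2:].strip())
        elif packages[current]:
            # yum wraps long items; a CVE id may sit on this continuation line
            packages[current][-1] += " " + line.strip()
    return packages


def cves_per_package(text):
    """Map each package to the sorted, de-duplicated CVE ids it references."""
    return {
        pkg: sorted({cve for item in items for cve in CVE_RE.findall(item)})
        for pkg, items in parse_changelog(text).items()
    }
```

Packages whose changelog names no CVE come back with an empty list, which is the case to inspect manually rather than treat as "no security fix".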