[Security] Wvdial depends on wvstreams which itself depends on unmaintained and vulnerable openssl-1.0

wvdial depends on wvstreams which itself depends on unmaintained and vulnerable openssl-1.0.

wvdial seems still to be in base install: https://github.com/endeavouros-team/EndeavourOS-packages-lists/blob/master/eos-base-group.

Partly archlinux.org themselves are to blame because they still offer the unmaintained openssl-1.0 core package.

1 Like

@joekamprad, what is the eos-base-group actually used for?

I don’t think think the installer uses it and wvdial isn’t present on the ISO.

for nothing, it is for reinstalling purposes only.

1 Like

but the packages list there is outdated i will go to update them :wink:
@dfhdfhbdrtzbrtzrt thanks for the hint.

1 Like



Thanks for removing it.

I see it was removed here, maybe that’s where the base install comes from.

wvdial was part of my ISO installation because it is/was part of the base install:

$ grep -i wvdial /var/log/pacman.log
[PACMAN] Running 'pacman -S --needed --noconfirm base-devel linux-firmware linux-headers lsb-release mkinitcpio-openswap python libwnck3 xf86-input-libinput xf86-video-fbdev xf86-video-vesa xorg-server xorg-xinit xorg-xinput xorg-xkill xorg-xrandr xf86-video-amdgpu xf86-video-ati xf86-video-intel b43-fwcutter broadcom-wl-dkms dhclient dialog dnsmasq dnsutils ethtool gnu-netcat ipw2100-fw ipw2200-fw iwd linux-atm modemmanager ndisc6 netctl net-tools networkmanager networkmanager-openvpn nss-mdns ntfs-3g openconnect openvpn ppp pptpclient r8168 rp-pppoe usb_modeswitch vpnc whois wireless-regdb wireless_tools wpa_supplicant wvdial xl2tpd downgrade pacman-contrib rebuild-detector reflector yay accountsservice bash-completion ffmpegthumbnailer freetype2 gst-libav gst-plugin-pipewire gst-plugins-bad gst-plugins-ugly libdvdcss libgsf libopenraw mlocate poppler-glib xdg-user-dirs xdg-utils haveged smartmontools solid adobe-source-han-sans-cn-fonts adobe-source-han-sans-jp-fonts adobe-source-han-sans-kr-fonts cantarell-fonts noto-fonts opendesktop-fonts ttf-bitstream-vera ttf-dejavu ttf-liberation ttf-opensans alsa-firmware alsa-plugins alsa-utils paprefs pavucontrol pulseaudio amd-ucode dosfstools efibootmgr intel-ucode mtools sof-firmware tlp upower endeavouros-theming eos-apps-info eos-hooks eos-log-tool eos-rankmirrors eos-update-notifier grub-tools keyserver-rank reflector-simple welcome yad-eos duf firefox glances hwinfo inxi meld neofetch python-defusedxml s-tui tldr wget arc-gtk-theme-eos arc-gtk-theme-eos arc-x-icons-theme arc-x-icons-theme celluloid cinnamon cinnamon-translations file-roller gnome-calculator gnome-screenshot gnome-system-monitor gnome-terminal gthumb gvfs gvfs-afc gvfs-gphoto2 gvfs-mtp gvfs-nfs gvfs-smb lightdm lightdm-gtk-greeter lightdm-gtk-greeter-settings nemo-fileroller nemo-image-converter nemo-preview nemo-share x-apps xdg-user-dirs-gtk cups cups-filters cups-pdf foomatic-db foomatic-db-engine foomatic-db-gutenprint-ppds foomatic-db-nonfree foomatic-db-nonfree-ppds foomatic-db-ppds ghostscript gsfonts gutenprint splix system-config-printer hplip python-pyqt5 python-reportlab xsane'

and as such is present on everyone’s system. Maybe, if possible, you should provide an update which removes it/openssl-1.0 from everyone’s system.

It will certainly be present on systems which had it in the original install and didn’t deselect it or remove it.

We don’t generally modify peoples systems intrusively like that. It isn’t up to us to decide who should and shouldn’t use a certain package.

It isn’t up to us to decide who should and shouldn’t use a certain package.

Weird you say this because you installed wvdial on everyone’s system. I understand what you mean but I still think you should at least somehow notify your users and I still think removing or updating this package would be the right thing to do.

That isn’t really the same thing. The person opted to install EndeavourOS expecting that we would install many packages. Arbitrarily removing a package from someone’s system is totally different.

Yes, notification is a good idea.

Since it is a package coming from Arch, there isn’t much we can do about that.

EDIT: I probably should add that I am just sharing my personal opinions here. The team, as a whole, can certainly make different decisions.

Notification about such changes, or after community reports would be great indeed.

And I agree with @dalto that we can not remove package from installed systems, basically EndeavourOS provides an install tool.

We do not maintain installed systems, aside from providing help and helper tools for managing package updates.

But we do work together with the users and we need the help of the community to get information about issues in all matters :wink:

1 Like

indeed I removed it after see that it is not needed anymore, and users reporting that it bring in old openssl… it was a dependency for the ArchIso before, as far as I remember.

https://archlinux.org/packages/multilib/x86_64/steam-native-runtime/ p.e. also depending on this…