--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-6ec78b2586
2022-11-10 16:17:54.575869
--------------------------------------------------------------------------------

Name        : device-mapper-multipath
Product     : Fedora 36
Version     : 0.8.7
Release     : 9.fc36
URL         : http://christophe.varoqui.free.fr/
Summary     : Tools to manage multipath devices using device-mapper
Description :
device-mapper-multipath provides tools to manage multipath devices by
instructing the device-mapper multipath kernel module what to do.
The tools are :
* multipath - Scan the system for multipath devices and assemble them.
* multipathd - Detects when paths fail and execs multipath to update things.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2022-41973 and CVE-2022-41974
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 26 2022 Benjamin Marzinski - 0.8.7-9
- Add 0040-multipathd-ignore-duplicated-multipathd-command-keys.patch
  * Fixes bz #2137414
- Add 0041-multipath-tools-use-run-instead-of-dev-shm.patch
  * Fixes bz #2137416
- Resolves: bz #2137414, #2137416
* Tue Aug 23 2022 Benjamin Marzinski - 0.8.7-8.1
- Add 0038-multipathd-Add-missing-ctype-include.patch
- Add 0039-multipathd-replace-libreadline-with-libedit.patch
  * replace readline with libedit, to avoid license conflicts. readline
    is licensed GPL v3, and multipathd includes code licensed gpl v2
    only.
- Require libedit instead of readline
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123894 - CVE-2022-41973 device-mapper-multipath: Symlink attack multipathd operates insecurely, as root, in /dev/shm (a sticky, world-writable directory similar to /tmp)
        https://bugzilla.redhat.com/show_bug.cgi?id=2123894
  [ 2 ] Bug #2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
        https://bugzilla.redhat.com/show_bug.cgi?id=2133988
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-6ec78b2586' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
