Fedora 36: 2022-6ec78b2586 Moderate: Device-Mapper Multipath Attack Fix

November 10, 2022
This Fedora 36 update to device-mapper-multipath fixes a symlink attack and an authorization bypass in multipathd.
Security fix for CVE-2022-41973 and CVE-2022-41974

Summary

device-mapper-multipath provides tools to manage multipath devices by instructing the device-mapper multipath kernel module what to do.

The tools are:

* multipath - Scan the system for multipath devices and assemble them.
* multipathd - Detects when paths fail and execs multipath to update things.

Change Log

* Wed Oct 26 2022 Benjamin Marzinski - 0.8.7-9
- Add 0040-multipathd-ignore-duplicated-multipathd-command-keys.patch
  * Fixes bz #2137414
- Add 0041-multipath-tools-use-run-instead-of-dev-shm.patch
  * Fixes bz #2137416
- Resolves: bz #2137414, #2137416

* Tue Aug 23 2022 Benjamin Marzinski - 0.8.7-8.1
- Add 0038-multipathd-Add-missing-ctype-include.patch
- Add 0039-multipathd-replace-libreadline-with-libedit.patch
  * replace readline with libedit, to avoid license conflicts. readline
    is licensed GPL v3, and multipathd includes code licensed gpl v2
    only.
- Require libedit instead of readline

References

[ 1 ] Bug #2123894 - CVE-2022-41973 device-mapper-multipath: Symlink attack multipathd operates insecurely, as root, in /dev/shm (a sticky, world-writable directory similar to /tmp)
https://bugzilla.redhat.com/show_bug.cgi?id=2123894

[ 2 ] Bug #2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
https://bugzilla.redhat.com/show_bug.cgi?id=2133988

Update Instructions

Use su -c 'dnf upgrade --advisory FEDORA-2022-6ec78b2586' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
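
To confirm the update landed, the following added example (not part of the Fedora advisory) checks the installed build against the Version and Release listed on this page and looks for the two patches named in the 0.8.7-9 change log entry. The function names are hypothetical, and GNU sort -V is assumed to be an adequate stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example: verify that the fixed device-mapper-multipath build is installed.
FIXED_EVR="0.8.7-9.fc36"   # Version and Release taken from this advisory

# evr_ge A B: succeed if version-release A sorts at or after B.
# Assumption: `sort -V` approximates rpm's version comparison, which is
# adequate for builds within the same 0.8.7 series.
evr_ge() {
    [ "$1" = "$2" ] && return 0
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$2" ]
}

# changelog_has_fixes TEXT: succeed only if both patches listed in the
# 0.8.7-9 change log entry appear in the given changelog text.
changelog_has_fixes() {
    printf '%s\n' "$1" |
        grep -qF '0040-multipathd-ignore-duplicated-multipathd-command-keys.patch' &&
    printf '%s\n' "$1" |
        grep -qF '0041-multipath-tools-use-run-instead-of-dev-shm.patch'
}

# check_installed: query the local rpm database and print a verdict.
# Returns 0 if fixed, 1 if an update is needed, 2 if it cannot tell.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' device-mapper-multipath) || {
        echo "device-mapper-multipath is not installed"; return 2; }
    log=$(rpm -q --changelog device-mapper-multipath)
    if evr_ge "$evr" "$FIXED_EVR" && changelog_has_fixes "$log"; then
        echo "OK: $evr includes the fixes"
        return 0
    fi
    echo "UPDATE NEEDED: installed $evr, fixed build is $FIXED_EVR"
    return 1
}
```

Source the file and call check_installed on the Fedora 36 host; a non-zero return means the advisory still needs to be applied or the package could not be queried.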


Product: Fedora 36
Version: 0.8.7
Release: 9.fc36
Summary: Tools to manage multipath devices using device-mapper
