Fedora 36: device-mapper-multipath 2022-6ec78b2586 | LinuxSecurity.com
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-6ec78b2586
2022-11-10 16:17:54.575869
--------------------------------------------------------------------------------

Name        : device-mapper-multipath
Product     : Fedora 36
Version     : 0.8.7
Release     : 9.fc36
URL         : https://christophe.varoqui.free.fr/
Summary     : Tools to manage multipath devices using device-mapper
Description :
device-mapper-multipath provides tools to manage multipath devices by
instructing the device-mapper multipath kernel module what to do.
The tools are:
* multipath - Scan the system for multipath devices and assemble them.
* multipathd - Detects when paths fail and execs multipath to update things.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2022-41973 and CVE-2022-41974
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 26 2022 Benjamin Marzinski - 0.8.7-9
- Add 0040-multipathd-ignore-duplicated-multipathd-command-keys.patch
  * Fixes bz #2137414
- Add 0041-multipath-tools-use-run-instead-of-dev-shm.patch
  * Fixes bz #2137416
- Resolves: bz #2137414, #2137416
* Tue Aug 23 2022 Benjamin Marzinski - 0.8.7-8.1
- Add 0038-multipathd-Add-missing-ctype-include.patch
- Add 0039-multipathd-replace-libreadline-with-libedit.patch
  * replace readline with libedit, to avoid license conflicts. readline
    is licensed GPL v3, and multipathd includes code licensed GPL v2
    only.
- Require libedit instead of readline
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123894 - CVE-2022-41973 device-mapper-multipath: Symlink attack multipathd operates insecurely, as root, in /dev/shm (a sticky, world-writable directory similar to /tmp)
        https://bugzilla.redhat.com/show_bug.cgi?id=2123894
  [ 2 ] Bug #2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
        https://bugzilla.redhat.com/show_bug.cgi?id=2133988
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-6ec78b2586' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
