openSUSE Security Update: Security update for firejail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0271-1
Rating:             important
References:         #1181990 
Cross-References:   CVE-2020-17367 CVE-2020-17368 CVE-2021-26910
                   
CVSS scores:
                    CVE-2020-17367 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-17368 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for firejail fixes the following issues:

   firejail 0.9.64.4 is shipped to openSUSE Leap 15.2

   - CVE-2021-26910: Fixed root privilege escalation due to race condition
     (boo#1181990)

   Update to 0.9.64.4:

   * disabled overlayfs, pending multiple fixes
   * fixed launch firefox for open url in telegram-desktop.profile

   Update to 0.9.64.2:

   * allow --tmpfs inside $HOME for unprivileged users   * --disable-usertmpfs compile time option
   * allow AF_BLUETOOTH via --protocol=bluetooth
   * setup guide for new users: contrib/firejail-welcome.sh
   * implement netns in profiles
   * added nolocal6.net IPv6 network filter
   * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer,
     gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer,
     straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker,
     yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview,
     pkglog, kdiff3, CoyIM.

   Update to version 0.9.64:

   * replaced --nowrap option with --wrap in firemon
   * The blocking action of seccomp filters has been changed from killing the
     process to returning EPERM to the caller. To get the previous behaviour,
     use --seccomp-error-action=kill or syscall:kill syntax when constructing
     filters, or override in /etc/firejail/firejail.config file.
   * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must
     be installed, if not D-Bus access will be allowed. With this version
     nodbus is deprecated, in favor of dbus-user none and dbus-system none
     and will be removed in a future version.
   * DHCP client support
   * firecfg only fix dektop-files if started with sudo
   * SELinux labeling support
   * custom 32-bit seccomp filter support
   * restrict ${RUNUSER} in several profiles
   * blacklist shells such as bash in several profiles
   * whitelist globbing
   * mkdir and mkfile support for /run/user directory
   * support ignore for include
   * --include on the command line
   * splitting up media players whitelists in whitelist-players.inc
   * new condition: HAS_NOSOUND
   * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
   * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
   * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
   * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl,
     mutool
   * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
   * new profiles: presentations18, presentations18free, textmaker18, teams
   * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
   * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
   * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
   * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
   * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
   * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
   * new profiles: gnome-tetravex, blobwars,
     gravity-beams-and-evaporating-stars   * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
   * new profiles: mirrormagic, mrrescue, scorched3d-wrapper,
     scorchwentbonkers   * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
   * new profiles: swell-foop, fdns, five-or-more, steam-runtime
   * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
   * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher,
     xonotic-sdl-wrapper
   * new profiles: gapplication, openarena_ded, element-desktop, cawbird
   * new profiles: freetube, strawberry, jitsi-meet-desktop
   * new profiles: homebank, mattermost-desktop, newsflash,
     com.gitlab.newsflash
   * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer,
     lyx
   * new profiles: minitube, nuclear, mtpaint, minecraft-launcher,
     gnome-calendar
   * new profiles: vmware, git-cola, otter-browser, kazam, menulibre,
     musictube
   * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
   * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
   * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
   * new profiles: qrencode, ytmdesktop, twitch
   * new profiles: xournalpp, chromium-freeworld, equalx

   - Make the AppArmor profile compatible with AppArmor 3.0 (add missing
     include )

   Update to 0.9.62.4

   * fix AppArmor broken in the previous release
   * miscellaneous fixes

   Update to 0.9.62.2

   * fix CVE-2020-17367
   * fix CVE-2020-17368


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-271=1



Package List:

   - openSUSE Leap 15.2 (x86_64):

      firejail-0.9.64.4-lp152.3.6.1
      firejail-debuginfo-0.9.64.4-lp152.3.6.1
      firejail-debugsource-0.9.64.4-lp152.3.6.1


References:

   https://www.suse.com/security/cve/CVE-2020-17367.html
   https://www.suse.com/security/cve/CVE-2020-17368.html
   https://www.suse.com/security/cve/CVE-2021-26910.html
   https://bugzilla.suse.com/1181990

openSUSE: 2021:0271-1 important: firejail

February 10, 2021
An update that fixes three vulnerabilities is now available

Description

This update for firejail fixes the following issues: firejail 0.9.64.4 is shipped to openSUSE Leap 15.2 - CVE-2021-26910: Fixed root privilege escalation due to race condition (boo#1181990) Update to 0.9.64.4: * disabled overlayfs, pending multiple fixes * fixed launch firefox for open url in telegram-desktop.profile Update to 0.9.64.2: * allow --tmpfs inside $HOME for unprivileged users * --disable-usertmpfs compile time option * allow AF_BLUETOOTH via --protocol=bluetooth * setup guide for new users: contrib/firejail-welcome.sh * implement netns in profiles * added nolocal6.net IPv6 network filter * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM. Update to version 0.9.64: * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file. * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version. * DHCP client support * firecfg only fix dektop-files if started with sudo * SELinux labeling support * custom 32-bit seccomp filter support * restrict ${RUNUSER} in several profiles * blacklist shells such as bash in several profiles * whitelist globbing * mkdir and mkfile support for /run/user directory * support ignore for include * --include on the command line * splitting up media players whitelists in whitelist-players.inc * new condition: HAS_NOSOUND * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool * new profiles: desktopeditors, impressive, planmaker18, planmaker18free * new profiles: presentations18, presentations18free, textmaker18, teams * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski * new profiles: swell-foop, fdns, five-or-more, steam-runtime * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper * new profiles: gapplication, openarena_ded, element-desktop, cawbird * new profiles: freetube, strawberry, jitsi-meet-desktop * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send * new profiles: qrencode, ytmdesktop, twitch * new profiles: xournalpp, chromium-freeworld, equalx - Make the AppArmor profile compatible with AppArmor 3.0 (add missing include ) Update to 0.9.62.4 * fix AppArmor broken in the previous release * miscellaneous fixes Update to 0.9.62.2 * fix CVE-2020-17367 * fix CVE-2020-17368

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-271=1


Package List

- openSUSE Leap 15.2 (x86_64): firejail-0.9.64.4-lp152.3.6.1 firejail-debuginfo-0.9.64.4-lp152.3.6.1 firejail-debugsource-0.9.64.4-lp152.3.6.1


References

https://www.suse.com/security/cve/CVE-2020-17367.html https://www.suse.com/security/cve/CVE-2020-17368.html https://www.suse.com/security/cve/CVE-2021-26910.html https://bugzilla.suse.com/1181990


Severity
Announcement ID: openSUSE-SU-2021:0271-1
Rating: important
Affected Products: openSUSE Leap 15.2 .

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved