openSUSE Security Update: Security update for firejail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0037-1
Rating:             important
References:         #1195880 
Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for firejail fixes the following issues:

   - Update Leap 15.3 package to 0.9.68 (boo#1195880)

   update to firejail 0.9.68:

   - security: on Ubuntu, the PPA is now recommended over the distro package
   - (see README.md) (#4748)
   - security: bugfix: private-cwd leaks access to the entire filesystem
   - (#4780); reported by Hugo Osvaldo Barrera
   - feature: remove (some) environment variables with auth-tokens (#4157)
   - feature: ALLOW_TRAY condition (#4510 #4599)
   - feature: add basic Firejail support to AppArmor base abstraction (#3226
   - #4628)
   - feature: intrusion detection system (--ids-init, --ids-check)
   - feature: deterministic shutdown command (--deterministic-exit-code,
   - --deterministic-shutdown) (#928 #3042 #4635)
   - feature: noprinters command (#4607 #4827)
   - feature: network monitor (--nettrace)
   - feature: network locker (--netlock) (#4848)
   - feature: whitelist-ro profile command (#4740)
   - feature: disable pipewire with --nosound (#4855)
   - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
   - feature: Allow apostrophe in whitelist and blacklist (#4614)
   - feature: AppImage support in --build command (#4878)
   - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
   - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
   - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
   - modifs: nogroups now stopped causing certain system groups to be dropped,
   - which are now controlled by the relevant "no" options instead (such as
   - nosound -> drop audio group), which fixes device access issues on systems
   - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
   - removal: --disable-whitelist at compile time
   - removal: whitelist=yes/no in /etc/firejail/firejail.config
   - bugfix: Fix sndio support (#4362 #4365)
   - bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
   - bugfix: --build clears the environment (#4460 #4467)
   - bugfix: firejail hangs with net parameter (#3958 #4476)
   - bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
   - bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
   - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
   - bugfix: firejail symlinks are not skipped with private-bin + globs
     (#4626)
   - bugfix: Firejail rejects empty arguments (#4395)
   - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
   - bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
   - bugfix: private-etc does not work with symlinks (#4887)
   - bugfix: Hardware key not detected on keepassxc (#4883)
   - build: allow building with address sanitizer (#4594)
   - build: Stop linking pthread (#4695)
   - build: Configure cleanup and improvements (#4712)
   - ci: add profile checks for sorting disable-programs.inc and
   - firecfg.config and for the required arguments in private-etc (#2739
     #4643)
   - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
   - docs: Add new command checklist to CONTRIBUTING.md (#4413)
   - docs: Rework bug report issue template and add both a question and a
   - feature request template (#4479 #4515 #4561)
   - docs: fix contradictory descriptions of machine-id ("preserves" vs
   - "spoofs") (#4689)
   - docs: Document that private-bin and private-etc always accumulate (#4078)
   - new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
   - new includes: disable-proc.inc (#4521)
   - removed includes: disable-passwordmgr.inc (#4454 #4461)
   - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
   - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
   - new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
   - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
   - new profiles: imv, retroarch, torbrowser, CachyBrowser,
   - new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
   - new profiles: Seafile, neovim, com.github.tchx84.Flatseal

   firejail 0.9.66:

   * deprecated --audit options, relpaced by jailcheck utility
   * deprecated follow-symlink-as-user from firejail.config
   * new firejail.config settings: private-bin, private-etc
   * new firejail.config settings: private-opt, private-srv
   * new firejail.config settings: whitelist-disable-topdir
   * new firejail.config settings: seccomp-filter-add
   * removed kcmp syscall from seccomp default filter
   * rename --noautopulse to keep-config-pulse
   * filtering environment variables
   * zsh completion
   * command line: --mkdir, --mkfile
   * --protocol now accumulates
   * jailtest utility for testing running sandboxes
   * faccessat2 syscall support
   * --private-dev keeps /dev/input
   * added --noinput to disable /dev/input
   * add support for subdirs in --private-etc
   * subdirs support in private-etc
   * input devices support in private-dev, --no-input
   * support trailing comments on profile lines
   * many new profiles
   - split shell completion into standard subpackages


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-37=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      firejail-0.9.68-bp153.2.3.1


References:

   https://bugzilla.suse.com/1195880