openSUSE Security Update: Security update for firejail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0037-1
Rating:             important
References:         #1195880 
Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for firejail fixes the following issues:

   - Update Leap 15.3 package to 0.9.68 (boo#1195880)

   update to firejail 0.9.68:

   - security: on Ubuntu, the PPA is now recommended over the distro package
     (see README.md) (#4748)
   - security: bugfix: private-cwd leaks access to the entire filesystem
     (#4780); reported by Hugo Osvaldo Barrera
   - feature: remove (some) environment variables with auth-tokens (#4157)
   - feature: ALLOW_TRAY condition (#4510 #4599)
   - feature: add basic Firejail support to AppArmor base abstraction (#3226
     #4628)
   - feature: intrusion detection system (--ids-init, --ids-check)
   - feature: deterministic shutdown command (--deterministic-exit-code,
     --deterministic-shutdown) (#928 #3042 #4635)
   - feature: noprinters command (#4607 #4827)
   - feature: network monitor (--nettrace)
   - feature: network locker (--netlock) (#4848)
   - feature: whitelist-ro profile command (#4740)
   - feature: disable pipewire with --nosound (#4855)
   - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
   - feature: Allow apostrophe in whitelist and blacklist (#4614)
   - feature: AppImage support in --build command (#4878)
   - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
   - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
   - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
   - modifs: nogroups no longer causes certain system groups to be dropped;
     these are now controlled by the relevant "no" options instead (such as
     nosound -> drop audio group), which fixes device access issues on systems
     not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
   - removal: --disable-whitelist at compile time
   - removal: whitelist=yes/no in /etc/firejail/firejail.config
   - bugfix: Fix sndio support (#4362 #4365)
   - bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
   - bugfix: --build clears the environment (#4460 #4467)
   - bugfix: firejail hangs with net parameter (#3958 #4476)
   - bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
   - bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
   - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
   - bugfix: firejail symlinks are not skipped with private-bin + globs
     (#4626)
   - bugfix: Firejail rejects empty arguments (#4395)
   - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
   - bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
   - bugfix: private-etc does not work with symlinks (#4887)
   - bugfix: Hardware key not detected on keepassxc (#4883)
   - build: allow building with address sanitizer (#4594)
   - build: Stop linking pthread (#4695)
   - build: Configure cleanup and improvements (#4712)
   - ci: add profile checks for sorting disable-programs.inc and
     firecfg.config and for the required arguments in private-etc (#2739
     #4643)
   - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
   - docs: Add new command checklist to CONTRIBUTING.md (#4413)
   - docs: Rework bug report issue template and add both a question and a
     feature request template (#4479 #4515 #4561)
   - docs: fix contradictory descriptions of machine-id ("preserves" vs
     "spoofs") (#4689)
   - docs: Document that private-bin and private-etc always accumulate (#4078)
   - new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
   - new includes: disable-proc.inc (#4521)
   - removed includes: disable-passwordmgr.inc (#4454 #4461)
   - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
   - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
   - new profiles: yt-dlp, goldendict, bundle, cmake
   - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
   - new profiles: imv, retroarch, torbrowser, CachyBrowser,
   - new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
   - new profiles: Seafile, neovim, com.github.tchx84.Flatseal

   firejail 0.9.66:

   * deprecated --audit options, replaced by jailcheck utility
   * deprecated follow-symlink-as-user from firejail.config
   * new firejail.config settings: private-bin, private-etc
   * new firejail.config settings: private-opt, private-srv
   * new firejail.config settings: whitelist-disable-topdir
   * new firejail.config settings: seccomp-filter-add
   * removed kcmp syscall from seccomp default filter
   * rename --noautopulse to --keep-config-pulse
   * filtering environment variables
   * zsh completion
   * command line: --mkdir, --mkfile
   * --protocol now accumulates
   * jailtest utility for testing running sandboxes
   * faccessat2 syscall support
   * --private-dev keeps /dev/input
   * added --noinput to disable /dev/input
   * add support for subdirs in --private-etc
   * support trailing comments on profile lines
   * many new profiles
   - split shell completion into standard subpackages


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-37=1
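   The patch command above installs the fixed build, and the changelog entry
   for private-cwd (#4780) is the security reason to do so, but the advisory
   leaves it to the reader to confirm that a given host actually runs a fixed
   version. The script below is an added example, not part of the openSUSE
   announcement or of the firejail project: it reads the installed version
   (from rpm on openSUSE, or from "firejail --version" where rpm is absent),
   compares it field by field against 0.9.68, and points at the patch command
   when the host is still on an older release. The function names, the
   assumption that 0.9.68 is the first release carrying the fix, and the
   assumed banner format "firejail version X.Y.Z" are mine.

```shell
#!/bin/sh
# Added example for this advisory; not part of the openSUSE announcement or
# of the firejail project. It answers the two questions an administrator has
# after reading the advisory: which firejail is installed on this host, and
# does it carry the private-cwd fix (boo#1195880 / upstream #4780)?

FIXED_VERSION="0.9.68"   # assumed: first upstream release with the fix

# version_ge A B: exit 0 when dotted version A is >= B, 1 otherwise.
# A release suffix such as "-bp153.2.3.1" is ignored; missing fields count
# as 0, so "0.9" < "0.9.68" while "0.10" > "0.9.68".
version_ge() {
    a=${1%%-*}
    b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# installed_version: print the installed firejail version, or exit 1 if
# firejail cannot be found. openSUSE is rpm based, so rpm is asked first;
# elsewhere the binary's banner is parsed (assumed first line:
# "firejail version X.Y.Z").
installed_version() {
    v=$(rpm -q --qf '%{VERSION}' firejail 2>/dev/null) && [ -n "$v" ] && {
        printf '%s\n' "$v"
        return 0
    }
    v=$(firejail --version 2>/dev/null | sed -n '1s/^firejail version //p') \
        && [ -n "$v" ] && {
        printf '%s\n' "$v"
        return 0
    }
    return 1
}

# fix_status VERSION: exit 0 if VERSION carries the fix, 1 if it predates it.
fix_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "firejail $1: at or above $FIXED_VERSION, private-cwd fix present"
        return 0
    fi
    echo "firejail $1: older than $FIXED_VERSION, private-cwd leak (#4780) unfixed"
    echo "  openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-37=1"
    return 1
}

# Run the check. The result is reported on stdout rather than as the exit
# status so the file can also be sourced for its functions by a caller that
# runs under 'set -e'.
if v=$(installed_version); then
    fix_status "$v" || :
else
    echo "firejail is not installed on this host (nothing to patch)"
fi
```

   On openSUSE the same question can also be put to the package manager with
   "zypper info -t patch openSUSE-2022-37", which reports the status of the
   patch itself; the script above is useful where no such patch record exists,
   for instance on a host that received firejail from another source.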



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      firejail-0.9.68-bp153.2.3.1


References:

   https://bugzilla.suse.com/1195880

openSUSE: 2022:0037-1 important: firejail

February 16, 2022