Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

SUSE: 2021:1094-1 Important Flatpak DoS Risk Security Update

suse
Calendar Grey April 7, 2021
Scroller Suse
Urgent security patch for SUSE targeting a sandbox breach flaw within flatpak and associated components.
An update that solves one vulnerability, contains one feature and has three fixes is now available

Summary

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues: libostree: Update to version 2020.8 - Enable LTO. (bsc#1133120) - This update contains scalability improvements and bugfixes. - Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile. - Summaries and delta have been reworked to allow more fine-grained fetching. - Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures. - Static deltas can now be signed to more easily support offline verification. - There's now support for multiple initramfs images; Is it possible to have a "main" initramfs image and a secondary one which represents local configuration.

References

#1133120 #1133124 #1175899 #1180996 SLE-7171

Cross- CVE-2021-21261

CVSS scores:

CVE-2021-21261 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-21261 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Affected Products:

SUSE Linux Enterprise Module for Desktop Applications 15-SP2

SUSE Linux Enterprise Module for Basesystem 15-SP2

https://www.suse.com/security/cve/CVE-2021-21261.html

https://bugzilla.suse.com/1133120

https://bugzilla.suse.com/1133124

https://bugzilla.suse.com/1175899

https://bugzilla.suse.com/1180996

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2021:1094-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.