Explore top 10 tips to secure your open-source projects now. Read More
×
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2024-5291 http://linux.oracle.com/errata/ELSA-2024-5291.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: grafana-9.2.10-17.el8_10.x86_64.rpm grafana-selinux-9.2.10-17.el8_10.x86_64.rpm aarch64: grafana-9.2.10-17.el8_10.aarch64.rpm grafana-selinux-9.2.10-17.el8_10.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates//grafana-9.2.10-17.el8_10.src.rpm Related CVEs: CVE-2024-24788 CVE-2024-24789 CVE-2024-24790 Description of changes: [9.2.10-17] - Allow for mssql datasource in selinux policy - Resolves RHEL-43435 _______________________________________________ El-errata mailing list
Update to 2.54.3. Cherry pick misc SELinux policy fixes. Fixes for CVE-2021-44731, CVE-2021-44730, CVE-2021-4120.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-5df8b52ba4 2022-02-20 01:08:12.119349 --------------------------------------------------------------------------------Name : snapd Product : Fedora 35 Version : 2.54.3 Release : 1.fc35 URL : https://github.com/canonical/snapd Summary : A transactional software package manager Description : Snappy is a modern, cross-distribution, transactional package manager designed for working with self-contained, immutable packages. --------------------------------------------------------------------------------Update Information: Update to 2.54.3. Cherry pick misc SELinux policy fixes. Fixes for CVE-2021-44731, CVE-2021-44730, CVE-2021-4120. --------------------------------------------------------------------------------ChangeLog: * Thu Feb 17 2022 Maciek Borzecki - 2.54.3-1 - Release 2.54.3 to Fedora - Cherry pick SELinux policy fixes for RHBZ#1944390, RHBZ#2043160, RHBZ#2043161, RHBZ#2046358, RHBZ#2046363, RHBZ#2046361, RHBZ#2046364, RHBZ#2046365, RHBZ#2051594, RHBZ#2043902, RHBZ#1944390 * Tue Feb 15 2022 Michael Vogt - New upstream release 2.54.3 - bugfixes --------------------------------------------------------------------------------References: [ 1 ] Bug #2056058 - CVE-2021-44731 snapd: Race condition in snap-confine's setup_private_mount() https://bugzilla.redhat.com/show_bug.cgi?id=2056058 [ 2 ] Bug #2056061 - CVE-2021-44730 snapd: Hardlink attack in snap-confine's sc_open_snapd_tool() https://bugzilla.redhat.com/show_bug.cgi?id=2056061 [ 3 ] Bug #2056065 - CVE-2021-4120 snapd: Insufficient validation of snap content interface and layout paths https://bugzilla.redhat.com/show_bug.cgi?id=2056065 --------------------------------------------------------------------------------Thisupdate can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-5df8b52ba4' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing) (CVE-2018-1063). . MGASA-2021-0032 - Updated policycoreutils packages fix a security vulnerability Publication date: 17 Jan 2021 URL: https://advisories.mageia.org/MGASA-2021-0032.html Type: security Affected Mageia releases: 7 CVE: CVE-2018-1063 Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing) (CVE-2018-1063). References: - https://bugs.mageia.org/show_bug.cgi?id=22890 - https://access.redhat.com/errata/RHSA-2018:0913 - https://www.cve.org/CVERecord?id=CVE-2018-1063 SRPMS: - 7/core/policycoreutils-2.5-14.1.mga7 . Mageia 2021-0045 fixes a security flaw related to improper handling of memory in the kernel. Continue reading for further information.. Mageia Security Advisory, SELinux Context, Policycoreutils Update. . Severity: Critical. LinuxSecurity.com Team
An update for runc is now available for Red Hat OpenShift Container Platform 4.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.2 runc security update Advisory ID: RHSA-2019:4074-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2019:4074 Issue date: 2019-12-03 CVE Names: CVE-2019-16884 ==================================================================== 1. Summary: An update for runc is now available for Red Hat OpenShift Container Platform 4.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.2 - x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the runc RPM package for Red Hat OpenShift Container Platform 4.2.9. The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides a container runtime. Security Fix(es): * runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc (CVE-2019-16884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.2 see the following documentation, which will be updated shortlyfor release 4.2.9, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/openshift_container_platform/4.2/html/release_notes/ocp-4-2-release-notes Details on how to access this content are available at - -cli.html. 5. Bugs fixed (https://bugzilla.redhat.com/): 1757214 - CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc 6. Package List: Red Hat OpenShift Container Platform 4.2: Source: runc-1.0.0-63.rc8.el8.src.rpm x86_64: runc-1.0.0-63.rc8.el8.x86_64.rpm runc-debuginfo-1.0.0-63.rc8.el8.x86_64.rpm runc-debugsource-1.0.0-63.rc8.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2019-16884 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXebOP9zjgjWX9erEAQiRbBAAmnkcx9NyiCrPQujU3aA1UKX0STZ58q9r gIrqnYHCk1YbZBttq2qgxEog9yw77+29EZo6hf4itjD2FE1Clk6XJTJRv6B36j9o B3GTF4jAOBcl9OxehKSSRJOEHlMxown24wyD3YSvGET85phmxb/OvRZP9GQoPQRw evYCjNszkgjmPeBrL17nIC5aQvsuHr07ErINF7uXy6q/spDaoMMjYLsGb9CEETGi lEpnjRmdCRAPkL+EGpQX4Sx6Bqyf/sIoczFxt6+l86Fu2r6ompVkWo/4MPiE1YI8 2fon1uPBfxOeL66xGyhhzbO+Y1kU2p4wEwRW8fRKNEgnWEJZS0jUm2j44GzmwVaO ZQbbdLw6Bc6PT38R7W3UqGAolSfF6MwQdcYvzDBDsmXJiMbNsjKuyLd8Zgr5/GJ1 CDCMNaPdqUJ6o92TAggVr5Vqx6HPpx9hrrGpyy4EY0Wz1lqpqzW2h7bdJeSNktSb m6jOsiLOvrxz6ecyP3FayGtPV9gASsRc/EXrufIExi87YKrK/P8PFv3LSBFasm2y G7Izevx4GCnik0HJybfzya16Q6VAUOP1OXlLRKUIuxC9wfEGgWUvcydHEm8tlxyv WnxvFZGEFGVH/ieZYF4D/IzgrseAguJHPZojVDCCzKOqCVNtp7LkVBK5a+bOvwPS Lrz6NUyONRM=TC9T -----END PGP SIGNATURE----- -- RHSA-announce mailing list
CVE-2018-10906 This is a fix for a restriction bypass of the "allow_other" option when SELinux is active. . Package : fuse Version : 2.9.3-15+deb8u3 CVE ID : CVE-2018-10906 CVE-2018-10906 This is a fix for a restriction bypass of the "allow_other" option when SELinux is active. For Debian 8 "Jessie", this problem has been fixed in version 2.9.3-15+deb8u3. We recommend that you upgrade your fuse packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . This announcement resolves an issue concerning the evasion of limitations associated with the allow_other flag in SELinux within the fuse component of Debian.. Debian Fuse Update, SELinux Security Fix, Security Advisory DLA-1468-1. . Severity: Critical. LinuxSecurity.com Team
Low: selinux-policy enhancement update. Date: Tue, 11 Sep 2012 08:47:10 -0500 Reply-To: Pat Riehecky Sender: Security Errata for Scientific Linux From: Pat Riehecky Organization: Fermilab Subject: FASTBUGS for SL 5x i386, x86_64 now available MIME-Version: 1.0 The following FASTBUGS have been uploadedto i386: cyrus-sasl-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-devel-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-gssapi-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-ldap-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-md5-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-ntlm-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-plain-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-sql-2.1.22-7.el5_8.1.i386.rpm gimp-2.2.13-2.0.10.el5.i386.rpm gimp-devel-2.2.13-2.0.10.el5.i386.rpm gimp-libs-2.2.13-2.0.10.el5.i386.rpm gnome-session-2.16.0-10.el5.i386.rpm ipsec-tools-0.6.5-14.el5_8.5.i386.rpm logwatch-7.3-10.el5.noarch.rpm rgmanager-2.0.52-28.el5_8.4.i386.rpm sysstat-7.0.2-12.el5.i386.rpm x86_64: cyrus-sasl-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-devel-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-devel-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-gssapi-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-gssapi-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-ldap-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-ldap-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-lib-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-md5-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-md5-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-ntlm-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-ntlm-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-plain-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-plain-2.1.22-7.el5_8.1.x86_64.rpm cyrus-sasl-sql-2.1.22-7.el5_8.1.i386.rpm cyrus-sasl-sql-2.1.22-7.el5_8.1.x86_64.rpm gimp-2.2.13-2.0.10.el5.x86_64.rpm gimp-devel-2.2.13-2.0.10.el5.i386.rpm gimp-devel-2.2.13-2.0.10.el5.x86_64.rpm gimp-libs-2.2.13-2.0.10.el5.i386.rpm gimp-libs-2.2.13-2.0.10.el5.x86_64.rpm gnome-session-2.16.0-10.el5.x86_64.rpm ipsec-tools-0.6.5-14.el5_8.5.x86_64.rpm logwatch-7.3-10.el5.noarch.rpm rgmanager-2.0.52-28.el5_8.4.x86_64.rpm sysstat-7.0.2-12.el5.x86_64.rpm Date: Tue, 11 Sep 2012 08:50:55 -0500 Reply-To: Pat Riehecky Sender: Security Errata for Scientific Linux From: Pat Riehecky Organization: Fermilab Subject: Security ERRATA Low:selinux-policy enhancement update on SL5.x, SL6.x i386/x86_64 MIME-Version: 1.0 Synopsis: Low: selinux-policy enhancement update Issue date: 2012-09-11 This update adds the following enhancements: * Previously, with the MLS policy activated, a user created with a MLS level was not able to log into the system using the ssh utility because an appropriate MLS policy rule was missing. This update adds the MLS rule and users can now log into the system as expected in the described scenario. * When OpenMPI (Open Message Passing Interface) was configured to use the parallel universe environment in the Condor server, a large number of AVC messages was returned when an OpenMPI job was submitted. Consequently, the job failed. This update fixes the appropriate SELinux policy and OpenMPI jobs now pass successfully and no longer cause AVC messages to be returned. This update has been placed in the security tree to avoid selinux bugs. SL6.x SRPMS: selinux-policy-3.7.19-155.el6_3.4.src.rpm i386: selinux-policy-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-doc-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-minimum-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-mls-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-targeted-3.7.19-155.el6_3.4.noarch.rpm x86_64: selinux-policy-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-doc-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-minimum-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-mls-3.7.19-155.el6_3.4.noarch.rpm selinux-policy-targeted-3.7.19-155.el6_3.4.noarch.rpm . Date: Tue, 11 Sep 2012 08:47:10 -0500 Reply-To: Pat Riehecky Sender: Security Errata for Scientific . selinux-policy, enhancement, update, reply-to, riehecky. . Severity: Low. LinuxSecurity.com Team
Some of the updates are, Allow nmbd to list inotifyfs_t, Dontaudit consolekit access to user homedir, dontaudit nscd getserv and shmemserv, Allow rsync_t dac overrides, Allow xfs_t to listen to sockets, Allow lvm to search mnt, Add booleans for xguest account.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2007-3547 2007-11-29 01:48:17.783142 --------------------------------------------------------------------------------Name : selinux-policy Product : Fedora 8 Version : 3.0.8 Release : 58.fc8 URL : Summary : SELinux policy configuration Description : SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2393. --------------------------------------------------------------------------------ChangeLog: * Fri Nov 16 2007 Dan Walsh 3.0.8-58 - Allow nmbd to list inotifyfs_t - Dontaudit consolekit access to user homedir - dontaudit nscd getserv and shmemserv - Allow rsync_t dac overrides - Allow xfs_t to listen to sockets * Fri Nov 16 2007 Dan Walsh 3.0.8-57 - Allow lvm to search mnt - Add booleans for xguest account xguest_mount_media xguest_connect_network xguest_use_bluetooth * Thu Nov 15 2007 Dan Walsh 3.0.8-56 - Remove /usr/sbin/gdm label - Label gstreamer codecs in homedir as textrel_shlib_t * Wed Nov 14 2007 Dan Walsh 3.0.8-55 - Allow spamd to manage razor files * Mon Nov 12 2007 Dan Walsh 3.0.8-54 - Allow cyrus to authenticate via sasl - Allow sshd to work in tunnel mode - Allow sshd to use -R - Allow ssh to read user homedirs - Add /var/lib/tftp to tftp.fc - Add labels for /dev/dmmdi and /dev/admmdi - Allow postmap to be run by unconfined_t - Allow dictd to write pid file - Allow bluetooth to connectto unix_stream_sockets * Mon Nov 12 2007 Dan Walsh 3.0.8-53 - Allow bugzilla policy to connect to postgresql and mysql on other machines * Mon Nov 12 2007 Dan Walsh 3.0.8-52 - Allow apache to readunconfined users content * Sat Nov 10 2007 Dan Walsh 3.0.8-51 - Allow login programs to run mount - Dontaudit writes to user_home_t for semanage - Allow sendmail to write to cyrus_stream - Define /dev/dmmidi1 as a sound_device_t - Allow saslauthd to use nis_authentication * Fri Nov 9 2007 Dan Walsh 3.0.8-50 - Allow login programs to delete user temp files * Thu Nov 8 2007 Dan Walsh 3.0.8-49 - Separate xguest from guest - Allow confined domains to output to rpm pipes * Wed Nov 7 2007 Dan Walsh 3.0.8-48 - Add obsoletes selinux-policy-strict - Run inetd unconfined - dontaudit loadkeys looking at homedir * Tue Nov 6 2007 Dan Walsh 3.0.8-47 - Allow all dns_resolves to use avahi stream - Don't transition from unconfined_t to ping_t * Tue Nov 6 2007 Dan Walsh 3.0.8-46 - Allow sendmail to interact with winbind - Allow dovecot to write log files * Fri Nov 2 2007 Dan Walsh 3.0.8-45 - Allow system_mail_t to domtrans to exim_t --------------------------------------------------------------------------------Updated packages: e301b608c32fd3468b1be5cacb7a5779851ab38f selinux-policy-mls-3.0.8-58.fc8.noarch.rpm 0cfd8add130581f1a5871f1b00486b742eba2222 selinux-policy-devel-3.0.8-58.fc8.noarch.rpm de6c03233d228c2d88498236b4c13746919154a0 selinux-policy-targeted-3.0.8-58.fc8.noarch.rpm cb5cc93fd932af2175c8a20f6c66a4cd2ec9a5c7 selinux-policy-3.0.8-58.fc8.noarch.rpm e246ba5e11336b8cfee322fcb08028e6a8a2d776 selinux-policy-3.0.8-58.fc8.src.rpm This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at . --------------------------------------------------------------------------------_______________________________________________ Fedora-package-announce mailing list
Update SELinux policy to current rawhide to fix many policy problems. ---------------------------------------------------------------------Fedora Update Notification FEDORA-2006-271 2006-04-11 ---------------------------------------------------------------------Product : Fedora Core 5 Name : checkpolicy Version : 1.30.3 Release : 1.fc5 Summary : SELinux policy compiler Description : Security-enhanced Linux is a feature of the Linux® kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security. This package contains checkpolicy, the SELinux policy compiler. Only required for building policies. ---------------------------------------------------------------------Update Information: Update SELinux policy to current rawhide to fix many policy problems ---------------------------------------------------------------------* Tue Apr 4 2006 Dan Walsh - 1.30.3-1.fc5 - Bump for FC-5 * Tue Mar 28 2006 Dan Walsh - 1.30.3-1 - Latest upgrade from NSA * Fixed checkmodule to call link_modules prior to expand_module to handle optionals. * Fixed require_class to avoid shadowing permissions already defined in an inherited common definition. * Mon Mar 27 2006 Dan Walsh - 1.30.1-2 - Rebuild with new libsepol * Thu Mar 23 2006 Dan Walsh - 1.30.1-1 - Latest upgrade from NSA * Moved processing of role and user require statements to 2nd pass. ---------------------------------------------------------------------This update can be downloaded from: 7898c324c55af7cdef2f3a74773c6b70adb497bb SRPMS/checkpolicy-1.30.3-1.fc5.src.rpm b485bd9121e4f4415e2f17b0e37ce7303ac0cd16 ppc/checkpolicy-1.30.3-1.fc5.ppc.rpm 35f483301ba44238d70cd3bcb669d358d698e3cb ppc/debug/checkpolicy-debuginfo-1.30.3-1.fc5.ppc.rpm 37cda38df6eb6a8c03494159989dd85d68fba2e2 x86_64/checkpolicy-1.30.3-1.fc5.x86_64.rpm 54d3ec7cf1e2f9fb271a2c6400a8ebd6f73b0b0c x86_64/debug/checkpolicy-debuginfo-1.30.3-1.fc5.x86_64.rpm 452461559e1afd7744c11a9036c51d33f5a15b22 i386/checkpolicy-1.30.3-1.fc5.i386.rpm 65374698d63d2bb5b14793d415dc91ab1372aed8 i386/debug/checkpolicy-debuginfo-1.30.3-1.fc5.i386.rpm This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at . ----------------------------------------------------------------------- fedora-announce-list mailing list
Get the latest Linux and open source security news straight to your inbox.