Comment 21 for bug 1726372

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.8-0ubuntu1

apport (2.20.8-0ubuntu1) bionic; urgency=medium

   * New upstream release:
     - SECURITY UPDATE: Denial of service via resource exhaustion and
       privilege escalation when handling crashes of tainted processes.
     - When /proc/sys/fs/suid_dumpable is set to 2, do not assume that
       the user and group owning the /proc/<PID>/stat file is the same
       owner and group that started the process. Rather check the dump
       mode of the crashed process and do not write a core file if its
       value is 2. Thanks to Sander Bos for discovering this issue!
       (CVE-2017-14177, LP: #1726372)
     - SECURITY UPDATE: Denial of service via resource exhaustion,
       privilege escalation, and possible container escape when handling
       crashes of processes inside PID namespaces.
     - Change the method for determining if a crash is from a container
       so that there are no false positives from software using PID
       namespaces. Additionally, disable container crash forwarding by
       ignoring crashes that occur in a PID namespace. This functionality
       may be re-enabled in a future update. Thanks to Sander Bos for
       discovering this issue!
       (CVE-2017-14180, LP: #1726372)
   * apport/ modify package_versions to return an empty string if
     packages is empty. (LP: #1723822)

 -- Brian Murray <email address hidden> Wed, 15 Nov 2017 12:44:24 -0800