Multiple CVEs in xenial
Bug #1655136 reported by Reiner Herrmann
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
firejail (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | High | Reiner Herrmann |
Zesty | Fix Released | High | Unassigned |
Bug Description
firejail 0.9.38 is affected by the following CVEs:
- CVE-2016-9016: sandbox escape
- CVE-2016-10118: overwrite /etc/resolv.conf
- CVE-2017-5180: local root exploit
Please apply the attached debdiff.
firejail 0.9.40 is also affected by those (and perhaps other) CVEs.
But fixing that looks like a bit more effort (patches don't apply cleanly), and there were several related upstream commits that attempted to fix them.
CVE References: CVE-2016-9016, CVE-2016-10118, CVE-2017-5180
- description: updated
- Changed in firejail (Ubuntu Xenial): status: New → In Progress; assignee: nobody → Reiner Herrmann (deki)
- Changed in firejail (Ubuntu Zesty): status: New → Fix Released; importance: Undecided → High
- Changed in firejail (Ubuntu Xenial): importance: Undecided → High
- description: updated
- information type: Public → Public Security
- tags: added: patch
Thanks Reiner for the debdiff.
I noticed that upstream provides Long Term Support versions: 0.9.38.x, which is the same branch in Xenial. According to the SRU policy, new upstream micro releases could be pushed as updates if they introduce only bug fixes, especially for Ubuntu LTS releases. https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases
If you find that it is more beneficial and it is easier for you to push the whole micro release instead of cherry picking fixes, go for it.