ESB-2018.1388 - [Ubuntu] Swift: Root compromise - Existing account 2018-05-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1388
           Security Update 2018-001 Swift 4.1.1 for Ubuntu 14.04
                                7 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Swift
Publisher:         Apple
Operating System:  Ubuntu
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4220  

Original Bulletin: 
   https://support.apple.com/en-au/HT208804

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2018-05-04-1 Security Update 2018-001 Swift 4.1.1 for
Ubuntu 14.04

Security Update 2018-001 Swift 4.1.1 for Ubuntu 14.04 is
now available and addresses the following:

Swift for Ubuntu
Available for: Ubuntu 14.04
Not impacted: Ubuntu 16.04 and 16.10
Impact: A process may gain admin privileges and execute arbitrary
code
Description: An issue existed in specific versions of Swift on Ubuntu
14.04 where libraries are loaded with write and execute permissions.
This issue was addressed with improved permissions.
CVE-2018-4220: Apple

Installation note:

Security Update 2018-001 Swift 4.1.1 for Ubuntu 14.04 may be obtained
from https://swift.org/download.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222 and the Swift
announcements section on the forum:
https://forums.swift.org/c/general-announce

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------
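
A check for the condition the advisory describes (library mappings that are both writable and executable), as an added example that is not part of the Apple or AusCERT text. It parses the Linux /proc/<pid>/maps format; the sample lines and the library path are constructed, and the function names are hypothetical.

```python
import re
from typing import Iterable, Iterator, List, NamedTuple


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


# One /proc/<pid>/maps line: range, perms, offset, device, inode, optional path.
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample input (not taken from an affected system).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1311 /home/dev/app
7f10a0000000-7f10a0200000 rwxp 00000000 08:01 2001 /opt/example/lib/libexample.so
7f10a0200000-7f10a0400000 r-xp 00000000 08:01 2002 /lib/x86_64-linux-gnu/libc-2.19.so
7f10a0400000-7f10a0402000 rw-p 001ff000 08:01 2002 /lib/x86_64-linux-gnu/libc-2.19.so
7f10a0600000-7f10a0601000 rwxp 00000000 00:00 0
7ffc12300000-7ffc12321000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(lines: Iterable[str]) -> Iterator[Mapping]:
    """Yield one Mapping per well-formed maps line; skip anything else."""
    for line in lines:
        m = MAPS_RE.match(line.strip())
        if m:
            yield Mapping(int(m.group(1), 16), int(m.group(2), 16),
                          m.group(3), m.group(4))


def wx_library_mappings(lines: Iterable[str]) -> List[Mapping]:
    """File-backed mappings that are writable and executable at once."""
    return [m for m in parse_maps(lines)
            if "w" in m.perms and "x" in m.perms and m.path.startswith("/")]


def audit_pid(pid: int) -> List[Mapping]:
    """Run the same check against a live process on Linux."""
    with open(f"/proc/{pid}/maps") as fh:
        return wx_library_mappings(fh)


if __name__ == "__main__":
    for hit in wx_library_mappings(SAMPLE_MAPS.splitlines()):
        print(f"W+X mapping: {hit.path} {hit.start:#x}-{hit.end:#x} {hit.perms}")
```

Anonymous `rwxp` regions are skipped on purpose, since the advisory concerns loaded libraries; on a patched system `audit_pid` on a running Swift process is expected to return an empty list.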

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
