ESB-2018.2191 - [UNIX/Linux][Debian] fuse: Unauthorised access - Existing account 2018-07-30


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2191
                           fuse security update
                               30 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           fuse
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10906  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4257

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running fuse check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4257-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 28, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : fuse
CVE ID         : CVE-2018-10906
Debian Bug     : 904439

Jann Horn discovered that FUSE, a Filesystem in USErspace, allows the
bypass of the 'user_allow_other' restriction when SELinux is active
(including in permissive mode). A local user can take advantage of this
flaw in the fusermount utility to bypass the system configuration and
mount a FUSE filesystem with the 'allow_other' mount option.
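
The flaw only matters on a host that meets two conditions: SELinux is active (the advisory notes that permissive mode counts) and the administrator has not enabled user_allow_other in /etc/fuse.conf (if it is enabled, any user may already mount with allow_other and there is nothing to bypass). The script below is an added example, not code from Debian, AusCERT or the fuse project. It checks those two preconditions and, separately, scans /proc/mounts-format lines for FUSE mounts that carry allow_other but were mounted by a non-root user, which is the state a successful bypass leaves behind (FUSE records the mounting uid as user_id=N in the mount options). Detecting SELinux by the presence of /sys/fs/selinux/enforce is a standard system check and an assumption of this example, not the test fusermount itself performs; the sample mount lines used in the test are constructed.

```shell
#!/bin/sh
# Added example for DSA-4257 / CVE-2018-10906. Not code from Debian, AusCERT
# or the fuse project. Paths are parameters so every function can be run
# against constructed input as well as against the live system.

# Return 0 if the fuse.conf at $1 has an uncommented user_allow_other line,
# 1 otherwise. A missing file counts as "not enabled", which is the default.
user_allow_other_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$conf"
}

# Return 0 if SELinux is active. Assumption of this example: selinuxfs is
# mounted at $1 (/sys/fs/selinux on a real host) and exposes an "enforce"
# file; it exists in permissive mode too, which is the case the DSA calls out.
selinux_active() {
    [ -d "$1" ] && [ -e "$1/enforce" ]
}

# Print EXPOSED (and return 0) when both preconditions for the bypass hold:
# SELinux active and user_allow_other NOT enabled. Otherwise NOT_EXPOSED / 1.
# $1 = fuse.conf path, $2 = selinuxfs path. Package version is not checked
# here; compare `dpkg-query -W -f='${Version}' fuse` with the fixed version
# from the advisory (2.9.7-1+deb9u1 on stretch) separately.
is_exposed() {
    if selinux_active "$2" && ! user_allow_other_enabled "$1"; then
        echo EXPOSED
        return 0
    fi
    echo NOT_EXPOSED
    return 1
}

# Read /proc/mounts-format lines on stdin and print "<uid> <mountpoint>" for
# every FUSE mount (fstype fuse, fuse.<name> or fuseblk) whose options contain
# allow_other and a user_id other than 0. Root-owned allow_other mounts are
# legitimate regardless of fuse.conf and are not reported.
find_unprivileged_allow_other() {
    awk '
        $3 ~ /^fuse/ {
            n = split($4, opts, ",")
            uid = ""; ao = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "allow_other") ao = 1
                if (opts[i] ~ /^user_id=/) uid = substr(opts[i], 9)
            }
            if (ao && uid != "" && uid != "0") print uid, $2
        }'
}

# Live run against the real host: save as fuse_check.sh and execute it.
main() {
    is_exposed /etc/fuse.conf /sys/fs/selinux || :
    echo "FUSE mounts with allow_other from non-root users (uid mountpoint):"
    find_unprivileged_allow_other < /proc/mounts
}
case "${0##*/}" in fuse_check.sh) main "$@" ;; esac
```

A hit from find_unprivileged_allow_other on a host that reports EXPOSED is worth a closer look even after upgrading: the mount was made before the fix and stays visible to every user on the system until it is unmounted.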

For the stable distribution (stretch), this problem has been fixed in
version 2.9.7-1+deb9u1.

We recommend that you upgrade your fuse packages.

For the detailed security status of fuse please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/fuse

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltcenNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QvRg//W3kUaO9PE7ctcY3CxCa5uej51kqun1Jy7JAw0fjQK84pTH//J8GCJnAs
vbcONxyvrkxlLMRamvRrKU0EfH0vLHkvjcfVY2l5ECPBEISkpVff/MPWCwTplzF9
GMUFdrF+qJNC7EW2y5BfMwkBFn7FYTyEoroSm1AmQjjqncSuzvxIjK8p+P/NVq20
RawwRsEJIquVQQ3ZYE9mnJ9QixYI1+le33bg/FI9eIUy44W43m+OPqmf7kvwH7Qh
SamYcFMvl8uc8reijl2cSoZ1ocCJAr4etJ3M/C0Br/wtQxedk4+bAtYjxxolR101
VBZqh9bnTsBpVnQaMjcBsGsT77IupfCY4nraZQJqcDF9N4712W6MUKckaP933HQa
VKWjlSUqNlIUh2UocONgPWU8yvxtkSHiQIkEEQnuNchNPGGcu+zrdTR3BY/oBIHc
yDgBqk1SV0CNLTzZj/fzDmwaVgzYrE8Dc2+TPok1O8UgnifSlRBmQrLJNxaQE4FL
TDhBB3O+H3laHAFeMPMi92tvr66r/QI5EEhNXBCpauOwYLg32DhL9RJ64FY+mOr6
/YrQMyfX5fI1v/WaqRB4rNgaQROYFaC9uOtSp6UTRa8w2R98JSEUrKuaE/ndVJM+
HtFaaKkequ/hcIARHdiCeya3jZVCOhMgeIJZEcw0G2LntY1z46M=
=MTqc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
