-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1928
                          polkit security update
                                4 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           polkit
Publisher:         Red Hat
Operating System:  Red Hat
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges     -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3560  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:2236
   https://access.redhat.com/errata/RHSA-2021:2237
   https://access.redhat.com/errata/RHSA-2021:2238

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running polkit check for an updated version of the software for 
         their operating system.
         
         This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: polkit security update
Advisory ID:       RHSA-2021:2236-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2236
Issue date:        2021-06-03
CVE Names:         CVE-2021-3560 
=====================================================================

1. Summary:

An update for polkit is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The polkit packages provide a component for controlling system-wide
privileges. This component provides a uniform and organized way for
non-privileged processes to communicate with privileged ones.

Security Fix(es):

* polkit: local privilege escalation using
polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1961710 - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1):

Source:
polkit-0.115-9.el8_1.1.src.rpm

aarch64:
polkit-0.115-9.el8_1.1.aarch64.rpm
polkit-debuginfo-0.115-9.el8_1.1.aarch64.rpm
polkit-debugsource-0.115-9.el8_1.1.aarch64.rpm
polkit-devel-0.115-9.el8_1.1.aarch64.rpm
polkit-libs-0.115-9.el8_1.1.aarch64.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.aarch64.rpm

noarch:
polkit-docs-0.115-9.el8_1.1.noarch.rpm

ppc64le:
polkit-0.115-9.el8_1.1.ppc64le.rpm
polkit-debuginfo-0.115-9.el8_1.1.ppc64le.rpm
polkit-debugsource-0.115-9.el8_1.1.ppc64le.rpm
polkit-devel-0.115-9.el8_1.1.ppc64le.rpm
polkit-libs-0.115-9.el8_1.1.ppc64le.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.ppc64le.rpm

s390x:
polkit-0.115-9.el8_1.1.s390x.rpm
polkit-debuginfo-0.115-9.el8_1.1.s390x.rpm
polkit-debugsource-0.115-9.el8_1.1.s390x.rpm
polkit-devel-0.115-9.el8_1.1.s390x.rpm
polkit-libs-0.115-9.el8_1.1.s390x.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.s390x.rpm

x86_64:
polkit-0.115-9.el8_1.1.x86_64.rpm
polkit-debuginfo-0.115-9.el8_1.1.i686.rpm
polkit-debuginfo-0.115-9.el8_1.1.x86_64.rpm
polkit-debugsource-0.115-9.el8_1.1.i686.rpm
polkit-debugsource-0.115-9.el8_1.1.x86_64.rpm
polkit-devel-0.115-9.el8_1.1.i686.rpm
polkit-devel-0.115-9.el8_1.1.x86_64.rpm
polkit-libs-0.115-9.el8_1.1.i686.rpm
polkit-libs-0.115-9.el8_1.1.x86_64.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.i686.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- ---------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: polkit security update
Advisory ID:       RHSA-2021:2237-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2237
Issue date:        2021-06-03
CVE Names:         CVE-2021-3560 
=====================================================================

1. Summary:

An update for polkit is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The polkit packages provide a component for controlling system-wide
privileges. This component provides a uniform and organized way for
non-privileged processes to communicate with privileged ones.

Security Fix(es):

* polkit: local privilege escalation using
polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1961710 - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:
polkit-0.115-11.el8_2.1.src.rpm

aarch64:
polkit-0.115-11.el8_2.1.aarch64.rpm
polkit-debuginfo-0.115-11.el8_2.1.aarch64.rpm
polkit-debugsource-0.115-11.el8_2.1.aarch64.rpm
polkit-devel-0.115-11.el8_2.1.aarch64.rpm
polkit-libs-0.115-11.el8_2.1.aarch64.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.aarch64.rpm

noarch:
polkit-docs-0.115-11.el8_2.1.noarch.rpm

ppc64le:
polkit-0.115-11.el8_2.1.ppc64le.rpm
polkit-debuginfo-0.115-11.el8_2.1.ppc64le.rpm
polkit-debugsource-0.115-11.el8_2.1.ppc64le.rpm
polkit-devel-0.115-11.el8_2.1.ppc64le.rpm
polkit-libs-0.115-11.el8_2.1.ppc64le.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.ppc64le.rpm

s390x:
polkit-0.115-11.el8_2.1.s390x.rpm
polkit-debuginfo-0.115-11.el8_2.1.s390x.rpm
polkit-debugsource-0.115-11.el8_2.1.s390x.rpm
polkit-devel-0.115-11.el8_2.1.s390x.rpm
polkit-libs-0.115-11.el8_2.1.s390x.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.s390x.rpm

x86_64:
polkit-0.115-11.el8_2.1.x86_64.rpm
polkit-debuginfo-0.115-11.el8_2.1.i686.rpm
polkit-debuginfo-0.115-11.el8_2.1.x86_64.rpm
polkit-debugsource-0.115-11.el8_2.1.i686.rpm
polkit-debugsource-0.115-11.el8_2.1.x86_64.rpm
polkit-devel-0.115-11.el8_2.1.i686.rpm
polkit-devel-0.115-11.el8_2.1.x86_64.rpm
polkit-libs-0.115-11.el8_2.1.i686.rpm
polkit-libs-0.115-11.el8_2.1.x86_64.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.i686.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- ---------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: polkit security update
Advisory ID:       RHSA-2021:2238-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2238
Issue date:        2021-06-03
CVE Names:         CVE-2021-3560 
=====================================================================

1. Summary:

An update for polkit is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The polkit packages provide a component for controlling system-wide
privileges. This component provides a uniform and organized way for
non-privileged processes to communicate with privileged ones.

Security Fix(es):

* polkit: local privilege escalation using
polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1961710 - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
polkit-0.115-11.el8_4.1.src.rpm

aarch64:
polkit-0.115-11.el8_4.1.aarch64.rpm
polkit-debuginfo-0.115-11.el8_4.1.aarch64.rpm
polkit-debugsource-0.115-11.el8_4.1.aarch64.rpm
polkit-devel-0.115-11.el8_4.1.aarch64.rpm
polkit-libs-0.115-11.el8_4.1.aarch64.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.aarch64.rpm

noarch:
polkit-docs-0.115-11.el8_4.1.noarch.rpm

ppc64le:
polkit-0.115-11.el8_4.1.ppc64le.rpm
polkit-debuginfo-0.115-11.el8_4.1.ppc64le.rpm
polkit-debugsource-0.115-11.el8_4.1.ppc64le.rpm
polkit-devel-0.115-11.el8_4.1.ppc64le.rpm
polkit-libs-0.115-11.el8_4.1.ppc64le.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.ppc64le.rpm

s390x:
polkit-0.115-11.el8_4.1.s390x.rpm
polkit-debuginfo-0.115-11.el8_4.1.s390x.rpm
polkit-debugsource-0.115-11.el8_4.1.s390x.rpm
polkit-devel-0.115-11.el8_4.1.s390x.rpm
polkit-libs-0.115-11.el8_4.1.s390x.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.s390x.rpm

x86_64:
polkit-0.115-11.el8_4.1.x86_64.rpm
polkit-debuginfo-0.115-11.el8_4.1.i686.rpm
polkit-debuginfo-0.115-11.el8_4.1.x86_64.rpm
polkit-debugsource-0.115-11.el8_4.1.i686.rpm
polkit-debugsource-0.115-11.el8_4.1.x86_64.rpm
polkit-devel-0.115-11.el8_4.1.i686.rpm
polkit-devel-0.115-11.el8_4.1.x86_64.rpm
polkit-libs-0.115-11.el8_4.1.i686.rpm
polkit-libs-0.115-11.el8_4.1.x86_64.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.i686.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
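
A stream-aware check of an installed polkit build against the three fixed builds listed in the advisories above. This is an added example, not part of the AusCERT or Red Hat text. It assumes the input is a VERSION-RELEASE string with no epoch, that the dist tag in the release identifies the update stream, and it uses a simplified RPM version comparison without tilde or caret handling; the function names and sample inputs are constructed for illustration.

```python
import re

# Fixed polkit builds per RHEL 8 stream, copied from the package lists above.
FIXED = {
    "el8_1": "0.115-9.el8_1.1",   # RHSA-2021:2236, 8.1 EUS
    "el8_2": "0.115-11.el8_2.1",  # RHSA-2021:2237, 8.2 EUS
    "el8":   "0.115-11.el8_4.1",  # RHSA-2021:2238, RHEL 8
}

def rpmvercmp(a, b):
    """Simplified RPM comparison: walk digit/letter segments left to right."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def stream_of(release):
    """Assumption: el8_1 / el8_2 dist tags mark the EUS streams, else RHEL 8."""
    m = re.search(r"el8_[12](?!\d)", release)
    return m.group(0) if m else "el8"

def is_fixed(installed_vr):
    """True if VERSION-RELEASE is at or above the fixed build for its stream."""
    version, release = installed_vr.split("-", 1)
    fixed_version, fixed_release = FIXED[stream_of(release)].split("-", 1)
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return cmp >= 0

if __name__ == "__main__":
    # Constructed inputs in the form printed by:
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit
    for vr in ("0.115-9.el8_1.1", "0.115-11.el8_2", "0.115-11.el8_4.1"):
        print(vr, "fixed" if is_fixed(vr) else "VULNERABLE")
```

Comparing every host against the single highest build would report the patched 8.1 EUS package (0.115-9.el8_1.1) as vulnerable, which is why the fixed build is selected per stream first.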

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----