-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1928
                          polkit security update
                                4 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           polkit
Publisher:         Red Hat
Operating System:  Red Hat
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges     -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3560
Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:2236
   https://access.redhat.com/errata/RHSA-2021:2237
   https://access.redhat.com/errata/RHSA-2021:2238

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running polkit check for an updated version of the software for
         their operating system.

         This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: polkit security update
Advisory ID:       RHSA-2021:2236-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2236
Issue date:        2021-06-03
CVE Names:         CVE-2021-3560
=====================================================================

1. Summary:

An update for polkit is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The polkit packages provide a component for controlling system-wide
privileges. This component provides a uniform and organized way for
non-privileged processes to communicate with privileged ones.

Security Fix(es):

* polkit: local privilege escalation using
polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1961710 - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1):

Source:
polkit-0.115-9.el8_1.1.src.rpm

aarch64:
polkit-0.115-9.el8_1.1.aarch64.rpm
polkit-debuginfo-0.115-9.el8_1.1.aarch64.rpm
polkit-debugsource-0.115-9.el8_1.1.aarch64.rpm
polkit-devel-0.115-9.el8_1.1.aarch64.rpm
polkit-libs-0.115-9.el8_1.1.aarch64.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.aarch64.rpm

noarch:
polkit-docs-0.115-9.el8_1.1.noarch.rpm

ppc64le:
polkit-0.115-9.el8_1.1.ppc64le.rpm
polkit-debuginfo-0.115-9.el8_1.1.ppc64le.rpm
polkit-debugsource-0.115-9.el8_1.1.ppc64le.rpm
polkit-devel-0.115-9.el8_1.1.ppc64le.rpm
polkit-libs-0.115-9.el8_1.1.ppc64le.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.ppc64le.rpm

s390x:
polkit-0.115-9.el8_1.1.s390x.rpm
polkit-debuginfo-0.115-9.el8_1.1.s390x.rpm
polkit-debugsource-0.115-9.el8_1.1.s390x.rpm
polkit-devel-0.115-9.el8_1.1.s390x.rpm
polkit-libs-0.115-9.el8_1.1.s390x.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.s390x.rpm

x86_64:
polkit-0.115-9.el8_1.1.x86_64.rpm
polkit-debuginfo-0.115-9.el8_1.1.i686.rpm
polkit-debuginfo-0.115-9.el8_1.1.x86_64.rpm
polkit-debugsource-0.115-9.el8_1.1.i686.rpm
polkit-debugsource-0.115-9.el8_1.1.x86_64.rpm
polkit-devel-0.115-9.el8_1.1.i686.rpm
polkit-devel-0.115-9.el8_1.1.x86_64.rpm
polkit-libs-0.115-9.el8_1.1.i686.rpm
polkit-libs-0.115-9.el8_1.1.x86_64.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.i686.rpm
polkit-libs-debuginfo-0.115-9.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYLiqEtzjgjWX9erEAQgpRw//aH+YvfC6BfsjJjIATE9H186vpmfz0sbt
rqCjLnfM5kaFXPFMs0o9t4GA1tX8EH63DBN3DJLj1NMhC9mqaQR8g77mJPSmGtZd
6W/YyMjozQDQjI9a4pGqZ8uKHRe5Ul3Bz8vc0Tw4xKDcd3f+y7k4TY6GYiHPowTH
gzZMw/HSRqal4mKiHis3JjqNBe/he5R9TYvOhyeLcBzf7jneNYVLPVIqe7gqc8CD
d1sAdb3Gab7nil9q3n37pB72HTKRwefVXwpsfcZ0CjtLIT5WFAbtfq5hz8T9DEbI
n1Wf613EnkOCasCVeBf81ZJPYlj3SDeqd/LhfoKQwZi/If8t3OurmiDEvjZ3xazi
N4li+vI2fUkouYjG/byVLMBVGnkSm3+9AXIGy/7rcfTNpZUvXlDNycw+ldB7Jzsz
gF9EFiQz3jOU2Qi/xOxvdnmOV9W2G3ozFmTNJXFEuZrwODrIxBnuziGNHqffk2un
uubY+aJGBZ+0r7DoS542mEc2oWW899au9UtGB9Ds0nOaLRNwR+YJmJAQkwRiXEYp
kzArNIPYMwisdeBTNj3ZuLzo3oMZ+CBsOjA2TSel5QoPwdOh+YH09W6TcNsmWApd
XjFEYnhxSAonm6dw+Jkt+VRwjHRVIpQgU5xUqk2fk/sFS6/puJR5KxcGI29M6qm/
7X6ulojVW68=
=0UrL
- -----END PGP SIGNATURE-----

- ---------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: polkit security update
Advisory ID:       RHSA-2021:2237-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2237
Issue date:        2021-06-03
CVE Names:         CVE-2021-3560
=====================================================================

1. Summary:

An update for polkit is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The polkit packages provide a component for controlling system-wide
privileges. This component provides a uniform and organized way for
non-privileged processes to communicate with privileged ones.

Security Fix(es):

* polkit: local privilege escalation using
polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1961710 - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:
polkit-0.115-11.el8_2.1.src.rpm

aarch64:
polkit-0.115-11.el8_2.1.aarch64.rpm
polkit-debuginfo-0.115-11.el8_2.1.aarch64.rpm
polkit-debugsource-0.115-11.el8_2.1.aarch64.rpm
polkit-devel-0.115-11.el8_2.1.aarch64.rpm
polkit-libs-0.115-11.el8_2.1.aarch64.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.aarch64.rpm

noarch:
polkit-docs-0.115-11.el8_2.1.noarch.rpm

ppc64le:
polkit-0.115-11.el8_2.1.ppc64le.rpm
polkit-debuginfo-0.115-11.el8_2.1.ppc64le.rpm
polkit-debugsource-0.115-11.el8_2.1.ppc64le.rpm
polkit-devel-0.115-11.el8_2.1.ppc64le.rpm
polkit-libs-0.115-11.el8_2.1.ppc64le.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.ppc64le.rpm

s390x:
polkit-0.115-11.el8_2.1.s390x.rpm
polkit-debuginfo-0.115-11.el8_2.1.s390x.rpm
polkit-debugsource-0.115-11.el8_2.1.s390x.rpm
polkit-devel-0.115-11.el8_2.1.s390x.rpm
polkit-libs-0.115-11.el8_2.1.s390x.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.s390x.rpm

x86_64:
polkit-0.115-11.el8_2.1.x86_64.rpm
polkit-debuginfo-0.115-11.el8_2.1.i686.rpm
polkit-debuginfo-0.115-11.el8_2.1.x86_64.rpm
polkit-debugsource-0.115-11.el8_2.1.i686.rpm
polkit-debugsource-0.115-11.el8_2.1.x86_64.rpm
polkit-devel-0.115-11.el8_2.1.i686.rpm
polkit-devel-0.115-11.el8_2.1.x86_64.rpm
polkit-libs-0.115-11.el8_2.1.i686.rpm
polkit-libs-0.115-11.el8_2.1.x86_64.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.i686.rpm
polkit-libs-debuginfo-0.115-11.el8_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYLi1ytzjgjWX9erEAQj6JQ/+Ik+R7SUSfCbwFjrLA6fdU+1ZzU9RtR21
vSK+9Z7F9BKpfDWLz9AlYd7DPNiAeqy1Lp9U9AE2G6rePS/wrs0azcMAcIdfqDQJ
H6bTWrJ/2iloLMzvsCZNE1+pWTJO7jUkGzyU9RoN+2m2Unqf+pvCGm9BM17YCodY
kQxcBKApLKIf0SmRqJQBTxdxll6fLzeIdL1SHcjn42kXHRlFfwdJ6SM08EPmc6EX
S/KffC5lQaEDFsM+mYYn9IopyG9OIUDAzyOf30GbKkT1Ca3L06mAcZa/M54RLm0M
ntUnuo2ZC+UpLEQd9zb+rqs8M1dzeiK5+yGmnqQiZQFRTmBuwYOufP3Dxlf+3hcL
Tpkei1WmrRGWwZfALcGSTopUnkxG9y0JmjTlynIv/+6dwieSZ2HQpgT7RJHcSF0t
N+buPcJ/rmjP86gs7VLG5XtYg1WW3Ql2rPJ3u5bAWK5ZCpHINs8RxAnK/rqVJT4e
MbHIIG9nwqEWAYizU0e0ls2W6j8ARRPCa8PBwRvcCW4DbE9t5IHgap3cK3NL5dYy
Xj5KzS0jO48RI7HRJSpsQXNExa+lGCFDVtuIMBxzE/k8y697Xf8qfew+SfWrdJIe
0tS8D/cARc4/VI2DAYrboOWa5y5MtScrvOXZrfGrkD/tw3rCF7L7EuPHLGjwwBdh
ibtMu+r2UUk=
=JVcx
- -----END PGP SIGNATURE-----

- ---------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: polkit security update
Advisory ID:       RHSA-2021:2238-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2238
Issue date:        2021-06-03
CVE Names:         CVE-2021-3560
=====================================================================

1. Summary:

An update for polkit is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The polkit packages provide a component for controlling system-wide
privileges. This component provides a uniform and organized way for
non-privileged processes to communicate with privileged ones.

Security Fix(es):

* polkit: local privilege escalation using
polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1961710 - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
polkit-0.115-11.el8_4.1.src.rpm

aarch64:
polkit-0.115-11.el8_4.1.aarch64.rpm
polkit-debuginfo-0.115-11.el8_4.1.aarch64.rpm
polkit-debugsource-0.115-11.el8_4.1.aarch64.rpm
polkit-devel-0.115-11.el8_4.1.aarch64.rpm
polkit-libs-0.115-11.el8_4.1.aarch64.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.aarch64.rpm

noarch:
polkit-docs-0.115-11.el8_4.1.noarch.rpm

ppc64le:
polkit-0.115-11.el8_4.1.ppc64le.rpm
polkit-debuginfo-0.115-11.el8_4.1.ppc64le.rpm
polkit-debugsource-0.115-11.el8_4.1.ppc64le.rpm
polkit-devel-0.115-11.el8_4.1.ppc64le.rpm
polkit-libs-0.115-11.el8_4.1.ppc64le.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.ppc64le.rpm

s390x:
polkit-0.115-11.el8_4.1.s390x.rpm
polkit-debuginfo-0.115-11.el8_4.1.s390x.rpm
polkit-debugsource-0.115-11.el8_4.1.s390x.rpm
polkit-devel-0.115-11.el8_4.1.s390x.rpm
polkit-libs-0.115-11.el8_4.1.s390x.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.s390x.rpm

x86_64:
polkit-0.115-11.el8_4.1.x86_64.rpm
polkit-debuginfo-0.115-11.el8_4.1.i686.rpm
polkit-debuginfo-0.115-11.el8_4.1.x86_64.rpm
polkit-debugsource-0.115-11.el8_4.1.i686.rpm
polkit-debugsource-0.115-11.el8_4.1.x86_64.rpm
polkit-devel-0.115-11.el8_4.1.i686.rpm
polkit-devel-0.115-11.el8_4.1.x86_64.rpm
polkit-libs-0.115-11.el8_4.1.i686.rpm
polkit-libs-0.115-11.el8_4.1.x86_64.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.i686.rpm
polkit-libs-debuginfo-0.115-11.el8_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYLi4ItzjgjWX9erEAQgWKxAAiAvTOLcjeLfqDt751ICRtlApTe+DRKVL
Fs8aXYDg6mH6kdCmHAWPqcZQtrQlG7GhYnoy+R8VBxKqjbMgjCiGnTQ7/r5PXDdV
Z/BsM15FfEdQEROCJdk3DKSU/Gp7m4UTFEIm0A+kVGOMA9acf+EFQAxDxCeEppGn
UiEjGO6SaTa2CEtyOxtcIZVf5g/Iqg/N3OZYZrnbs6IsmXSn32o5HNV5yi87sOnc
JCRm3RBq012FTL6+zpjcOZEwkwHOgdvlTYEfbYUZ8pqdS/oRH7Af9XNKP1AAODAN
1IdUFgr0nBMFL0KxP+jj2pQZZxiVzFXkWw4qSA4ijW6GRmdOcLtWl9aqJEX88m/1
ca2NDL0BWUb/piYMDm5hUXkUM1kvnzieMDjnphYP05EHGOE1MmGKIJ0qpW/vCRls
1+uVcXRLhHh2mWnaB/BGYxoT+iF8+wEiKwdZf0qYO4Vw2OWfV7EhKKjTsBR48Zxx
4TpyQMG0Rae+Dk2hbIYUQ2VBfqipDxWBcXbte/ux+YrgxtifA+4BeEXlEIHkQIfQ
D4BYvT6M1IgwHKXmGIt2elu0vQOjPXZry8aQx5uMfyh+c+LDbfbFx5dUclvikKQ/
BcT2/AsHhHUdSSRj5hJKG6x41kHBDn1OsHaxiek/OmD3hhocLAXHsrmp8u19YNMx
1d+y+LGvqG4=
=g5Dl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYLlixeNLKJtyKPYoAQiXHw/+IAsB5S9tFQDiRYAM2yYFbC++olDPrz9A
EmKgrume8KV8MNt7mp0ZZFwMyAt8Jexta+Sx50Sm98tXbzJzt6RKdhOQGxXO/JZz
vVv5I7qMHgAxQeqt1qy1hQM2YyJhyJowKbKvFJ+pmejXjBjV8wRzYe6ZuFfq0lrs
gFAowtKpPlhMxSkSJZGKyAo2cXprn2y6Sej3GzVF1pBqrioqS/2ofnpDz0X6apuX
UH+rDok7UFbrB8Hq4DrExOyGaUFrUGXv5APUhrBvnhuZqHA7s/iBC76NqEl/67wK
0sTZ2/JHaWlMqu9MDpcaBaXLb2aGTNoIwfCmebh/ww499W+IgvQpyusbWeip9WJB
1GP5jMA68QuT/Frq75S6qbDvMUwwx/u6hIYRtiAyCJGxvGwA690WGPIj1+AiTQcm
a7oSAJY7+IEhd/hWdI37sTsXkTTEsxLxTSQHw2vmXF5nFk/Eq5XAR11nGso4VaPb
mn4IY8RV20aIQP5GGfoUjzWwHyKwaiUtZwI8fztI/e5qJ9aNg/GJSzjcpGWmhbu9
72UzQvw9K6fSrnj2JyXYVWgPd0agsw5FwhXy/cvBmZod/GLUfOyVJXm/zM3kn2jR
/hFGEncJdsHptGQzAPjW7WIi+1fTVzu99k6apxtanxYzGsNtre1Kyvinoji99Qpe
YhNuuY2slVE=
=onZm
-----END PGP SIGNATURE-----
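The three package lists above give the fixed polkit build for each RHEL 8 stream but leave the comparison against an installed host to the reader. The script below is an added example for this bulletin, not code from Red Hat or AusCERT. It takes the fixed version-release strings from the advisories' package lists; everything else is an assumption: that the dist tag in the installed release (.el8_1, .el8_2, .el8_4, or a plain .el8 build treated here as the main RHEL 8 stream) selects which of the three advisories applies, and that `sort -V` is an adequate stand-in for rpm's version ordering on these strings. Sample inputs are constructed for the demonstration and are not from any real host.

```shell
#!/bin/sh
# Added example for ESB-2021.1928: is the installed polkit at or above the
# fixed build from RHSA-2021:2236 / 2237 / 2238?  Not part of the bulletin.

# Fixed version-release per stream, copied from the advisory package lists.
# Assumption: the dist tag of the installed build identifies its stream.
# Plain ".el8" builds are assumed to belong to the main RHEL 8 stream; any
# other tag is reported as unknown rather than guessed.
fixed_vr_for() {
    case "$1" in
        *.el8_1|*.el8_1.*)       echo "0.115-9.el8_1.1"  ;;  # RHSA-2021:2236, RHEL 8.1 EUS
        *.el8_2|*.el8_2.*)       echo "0.115-11.el8_2.1" ;;  # RHSA-2021:2237, RHEL 8.2 EUS
        *.el8|*.el8_4|*.el8_4.*) echo "0.115-11.el8_4.1" ;;  # RHSA-2021:2238, RHEL 8
        *) return 1 ;;
    esac
}

# True when version-release $1 >= $2.  sort -V approximates rpmvercmp; it
# agrees with it on the numeric/dist-tag strings used here (a build whose
# string is a prefix of the fixed one sorts as older).
vr_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Classify one installed version-release string: fixed | vulnerable | unknown-stream
check_polkit_vr() {
    vr="$1"
    fixed="$(fixed_vr_for "$vr")" || { echo "unknown-stream"; return 2; }
    if vr_ge "$vr" "$fixed"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Constructed sample inputs: a pre-fix and a fixed build per stream, plus a
# build from a stream the three advisories do not cover.
for sample in 0.115-9.el8_1 0.115-9.el8_1.1 0.115-11.el8_2 0.115-11.el8_2.1 \
              0.115-11.el8 0.115-11.el8_4.1 0.115-9.el8_3; do
    printf 'polkit-%s: %s\n' "$sample" "$(check_polkit_vr "$sample")"
done

# On a real RHEL 8 host, read the installed build from the RPM database.
if command -v rpm >/dev/null 2>&1 && rpm -q polkit >/dev/null 2>&1; then
    installed="$(rpm -q polkit --qf '%{VERSION}-%{RELEASE}\n' | head -n 1)"
    printf 'installed polkit-%s: %s\n' "$installed" "$(check_polkit_vr "$installed")"
fi
```

A host that reports "vulnerable" needs the update from the advisory matching its stream; "unknown-stream" means the build is not from one of the three streams covered here and should be checked against the vendor's own errata. Where exact rpm ordering matters (epochs, tilde or caret versions), use `rpmdev-vercmp` from rpmdevtools instead of `sort -V`, and verify the downloaded packages with `rpm -K` against the Red Hat key referenced in the advisories before installing.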