-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3379
                          flatpak security update
                              13 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           flatpak
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
                   Reduced Security     -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41133  

Original Bulletin: 
   http://www.debian.org/security/2021/dsa-4984

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running flatpak check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4984-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 12, 2021                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : CVE-2021-41133
Debian Bug     : 995935

It was discovered that sandbox restrictions in Flatpak, an application
deployment framework for desktop apps, could be bypassed for a Flatpak
app with direct access to AF_UNIX sockets, by manipulating the VFS using
mount-related syscalls that are not blocked by Flatpak's denylist
seccomp filter.

Details can be found in the upstream advisory at
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

For the stable distribution (bullseye), this problem has been fixed in
version 1.10.5-0+deb11u1.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----