-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3379
                          flatpak security update
                               13 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           flatpak
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41133

Original Bulletin: 
   http://www.debian.org/security/2021/dsa-4984

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running flatpak check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4984-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 12, 2021                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : CVE-2021-41133
Debian Bug     : 995935

It was discovered that sandbox restrictions in Flatpak, an application
deployment framework for desktop apps, could be bypassed for a Flatpak app
with direct access to AF_UNIX sockets, by manipulating the VFS using
mount-related syscalls that are not blocked by Flatpak's denylist seccomp
filter.

Details can be found in the upstream advisory at
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

For the stable distribution (bullseye), this problem has been fixed in
version 1.10.5-0+deb11u1.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmFl+ylfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qysg/9GSusDNb//c2YenjtD69MbupqsPif+PkKOxD1CUo2wWZReglxg28gBTy2
1WDhACY07FalwuOGbRAruWEJ5+Meb+ecQ8oI2VWtqIm7sTUaxWQ/CsKmwkviWZyh
jCWLr2ds7LSUISf5yl+HYzeAYGDCfdfdxDQ5BgcBXL7AiAMEmoDObi6dBk2QonVP
uF6ArVSm1uBgLYtsl2t1OjxzjXaaDIyGy6rA2RwO6AYAJU6+gZ6PQnf04gDz5kZ2
oj30TqBYTIgXM1TFdkJMNrxGbsGYW/mGYeFNYlZb3eBnNggTKyIlRKcr3OHDEjPf
MYELv2lN7UN4zU8qr5KmMqKYbmw5E2SZVpwtann3acWIk8TdasAZ3uLn+03qr4ke
T1ppk1unaH+V9JEXcyG1JIltgDZv7MmjF/xvlo8hLI9PRRtNu2Hb1RUQLVOiEB23
tNbYn2uJ3kRxQkWcBJMB64uEdihl+nt3VvwO8c03pNimC3NgLwEUiLzu3unwftxb
OYV2ypgoeLe27HBLvBJGS/uPQak9IH0OlNyGi7Rmstl/I2b983IfQJR+1Y5wRedx
Gl3JtjrEK7dCN87pLDjgb3gI9FV3bkyTHdO063by8V/Q4pqDk7xfBX1cS1iqrmhZ
tsABke2ApaxHGjyf7deztxVhTK6zwuznqPOtbAMi0bFF/fUMUmw=
=L6qM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYWZiQeNLKJtyKPYoAQjFmQ//Z/p5zBGKuOKvvKmTmV2Ep3utdC8HTubQ
bZG5sK1NW4p2jLzuk4rllPzFaPqg9dUN6vunStvThZLPyVV3IjFYqpZEL8gUsbP1
/X/J+Dz+SJ1Mbw1dQo63FwBA4G6LuE/8a81skPO4gv+VtuwF4TManY3AsScumy55
1G9rhke4DT0tVRhJtWAzRvTFgdR1d/BAPsjziWi6TD8WZjOwNH0rCLwN2Zo7FLBd
yJwQCUvy7cFVeMo85LhX0M3Z7838tKYdmRD3ZJfaXcR3iFLFBHDaRt1l6uotgeuv
tEwCyjUYUZDW1vVZxOiWCANc3MEnxfWsPvZZYh4XpHsoAODMgL1P1BooGXR3shCr
4TTRra1DKf/+xTeMmrE3NxH2Fs26500+57OFtcL34gkaL3mnnaEBWfqvOkKZHbYY
AB4z+IbeSDh8UTYPKkH1O4QnlhLyus4a5NaTDYsxcImbpUJV8Eowna37msBIJKff
qwZ3ywxI/hrMcXIa/drHJM1WuUVPufRDDo4S8IPzjNPgJoCxJ2U7+chD+gMD3qEb
ea4ABC2lrVTAuh7u3AU3X/Sj9R6WAzFcdIsfAoAePICMpRvqBzufZ2/V/ueXYemJ
HKZMc2Y0Swcp3UwVdZFUwzhJgFoQCJnV0ffXVvnP1s6MwqskTxojtgQ6xkt0iHj9
1FCB2xY1mVE=
=XM7l
-----END PGP SIGNATURE-----