FEDORA-2020-a4206f14f1 — security update for bubblewrap

stable

bubblewrap-0.4.1-1.fc31

FEDORA-2020-a4206f14f1 created by amigadave 5 years ago for Fedora 31

Update to 0.4.1

This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only if installed setuid while at the same time the kernel supports unprivileged user namespaces. More details in the advisory here:

GHSA-j2qp-rvxj-43vj

Additionally there are some minor changes:

Always clear the capability bounding set (cosmetic issue)
Make the tests work with libcap >= 2.29
Properly report child exit status in some cases

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-a4206f14f1

This update has been submitted for testing by amigadave.

5 years ago

This update's test gating status has been changed to 'waiting'.

5 years ago

This update's test gating status has been changed to 'ignored'.

5 years ago

This update has been pushed to testing.

5 years ago

This update's test gating status has been changed to 'greenwave_failed'.

5 years ago

This update's test gating status has been changed to 'ignored'.

5 years ago

kparal commented & provided feedback 5 years ago

karma

my flatpak apps work fine

This update can be pushed to stable now if the maintainer wishes

5 years ago

This update has been submitted for stable by bodhi.

5 years ago

This update has been pushed to stable.

5 years ago

Please log in to add feedback.

Metadata

Type

security

Severity

low

Karma

Signed

Content Type

RPM

Test Gating

ignored

Autopush Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

14 days

Dates

submitted

5 years ago

in testing

5 years ago

in stable

5 years ago

Builds

bubblewrap-0.4.1-1.fc31

Automated Test Results

ignored