OPENSUSE-SU-2022:0037-1
Vulnerability from csaf_opensuse - Published: 2022-02-16 13:25 - Updated: 2022-02-16 13:25Summary
Security update for firejail
Notes
Title of the patch
Security update for firejail
Description of the patch
This update for firejail fixes the following issues:
- Update Leap 15.3 package to 0.9.68 (boo#1195880)
update to firejail 0.9.68:
- security: on Ubuntu, the PPA is now recommended over the distro package
- (see README.md) (#4748)
- security: bugfix: private-cwd leaks access to the entire filesystem
- (#4780); reported by Hugo Osvaldo Barrera
- feature: remove (some) environment variables with auth-tokens (#4157)
- feature: ALLOW_TRAY condition (#4510 #4599)
- feature: add basic Firejail support to AppArmor base abstraction (#3226
- #4628)
- feature: intrusion detection system (--ids-init, --ids-check)
- feature: deterministic shutdown command (--deterministic-exit-code,
- --deterministic-shutdown) (#928 #3042 #4635)
- feature: noprinters command (#4607 #4827)
- feature: network monitor (--nettrace)
- feature: network locker (--netlock) (#4848)
- feature: whitelist-ro profile command (#4740)
- feature: disable pipewire with --nosound (#4855)
- feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
- feature: Allow apostrophe in whitelist and blacklist (#4614)
- feature: AppImage support in --build command (#4878)
- modifs: exit code: distinguish fatal signals by adding 128 (#4533)
- modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
- modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
- modifs: nogroups now stopped causing certain system groups to be dropped,
- which are now controlled by the relevant 'no' options instead (such as
- nosound -> drop audio group), which fixes device access issues on systems
- not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
- removal: --disable-whitelist at compile time
- removal: whitelist=yes/no in /etc/firejail/firejail.config
- bugfix: Fix sndio support (#4362 #4365)
- bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
- bugfix: --build clears the environment (#4460 #4467)
- bugfix: firejail hangs with net parameter (#3958 #4476)
- bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
- bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
- bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
- bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
- bugfix: Firejail rejects empty arguments (#4395)
- bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
- bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
- bugfix: private-etc does not work with symlinks (#4887)
- bugfix: Hardware key not detected on keepassxc (#4883)
- build: allow building with address sanitizer (#4594)
- build: Stop linking pthread (#4695)
- build: Configure cleanup and improvements (#4712)
- ci: add profile checks for sorting disable-programs.inc and
- firecfg.config and for the required arguments in private-etc (#2739 #4643)
- ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
- docs: Add new command checklist to CONTRIBUTING.md (#4413)
- docs: Rework bug report issue template and add both a question and a
- feature request template (#4479 #4515 #4561)
- docs: fix contradictory descriptions of machine-id ('preserves' vs
- 'spoofs') (#4689)
- docs: Document that private-bin and private-etc always accumulate (#4078)
- new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
- new includes: disable-proc.inc (#4521)
- removed includes: disable-passwordmgr.inc (#4454 #4461)
- new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
- new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
- new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
- new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
- new profiles: imv, retroarch, torbrowser, CachyBrowser,
- new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
- new profiles: Seafile, neovim, com.github.tchx84.Flatseal
firejail 0.9.66:
* deprecated --audit options, relpaced by jailcheck utility
* deprecated follow-symlink-as-user from firejail.config
* new firejail.config settings: private-bin, private-etc
* new firejail.config settings: private-opt, private-srv
* new firejail.config settings: whitelist-disable-topdir
* new firejail.config settings: seccomp-filter-add
* removed kcmp syscall from seccomp default filter
* rename --noautopulse to keep-config-pulse
* filtering environment variables
* zsh completion
* command line: --mkdir, --mkfile
* --protocol now accumulates
* jailtest utility for testing running sandboxes
* faccessat2 syscall support
* --private-dev keeps /dev/input
* added --noinput to disable /dev/input
* add support for subdirs in --private-etc
* subdirs support in private-etc
* input devices support in private-dev, --no-input
* support trailing comments on profile lines
* many new profiles
- split shell completion into standard subpackages
Patchnames
openSUSE-2022-37
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for firejail",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for firejail fixes the following issues:\n\n- Update Leap 15.3 package to 0.9.68 (boo#1195880)\n\nupdate to firejail 0.9.68:\n\n- security: on Ubuntu, the PPA is now recommended over the distro package\n- (see README.md) (#4748)\n- security: bugfix: private-cwd leaks access to the entire filesystem\n- (#4780); reported by Hugo Osvaldo Barrera\n- feature: remove (some) environment variables with auth-tokens (#4157)\n- feature: ALLOW_TRAY condition (#4510 #4599)\n- feature: add basic Firejail support to AppArmor base abstraction (#3226\n- #4628)\n- feature: intrusion detection system (--ids-init, --ids-check)\n- feature: deterministic shutdown command (--deterministic-exit-code,\n- --deterministic-shutdown) (#928 #3042 #4635)\n- feature: noprinters command (#4607 #4827)\n- feature: network monitor (--nettrace)\n- feature: network locker (--netlock) (#4848)\n- feature: whitelist-ro profile command (#4740)\n- feature: disable pipewire with --nosound (#4855)\n- feature: Unset TMP if it doesn\u0027t exist inside of sandbox (#4151)\n- feature: Allow apostrophe in whitelist and blacklist (#4614)\n- feature: AppImage support in --build command (#4878)\n- modifs: exit code: distinguish fatal signals by adding 128 (#4533)\n- modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)\n- modifs: close file descriptors greater than 2 (--keep-fd) (#4845)\n- modifs: nogroups now stopped causing certain system groups to be dropped,\n- which are now controlled by the relevant \u0027no\u0027 options instead (such as\n- nosound -\u003e drop audio group), which fixes device access issues on systems\n- not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)\n- removal: --disable-whitelist at compile time\n- removal: whitelist=yes/no in /etc/firejail/firejail.config\n- bugfix: Fix sndio support (#4362 #4365)\n- bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)\n- bugfix: --build clears the environment (#4460 #4467)\n- bugfix: firejail hangs with net parameter (#3958 #4476)\n- bugfix: Firejail does not work with a custom hosts file (#2758 #4560)\n- bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)\n- bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)\n- bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)\n- bugfix: Firejail rejects empty arguments (#4395)\n- bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)\n- bugfix: Seccomp list output goes to stdout instead of stderr (#4328)\n- bugfix: private-etc does not work with symlinks (#4887)\n- bugfix: Hardware key not detected on keepassxc (#4883)\n- build: allow building with address sanitizer (#4594)\n- build: Stop linking pthread (#4695)\n- build: Configure cleanup and improvements (#4712)\n- ci: add profile checks for sorting disable-programs.inc and\n- firecfg.config and for the required arguments in private-etc (#2739 #4643)\n- ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)\n- docs: Add new command checklist to CONTRIBUTING.md (#4413)\n- docs: Rework bug report issue template and add both a question and a\n- feature request template (#4479 #4515 #4561)\n- docs: fix contradictory descriptions of machine-id (\u0027preserves\u0027 vs\n- \u0027spoofs\u0027) (#4689)\n- docs: Document that private-bin and private-etc always accumulate (#4078)\n- new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)\n- new includes: disable-proc.inc (#4521)\n- removed includes: disable-passwordmgr.inc (#4454 #4461)\n- new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim\n- new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl\n- new profiles: yt-dlp, goldendict, goldendict, bundle, cmake\n- new profiles: make, meson, pip, codium, telnet, ftp, OpenStego\n- new profiles: imv, retroarch, torbrowser, CachyBrowser,\n- new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,\n- new profiles: Seafile, neovim, com.github.tchx84.Flatseal\n\nfirejail 0.9.66:\n\n* deprecated --audit options, relpaced by jailcheck utility\n* deprecated follow-symlink-as-user from firejail.config\n* new firejail.config settings: private-bin, private-etc\n* new firejail.config settings: private-opt, private-srv\n* new firejail.config settings: whitelist-disable-topdir\n* new firejail.config settings: seccomp-filter-add\n* removed kcmp syscall from seccomp default filter\n* rename --noautopulse to keep-config-pulse\n* filtering environment variables\n* zsh completion\n* command line: --mkdir, --mkfile\n* --protocol now accumulates\n* jailtest utility for testing running sandboxes\n* faccessat2 syscall support\n* --private-dev keeps /dev/input\n* added --noinput to disable /dev/input\n* add support for subdirs in --private-etc\n* subdirs support in private-etc\n* input devices support in private-dev, --no-input\n* support trailing comments on profile lines\n* many new profiles\n- split shell completion into standard subpackages\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2022-37",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0037-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0037-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VWYUOU25A4H7UO242AHCSAQPLQYRMJ6T/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0037-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VWYUOU25A4H7UO242AHCSAQPLQYRMJ6T/"
},
{
"category": "self",
"summary": "SUSE Bug 1195880",
"url": "https://bugzilla.suse.com/1195880"
}
],
"title": "Security update for firejail",
"tracking": {
"current_release_date": "2022-02-16T13:25:43Z",
"generator": {
"date": "2022-02-16T13:25:43Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0037-1",
"initial_release_date": "2022-02-16T13:25:43Z",
"revision_history": [
{
"date": "2022-02-16T13:25:43Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "firejail-0.9.68-bp153.2.3.1.aarch64",
"product": {
"name": "firejail-0.9.68-bp153.2.3.1.aarch64",
"product_id": "firejail-0.9.68-bp153.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "firejail-0.9.68-bp153.2.3.1.i586",
"product": {
"name": "firejail-0.9.68-bp153.2.3.1.i586",
"product_id": "firejail-0.9.68-bp153.2.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "firejail-0.9.68-bp153.2.3.1.ppc64le",
"product": {
"name": "firejail-0.9.68-bp153.2.3.1.ppc64le",
"product_id": "firejail-0.9.68-bp153.2.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "firejail-0.9.68-bp153.2.3.1.s390x",
"product": {
"name": "firejail-0.9.68-bp153.2.3.1.s390x",
"product_id": "firejail-0.9.68-bp153.2.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "firejail-0.9.68-bp153.2.3.1.x86_64",
"product": {
"name": "firejail-0.9.68-bp153.2.3.1.x86_64",
"product_id": "firejail-0.9.68-bp153.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP3",
"product": {
"name": "SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.aarch64 as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.aarch64"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.i586 as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.i586"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.ppc64le as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.ppc64le"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.s390x as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.s390x"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.x86_64 as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.x86_64"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.aarch64"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.i586 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.i586"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.ppc64le"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.s390x"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "firejail-0.9.68-bp153.2.3.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.x86_64"
},
"product_reference": "firejail-0.9.68-bp153.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…