618 matches found

RedHat Linux
added 2019/12/17 2:18 a.m. | 2 views

libseccomp-golang: mishandling of multiple argument rules leading to a bypass of intended access restrictions

libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument...

7.5 CVSS | 7.3 AI score | 0.0245 EPSS
Exploits: 0 | References: 4

Mageia
added 2019/11/19 9:16 p.m. | 43 views

Updated systemd packages fix security vulnerability

Updated systemd packages fix security vulnerability: Nadav Markus from Palo Alto Networks discovered that systemd-resolved does not enforce appropriate access controls on its D-Bus interface and allows unprivileged users to execute methods that are meant to be available only to privileged users...

4.4 CVSS | 2.9 AI score | 0.00511 EPSS
Exploits: 1 | References: 3

Oracle linux
added 2019/11/14 12:0 a.m. | 30 views

systemd security, bug fix, and enhancement update

239-18.0.1 - fix netdev is missing for iscsi entry in /etc/fstab Orabug: 25897792 - set 'RemoveIPC=no' in logind.conf as default for OL7.2 Orabug: 22224874 - allow dm remove ioctl to co-operate with UEK3 Vaughan Cao Orabug: 18467469 - add hv dynamic memory support Jerry...

4.4 CVSS | 5.5 AI score | 0.00511 EPSS
Exploits: 1

Amazon
added 2019/11/11 12:0 a.m. | 29 views

Medium: libseccomp

Issue Overview: libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators LT, GT, LE, GE, which might be able to lead to bypassing seccomp filters and potential privilege escalations. CVE-2019-9893 Affected Packages: libseccomp Note: This...

9.8 CVSS | 9.7 AI score | 0.03041 EPSS
Exploits: 0

RedhatCVE
added 2019/11/01 10:12 a.m. | 34 views

CVE-2018-15746

qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service guest crash by leveraging mishandling of the seccomp policy for threads other than the main thread...

5.5 CVSS | 2.9 AI score | 0.005 EPSS
Exploits: 0 | References: 2

OPENSUSE Linux
added 2019/10/07 12:0 a.m. | 110 views

Security update for lxc (moderate)

openSUSE Security Update: Security update for lxc Announcement ID: openSUSE-SU-2019:2286-1 Rating: moderate References: 1131762 Cross-References: CVE-2019-5736 Affected Products: openSUSE Backports SLE-15-SP1 An update that fixes one vulnerability is now available. Description: This update for lx...

9.3 CVSS | 6.8 AI score | 0.9589 EPSS
Exploits: 33 | References: 1

OPENSUSE Linux
added 2019/10/07 12:0 a.m. | 81 views

Security update for singularity (moderate)

openSUSE Security Update: Security update for singularity Announcement ID: openSUSE-SU-2019:2288-1 Rating: moderate References: 1125369 1128598 Cross-References: CVE-2019-11328 Affected Products: openSUSE Backports SLE-15-SP1 openSUSE Backports SLE-15 An update that solves one vulnerability and h...

9 CVSS | 7.1 AI score | 0.02127 EPSS
Exploits: 1 | References: 2

Tenable Nessus
added 2019/10/04 12:0 a.m. | 39 views

openSUSE Security Update : lxc (openSUSE-2019-2245)

This update for lxc fixes the following issues : Update to lxc 3.2.1. The changelog can be found at https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322 + seccomp: support syscall forwarding to userspace + add lxc.seccomp.allownesting + pidfd: Add initial support for the new pid...

9.3 CVSS | 7 AI score | 0.9589 EPSS
Exploits: 33 | References: 3

OPENSUSE Linux
added 2019/10/03 12:0 a.m. | 128 views

Security update for lxc (moderate)

openSUSE Security Update: Security update for lxc Announcement ID: openSUSE-SU-2019:2245-1 Rating: moderate References: 1131762 Cross-References: CVE-2019-5736 Affected Products: openSUSE Leap 15.1 An update that fixes one vulnerability is now available. Description: This update for lxc fixes the...

9.3 CVSS | 6.8 AI score | 0.9589 EPSS
Exploits: 33 | References: 1

Tenable Nessus
added 2019/09/17 12:0 a.m. | 29 views

EulerOS 2.0 SP2 : libseccomp (EulerOS-SA-2019-1856)

According to the version of the libseccomp package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators LT, GT, LE, GE, which migh...

9.8 CVSS | 7 AI score | 0.03041 EPSS
Exploits: 0 | References: 2

Tenable Nessus
added 2019/08/23 12:0 a.m. | 27 views

EulerOS 2.0 SP5 : libseccomp (EulerOS-SA-2019-1794)

According to the version of the libseccomp package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators LT, GT, LE, GE, which migh...

9.8 CVSS | 7 AI score | 0.03041 EPSS
Exploits: 0 | References: 2

OSV
added 2019/08/13 4:40 p.m. | 6 views

USN-4095-2 linux-lts-xenial, linux-aws vulnerabilities

USN-4095-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux...

9.8 CVSS | 7.3 AI score | 0.06821 EPSS
Exploits: 6 | References: 8

Oracle linux
added 2019/08/13 12:0 a.m. | 71 views

qemu-kvm security, bug fix, and enhancement update

1.5.3-167.el7 - Reverting kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch bz1618503 - Resolves: bz1618503 qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads rhel-7 1.5.3-166.el7 - kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch bz1618503 - Resolves: bz1618503 qemu-kv...

7.8 CVSS | 0.5 AI score | 0.0151 EPSS
Exploits: 0

BDU FSTEC
added 2019/08/13 12:0 a.m. | 2 views

The vulnerability of the seccomp component in the Linux operating system’s kernel allows an attacker to increase their privileges and execute arbitrary code.

The vulnerability of the seccomp component in the Linux operating system’s kernel is related to access control errors. Exploiting this vulnerability can allow an attacker to enhance their privileges and execute arbitrary code...

7.8 CVSS | 7.9 AI score | 0.00632 EPSS
Exploits: 0 | References: 13 | Affected Software: 1

Kitploit
added 2019/08/11 9:49 p.m. | 86 views

Seccomp Tools - Provide Powerful Tools For Seccomp Analysis

Provide powerful tools for seccomp analysis. This project is targeted to but not limited to analyze seccomp sandbox in CTF pwn challenges. Some features might be CTF-specific, but still useful for analyzing seccomp in real-case. Features Dump - Automatically dumps seccomp-bpf from execution files...

7.4 AI score
Exploits: 0 | References: 3

Veracode
added 2019/08/10 12:7 a.m. | 26 views

Denial Of Service (Dos)

qemu is vulnerable to denial of service. Mishandling of the seccomp policy for threads other than the main thread allows local OS guest users to crash the application...

5.5 CVSS | 4 AI score | 0.005 EPSS
Exploits: 0 | References: 7 | Affected Software: 2

RedHat Linux
added 2019/08/09 12:49 a.m. | 140 views

Important: Red Hat Security Advisory: qemu-kvm-rhev security and bug fix update

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 10.0 Newton, Red Hat OpenStack Platform 13.0 Queens, and Red Hat OpenStack Platform 14.0 Rocky. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Syste...

9.8 CVSS | 6.9 AI score | 0.06119 EPSS
Exploits: 1 | References: 10

Ubuntu
added 2019/07/25 9:51 p.m. | 277 views

USN-4076-1: Linux kernel vulnerabilities

It was discovered that a race condition existed in the Serial Attached SCSI SAS implementation in the Linux kernel. A local attacker could possibly use this to cause a denial of service system crash or execute arbitrary code. CVE-2018-20836 It was discovered that the ext4 file system implementati...

9.3 CVSS | 7 AI score | 0.05111 EPSS
Exploits: 0

OSV
added 2019/07/25 9:51 p.m. | 8 views

USN-4076-1 linux, linux-aws, linux-kvm, linux-raspi2 vulnerabilities

It was discovered that a race condition existed in the Serial Attached SCSI SAS implementation in the Linux kernel. A local attacker could possibly use this to cause a denial of service system crash or execute arbitrary code. CVE-2018-20836 It was discovered that the ext4 file system implementati...

9.3 CVSS | 7 AI score | 0.05111 EPSS
Exploits: 0 | References: 7

Veracode
added 2019/06/04 6:1 p.m. | 19 views

Privilege Escalation

rkt is vulnerable to privilege escalation attacks. Processes generated with the rkt enter command run with escalated capabilities, without seccomp filtering, and are not limited by cgroups which leads to the privilege escalation vulnerability. Affected component is Process Handler...

7.7 CVSS | 7.7 AI score | 0.00451 EPSS
Exploits: 1 | References: 3 | Affected Software: 1