CVSS v3.1 base score: 8.8 (High)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2 base score: 7.2 (High)
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
An update that solves one vulnerability and has three fixes is now available.

Description:
This update for flatpak, libostree, xdg-desktop-portal and xdg-desktop-portal-gtk fixes the following issues:
libostree:
- Update to version 2020.8.
- Enable LTO. (bsc#1133120)
- This update contains scalability improvements and bugfixes.
- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if they have not changed in the meantime.
- Summaries and deltas have been reworked to allow more fine-grained fetching.
- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.
- Static deltas can now be signed to more easily support offline verification.
- There is now support for multiple initramfs images; it is possible to have a “main” initramfs image and a secondary one which represents local configuration.
- The documentation has moved to https://ostreedev.github.io/ostree/
- Fix for an assertion failure when upgrading from systems before ostree supported devicetree.
- ostree no longer hardlinks zero-sized files, to avoid hitting filesystem maximum link counts.
- ostree now supports / and /boot being on the same filesystem.
- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, and dropping a deprecated bit in the systemd unit file.
- Fix a regression in 2020.4 where the “readonly sysroot” changes incorrectly left the sysroot read-only on systems that started out with a read-only / (most of them, e.g. Fedora Silverblue/IoT at least).
- The default dracut config now enables reproducibility.
- There is a new ostree admin unlock --transient. This should be a foundation for further support for “live” updates.
- New ed25519 signing support, powered by libsodium.
- ostree commit gained a new --base argument, which significantly simplifies constructing “derived” commits, particularly for systems using SELinux.
- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the readonly=true flag in the repo config is recommended.
- Several fixes in locking for the temporary “staging” directories OSTree creates, particularly on NFS.
- A new timestamp-check-from-rev option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.
- Several fixes and enhancements made for “collection” pulls, including a new --mirror option.
- The ostree commit command learned a new --mode-ro-executables which enforces W^R semantics on all executables.
- Added a new commit metadata key OSTREE_COMMIT_META_KEY_ARCHITECTURE to help standardize the architecture of the OSTree commit. This could be used on the client side, for example, to sanity-check that the commit matches the architecture of the machine before deploying.
- Stop invalid usage of %_libexecdir: %{_prefix}/lib is used where appropriate, _systemdgeneratordir is added for the systemd generators, and _dracutmodulesdir is based on dracut.pc.

xdg-desktop-portal:
- Update to version 1.8.0.
- xdg-document-portal calls out to /usr/bin/fusermount.
- Fixes for %_libexecdir changing to /usr/libexec.

xdg-desktop-portal-gtk:
- Update to version 1.8.0.
flatpak:
- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148).
- This is a security update which fixes a potential attack where a flatpak application could use a custom formatted .desktop file to gain access to files on the host system.
- Fix memory leaks.
- Documentation and translation updates.
- The spawn portal better handles non-UTF-8 filenames.
- Fix flatpak build on systems with setuid bwrap.
- Fix crash on updating apps with no deploy data.
- Remove deprecated texinfo packaging macros.
- Support for the new repo format, which should make updates faster and download less data.
- The systemd generator snippets now call flatpak --print-updated-env in place of a bunch of shell for better login performance.
- The .profile snippets now disable GVfs when calling flatpak, to avoid spawning a gvfs daemon when logging in via ssh.
- Flatpak now finds the pulseaudio sockets better in uncommon configurations.
- Sandboxes with network access now also have access to the systemd-resolved socket to do DNS lookups.
- Flatpak supports unsetting environment variables in the sandbox using --unset-env, and --env=FOO= now sets FOO to the empty string instead of unsetting it.
- The spawn portal now has an option to share the pid namespace with the sub-sandbox.
- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the “flatpak run” command when spawning a sub-sandbox. (bsc#1180996, CVE-2021-21261)
- Fix support for ppc64.
- Move flatpak-bisect and flatpak-coredumpctl to the devel subpackage, which allows the python3 dependency to be removed from the main package.
- Enable LTO, as gobject-introspection works fine with LTO. (bsc#1133124)
- Fixed progress reporting for OCI and extra-data.
- The in-memory summary cache is more efficient.
- Fixed authentication getting stuck in a loop in some cases.
- Fixed authentication error reporting.
- Extract OCI info for runtimes as well as apps.
- Fixed crash if anonymous authentication fails and -y is specified.
- flatpak info now only looks at the specified installation if one is specified.
- Better error reporting for server HTTP errors during download.
- Uninstall now removes applications before the runtime they depend on.
- Avoid updating metadata from the remote when uninstalling.
- FlatpakTransaction now verifies all passed in refs to avoid.
- Added validation of collection id settings for remotes.
- Fix seccomp filters on s390.
- Robustness fixes to the spawn portal.
- Fix support for masking updates in the system installation.
- Better support for distros with uncommon models of merged /usr.
- Cache responses from localed/AccountService.
- Fix hangs in cases where xdg-dbus-proxy fails to start.
- Fix double-free in cups socket detection.
- The OCI authenticator now doesn’t ask for auth in case of HTTP errors.
- Fix invalid usage of %{_libexecdir} to reference systemd directories.
- Fixes for %_libexecdir changing to /usr/libexec.
- Avoid calling the authenticator in update if the ref didn’t change.
- Don’t fail the transaction if the ref is already installed (after transaction start).
- Fix flatpak run handling of userns in the --device=all case.
- Fix handling of extensions from different remotes.
- Fix flatpak run --no-session-bus.
- FlatpakTransaction has a new signal install-authenticator which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.
- Now the host timezone data is always exposed, fixing several apps that had timezone issues.
- There’s a new systemd unit (not installed by default) to automatically detect plugged-in USB sticks with sideload repos.
- By default the gdm env.d file is no longer installed because the systemd generators work better.
- create-usb now exports partial commits by default.
- Fix handling of docker media types in OCI remotes.
- Fix subjects in remote-info --log output.
- This release is also able to host flatpak images on e.g. Docker Hub.
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-520=1
OS | Version | Architecture
---|---|---
openSUSE Leap | 15.2 | i586
openSUSE Leap | 15.2 | x86_64
openSUSE Leap | 15.2 | noarch