[atomic-devel] bubblewrap 0.1.3 (fixes CVE-2016-8659)
- From: Colin Walters <walters verbum org>
- To: atomic-devel projectatomic io
- Subject: [atomic-devel] bubblewrap 0.1.3 (fixes CVE-2016-8659)
- Date: Fri, 14 Oct 2016 12:53:40 -0400
A new release of bubblewrap is available:
https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.3
Which fixes a local privilege escalation. Specifically relevant to Project Atomic,
this applies only to CentOS7/RHEL7 systems which have
bubblewrap installed as privileged code.
Notably, we *do* install it by default as /usr/bin/bwrap in
CentOS Atomic Host Alpha, but not in the primary CentOS Atomic Host
release, where it exists solely as /usr/libexec/rpm-ostree/bwrap for
use by rpm-ostree's package layering, but is not installed as
privileged and hence is not a vulnerability vector.
Fedora, because it unconditionally enables `CLONE_NEWUSER`
access, is not vulnerable to this.
So, expect updates to land in:
- EPEL7
- CentOS AH Alpha
soon.
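
Added example (not part of the original message, and not code from the bubblewrap project): a triage script that applies the announcement's two conditions, a bwrap binary installed privileged and older than 0.1.3, to the two paths it names. It assumes "privileged" means the setuid bit (file capabilities are not checked), GNU `stat`, and that `bwrap --version` prints `bubblewrap X.Y.Z`; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bubblewrap project. Classifies a bwrap binary
# by the two conditions in the announcement: installed privileged, and
# older than the fixed release.
FIXED=0.1.3   # fixed release named in the announcement

# version_lt A B: succeeds when dotted version A is strictly older than B.
version_lt() {
    [ "$1" != "$2" ] || return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# classify MODE VERSION: MODE is octal as printed by `stat -c %a`
# (e.g. 4755); VERSION may be empty when it could not be determined.
classify() {
    case "$1" in
        [4567]???) ;;                       # leading digit has the setuid bit
        *) echo "unprivileged"; return 0 ;; # not setuid: out of scope
    esac
    if [ -z "$2" ]; then
        echo "privileged-unknown-version"
    elif version_lt "$2" "$FIXED"; then
        echo "privileged-outdated"
    else
        echo "privileged-fixed"
    fi
}

# check_path FILE: gathers mode and version from a real file.
# Assumption: `bwrap --version` prints "bubblewrap X.Y.Z".
check_path() {
    [ -e "$1" ] || { echo "absent"; return 0; }
    mode=$(stat -c %a "$1")
    ver=$("$1" --version 2>/dev/null | awk '{print $2; exit}') || ver=""
    classify "$mode" "$ver"
}

# The two install locations named in the announcement.
for f in /usr/bin/bwrap /usr/libexec/rpm-ostree/bwrap; do
    printf '%s: %s\n' "$f" "$(check_path "$f")"
done
```

A result of `privileged-outdated` marks a binary that needs the update; `privileged-unknown-version` should be resolved through the package manager rather than assumed safe.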