Summary: | <sys-apps/firejail-0.9.44.2, <sys-apps/firejail-lts-0.9.38.6: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | jamesrutledge |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | aidecoe, jstein |
Priority: | Normal | Keywords: | STABLEREQ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://firejail.wordpress.com/download-2/release-notes/ | ||
Whiteboard: | B2 [glsa cleanup] | ||
Package list: | Runtime testing required: | --- |
Description
jamesrutledge
2016-12-08 14:55:54 UTC
Is it correct, that we have old versions without fix for the CVE in the tree?

Multiple fixes:
https://github.com/netblue30/firejail/commit/8b5b444c766b8d0592346decc6ed4a6d345e4f67
https://github.com/netblue30/firejail/commit/e847207df28e181a8f590ade825b5f06d4fadf17
https://github.com/netblue30/firejail/commit/18f6e9dc9b304f7aca291c3edce5122562b1e36c

@ Maintainer(s): Please bump to =sys-apps/firejail-0.9.44.2

0.9.44.2 has been submitted. Please stabilize. I will remove 0.9.38.2 as soon as 0.9.38.4 is stabilized as well.

amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

GLSA requested.

Quoting netblue30 (firejail developer) about 0.9.38:

> The security problems fixed in 0.9.44.2 don't affect 0.9.38. They've
> been introduced after 0.9.38 release. However, I do have some
> bug fixes, small things like vlc crashing and security improvements
> coming. Also, I started backporting some new security features. I hope
> to have the next LTS release out in early January.

I have bumped 0.9.42.2 and removed 0.9.42. There's no vulnerable version in the tree. 0.9.38.4 LTS is in the tree with ~amd64 keyword. I will reopen bug 602034 to stabilize LTS version as well, but it's not related to this bug any more.

It appears upstream might have forgotten about one fix. I have backported <https://github.com/netblue30/firejail/commit/4f4e59c7529888339fe2337dc893984eb7833d01> in 0.9.38.4-r1.

(In reply to Amadeusz Żołnowski from comment #9)
> It appears upstream might have forgotten about one fix. I have backported
> <https://github.com/netblue30/firejail/commit/4f4e59c7529888339fe2337dc893984eb7833d01>
> in 0.9.38.4-r1.

Ready for stable?

Upstream said he's going to release this soon, maybe even today, so I think it's better to wait for that. I'll update tomorrow.

Upstream has released 0.9.38.6 with the security fix. I have split firejail into sys-apps/firejail-lts and sys-apps/firejail (bleeding-edge).
Please stabilize sys-apps/firejail-0.9.38.6.

Please stabilize sys-apps/firejail-lts-0.9.38.6, not sys-apps/firejail-0.9.38.6. Sorry.

Stable on amd64.

This issue was resolved and addressed in GLSA 201612-48 at https://security.gentoo.org/glsa/201612-48 by GLSA coordinator Aaron Bauman (b-man).