group.of.nepali.translators team mailing list archive
Message #10519
[Bug 1655136] Re: Multiple CVEs in xenial
This bug was fixed in the package firejail - 0.9.38-1ubuntu0.1
---------------
firejail (0.9.38-1ubuntu0.1) xenial-security; urgency=low

  * SECURITY UPDATE: sandbox escape via TIOCSTI ioctl (LP: #1655136)
    - debian/patches/CVE-2016-9016.patch: cherry-picked from upstream
      0.9.38-LTS branch (commit 19302eb)
    - CVE-2016-9016
  * SECURITY UPDATE: truncate /etc/resolv.conf as non-root user (LP: #1655136)
    - debian/patches/CVE-2016-10118.patch: cherry-picked from upstream
      0.9.38-LTS branch (commit 4f4e59c)
    - CVE-2016-10118
  * SECURITY UPDATE: local privilege escalation to root (LP: #1655136)
    - debian/patches/CVE-2017-5180.patch: cherry-picked from upstream
      0.9.38-LTS branch (commit ad97545)
    - CVE-2017-5180

 -- Reiner Herrmann <reiner@xxxxxxxxxxx>  Tue, 17 Jan 2017 20:16:26 +0100
** Changed in: firejail (Ubuntu Xenial)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1655136
Title:
Multiple CVEs in xenial
Status in firejail package in Ubuntu:
Fix Released
Status in firejail source package in Xenial:
Fix Released
Status in firejail source package in Zesty:
Fix Released
Bug description:
firejail 0.9.38 is affected by the following CVEs:
- CVE-2016-9016: sandbox escape
- CVE-2016-10118: overwrite /etc/resolv.conf
- CVE-2017-5180: local root exploit
Please apply the attached debdiff.
firejail 0.9.40 is also affected by those (and perhaps other) CVEs.
But fixing that looks like a bit more effort (patches don't apply cleanly), and there were several related upstream commits that attempted to fix them.