Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.1098 Low: policycoreutils security, bug fix, and enhancement update 11 April 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: policycoreutils Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Linux variants Impact/Access: Modify Permissions -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2018-1063 Original Bulletin: https://access.redhat.com/errata/RHSA-2018:0913 Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running policycoreutils check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: policycoreutils security, bug fix, and enhancement update Advisory ID: RHSA-2018:0913-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:0913 Issue date: 2018-04-10 CVE Names: CVE-2018-1063 ===================================================================== 1. Summary: An update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Buildroot (shipped just to git.centos.org) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, ppc64le, s390x 3. Description: The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es): * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Métrich (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 974163 - semanage port -l shows a port with multiple types 1260238 - RFE: restorecon should say in verbose mode when it doesn't change a context due to customizable_type 1337192 - semodule: provide better documentation for behavior across operations with modules 1376770 - sealert tracebacks when lithuanian locales are used 1409813 - file context policy does not honor globs for /home based entries 1458831 - '/sbin/fixfiles restore' doesn't relabel all files when run from /.autorelabel or from system when some special files are present in /tmp 1471809 - RFE: backport SELinux/InfiniBand userspace support 1481191 - [policycoreutils] Tier 0 Localization 1499259 - semanage fcontext "-f/--ftype" description is broken 1550122 - CVE-2018-1063 policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: policycoreutils-2.5-22.el7.src.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.i686.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-devel-2.5-22.el7.i686.rpm policycoreutils-devel-2.5-22.el7.x86_64.rpm policycoreutils-gui-2.5-22.el7.x86_64.rpm policycoreutils-newrole-2.5-22.el7.x86_64.rpm policycoreutils-python-2.5-22.el7.x86_64.rpm policycoreutils-sandbox-2.5-22.el7.x86_64.rpm Buildroot (shipped just to git.centos.org): Source: policycoreutils-2.5-22.el7.src.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-restorecond-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: policycoreutils-2.5-22.el7.src.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-newrole-2.5-22.el7.x86_64.rpm policycoreutils-python-2.5-22.el7.x86_64.rpm Buildroot (shipped just to git.centos.org): Source: policycoreutils-2.5-22.el7.src.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: policycoreutils-debuginfo-2.5-22.el7.i686.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-devel-2.5-22.el7.i686.rpm policycoreutils-devel-2.5-22.el7.x86_64.rpm policycoreutils-gui-2.5-22.el7.x86_64.rpm policycoreutils-restorecond-2.5-22.el7.x86_64.rpm policycoreutils-sandbox-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: policycoreutils-2.5-22.el7.src.rpm ppc64: policycoreutils-2.5-22.el7.ppc64.rpm policycoreutils-debuginfo-2.5-22.el7.ppc.rpm policycoreutils-debuginfo-2.5-22.el7.ppc64.rpm policycoreutils-devel-2.5-22.el7.ppc.rpm policycoreutils-devel-2.5-22.el7.ppc64.rpm policycoreutils-gui-2.5-22.el7.ppc64.rpm policycoreutils-newrole-2.5-22.el7.ppc64.rpm policycoreutils-python-2.5-22.el7.ppc64.rpm policycoreutils-sandbox-2.5-22.el7.ppc64.rpm ppc64le: policycoreutils-2.5-22.el7.ppc64le.rpm policycoreutils-debuginfo-2.5-22.el7.ppc64le.rpm policycoreutils-devel-2.5-22.el7.ppc64le.rpm policycoreutils-gui-2.5-22.el7.ppc64le.rpm policycoreutils-newrole-2.5-22.el7.ppc64le.rpm policycoreutils-python-2.5-22.el7.ppc64le.rpm policycoreutils-sandbox-2.5-22.el7.ppc64le.rpm s390x: policycoreutils-2.5-22.el7.s390x.rpm policycoreutils-debuginfo-2.5-22.el7.s390.rpm policycoreutils-debuginfo-2.5-22.el7.s390x.rpm policycoreutils-devel-2.5-22.el7.s390.rpm policycoreutils-devel-2.5-22.el7.s390x.rpm policycoreutils-gui-2.5-22.el7.s390x.rpm policycoreutils-newrole-2.5-22.el7.s390x.rpm policycoreutils-python-2.5-22.el7.s390x.rpm policycoreutils-sandbox-2.5-22.el7.s390x.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.i686.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-devel-2.5-22.el7.i686.rpm policycoreutils-devel-2.5-22.el7.x86_64.rpm policycoreutils-gui-2.5-22.el7.x86_64.rpm policycoreutils-newrole-2.5-22.el7.x86_64.rpm policycoreutils-python-2.5-22.el7.x86_64.rpm policycoreutils-sandbox-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: policycoreutils-2.5-22.el7.src.rpm aarch64: policycoreutils-2.5-22.el7.aarch64.rpm policycoreutils-debuginfo-2.5-22.el7.aarch64.rpm policycoreutils-devel-2.5-22.el7.aarch64.rpm policycoreutils-gui-2.5-22.el7.aarch64.rpm policycoreutils-newrole-2.5-22.el7.aarch64.rpm policycoreutils-python-2.5-22.el7.aarch64.rpm policycoreutils-sandbox-2.5-22.el7.aarch64.rpm ppc64le: policycoreutils-2.5-22.el7.ppc64le.rpm policycoreutils-debuginfo-2.5-22.el7.ppc64le.rpm policycoreutils-devel-2.5-22.el7.ppc64le.rpm policycoreutils-gui-2.5-22.el7.ppc64le.rpm policycoreutils-newrole-2.5-22.el7.ppc64le.rpm policycoreutils-python-2.5-22.el7.ppc64le.rpm policycoreutils-sandbox-2.5-22.el7.ppc64le.rpm s390x: policycoreutils-2.5-22.el7.s390x.rpm policycoreutils-debuginfo-2.5-22.el7.s390.rpm policycoreutils-debuginfo-2.5-22.el7.s390x.rpm policycoreutils-devel-2.5-22.el7.s390.rpm policycoreutils-devel-2.5-22.el7.s390x.rpm policycoreutils-gui-2.5-22.el7.s390x.rpm policycoreutils-newrole-2.5-22.el7.s390x.rpm policycoreutils-python-2.5-22.el7.s390x.rpm policycoreutils-sandbox-2.5-22.el7.s390x.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): aarch64: policycoreutils-debuginfo-2.5-22.el7.aarch64.rpm policycoreutils-restorecond-2.5-22.el7.aarch64.rpm ppc64le: policycoreutils-debuginfo-2.5-22.el7.ppc64le.rpm policycoreutils-restorecond-2.5-22.el7.ppc64le.rpm s390x: policycoreutils-debuginfo-2.5-22.el7.s390x.rpm policycoreutils-restorecond-2.5-22.el7.s390x.rpm Buildroot (shipped just to git.centos.org): Source: policycoreutils-2.5-22.el7.src.rpm ppc64: policycoreutils-2.5-22.el7.ppc64.rpm policycoreutils-debuginfo-2.5-22.el7.ppc64.rpm ppc64le: policycoreutils-2.5-22.el7.ppc64le.rpm policycoreutils-debuginfo-2.5-22.el7.ppc64le.rpm s390x: policycoreutils-2.5-22.el7.s390x.rpm policycoreutils-debuginfo-2.5-22.el7.s390x.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: policycoreutils-debuginfo-2.5-22.el7.ppc64.rpm policycoreutils-restorecond-2.5-22.el7.ppc64.rpm ppc64le: policycoreutils-debuginfo-2.5-22.el7.ppc64le.rpm policycoreutils-restorecond-2.5-22.el7.ppc64le.rpm s390x: policycoreutils-debuginfo-2.5-22.el7.s390x.rpm policycoreutils-restorecond-2.5-22.el7.s390x.rpm x86_64: policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-restorecond-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: policycoreutils-2.5-22.el7.src.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.i686.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-devel-2.5-22.el7.i686.rpm policycoreutils-devel-2.5-22.el7.x86_64.rpm policycoreutils-gui-2.5-22.el7.x86_64.rpm policycoreutils-newrole-2.5-22.el7.x86_64.rpm policycoreutils-python-2.5-22.el7.x86_64.rpm policycoreutils-sandbox-2.5-22.el7.x86_64.rpm Buildroot (shipped just to git.centos.org): Source: policycoreutils-2.5-22.el7.src.rpm x86_64: policycoreutils-2.5-22.el7.x86_64.rpm policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: policycoreutils-debuginfo-2.5-22.el7.x86_64.rpm policycoreutils-restorecond-2.5-22.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-1063 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-US/red_hat_enterprise_linux/7/html/7.5_release_notes/index.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFazHm7XlSAg2UNWIIRAsW7AJwNMvwEDeYhCV8W1mUZjYAtPBx6cgCfUJL7 Bk9p+RFKwkBhodIlcn06UAk= =cEf5 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWs2OpYx+lLeg9Ub1AQhPdg/+O3v2vi7L2/3HJWWyX4ZTn/IwpmDETjio m3zVGXiO/Y5A+VjnZdTk1cMdgd70zuuI6xYgErvljiwLYTXcSEPxl62uicSRNUO7 dvOpuRIe5RbUAMaOP2MNpbJG0kkPGY5dbe0lhn8oHjIBmLSMvHGBnUFoazLfetEe NxGWjHsx2ZvWuuY46ryyghPidRGVoKt3pXe/UcgMuW3J6chbziVoxkcN2KVujDE5 iMH3mFZ2AxyiOSPrkUXP6rW1Bc5MqDz7N/Sas9X6gi7ZNLpC8rhF1NAxbmn0EFWw 4UhqG1w1qHvkyD6GvRLQL3P6VuXZISx+vNB+hW6beIaInzgOYk7Z9+nPJqlsRkB1 HMhCC7SWLPrpnmItG8Wjdo0T1oCfPiNOKsiH11Zz/AVRiciAX0ZYfcGEivZ61nCS vE7tq5Z4u81F97RFLpzroX6RV/9MIeTkRABmag4YTJNQcppprAHxf5+yd8k9+Ktn +3kBLLABvAxi+bhwJ00NW7e4qYaRxhWp8aHo54z5eCOHL+AJi6t7vo8jZRLL0yfR Jnm4iKVXKnXky0TxIwM2k7KuQ+T6tR2lGiiBx+Y4LiHRgxS8aWDkeTPUjPK+4YpN Pj4ri1Fj4YYSEbY6ftexYFsU0mYChH/+Ydm3vb9zADW353xi9yDgPlt8Tn4EQqwK T84x2oRUzHQ= =Dlg9 -----END PGP SIGNATURE-----