Your message dated Thu, 18 Oct 2018 23:34:46 +0000
with message-id <[email protected]>
and subject line Bug#911343: fixed in fuse3 3.2.6-1
has caused the Debian Bug report #911343,
regarding fuse3: CVE-2018-10906: Restriction bypass of the allow_other option
when SELinux is active
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
911343: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911343
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fuse
Version: 2.9.7-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/libfuse/libfuse/pull/268
Hi,
The following vulnerability was published for fuse.
CVE-2018-10906[0]:
Restriction bypass of the "allow_other" option when SELinux is active
To exploit it, SELinux needs to be active (including in permissive
mode).
I have prepared an update for stretch (not yet released), although as
said, it's a problem only with active SELinux, which is not by default
in Debian.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10906
[1] https://github.com/libfuse/libfuse/pull/268
[2] https://sourceforge.net/p/fuse/mailman/message/36374753/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: fuse3
Source-Version: 3.2.6-1
We believe that the bug you reported is fixed in the latest version of
fuse3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated fuse3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 18 Oct 2018 21:36:00 +0000
Source: fuse3
Binary: fuse3 libfuse3-3 libfuse3-dev fuse3-udeb libfuse3-3-udeb
Architecture: source amd64
Version: 3.2.6-1
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
fuse3 - Filesystem in Userspace (3.x version)
fuse3-udeb - Filesystem in Userspace (3.x version) (udeb)
libfuse3-3 - Filesystem in Userspace (library) (3.x version)
libfuse3-3-udeb - Filesystem in Userspace (library) (3.x version) (udeb)
libfuse3-dev - Filesystem in Userspace (development) (3.x version)
Closes: 910029 910030 911343
Changes:
 fuse3 (3.2.6-1) unstable; urgency=medium
 .
   * New upstream release:
     - fix CVE-2018-10906, restriction bypass of the allow_other option when
       SELinux is active (closes: #911343).
   * Honor nocheck in DEB_BUILD_OPTIONS (closes: #910029).
   * Don't force xz compression for source and binaries (closes: #910030).
   * Update copyright file.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---