Source: attr
Version: 1:2.5.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:2.5.2-3
Control: found -1 1:2.5.1-4

Hi,

The following vulnerability was published for attr.

CVE-2026-54371[0]:
| attr before version 2.6.0 contains a symlink traversal vulnerability
| in the getfattr and setfattr utilities that allows local attackers
| to escalate privileges by replacing a pathname component with a
| symbolic link during directory hierarchy traversal. Attackers who
| control a pathname component can redirect getfattr and setfattr
| operations to arbitrary files by substituting a symlink, leading to
| local privilege escalation when getfattr or setfattr is invoked by a
| privileged process over an attacker-controlled path.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54371
    https://www.cve.org/CVERecord?id=CVE-2026-54371
[1] https://www.openwall.com/lists/oss-security/2026/06/29/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
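
Added example, not part of the original report and not the upstream attr fix: one way a privileged caller can avoid the symlink substitution described in the CVE text is to open each pathname component relative to its already-open parent with O_NOFOLLOW and then operate on the resulting file descriptor. The function names open_beneath and list_xattrs_beneath are hypothetical; the sketch assumes Linux, a trusted root directory, and a relative path without "..".

```python
import errno
import os
import tempfile


def open_beneath(root, relpath):
    """Open relpath under root, refusing a symlink in any component.

    Each component is opened relative to the already-open parent directory
    fd with O_NOFOLLOW, so a component swapped for a symlink after any
    earlier check makes the walk fail instead of redirecting it.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("need a relative path without '..'")
    # Assumption: root itself is trusted, so it is opened normally.
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
                          | os.O_CLOEXEC, dir_fd=fd)
            os.close(fd)
            fd = nxt
        # O_NONBLOCK: do not hang if the leaf turns out to be a FIFO.
        return os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
                       | os.O_CLOEXEC, dir_fd=fd)
    finally:
        os.close(fd)


def list_xattrs_beneath(root, relpath):
    """List extended attribute names of the file reached by the safe walk."""
    fd = open_beneath(root, relpath)
    try:
        return os.listxattr(fd)  # operates on the fd, not on a path
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed sample tree: tree/sub/file, then "sub" becomes a symlink.
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "tree", "sub"))
    os.makedirs(os.path.join(base, "outside"))
    open(os.path.join(base, "tree", "sub", "file"), "w").close()
    print(list_xattrs_beneath(os.path.join(base, "tree"), "sub/file"))
    os.rename(os.path.join(base, "tree", "sub"), os.path.join(base, "tree", "old"))
    os.symlink(os.path.join(base, "outside"), os.path.join(base, "tree", "sub"))
    try:
        open_beneath(os.path.join(base, "tree"), "sub/file")
    except OSError as exc:
        print("refused:", errno.errorcode[exc.errno])
```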

