Source: systemd Version: 236-1 Severity: important Tags: security upstream Forwarded: https://github.com/systemd/systemd/issues/7986
Hi, the following vulnerability was published for systemd, filling this bug to keep track of the bug in the Debian BTS. CVE-2018-6954[0]: | systemd-tmpfiles in systemd through 237 mishandles symlinks present in | non-terminal path components, which allows local users to obtain | ownership of arbitrary files via vectors involving creation of a | directory and a file under that directory, and later replacing that | directory with a symlink. This occurs even if the fs.protected_symlinks | sysctl is turned on. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-6954 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954 [1] https://github.com/systemd/systemd/issues/7986 Please adjust the affected versions in the BTS as needed (all earlier versions should be affected). Regards, Salvatore _______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team