tag name | v0.1.3 (f1ba61b581fa4c5ae7351901a1aaa537f35dfe5f) |
tag date | 2016-10-14 12:43:43 -0400 |
tagged by | Colin Walters <walters@verbum.org> |
tagged object | commit 0bf9fb66c7... |
download | bubblewrap-0.1.3.tar.gz |
Release 0.1.3 (fixes CVE-2016-8659)
This release fixes CVE-2016-8659: https://github.com/projectatomic/bubblewrap/issues/107
which is a local privilege escalation that applies when
bubblewrap is installed with suid or file capabilities. This
vulnerability does not apply for systems/distributions which
unconditionally enable `CLONE_NEWUSER` access for unprivileged
users, as e.g. Fedora 24 and newer (as of this writing) do.
However, this will apply to systems such as CentOS/RHEL 7, Debian
stable, Arch, etc. that use bubblewrap as a gating mechanism for
container/app tooling like Flatpak.
The bubblewrap authors wish to thank Sebastian Krahmer, who
has found and responsibly reported many security issues over
time, including this one.
At this time, the bubblewrap authors still believe the codebase is a
sensible option for systems/distributions which don't want to enable
full `CLONE_NEWUSER`. However, the upstream kernel has improved, and
continues to do so. It's likely at some point in the future that
bubblewrap will evolve more flexibility around gating access to
`CLONE_NEWUSER`, such as only allowing it for logged in human users,
not background daemons.
Alexander Larsson (3):
Move commandline args to top of the file
Don't allow setting hostname if not unsharing UTS namespace
Only set DUMPABLE when we need it (i.e. in user namespace child)
Bill Nottingham (1):
Fix capability list in spec file.
Colin Walters (1):
Release 0.1.3
Kenton Varda (1):
Make notes on sandstorm.io somewhat more accurate
Git-EVTag-v0-SHA512: 47f77d675735c9ad7f134ac996843b8a6889be9a6a925d586ecc6a4138d2d8d35d1270da04198f09c69434be42a85319b4b763e45ac97e0fce9a961535567c99
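The affected configuration the release message describes (a bwrap older than 0.1.3, installed setuid or with file capabilities, on a kernel that does not unconditionally grant unprivileged `CLONE_NEWUSER`) as an added triage check; this is example code written for this page, not part of bubblewrap or this tag. It assumes a Debian/Arch-style `kernel.unprivileged_userns_clone` sysctl for the last input; where that sysctl is absent, supply 1 or 0 from your distribution's policy by hand.

```shell
#!/bin/sh
# Added triage helper (not part of bubblewrap or this release): decides whether a
# host is in the configuration the release note describes as affected:
#   bwrap older than 0.1.3, installed setuid root or with file capabilities,
#   on a kernel that does NOT unconditionally grant CLONE_NEWUSER to unprivileged users.
# Inputs are plain strings so the logic can be exercised with constructed values;
# gather real ones with:  stat -c %a "$(command -v bwrap)"   getcap "$(command -v bwrap)"
#   sysctl -n kernel.unprivileged_userns_clone   (assumption: this Debian/Arch sysctl
#   exists; where it is absent, fill in 1 or 0 from your distro's policy by hand).

# version_lt A B: true when dotted version A sorts numerically before B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# mode_is_setuid MODE: MODE is the octal string `stat -c %a` prints (e.g. 4755);
# the leading 0 makes the shell read it as octal so bit 04000 is the setuid bit.
mode_is_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# has_file_caps GETCAP_LINE: getcap prints "PATH = cap_x+ep" or "PATH cap_x=ep"
# when file capabilities are set and nothing at all when they are not.
has_file_caps() {
    case "$1" in *cap_*) return 0 ;; *) return 1 ;; esac
}

# classify VERSION MODE GETCAP_LINE USERNS_SYSCTL -> prints "affected" or "not-affected"
classify() {
    if ! version_lt "$1" "0.1.3"; then
        echo not-affected; return            # 0.1.3 and later carry the fix
    fi
    if [ "$4" = "1" ]; then
        echo not-affected; return            # unprivileged CLONE_NEWUSER already allowed
    fi
    if mode_is_setuid "$2" || has_file_caps "$3"; then
        echo affected; return                # privileged bwrap is the gating mechanism
    fi
    echo not-affected                        # bwrap holds no privilege to escalate through
}

# Constructed sample (not taken from a real host): unpatched setuid bwrap on a
# kernel with unprivileged user namespaces disabled.
classify 0.1.2 4755 '' 0   # prints: affected
```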