Debian alert DLA-4221-1 (libblockdev)
From: Thorsten Alteholz <debian@alteholz.de>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4221-1] libblockdev security update
Date: Tue, 17 Jun 2025 21:49:42 +0000
Message-ID: <4e8b89e6-fbfb-acaa-1e6b-9b1d7ace94@alteholz.de>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4221-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
June 17, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libblockdev
Version        : 2.25-2+deb11u1
CVE ID         : CVE-2025-6019

The Qualys Threat Research Unit (TRU) discovered a local privilege
escalation vulnerability in libblockdev, a library for manipulating
block devices. An "allow_active" user can exploit this flaw via the
udisks daemon to obtain the full privileges of the root user.

Details can be found in the Qualys advisory at
https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

Along with the libblockdev update, updated udisks2 packages are released,
to enforce that private mounts are mounted with 'nodev,nosuid'.

For Debian 11 bullseye, this problem has been fixed in version
2.25-2+deb11u1.

We recommend that you upgrade your libblockdev packages.

For the detailed security status of libblockdev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libblockdev

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
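
The advisory states that the updated udisks2 packages enforce 'nodev,nosuid' on private mounts. The following is an added example, not part of the advisory or of Debian's tooling, that audits a mount table in /proc/mounts format for entries missing either option. The mount-point prefixes and the sample table are assumptions constructed for illustration; adjust the prefixes to your host.

```python
import os
import re

REQUIRED = {"nodev", "nosuid"}
# Assumption: locations where user-triggered mounts may appear on this host.
DEFAULT_PREFIXES = ("/tmp", "/media", "/run/media", "/mnt")

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp/blockdev.AB12CD xfs rw,relatime 0 0
/dev/sdb1 /media/alice/USB\\040STICK vfat rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /run/media/bob/data ext4 rw,nodev,relatime 0 0
"""

def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def under(path, prefix):
    """True if path is the prefix itself or lies below it."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def audit_mounts(text, prefixes=DEFAULT_PREFIXES):
    """Return (mountpoint, fstype, missing_options) for each weak mount."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        mountpoint, fstype, opts = unescape(parts[1]), parts[2], parts[3]
        if not any(under(mountpoint, p) for p in prefixes):
            continue
        missing = REQUIRED - set(opts.split(","))
        if missing:
            findings.append((mountpoint, fstype, sorted(missing)))
    return findings

if __name__ == "__main__":
    # Use the live mount table when available, else the constructed sample.
    path = "/proc/self/mounts"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for mountpoint, fstype, missing in audit_mounts(text):
        print(f"{mountpoint} ({fstype}): missing {','.join(missing)}")
```
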