SUSE alert SUSE-SU-2023:1715-1 (flatpak)
| From: | sle-security-updates@lists.suse.com | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2023:1715-1: important: Security update for flatpak | |
| Date: | Fri, 31 Mar 2023 16:30:14 -0000 | |
| Message-ID: | <168028021488.30208.15296906240256114555@smelt2.suse.de> |
# Security update for flatpak Announcement ID: SUSE-SU-2023:1715-1 Rating: important References: * #1209410 * #1209411 Cross-References: * CVE-2023-28100 * CVE-2023-28101 CVSS scores: * CVE-2023-28100 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H * CVE-2023-28100 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H * CVE-2023-28101 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N * CVE-2023-28101 ( NVD ): 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Affected Products: * Desktop Applications Module 15-SP4 * openSUSE Leap 15.4 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 An update that solves two vulnerabilities can now be installed. ## Description: This update for flatpak fixes the following issues: * CVE-2023-28101: Fixed misleading terminal output with metadata with ANSI control codes (bsc#1209410). * CVE-2023-28100: Fixed unsandboxed TIOCLINUX commands (bsc#1209411). Update to version 1.12.8: * Update the SELinux module to explicitly permit the system helper have read access to /etc/passwd and systemd-userdbd, read and lock access to /var/lib/flatpak, and watch files inside $libexecdir * If an app update is blocked by parental controls policies, clean up the temporary deploy directory * Fix Autotools build with versions of gpgme that no longer provide gpgme- config(1) * Remove some unreachable code * Add missing handling for some D-Bus errors Update to version 1.12.7: * We now allow networked access to X11 and PulseAudio services if that is configured, and the application has network access. * Absolute paths in WAYLAND_DISPLAY now work * Allow apps that were built with Flatpak 1.13.x to export AppStream metadata in share/metainfo * Most commands now work if /var/lib/flatpak exists but ## Patch Instructions: To install this SUSE Important update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-1715=1 * Desktop Applications Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2023-1715=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) * flatpak-1.12.8-150400.3.3.1 * typelib-1_0-Flatpak-1_0-1.12.8-150400.3.3.1 * flatpak-debuginfo-1.12.8-150400.3.3.1 * flatpak-devel-1.12.8-150400.3.3.1 * flatpak-zsh-completion-1.12.8-150400.3.3.1 * libflatpak0-1.12.8-150400.3.3.1 * system-user-flatpak-1.12.8-150400.3.3.1 * flatpak-debugsource-1.12.8-150400.3.3.1 * libflatpak0-debuginfo-1.12.8-150400.3.3.1 * Desktop Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64) * flatpak-1.12.8-150400.3.3.1 * typelib-1_0-Flatpak-1_0-1.12.8-150400.3.3.1 * flatpak-debuginfo-1.12.8-150400.3.3.1 * flatpak-devel-1.12.8-150400.3.3.1 * flatpak-zsh-completion-1.12.8-150400.3.3.1 * libflatpak0-1.12.8-150400.3.3.1 * system-user-flatpak-1.12.8-150400.3.3.1 * flatpak-debugsource-1.12.8-150400.3.3.1 * libflatpak0-debuginfo-1.12.8-150400.3.3.1 ## References: * https://www.suse.com/security/cve/CVE-2023-28100.html * https://www.suse.com/security/cve/CVE-2023-28101.html * https://bugzilla.suse.com/show_bug.cgi?id=1209410 * https://bugzilla.suse.com/show_bug.cgi?id=1209411