Red Hat has issued an advisory today (April 10):
https://access.redhat.com/errata/RHSA-2018:0913

We don't actually support SELinux, so we probably don't need to update this for Mageia 6, but we should at least fix it in Cauldron.
CC: (none) => marja11
Assignee: bugsquad => basesystem
Status comment: (none) => Patch available from CentOS
Looking more closely, it looks like the easiest way to fix it would be to update to 2.8 (synced with Fedora).
CC: (none) => ngompa13
Whiteboard: (none) => MGA7TOO
fixed in cauldron and mga7

src: policycoreutils-2.5-14.1.mga7
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: basesystem => qa-bugs
CC: (none) => mageia
Advisory:
========================

Updated policycoreutils packages fix security vulnerability:

Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing) (CVE-2018-1063).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1063
https://access.redhat.com/errata/RHSA-2018:0913
========================

Updated packages in core/updates_testing:
========================
policycoreutils-2.5-14.1.mga7
policycoreutils-debugsource-2.5-14.1.mga7
policycoreutils-python-utils-2.5-14.1.mga7
policycoreutils-python3-2.5-14.1.mga7
policycoreutils-python-2.5-14.1.mga7
libpolicycoreutils-devel-2.5-14.1.mga7
policycoreutils-sandbox-2.5-14.1.mga7
policycoreutils-newrole-2.5-14.1.mga7
policycoreutils-gui-2.5-14.1.mga7
policycoreutils-restorecond-2.5-14.1.mga7

from policycoreutils-2.5-14.1.mga7.src.rpm
Status comment: Patch available from CentOS => (none)
Installed policycoreutils, and ran the GUIs without actually doing anything.

Used QA Repo to get the updated packages. No installation issues. Ran the GUIs again, and they looked and acted the same as before the update.

Since we don't actively support SELinux, and this vulnerability was reported nearly three years ago, it's time to move this along. Validating with my simple test. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
Advisory pushed to SVN.
CVE: (none) => CVE-2018-1063
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0032.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED