...and some more protection details, profiles, GUI improvements.

Version-Release number:
Our old version: 0.9.56 from Sep 2018
Current released Dec 2019: 0.9.62 (both firejail & firetools)
https://firejail.wordpress.com/download-2/release-notes/
https://firejailtools.wordpress.com/release-notes/

One stated regression, noted in the release notes: from ver 0.9.60 (May 2019) it drops support for flatpak/snap packages. But as this is a security-related package, and upstream has chosen it, I guess it is best to have this tool updated.

Note! Two version-interdependent (I suppose) packages: firejail & firetools
Thanks for the notice.

> two version-interdependent (I suppose) packages: firejail & firetools

In fact our current pkgs are *not* at the same release. Perhaps it does not matter. Does the regression noted (drop support for flatpak/snap packages) matter for our packages?

Assigning to wally as the registered & active maintainer for both these SRPMs.

Assignee: bugsquad => jani.valimaa
Source RPM: firejail-0.9.56-2.mga7.src.rpm => firejail-0.9.56-2.mga7.src.rpm, firetools-0.9.52-3.mga7.src.rpm
Regarding flatpak and snap, we do not package any software in either format AFAIK, but we provide a flatpak environment rpm to run flatpak programs our users retrieve from some other place. If a user today uses firejail to run flatpak programs, the user cannot with the new version. The user then has to run the flatpak program without firejail protection, or get it in AppImage format if available, which firejail now has improved support for. (Currently the version we have fails on one AppImage I want to use.)

(We should update flatpak for security reasons as well as for application compatibility - Bug 25544)
It sounds like this proposed update would probably violate our updates policy.
For security it is good to update. For compatibility with most binaries and AppImage it is good. Only for flatpak it is not good. Is it possible to update in Cauldron and backport to 7?
Fedora has issued an advisory for this today (February 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGVULJ6IKVDO6UAVIQRHQVSKOUD6QDWM/ They updated to 0.9.62 (the security issues are fixed in 0.9.60). Hopefully we can just backport the security fixes.
Summary: Firejail and Firetools have bugfixes incl one low pri security... => firejail new security issues CVE-2019-12499 and CVE-2019-12589
Status comment: (none) => Fixed upstream in 0.9.60
Severity: normal => major
QA Contact: (none) => security
Component: RPM Packages => Security
https://bugs.mageia.org/show_bug.cgi?id=25544#c6 :

(In reply to Neal Gompa from comment #6)
> You're not supposed to use firejail with flatpak...
>
> Anyway, I'm working on the rebase for Cauldron and figuring out what to do
> for Mageia 7.

As we do not have snap, and firejail is not to be used with flatpak, I cannot see why we should not update to 0.62?
Because we don't update packages to newer versions in stable Mageia just because "newer version" when they break things. Cauldron has it up to date, and for Mageia we have the security fixes backported (thanks to Jani), following our policies.
Advisory:
========================

Updated firejail package fixes security vulnerabilities:

Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a firejail sandbox and having the sandbox terminated. To succeed, certain conditions need to be fulfilled: The jail (with the exploit code inside) needs to be started as root, and it also needs to be terminated as root from the host (either by stopping it ungracefully (e.g., SIGKILL), or by using the --shutdown control command) (CVE-2019-12499).

In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified by an attacker (CVE-2019-12589).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12589
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGVULJ6IKVDO6UAVIQRHQVSKOUD6QDWM/
========================

Updated packages in core/updates_testing:
========================
firejail-0.9.56-2.1.mga7 from firejail-0.9.56-2.1.mga7.src.rpm

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Status comment: Fixed upstream in 0.9.60 => (none)
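A post-update sanity check for the two issues in the advisory above, added here as an example (it is not part of the bug report or of Firejail). It assumes only the standard Linux /proc interface and the usual /usr/bin/firejail install path: on the host it checks that the firejail binary is not truncated to zero length (the CVE-2019-12499 symptom), and when run inside a sandbox it checks that the kernel reports seccomp filter mode for the process (what CVE-2019-12589 let an attacker undermine for joined processes).

```python
"""Sanity checks for the two Firejail advisory items (added example).

Run on the host:        python3 firejail_check.py
Run inside a sandbox:   firejail --quiet python3 firejail_check.py
"""
import os
import re
import stat
import sys

# Kernel values of the "Seccomp:" field in /proc/<pid>/status
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def parse_seccomp_mode(status_text: str) -> int:
    """Return the Seccomp mode from the text of /proc/<pid>/status (-1 if absent).

    Anchored on "Seccomp:" so the newer "Seccomp_filters:" line is not matched.
    """
    match = re.search(r"^Seccomp:\s*(\d+)$", status_text, re.MULTILINE)
    return int(match.group(1)) if match else -1


def current_seccomp_mode() -> int:
    with open("/proc/self/status", encoding="ascii") as fh:
        return parse_seccomp_mode(fh.read())


def binary_looks_intact(path: str) -> bool:
    """True if path is a regular, non-empty, owner-executable file.

    A zero-length regular file is exactly what the host binary became after
    the CVE-2019-12499 truncation, so size 0 is reported as not intact.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_size > 0 and bool(st.st_mode & stat.S_IXUSR)


def main() -> int:
    binary = "/usr/bin/firejail"  # assumed install path; adjust for your distro
    print(f"{binary}: {'intact' if binary_looks_intact(binary) else 'MISSING OR TRUNCATED'}")
    mode = current_seccomp_mode()
    print(f"seccomp mode of this process: {SECCOMP_MODES.get(mode, 'unknown')} ({mode})")
    # Inside a firejail sandbox with its default seccomp profile, mode 2 is expected.
    return 0 if mode == 2 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run on the host the script is expected to exit 1 (no seccomp filter on a plain shell) but report the binary as intact; under `firejail --quiet` it should exit 0.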
OK thanks. I think advisory text should state the security fixes from 0.60 are backported to our 0.9.56-2.1
Um, as with any other advisory, that's obviously implied.
OK sorry for being bureaucratic :)
MGA7-64 Plasma on Lenovo B50

No installation issues.
Googled for info and found https://firejail.wordpress.com/documentation-2/firefox-guide/
Closed firefox, and at CLI:
$ firejail firefox -no-remote
Firefox comes up empty as its home pages are Google and http://madb.mageia.org/tools/updates
Pointed browser to /// and found that access to the system is restricted as described in the tutorial.
OK for me

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 8.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0115.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED