Security update for policycoreutils SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0926-1 Final 1 1 2018-04-11T16:01:16Z current 2018-04-11T16:01:16Z 2018-04-11T16:01:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for policycoreutils This update for policycoreutils fixes the following issues: - CVE-2018-1063: Fixed problem to prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-RPI-12-SP2-2018-622,SUSE-SLE-SERVER-12-SP2-2018-622,SUSE-SLE-SERVER-12-SP3-2018-622 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180926-1/ Link for SUSE-SU-2018:0926-1 https://lists.suse.com/pipermail/sle-security-updates/2018-April/003887.html E-Mail link for SUSE-SU-2018:0926-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1083624 SUSE Bug 1083624 https://www.suse.com/security/cve/CVE-2018-1063/ SUSE CVE CVE-2018-1063 page SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 policycoreutils-2.5-10.3.1 policycoreutils-python-2.5-10.3.1 policycoreutils-2.5-10.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 policycoreutils-python-2.5-10.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 policycoreutils-2.5-10.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 policycoreutils-python-2.5-10.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 policycoreutils-2.5-10.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 policycoreutils-python-2.5-10.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 policycoreutils-2.5-10.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 policycoreutils-python-2.5-10.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 policycoreutils-2.5-10.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 policycoreutils-python-2.5-10.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11. CVE-2018-1063 SUSE Linux Enterprise Server 12 SP2:policycoreutils-2.5-10.3.1 SUSE Linux Enterprise Server 12 SP2:policycoreutils-python-2.5-10.3.1 SUSE Linux Enterprise Server 12 SP3:policycoreutils-2.5-10.3.1 SUSE Linux Enterprise Server 12 SP3:policycoreutils-python-2.5-10.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:policycoreutils-2.5-10.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:policycoreutils-python-2.5-10.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:policycoreutils-2.5-10.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:policycoreutils-python-2.5-10.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:policycoreutils-2.5-10.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:policycoreutils-python-2.5-10.3.1 moderate 3.3 AV:L/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180926-1/ https://www.suse.com/security/cve/CVE-2018-1063.html CVE-2018-1063 https://bugzilla.suse.com/1083624 SUSE Bug 1083624