flatpak security update

2019-02-2020:15:35

CentOS Project

lists.centos.org

200

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

20.6%

JSON

CentOS Errata and Security Advisory CESA-2019:0375

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

Security Fix(es):

flatpak: potential /proc based sandbox escape (CVE-2019-8308)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2019-February/085365.html

Affected packages:
flatpak
flatpak-builder
flatpak-devel
flatpak-libs

Upstream details at:
https://access.redhat.com/errata/RHSA-2019:0375

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64flatpak< 1.0.2-4.el7_6flatpak-1.0.2-4.el7_6.x86_64.rpm
CentOS7x86_64flatpak-builder< 1.0.0-4.el7_6flatpak-builder-1.0.0-4.el7_6.x86_64.rpm
CentOS7x86_64flatpak-devel< 1.0.2-4.el7_6flatpak-devel-1.0.2-4.el7_6.x86_64.rpm
CentOS7x86_64flatpak-libs< 1.0.2-4.el7_6flatpak-libs-1.0.2-4.el7_6.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	7	x86_64	flatpak	< 1.0.2-4.el7_6	flatpak-1.0.2-4.el7_6.x86_64.rpm
CentOS	7	x86_64	flatpak-builder	< 1.0.0-4.el7_6	flatpak-builder-1.0.0-4.el7_6.x86_64.rpm
CentOS	7	x86_64	flatpak-devel	< 1.0.2-4.el7_6	flatpak-devel-1.0.2-4.el7_6.x86_64.rpm
CentOS	7	x86_64	flatpak-libs	< 1.0.2-4.el7_6	flatpak-libs-1.0.2-4.el7_6.x86_64.rpm