flatpak security update

2019-05-1315:08:37

CentOS Project

lists.centos.org

148

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

0.008 Low

EPSS

Percentile

81.6%

JSON

CentOS Errata and Security Advisory CESA-2019:1024

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

Security Fix(es):

flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226) (CVE-2019-10063)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2019-May/085462.html

Affected packages:
flatpak
flatpak-builder
flatpak-devel
flatpak-libs

Upstream details at:
https://access.redhat.com/errata/RHSA-2019:1024

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64flatpak< 1.0.2-5.el7_6flatpak-1.0.2-5.el7_6.x86_64.rpm
CentOS7x86_64flatpak-builder< 1.0.0-5.el7_6flatpak-builder-1.0.0-5.el7_6.x86_64.rpm
CentOS7x86_64flatpak-devel< 1.0.2-5.el7_6flatpak-devel-1.0.2-5.el7_6.x86_64.rpm
CentOS7x86_64flatpak-libs< 1.0.2-5.el7_6flatpak-libs-1.0.2-5.el7_6.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	7	x86_64	flatpak	< 1.0.2-5.el7_6	flatpak-1.0.2-5.el7_6.x86_64.rpm
CentOS	7	x86_64	flatpak-builder	< 1.0.0-5.el7_6	flatpak-builder-1.0.0-5.el7_6.x86_64.rpm
CentOS	7	x86_64	flatpak-devel	< 1.0.2-5.el7_6	flatpak-devel-1.0.2-5.el7_6.x86_64.rpm
CentOS	7	x86_64	flatpak-libs	< 1.0.2-5.el7_6	flatpak-libs-1.0.2-5.el7_6.x86_64.rpm