ALAS2-2018-1096


Amazon Linux 2 Security Advisory: ALAS-2018-1096
Advisory Release Date: 2018-10-24 16:37 Pacific
Advisory Updated Date: 2018-10-25 23:04 Pacific
Severity: Medium

Issue Overview:

It was found that flatpak's D-Bus proxy did not properly filter the access to D-Bus during the authentication protocol. A specially crafted flatpak application could use this flaw to bypass all restrictions imposed by flatpak and have full access to the D-BUS interface.(CVE-2018-6560)


Affected Packages:

flatpak


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update flatpak to update your system.

New Packages:
i686:
    flatpak-0.8.8-4.amzn2.i686
    flatpak-builder-0.8.8-4.amzn2.i686
    flatpak-devel-0.8.8-4.amzn2.i686
    flatpak-libs-0.8.8-4.amzn2.i686
    flatpak-debuginfo-0.8.8-4.amzn2.i686

src:
    flatpak-0.8.8-4.amzn2.src

x86_64:
    flatpak-0.8.8-4.amzn2.x86_64
    flatpak-builder-0.8.8-4.amzn2.x86_64
    flatpak-devel-0.8.8-4.amzn2.x86_64
    flatpak-libs-0.8.8-4.amzn2.x86_64
    flatpak-debuginfo-0.8.8-4.amzn2.x86_64