ALAS2-2018-1123


Amazon Linux 2 Security Advisory: ALAS-2018-1123
Advisory Release Date: 2018-12-08 01:51 Pacific
Severity: Medium
References: CVE-2018-10906 

Issue Overview:

A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.(CVE-2018-10906 )


Affected Packages:

fuse


Issue Correction:
Run yum update fuse to update your system.

New Packages:
aarch64:
    fuse-2.9.2-11.amzn2.aarch64
    fuse-libs-2.9.2-11.amzn2.aarch64
    fuse-devel-2.9.2-11.amzn2.aarch64
    fuse-debuginfo-2.9.2-11.amzn2.aarch64

i686:
    fuse-2.9.2-11.amzn2.i686
    fuse-libs-2.9.2-11.amzn2.i686
    fuse-devel-2.9.2-11.amzn2.i686
    fuse-debuginfo-2.9.2-11.amzn2.i686

src:
    fuse-2.9.2-11.amzn2.src

x86_64:
    fuse-2.9.2-11.amzn2.x86_64
    fuse-libs-2.9.2-11.amzn2.x86_64
    fuse-devel-2.9.2-11.amzn2.x86_64
    fuse-debuginfo-2.9.2-11.amzn2.x86_64