Amazon Linux 2 Security Advisory: ALAS-2018-1123
Advisory Release Date: 2018-12-06 20:29 Pacific
Advisory Updated Date: 2018-12-08 01:51 Pacific
A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.(CVE-2018-10906)
Affected Packages:
fuse
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update fuse to update your system.
aarch64:
fuse-2.9.2-11.amzn2.aarch64
fuse-libs-2.9.2-11.amzn2.aarch64
fuse-devel-2.9.2-11.amzn2.aarch64
fuse-debuginfo-2.9.2-11.amzn2.aarch64
i686:
fuse-2.9.2-11.amzn2.i686
fuse-libs-2.9.2-11.amzn2.i686
fuse-devel-2.9.2-11.amzn2.i686
fuse-debuginfo-2.9.2-11.amzn2.i686
src:
fuse-2.9.2-11.amzn2.src
x86_64:
fuse-2.9.2-11.amzn2.x86_64
fuse-libs-2.9.2-11.amzn2.x86_64
fuse-devel-2.9.2-11.amzn2.x86_64
fuse-debuginfo-2.9.2-11.amzn2.x86_64