Amazon Linux 2 Security Advisory: ALAS-2021-1589
Advisory Release Date: 2021-01-25 23:09 Pacific
Advisory Updated Date: 2021-01-26 18:49 Pacific
A flaw was found in Open-iSCSI rtslib-fb through version 2.1.72, where /etc/target/saveconfig.json has weak permissions because shutil.copyfile is used instead of shutil.copy, so permissions are not preserved upon editing. This flaw allows an attacker with prior access to /etc/target/saveconfig.json to access a later version, resulting in a loss of integrity, depending on their permission settings. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14019)
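The difference the description above refers to, as an added example that is not part of the advisory or of the rtslib-fb code: shutil.copyfile copies only the file data, so a newly created destination gets whatever mode the process umask allows, while shutil.copy also copies the permission bits of the source. The temporary file names and the is_exposed helper are assumptions made for illustration; the file content is constructed.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of path (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(path):
    """True if group or other have any access to the file."""
    return bool(mode_of(path) & (stat.S_IRWXG | stat.S_IRWXO))


def demo(umask=0o022):
    """Copy an owner-only file with both functions; return the resulting modes."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed stand-in for a freshly written, owner-only config file.
            src = os.path.join(d, "saveconfig.json.tmp")
            fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as f:
                f.write('{"constructed": "sample"}\n')

            results = {}
            for name, copier in (("copyfile", shutil.copyfile),
                                 ("copy", shutil.copy)):
                dst = os.path.join(d, "saveconfig.json." + name)
                copier(src, dst)  # copyfile: data only; copy: data + mode bits
                results[name] = (mode_of(dst), is_exposed(dst))
            return results
    finally:
        os.umask(old_umask)  # umask is process-wide, so always restore it


if __name__ == "__main__":
    for name, (mode, exposed) in demo().items():
        print(f"shutil.{name}: mode={oct(mode)} exposed={exposed}")
    # Audit the real file on a host that has it.
    target = "/etc/target/saveconfig.json"
    if os.path.exists(target):
        print(f"{target}: mode={oct(mode_of(target))} exposed={is_exposed(target)}")
```

Run on a host with the package installed, the last lines also report the current mode of /etc/target/saveconfig.json, which is worth checking after updating because files written by the older version keep the mode they already have.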
Affected Packages:
python-rtslib
Note:
This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python-rtslib to update your system.
noarch:
python-rtslib-2.1.74-1.amzn2.noarch
python-rtslib-doc-2.1.74-1.amzn2.noarch
src:
python-rtslib-2.1.74-1.amzn2.src