Amazon Linux 1 Security Advisory: ALAS-2018-1123
Advisory Release Date: 2019-04-17 18:45 Pacific
Advisory Updated Date: 2019-04-19 16:27 Pacific
A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects. (CVE-2018-10906)
Affected Packages:
fuse
Issue Correction:
Run yum update fuse to update your system.
i686:
fuse-libs-2.9.4-1.18.amzn1.i686
fuse-debuginfo-2.9.4-1.18.amzn1.i686
fuse-devel-2.9.4-1.18.amzn1.i686
fuse-2.9.4-1.18.amzn1.i686
src:
fuse-2.9.4-1.18.amzn1.src
x86_64:
fuse-devel-2.9.4-1.18.amzn1.x86_64
fuse-libs-2.9.4-1.18.amzn1.x86_64
fuse-debuginfo-2.9.4-1.18.amzn1.x86_64
fuse-2.9.4-1.18.amzn1.x86_64