ALAS-2018-1123


Amazon Linux AMI Security Advisory: ALAS-2018-1123
Advisory Release Date: 2019-04-19 16:27 Pacific
Severity: Medium
References: CVE-2018-10906 

Issue Overview:

A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects. (CVE-2018-10906 )


Affected Packages:

fuse


Issue Correction:
Run yum update fuse to update your system.

New Packages:
i686:
    fuse-libs-2.9.4-1.18.amzn1.i686
    fuse-debuginfo-2.9.4-1.18.amzn1.i686
    fuse-devel-2.9.4-1.18.amzn1.i686
    fuse-2.9.4-1.18.amzn1.i686

src:
    fuse-2.9.4-1.18.amzn1.src

x86_64:
    fuse-devel-2.9.4-1.18.amzn1.x86_64
    fuse-libs-2.9.4-1.18.amzn1.x86_64
    fuse-debuginfo-2.9.4-1.18.amzn1.x86_64
    fuse-2.9.4-1.18.amzn1.x86_64