
Re: [SECURITY] [DLA 3075-1] schroot security update



UNSUBSCRIBE

On Thu, Aug 18, 2022 at 6:57 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
>
>
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3075-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                 Salvatore Bonaccorso
> August 18, 2022                               https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package        : schroot
> Version        : 1.6.10-6+deb10u1
> CVE ID         : CVE-2022-2787
>
> Julian Gilbey discovered that schroot, a tool allowing users to execute
> commands in a chroot environment, had too permissive rules on chroot or
> session names, allowing a denial of service on the schroot service for
> all users that may start a schroot session.
>
> Note that existing chroots and sessions are checked during upgrade, and
> an upgrade is aborted if any future invalid name is detected.
>
> Problematic session and chroots can be checked before upgrading with the
> following command:
>
>   schroot --list --all | LC_ALL=C grep -vE '^[a-z]+:[a-zA-Z0-9][a-zA-Z0-9_.-]*$'
>
> See
>
>   <https://codeberg.org/shelter/reschroot/src/tag/release/reschroot-1.6.13/NEWS#L10-L41>
>
> for instructions on how to resolve such a situation.
>
> For Debian 10 buster, this problem has been fixed in version
> 1.6.10-6+deb10u1.
>
> We recommend that you upgrade your schroot packages.
>
> For the detailed security status of schroot please refer to its security
> tracker page at:
> https://security-tracker.debian.org/tracker/schroot
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>
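The pre-upgrade check the advisory gives, run here as an added example (not part of the advisory or of the schroot project) against a constructed listing instead of a live system, so the name rule can be exercised offline on edge cases such as names beginning with a dot or hyphen or containing a space or slash. The function names and the sample listing are assumptions introduced for this illustration.

```shell
#!/bin/sh
# Added example: applies the DLA-3075-1 name rule to constructed sample
# output of `schroot --list --all` instead of querying a real system.

# Constructed sample listing (assumption); on a real host this would be
# the output of `schroot --list --all`.
SAMPLE_LISTING='chroot:buster-amd64
chroot:.hidden
chroot:-dash-first
session:buster-amd64-a1b2c3
session:has space
source:buster-amd64
chroot:with/slash'

# The advisory's rule: a lowercase type prefix, a colon, then a name that
# starts with an alphanumeric and continues with alphanumerics, "_", "." or "-".
VALID_NAME_RE='^[a-z]+:[a-zA-Z0-9][a-zA-Z0-9_.-]*$'

# Print every line of the listing (read from stdin) that the updated schroot
# would reject; prints nothing when all names are acceptable.
find_invalid_names() {
    LC_ALL=C grep -vE "$VALID_NAME_RE"
    # grep exits 1 when nothing is printed; here that simply means "all valid".
    return 0
}

# Number of problematic entries in the listing passed on stdin.
count_invalid_names() {
    find_invalid_names | grep -c .
    return 0
}

# Pre-upgrade gate mirroring the package's behaviour: succeed only when the
# listing on stdin contains no name the upgrade would abort on.
precheck_names() {
    [ "$(count_invalid_names)" -eq 0 ]
}

# Exercise the check on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | find_invalid_names
```

Replace the constructed listing with a pipe from `schroot --list --all` to run the same check on a real host.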

