[Bugs] [Bug 13296] New: [CVE 21] pesign 115 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed May 3 17:01:48 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13296

          Platform: 2021.1
            Bug ID: 13296
           Summary: [CVE 21] pesign 115  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2022-3560,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package pesign version 115

INFO (CVEs are): pesign 115
 cves found
CVE-2022-3560
Desc: A flaw was found in pesign. The pesign package provides a systemd service
used to start the pesign daemon. This service unit runs a script to set ACLs
for /etc/pki/pesign and /run/pesign directories to grant access privileges to
users in the 'pesign' group. However, the script doesn't check for symbolic
links. This could allow an attacker to gain access to privileged files and
directories via a path traversal attack.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3560
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.