{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for firejail","title":"Title of the patch"},{"category":"description","text":"This update for firejail fixes the following issues:\n\n- Update Leap 15.3 package to 0.9.68 (boo#1195880)\n\nupdate to firejail 0.9.68:\n\n- security: on Ubuntu, the PPA is now recommended over the distro package\n- (see README.md) (#4748)\n- security: bugfix: private-cwd leaks access to the entire filesystem\n- (#4780); reported by Hugo Osvaldo Barrera\n- feature: remove (some) environment variables with auth-tokens (#4157)\n- feature: ALLOW_TRAY condition (#4510 #4599)\n- feature: add basic Firejail support to AppArmor base abstraction (#3226\n- #4628)\n- feature: intrusion detection system (--ids-init, --ids-check)\n- feature: deterministic shutdown command (--deterministic-exit-code,\n- --deterministic-shutdown) (#928 #3042 #4635)\n- feature: noprinters command (#4607 #4827)\n- feature: network monitor (--nettrace)\n- feature: network locker (--netlock) (#4848)\n- feature: whitelist-ro profile command (#4740)\n- feature: disable pipewire with --nosound (#4855)\n- feature: Unset TMP if it doesn't exist inside of sandbox (#4151)\n- feature: Allow apostrophe in whitelist and blacklist (#4614)\n- feature: AppImage support in --build command (#4878)\n- modifs: exit code: distinguish fatal signals by adding 128 (#4533)\n- modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)\n- modifs: close file descriptors greater than 2 (--keep-fd) (#4845)\n- modifs: nogroups now stopped causing certain system groups to be dropped,\n- which are now controlled by the relevant 'no' options instead (such as\n- nosound -> drop audio group), which fixes device access issues on systems\n- not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)\n- removal: --disable-whitelist at compile time\n- removal: whitelist=yes/no in /etc/firejail/firejail.config\n- bugfix: Fix sndio support (#4362 #4365)\n- bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)\n- bugfix: --build clears the environment (#4460 #4467)\n- bugfix: firejail hangs with net parameter (#3958 #4476)\n- bugfix: Firejail does not work with a custom hosts file (#2758 #4560)\n- bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)\n- bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)\n- bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)\n- bugfix: Firejail rejects empty arguments (#4395)\n- bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)\n- bugfix: Seccomp list output goes to stdout instead of stderr (#4328)\n- bugfix: private-etc does not work with symlinks (#4887)\n- bugfix: Hardware key not detected on keepassxc (#4883)\n- build: allow building with address sanitizer (#4594)\n- build: Stop linking pthread (#4695)\n- build: Configure cleanup and improvements (#4712)\n- ci: add profile checks for sorting disable-programs.inc and\n- firecfg.config and for the required arguments in private-etc (#2739 #4643)\n- ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)\n- docs: Add new command checklist to CONTRIBUTING.md (#4413)\n- docs: Rework bug report issue template and add both a question and a\n- feature request template (#4479 #4515 #4561)\n- docs: fix contradictory descriptions of machine-id ('preserves' vs\n- 'spoofs') (#4689)\n- docs: Document that private-bin and private-etc always accumulate (#4078)\n- new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)\n- new includes: disable-proc.inc (#4521)\n- removed includes: disable-passwordmgr.inc (#4454 #4461)\n- new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim\n- new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl\n- new profiles: yt-dlp, goldendict, goldendict, bundle, cmake\n- new profiles: make, meson, pip, codium, telnet, ftp, OpenStego\n- new profiles: imv, retroarch, torbrowser, CachyBrowser,\n- new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,\n- new profiles: Seafile, neovim, com.github.tchx84.Flatseal\n\nfirejail 0.9.66:\n\n* deprecated --audit options, relpaced by jailcheck utility\n* deprecated follow-symlink-as-user from firejail.config\n* new firejail.config settings: private-bin, private-etc\n* new firejail.config settings: private-opt, private-srv\n* new firejail.config settings: whitelist-disable-topdir\n* new firejail.config settings: seccomp-filter-add\n* removed kcmp syscall from seccomp default filter\n* rename --noautopulse to keep-config-pulse\n* filtering environment variables\n* zsh completion\n* command line: --mkdir, --mkfile\n* --protocol now accumulates\n* jailtest utility for testing running sandboxes\n* faccessat2 syscall support\n* --private-dev keeps /dev/input\n* added --noinput to disable /dev/input\n* add support for subdirs in --private-etc\n* subdirs support in private-etc\n* input devices support in private-dev, --no-input\n* support trailing comments on profile lines\n* many new profiles\n- split shell completion into standard subpackages\n","title":"Description of the patch"},{"category":"details","text":"openSUSE-2022-37","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0037-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2022:0037-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VWYUOU25A4H7UO242AHCSAQPLQYRMJ6T/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2022:0037-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VWYUOU25A4H7UO242AHCSAQPLQYRMJ6T/"},{"category":"self","summary":"SUSE Bug 1195880","url":"https://bugzilla.suse.com/1195880"}],"title":"Security update for firejail","tracking":{"current_release_date":"2022-02-16T13:25:43Z","generator":{"date":"2022-02-16T13:25:43Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2022:0037-1","initial_release_date":"2022-02-16T13:25:43Z","revision_history":[{"date":"2022-02-16T13:25:43Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"firejail-0.9.68-bp153.2.3.1.aarch64","product":{"name":"firejail-0.9.68-bp153.2.3.1.aarch64","product_id":"firejail-0.9.68-bp153.2.3.1.aarch64"}}],"category":"architecture","name":"aarch64"},{"branches":[{"category":"product_version","name":"firejail-0.9.68-bp153.2.3.1.i586","product":{"name":"firejail-0.9.68-bp153.2.3.1.i586","product_id":"firejail-0.9.68-bp153.2.3.1.i586"}}],"category":"architecture","name":"i586"},{"branches":[{"category":"product_version","name":"firejail-0.9.68-bp153.2.3.1.ppc64le","product":{"name":"firejail-0.9.68-bp153.2.3.1.ppc64le","product_id":"firejail-0.9.68-bp153.2.3.1.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_version","name":"firejail-0.9.68-bp153.2.3.1.s390x","product":{"name":"firejail-0.9.68-bp153.2.3.1.s390x","product_id":"firejail-0.9.68-bp153.2.3.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"firejail-0.9.68-bp153.2.3.1.x86_64","product":{"name":"firejail-0.9.68-bp153.2.3.1.x86_64","product_id":"firejail-0.9.68-bp153.2.3.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Package Hub 15 SP3","product":{"name":"SUSE Package Hub 15 SP3","product_id":"SUSE Package Hub 15 SP3"}},{"category":"product_name","name":"openSUSE Leap 15.3","product":{"name":"openSUSE Leap 15.3","product_id":"openSUSE Leap 15.3","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.3"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.aarch64 as component of SUSE Package Hub 15 SP3","product_id":"SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.aarch64"},"product_reference":"firejail-0.9.68-bp153.2.3.1.aarch64","relates_to_product_reference":"SUSE Package Hub 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.i586 as component of SUSE Package Hub 15 SP3","product_id":"SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.i586"},"product_reference":"firejail-0.9.68-bp153.2.3.1.i586","relates_to_product_reference":"SUSE Package Hub 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.ppc64le as component of SUSE Package Hub 15 SP3","product_id":"SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.ppc64le"},"product_reference":"firejail-0.9.68-bp153.2.3.1.ppc64le","relates_to_product_reference":"SUSE Package Hub 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.s390x as component of SUSE Package Hub 15 SP3","product_id":"SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.s390x"},"product_reference":"firejail-0.9.68-bp153.2.3.1.s390x","relates_to_product_reference":"SUSE Package Hub 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.x86_64 as component of SUSE Package Hub 15 SP3","product_id":"SUSE Package Hub 15 SP3:firejail-0.9.68-bp153.2.3.1.x86_64"},"product_reference":"firejail-0.9.68-bp153.2.3.1.x86_64","relates_to_product_reference":"SUSE Package Hub 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.aarch64 as component of openSUSE Leap 15.3","product_id":"openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.aarch64"},"product_reference":"firejail-0.9.68-bp153.2.3.1.aarch64","relates_to_product_reference":"openSUSE Leap 15.3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.i586 as component of openSUSE Leap 15.3","product_id":"openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.i586"},"product_reference":"firejail-0.9.68-bp153.2.3.1.i586","relates_to_product_reference":"openSUSE Leap 15.3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.ppc64le as component of openSUSE Leap 15.3","product_id":"openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.ppc64le"},"product_reference":"firejail-0.9.68-bp153.2.3.1.ppc64le","relates_to_product_reference":"openSUSE Leap 15.3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.s390x as component of openSUSE Leap 15.3","product_id":"openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.s390x"},"product_reference":"firejail-0.9.68-bp153.2.3.1.s390x","relates_to_product_reference":"openSUSE Leap 15.3"},{"category":"default_component_of","full_product_name":{"name":"firejail-0.9.68-bp153.2.3.1.x86_64 as component of openSUSE Leap 15.3","product_id":"openSUSE Leap 15.3:firejail-0.9.68-bp153.2.3.1.x86_64"},"product_reference":"firejail-0.9.68-bp153.2.3.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.3"}]}}