Fedora Linux 8637 Published by

A device-mapper-multipath security update has been released for Fedora 36.



SECURITY: Fedora 36 Update: device-mapper-multipath-0.8.7-9.fc36


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-6ec78b2586
2022-11-10 16:17:54.575869
--------------------------------------------------------------------------------

Name : device-mapper-multipath
Product : Fedora 36
Version : 0.8.7
Release : 9.fc36
URL :   http://christophe.varoqui.free.fr/
Summary : Tools to manage multipath devices using device-mapper
Description :
device-mapper-multipath provides tools to manage multipath devices by
instructing the device-mapper multipath kernel module what to do.
The tools are :
* multipath - Scan the system for multipath devices and assemble them.
* multipathd - Detects when paths fail and execs multipath to update things.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2022-41973 and CVE-2022-41974
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 26 2022 Benjamin Marzinski - 0.8.7-9
- Add 0040-multipathd-ignore-duplicated-multipathd-command-keys.patch
* Fixes bz #2137414
- Add 0041-multipath-tools-use-run-instead-of-dev-shm.patch
* Fixes bz #2137416
- Resolves: bz #2137414, #2137416
* Tue Aug 23 2022 Benjamin Marzinski - 0.8.7-8.1
- Add 0038-multipathd-Add-missing-ctype-include.patch
- Add 0039-multipathd-replace-libreadline-with-libedit.patch
* replace readline with libedit, to avoid license conflicts. readline
is licensed GPL v3, and multipathd includes code licensed gpl v2
only.
- Require libedit instead of readline
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2123894 - CVE-2022-41973 device-mapper-multipath: Symlink attack multipathd operates insecurely, as root, in /dev/shm (a sticky, world-writable directory similar to /tmp)
  https://bugzilla.redhat.com/show_bug.cgi?id=2123894
[ 2 ] Bug #2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
  https://bugzilla.redhat.com/show_bug.cgi?id=2133988
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-6ec78b2586' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________