El-errata: ELSA-2022-1546 Moderate: Oracle Linux 8 polkit security update
Oracle Linux Security Advisory ELSA-2022-1546
http://linux.oracle.com/errata/ELSA-2022-1546.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:
x86_64:
polkit-0.115-13.0.1.el8_5.2.x86_64.rpm
polkit-devel-0.115-13.0.1.el8_5.2.i686.rpm
polkit-devel-0.115-13.0.1.el8_5.2.x86_64.rpm
polkit-docs-0.115-13.0.1.el8_5.2.noarch.rpm
polkit-libs-0.115-13.0.1.el8_5.2.i686.rpm
polkit-libs-0.115-13.0.1.el8_5.2.x86_64.rpm
aarch64:
polkit-0.115-13.0.1.el8_5.2.aarch64.rpm
polkit-devel-0.115-13.0.1.el8_5.2.aarch64.rpm
polkit-docs-0.115-13.0.1.el8_5.2.noarch.rpm
polkit-libs-0.115-13.0.1.el8_5.2.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/polkit-0.115-13.0.1.el8_5.2.src.rpm
Related CVEs:
CVE-2021-4115
Description of changes:
[0.115-13.0.1.el8_5.2]
- Increase timeout to avoid defunct processes [Orabug: 26930744]
[0.115-13.el8_5.2]
- necessary version bump due to build versioning
- Resolves: CVE-2021-4115
[0.115-12.el8_5.2]
- file descriptor exhaustion (GHSL-2021-077)
- Resolves: CVE-2021-4115
[0.115-12.el8_5.1]
- pkexec: argv overflow results in local privilege esc.
- Resolves: CVE-2021-4034
[0.115-12]
- early disconnection from D-Bus results in privilege esc.
- Resolves: CVE-2021-3560
[0.115-11]
- pkttyagent: resetting terminal erases rest of input line
- Resolves: rhbz#1757853
[0.115-10]
- Fix of jsauthority memleak
- Resolves: rhbz#1745918
[0.115-9]
- Rebuild to reflect mozjs60 s390 abi change
- Related: rhbz#1746889
[0.115-8]
- Backport changing dependency to mozjs60
- Resolves: rhbz#1729416
[0.115-7]
- pkttyagent: polkit-agent-helper-1 timeout leaves tty echo disabled
- Mitigation of regression caused by fix of CVE-2018-19788
- Resolves: rhbz#1693781
- Resolves: rhbz#1693814
[0.115-6]
- Fix of CVE-2019-6133, PID reuse via slow fork
- Resolves: rhbz#1667778
[0.115-5]
- Fix of CVE-2018-19788, priv escalation with high UIDs
- Resolves: rhbz#1656378
[0.115-4]
- Spawned zombie subprocesses not reaped
- Resolves: rhbz#1616282
[0.115-3]
- Resource leak found by static analyzer
- Resolves: rhbz#1602661
[0.115-2]
- Error message about getting authority is too elaborate (forward of #1342855)
- Bus disconnection report moved to debug mode (forward of #1249627)
[0.115-1]
- Update to 0.115 (CVE-2018-1116)
[0.114-1]
- Update to 0.114
[0.113-16]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
[0.113-15]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
[0.113-14]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
[0.113-13]
- Add the its files from upstream.
[0.113-12]
- Fix a memory leak in PolkitPermission.
Patch by Rui Matos
Resolves: #1433915
[0.113-11]
- Revert back to the state in 0.113-7, undoing the untested changes.
[0.113-10]
- Move to an upstream snapshot, rebase patches
[0.113-9]
- restore Provides: polkit-desktop-policy polkit-js-engine
[0.113-8]
- Use %license, license needs to be in -libs as it's the only guaranteed installed package
- Move to mozjs38
- Other upstream fixes
- Spec cleanups
[0.113-7]
- Fix memory leaks when calling authentication agents
Resolves: #1380166
[0.113-6]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
[0.113-5]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
[0.113-4]
- Bump the Obsoletes: to < 0.113-3 to account for the non-split 0.113-2.fc21
Resolves: #1243004
[0.113-3]
- Obsoletes: polkit < 0.112-8 (handle multilib upgrade path)
[0.113-2]
- Add a fully versioned dependency from polkit to polkit-libs
Resolves: #1241759
- Require polkit-libs, not polkit, in polkit-devel
[0.113-1]
- Update to polkit-0.113 (CVE-2015-3218, CVE-2015-3255, CVE-2015-3256,
CVE-2015-4625)
Resolves: #910262, #1175061, #1177930, #1194391, #1228739, #1233810
[0.112-11]
- Add BuildRequires: systemd so that %{_unitdir} is defined, to fix the build.
[0.112-10]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
[0.112-9]
- polkit doesn't release reference counters of GVariant data (#1180886)
- fix ldconfig scriptlets (move to -libs subpkg)
[0.112-8]
- Split separate -libs package, so that NetworkManager can just depend on
that, without dragging in the daemon (as well as libmozjs17). This
allows the creation of more minimal systems that want programs like NM,
but do not need the configurability of the daemon; it would be ok if only
root is authorized.
[0.112-7]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
[0.112-6]
- Rebuilt for gobject-introspection 1.41.4
[0.112-5]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
[0.112-4]
- backport upstream D-Bus "user bus" changes
[0.112-3]
- Fix a PolkitAgentSession race condition
Resolves: #1063193
[0.112-2]
- Workaround pam_systemd setting broken XDG_RUNTIME_DIR
Resolves: #1033774
- Always use mozjs-17.0 even if js-devel is installed
[0.112-1]
- Update to polkit-0.112
- Resolves: #1009538, CVE-2013-4288
[0.111-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
[0.111-2]
- Fix a race on PolkitSubject type registration (#866718)
[0.111-1]
- Update to polkit-0.111
Resolves: #917888
- Use SpiderMonkey from mozjs17 instead of js
- Ship the signature in the srpm
- Try to preserve timestamps in (make install)
[0.110-4]
- Shut up rpmlint about Summary:
- Build with V=1
- Use %{_unitdir} instead of hard-coding the path
- Use the new systemd macros, primarily to run (systemctl daemon-reload)
Resolves: #857382
[0.110-4]
- Make the JavaScript engine mandatory. The polkit-js-engine package has been
removed, main polkit package Provides:polkit-js-engine for compatibility.
- Add Requires: polkit-pkla-compat
Resolves: #908808
[0.110-3]
- Don't ship pk-example-frobnicate in the "live" configuration
Resolves: #878112
[0.110-2]
- Own %{_docdir}/polkit-js-engine-*
Resolves: #907668
[0.110-1.el8_5]
- Update to upstream release 0.110
[0.109-2.el8_5]
- Build with pie and stuff
[0.109-1.el8_5]
- Update to upstream release 0.109
- Drop upstreamed patches
[0.108-3.el8_5]
- Attempt to open the correct libmozjs185 library, otherwise polkit
authz rules will not work unless js-devel is installed (fdo #57146)
[0.108-2.el8_5]
- Include gmodule-2.0 to avoid build error
[0.108-1.el8_5]
- Update to upstream release 0.108
- Drop upstreamed patches
- This release dynamically loads the JavaScript interpreter and can
cope with it not being available. In this case, polkit authorization
rules are not processed and the defaults for an action - as defined
in its .policy file - are used for authorization decisions.
- Add new meta-package, polkit-js-engine, that pulls in the required
JavaScript bits to make polkit authorization rules work. The default
install - not the minimal install - should include this package
[0.107-4]
- Don't crash if initializing the server object fails
[0.107-3.el8_5]
- Authenticate as root if e.g. the wheel group is empty (#834494)
[0.107-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
[0.107-1.el8_5]
- Update to upstream release 0.107
[0.106-2.el8_5]
- Add forgotten Requires(pre): shadow-utils
[0.106-1.el8_5]
- Update to upstream release 0.106
- Authorizations are no longer controlled by .pkla files - from now
on, use the new .rules files described in the polkit(8) man page
[0.105-1.el8_5]
- Update to upstream release 0.105
- Nuke patches that are now upstream
- Change 'PolicyKit' to 'polkit' in summary and descriptions
[0.104-6.el8_5]
- Don't leak file descriptors (bgo #671486)
[0.104-5.el8_5]
- Make the -docs subpackage noarch
[0.104-4.el8_5]
- Set error if we cannot obtain a PolkitUnixSession for a given PID (#787222)
[0.104-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
[0.104-2.el8_5]
- Nuke the ConsoleKit run-time requirement
[0.104-1.el8_5]
- Update to upstream release 0.104
- Force usage of systemd (instead of ConsoleKit) for session tracking
[0.103-1.el8_5]
- Update to upstream release 0.103
- Drop upstreamed patch
- Drop Fedora-specific policy, it is now upstream (fdo #41008)
[0.102-3]
- Rebuilt for glibc bug#747377
[0.102-2.el8_5]
- Add patch to neuter the annoying systemd behavior where stdout/stderr
is sent to the system logs
[0.102-1]
- Update to 0.102 release
[0.101-7]
- Allow setting the pretty hostname without a password for wheel,
change matches systemd in git
[0.101-6]
- Update the action id of the datetime mechanism
[0.101-5]
- CVE-2011-1485 (#697951)
[0.101-4]
- Also allow org.kde.kcontrol.kcmclock.save without password for wheel
[0.101-3]
- Fix typo in pkla file (thanks notting)
[0.101-2]
- Nuke desktop_admin_r and desktop_user_r groups - just use the
wheel group instead (#688363)
- Update the set of configuration directives that gives users
in the wheel group extra privileges
[0.101-1]
- New upstream version
[0.100-1]
- New upstream version
[0.98-7]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
[0.98-6]
- Own /usr/libexec/polkit-1
[0.98-5]
- Enable introspection
[0.98-4]
- Fix #629515 in a way that doesn't require autoreconf
[0.98-2]
- Include polkitagentenumtypes.h (#629515)
[0.98-1]
- Update to upstream release 0.98
- Co-own /usr/share/gtk-doc (#604410)
[0.97-5]
- Rebuild to work around bodhi limitations
[0.97-4]
- Fix a ConsoleKit interaction bug
[0.97-3]
- Add a patch to make pkcheck(1) work the way libvirtd uses it (#623257)
- Require GLib >= 2.25.12 instead of 2.25.11
- Ensure polkit-gnome packages earlier than 0.97 are not used with
these packages
[0.97-2]
- Rebuild
[0.97-1]
- Update to 0.97. This release contains a port from EggDBus to the
GDBus code available in recent GLib releases.
[0.96-1]
- Update to 0.96
- Disable introspection support for the time being
[0.95-2]
- Rebuild
[0.95-1]
- Update to 0.95
- Drop upstreamed patches
[0.95-0.git20090913.3]
- Fix a typo in pklocalauthority(8)
[0.95-0.git20090913.2]
- Refine how Obsolete: is used and also add Provides: (thanks Jesse
Keating and nim-nim)
[0.95-0.git20090913.1]
- Add bugfix for polkit_unix_process_new_full() (thanks Bastien Nocera)
- Obsolete old PolicyKit packages
[0.95-0.git20090913]
- Update to git snapshot
- Drop upstreamed patches
- Turn on GObject introspection
- Don't delete desktop_admin_r and desktop_user_r groups when
uninstalling polkit-desktop-policy
[0.94-4]
- Add some patches from git master
- Sort pkaction(1) output
- Bug 23867 – UnixProcess vs. SystemBusName aliasing
[0.94-3]
- Add desktop_admin_r and desktop_user_r groups along with a first cut
of default authorizations for users in these groups.
[0.94-2]
- Disable GObject Introspection for now as it breaks the build
[0.94-1]
- Update to upstream release 0.94
[0.93-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
[0.93-2]
- Rebuild
[0.93-1]
- Update to 0.93
[0.92-3]
- Don't make docs noarch (I *heart* multilib)
- Change license to LGPLv2+
[0.92-2]
- Rebuild
[0.92-1]
- Update to 0.92 release
[0.92-0.git20090527]
- Update to 0.92 snapshot
[0.91-1]
- Initial spec file.
_______________________________________________
A polkit security update has been released for Oracle Linux 8.