--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-6ec78b2586
2022-11-10 16:17:54.575869
--------------------------------------------------------------------------------

Name        : device-mapper-multipath
Product     : Fedora 36
Version     : 0.8.7
Release     : 9.fc36
URL         : http://christophe.varoqui.free.fr/
Summary     : Tools to manage multipath devices using device-mapper
Description :
device-mapper-multipath provides tools to manage multipath devices by
instructing the device-mapper multipath kernel module what to do.
The tools are :
* multipath - Scan the system for multipath devices and assemble them.
* multipathd - Detects when paths fail and execs multipath to update things.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2022-41973 and CVE-2022-41974
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 26 2022 Benjamin Marzinski <bmarzins@redhat.com> - 0.8.7-9
- Add 0040-multipathd-ignore-duplicated-multipathd-command-keys.patch
  * Fixes bz #2137414
- Add 0041-multipath-tools-use-run-instead-of-dev-shm.patch
  * Fixes bz #2137416
- Resolves: bz #2137414, #2137416
* Tue Aug 23 2022 Benjamin Marzinski <bmarzins@redhat.com> - 0.8.7-8.1
- Add 0038-multipathd-Add-missing-ctype-include.patch
- Add 0039-multipathd-replace-libreadline-with-libedit.patch
  * replace readline with libedit, to avoid license conflicts. readline
    is licensed GPL v3, and multipathd includes code licensed gpl v2 only.
- Require libedit instead of readline
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123894 - CVE-2022-41973 device-mapper-multipath: Symlink attack multipathd operates insecurely, as root, in /dev/shm (a sticky, world-writable directory similar to /tmp)
        https://bugzilla.redhat.com/show_bug.cgi?id=2123894
  [ 2 ] Bug #2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
        https://bugzilla.redhat.com/show_bug.cgi?id=2133988
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-6ec78b2586' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------