libpolkit0-0.118-7.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11180-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libpolkit0-0.118-7.2 on GA media These are all security issues fixed in the libpolkit0-0.118-7.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11180 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-1116/ SUSE CVE CVE-2018-1116 page https://www.suse.com/security/cve/CVE-2018-19788/ SUSE CVE CVE-2018-19788 page https://www.suse.com/security/cve/CVE-2019-6133/ SUSE CVE CVE-2019-6133 page https://www.suse.com/security/cve/CVE-2021-3560/ SUSE CVE CVE-2021-3560 page openSUSE Tumbleweed libpolkit0-0.118-7.2 libpolkit0-32bit-0.118-7.2 polkit-0.118-7.2 polkit-devel-0.118-7.2 polkit-doc-0.118-7.2 typelib-1_0-Polkit-1_0-0.118-7.2 libpolkit0-0.118-7.2 as a component of openSUSE Tumbleweed libpolkit0-32bit-0.118-7.2 as a component of openSUSE Tumbleweed polkit-0.118-7.2 as a component of openSUSE Tumbleweed polkit-devel-0.118-7.2 as a component of openSUSE Tumbleweed polkit-doc-0.118-7.2 as a component of openSUSE Tumbleweed typelib-1_0-Polkit-1_0-0.118-7.2 as a component of openSUSE Tumbleweed A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure. CVE-2018-1116 openSUSE Tumbleweed:libpolkit0-0.118-7.2 openSUSE Tumbleweed:libpolkit0-32bit-0.118-7.2 openSUSE Tumbleweed:polkit-0.118-7.2 openSUSE Tumbleweed:polkit-devel-0.118-7.2 openSUSE Tumbleweed:polkit-doc-0.118-7.2 openSUSE Tumbleweed:typelib-1_0-Polkit-1_0-0.118-7.2 low 3.6 AV:L/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1116.html CVE-2018-1116 https://bugzilla.suse.com/1099031 SUSE Bug 1099031 A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command. CVE-2018-19788 openSUSE Tumbleweed:libpolkit0-0.118-7.2 openSUSE Tumbleweed:libpolkit0-32bit-0.118-7.2 openSUSE Tumbleweed:polkit-0.118-7.2 openSUSE Tumbleweed:polkit-devel-0.118-7.2 openSUSE Tumbleweed:polkit-doc-0.118-7.2 openSUSE Tumbleweed:typelib-1_0-Polkit-1_0-0.118-7.2 moderate 9 AV:N/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19788.html CVE-2018-19788 https://bugzilla.suse.com/1118274 SUSE Bug 1118274 https://bugzilla.suse.com/1118277 SUSE Bug 1118277 https://bugzilla.suse.com/1119056 SUSE Bug 1119056 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. CVE-2019-6133 openSUSE Tumbleweed:libpolkit0-0.118-7.2 openSUSE Tumbleweed:libpolkit0-32bit-0.118-7.2 openSUSE Tumbleweed:polkit-0.118-7.2 openSUSE Tumbleweed:polkit-devel-0.118-7.2 openSUSE Tumbleweed:polkit-doc-0.118-7.2 openSUSE Tumbleweed:typelib-1_0-Polkit-1_0-0.118-7.2 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6133.html CVE-2019-6133 https://bugzilla.suse.com/1070943 SUSE Bug 1070943 https://bugzilla.suse.com/1121826 SUSE Bug 1121826 https://bugzilla.suse.com/1121872 SUSE Bug 1121872 It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2021-3560 openSUSE Tumbleweed:libpolkit0-0.118-7.2 openSUSE Tumbleweed:libpolkit0-32bit-0.118-7.2 openSUSE Tumbleweed:polkit-0.118-7.2 openSUSE Tumbleweed:polkit-devel-0.118-7.2 openSUSE Tumbleweed:polkit-doc-0.118-7.2 openSUSE Tumbleweed:typelib-1_0-Polkit-1_0-0.118-7.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3560.html CVE-2021-3560 https://bugzilla.suse.com/1186497 SUSE Bug 1186497