This bug was fixed in the package apport - 2.20.8-0ubuntu1 --------------- apport (2.20.8-0ubuntu1) bionic; urgency=medium
* New upstream release: - SECURITY UPDATE: Denial of service via resource exhaustion and privilege escalation when handling crashes of tainted processes. - When /proc/sys/fs/suid_dumpable is set to 2, do not assume that the user and group owning the /proc/<PID>/stat file is the same owner and group that started the process. Rather check the dump mode of the crashed process and do not write a core file if its value is 2. Thanks to Sander Bos for discovering this issue! (CVE-2017-14177, LP: #1726372) - SECURITY UPDATE: Denial of service via resource exhaustion, privilege escalation, and possible container escape when handling crashes of processes inside PID namespaces. - Change the method for determining if a crash is from a container so that there are no false positives from software using PID namespaces. Additionally, disable container crash forwarding by ignoring crashes that occur in a PID namespace. This functionality may be re-enabled in a future update. Thanks to Sander Bos for discovering this issue! (CVE-2017-14180, LP: #1726372) * apport/hookutils.py: modify package_versions to return an empty string if packages is empty. (LP: #1723822) -- Brian Murray <br...@ubuntu.com> Wed, 15 Nov 2017 12:44:24 -0800 ** Changed in: apport (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1726372 Title: Multiple security issues in Apport To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1726372/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs