zsh-5.0.2-34.el7.2

Errata ID: AXSA:2020-4510:02

Release date: 
Sunday, March 22, 2020 - 07:00
Subject: 
zsh-5.0.2-34.el7.2
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.

Security Fix(es):

* zsh: insecure dropping of privileges when unsetting PRIVILEGED option (CVE-2019-20044)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-20044
In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().
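
The saved-uid condition described above can be checked on Linux from the Uid:/Gid: lines of /proc/<pid>/status. The following is an added example, not part of this advisory or of zsh; the sample status text and function names are constructed for illustration, and the check is generalized to cover group ids and the real id as well.

```python
"""Audit /proc/<pid>/status text for an incomplete privilege drop (Linux)."""
import re

# Constructed sample: effective ids lowered to 1000, saved ids still 0.
# Field order on the Uid:/Gid: lines is real, effective, saved, filesystem.
INCOMPLETE_DROP = """\
Name:\tzsh
Uid:\t1000\t1000\t0\t1000
Gid:\t1000\t1000\t0\t1000
"""

# Constructed sample: real, effective and saved ids all set to 1000.
FULL_DROP = """\
Name:\tzsh
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
"""

_ID_LINE = re.compile(
    r"^(Uid|Gid):[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M)


def parse_ids(status_text):
    """Return {'Uid': (real, eff, saved, fs), 'Gid': (...)} from status text."""
    ids = {m.group(1): tuple(int(g) for g in m.groups()[1:])
           for m in _ID_LINE.finditer(status_text)}
    if set(ids) != {"Uid", "Gid"}:
        raise ValueError("status text lacks a well-formed Uid: or Gid: line")
    return ids


def regainable_ids(status_text):
    """List (kind, slot, value) for ids the process can still switch back to."""
    # An unprivileged process may set its effective id to its real or saved
    # id, so a drop is complete only when all three are equal.
    findings = []
    for kind, (real, eff, saved, _fs) in sorted(parse_ids(status_text).items()):
        if real != eff:
            findings.append((kind, "real", real))
        if saved != eff:
            findings.append((kind, "saved", saved))
    return findings


def audit_pid(pid):
    """Run the same check against a live process."""
    with open(f"/proc/{pid}/status") as fh:
        return regainable_ids(fh.read())
```

An empty list from audit_pid() means the real, effective and saved ids of that process already match.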

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. zsh-5.0.2-34.el7.2.src.rpm
    MD5: 95c07e3008f73ae7c4eb0ac776b3de0b
    SHA-256: 13219a3f651d34a34645bd89f93f9d96bc3bd29470a25f163e035c1bd77f7d96
    Size: 2.99 MB

Asianux Server 7 for x86_64
  1. zsh-5.0.2-34.el7.2.x86_64.rpm
    MD5: ab733a21e39e31182237e0f8b244a909
    SHA-256: ff289ed8cce82601ee5eae27225f7b96de84acb00a28eebbf4810e034022276c
    Size: 2.38 MB