AXSA:2020-122:05

Release date: Wednesday, June 10, 2020 - 01:52
Subject: zsh-5.5.1-6.el8.2
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.

Security Fix(es):

* zsh: insecure dropping of privileges when unsetting PRIVILEGED option (CVE-2019-20044)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-20044
In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().
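
The CVE text above turns on the saved uid being left untouched. As an added illustration (not code from zsh, its patch, or this advisory), the following C sketch shows one way a program can drop privileges permanently and verify that the real, effective and saved IDs all changed. It assumes Linux/glibc, where setresuid() and getresuid() are available; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the block builds even if an earlier include fixed the feature macros. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Returns 1 only if the real, effective AND saved IDs all equal uid/gid. */
int ids_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return r == uid && e == uid && s == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Permanently drop to the real uid/gid. Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid(), old_euid = geteuid();
    gid_t gid = getgid(), old_egid = getegid();

    /* Groups first: after the uid is dropped the gid change may be refused.
       setresuid() overwrites the saved uid too, unlike a bare seteuid(). */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (!ids_fully_dropped(uid, gid))
        return -1;
    /* If we started elevated, an attempt to regain the old IDs must now fail. */
    if (old_euid != uid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != gid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    int rc = drop_privileges_permanently();
    puts(rc == 0 ? "real, effective and saved IDs all match"
                 : "privilege drop failed, refusing to continue");
    return rc == 0 ? 0 : 1;
}
```

A caller should treat any non-zero return as fatal and exit rather than continue with partially dropped IDs.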

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. zsh-5.5.1-6.el8.2.src.rpm
    MD5: b2a3eda409a349f3a790a0649bf07265
    SHA-256: 4ec2380c521040d29fa622a226d519798d2f4fcfa1fd9a16289cc31364bd9d45
    Size: 2.95 MB

Asianux Server 8 for x86_64
  1. zsh-5.5.1-6.el8.2.x86_64.rpm
    MD5: 98fb0756881b279f1335a2ad14e20c97
    SHA-256: 18927b10339ea61f02805b18d7b62002d54c5fb85a68e6b490ddf3f5a1813cb7
    Size: 2.90 MB
  2. zsh-html-5.5.1-6.el8.2.noarch.rpm
    MD5: 62809807527273ef9dd11b2c375febda
    SHA-256: fbe0d8f9783aaa85360400efe50b497d6ff839411db3529b72a99885ec359894
    Size: 518.50 kB
Copyright© 2007-2015 Asianux. All rights reserved.