Util-Linux package development
* [ANNOUNCE] util-linux v2.42.2 and v2.41.5
From: Karel Zak @ 2026-06-16 12:34 UTC
  To: linux-kernel, linux-fsdevel, util-linux

  The util-linux releases v2.42.2 and v2.41.5 are now available at

    https://www.kernel.org/pub/linux/utils/util-linux/v2.42/
    https://www.kernel.org/pub/linux/utils/util-linux/v2.41/

  Both releases contain security fixes for libmount and libblkid:

   CVE-2026-53613 - mount(8) TOCTOU race on target path
   CVE-2026-53612 - mount(8) TOCTOU race on post-mount owner/mode change
   CVE-2026-53614 - mount(8) SUID bypass via LIBMOUNT_FORCE_MOUNT2
   libblkid use-after-free in nested partition probing

  v2.42.2 additionally includes a follow-up fix for CVE-2026-27456
  (loop device symlink attack) -- the v2.42.1 fix used O_NOFOLLOW
  which only rejects symlinks at the last path component; this update
  uses openat2(RESOLVE_NO_SYMLINKS) to reject symlinks at any component.

  Note for v2.41 downstream maintainers: the same loopdev follow-up
  fix for CVE-2026-27456 is available on the stable/v2.41 branch
  (commit 2dacaf3ee) but did not make it into the v2.41.5 tarball.
  Please cherry-pick it into your builds.

  Release notes:
    https://www.kernel.org/pub/linux/utils/util-linux/v2.42/v2.42.2-ReleaseNotes
    https://www.kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.5-ReleaseNotes

  Feedback and bug reports, as always, are welcomed.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com
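
The O_NOFOLLOW versus openat2(RESOLVE_NO_SYMLINKS) difference described in the announcement, as an added example that is not part of the original message and is not util-linux code. The helper names, the local copy of struct open_how and the temporary directory tree are assumptions made for illustration; it needs Linux 5.6 or later for openat2().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_openat2
#define SYS_openat2 437   /* syscall number, same on all Linux architectures */
#endif
#define NO_SYMLINKS 0x04  /* value of RESOLVE_NO_SYMLINKS in <linux/openat2.h> */
struct how { unsigned long long flags, mode, resolve; };  /* local copy of struct open_how */

/* openat() with O_NOFOLLOW: returns 0 on success, -errno on failure. */
static int try_nofollow(int dirfd, const char *path)
{
    int fd = openat(dirfd, path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    return fd < 0 ? -errno : (close(fd), 0);
}

/* openat2() with RESOLVE_NO_SYMLINKS: returns 0 on success, -errno on failure. */
static int try_no_symlinks(int dirfd, const char *path)
{
    struct how h = { .flags = O_RDONLY | O_CLOEXEC, .resolve = NO_SYMLINKS };
    long fd = syscall(SYS_openat2, dirfd, path, &h, sizeof(h));
    return fd < 0 ? -errno : (close((int)fd), 0);
}

/* Constructed tree under /tmp (not cleaned up): real/file, link -> real,
 * flink -> real/file. Returns a directory fd for the tree, or -1. */
static int make_tree(void)
{
    char tmpl[] = "/tmp/nosymXXXXXX";
    int d = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC) : -1;
    if (d < 0 || mkdirat(d, "real", 0700) || symlinkat("real", d, "link") ||
        symlinkat("real/file", d, "flink"))
        return -1;
    int f = openat(d, "real/file", O_CREAT | O_WRONLY, 0600);
    return f < 0 ? -1 : (close(f), d);
}

int main(void)
{
    const char *p[] = { "real/file", "flink", "link/file" };
    int d = make_tree();
    for (int i = 0; d >= 0 && i < 3; i++)
        printf("%-9s O_NOFOLLOW=%d RESOLVE_NO_SYMLINKS=%d\n", p[i],
               try_nofollow(d, p[i]), try_no_symlinks(d, p[i]));
    return d < 0;
}
```

The path `link/file` has its symlink in a non-final component, so O_NOFOLLOW opens it while RESOLVE_NO_SYMLINKS refuses it with ELOOP; `flink` is refused by both.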



