Title: An update for pesign is now available for openEuler-22.03-LTS-SP1
Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuer: openEuler security committee
Advisory ID: openEuler-SA-2023-1159
Status: Final
Version: 1.0
Revision: 1.0
Revision date: 2023-03-17
Revision description: Initial
Initial release date: 2023-03-17
Current release date: 2023-03-17
Generator: openEuler SA Tool V1.0
Generated: 2023-03-17
Synopsis: pesign security update
An update for pesign is now available for openEuler-22.03-LTS-SP1.
pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.
Security Fix(es):
A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack. (CVE-2022-3560)
openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: Medium
Affected component: pesign
References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1159
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3560
https://nvd.nist.gov/vuln/detail/CVE-2022-3560
Affected packages (openEuler-22.03-LTS-SP1):
pesign-debugsource-115-4.oe2203sp1.aarch64.rpm
pesign-help-115-4.oe2203sp1.aarch64.rpm
pesign-115-4.oe2203sp1.aarch64.rpm
pesign-debuginfo-115-4.oe2203sp1.aarch64.rpm
pesign-115-4.oe2203sp1.src.rpm
pesign-debuginfo-115-4.oe2203sp1.x86_64.rpm
pesign-debugsource-115-4.oe2203sp1.x86_64.rpm
pesign-115-4.oe2203sp1.x86_64.rpm
pesign-help-115-4.oe2203sp1.x86_64.rpm
Vulnerability description: A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the pesign group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.
Release date: 2023-03-17
CVE: CVE-2022-3560
Affected product: openEuler-22.03-LTS-SP1
Severity: Medium
CVSS base score: 5.5
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Remediation: pesign security update
Remediation date: 2023-03-17
Remediation URL: https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1159