An update for libcap is now available for openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1243 Final 1.0 1.0 2025-03-07 Initial 2025-03-07 2025-03-07 openEuler SA Tool V1.0 2025-03-07 libcap security update An update for libcap is now available for openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4 This is a library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities. Security Fix(es): The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.(CVE-2025-1390) An update for libcap is now available for openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium libcap https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1243 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1390 https://nvd.nist.gov/vuln/detail/CVE-2025-1390 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 libcap-2.69-4.oe2403.x86_64.rpm libcap-debuginfo-2.69-4.oe2403.x86_64.rpm libcap-debugsource-2.69-4.oe2403.x86_64.rpm libcap-devel-2.69-4.oe2403.x86_64.rpm libcap-2.69-4.oe2403sp1.x86_64.rpm libcap-debuginfo-2.69-4.oe2403sp1.x86_64.rpm libcap-debugsource-2.69-4.oe2403sp1.x86_64.rpm libcap-devel-2.69-4.oe2403sp1.x86_64.rpm libcap-2.32-8.oe2003sp4.x86_64.rpm libcap-debuginfo-2.32-8.oe2003sp4.x86_64.rpm libcap-debugsource-2.32-8.oe2003sp4.x86_64.rpm libcap-devel-2.32-8.oe2003sp4.x86_64.rpm libcap-2.61-8.oe2203sp3.x86_64.rpm libcap-debuginfo-2.61-8.oe2203sp3.x86_64.rpm libcap-debugsource-2.61-8.oe2203sp3.x86_64.rpm libcap-devel-2.61-8.oe2203sp3.x86_64.rpm libcap-2.61-8.oe2203sp4.x86_64.rpm libcap-debuginfo-2.61-8.oe2203sp4.x86_64.rpm libcap-debugsource-2.61-8.oe2203sp4.x86_64.rpm libcap-devel-2.61-8.oe2203sp4.x86_64.rpm libcap-help-2.69-4.oe2403.noarch.rpm libcap-help-2.69-4.oe2403sp1.noarch.rpm libcap-help-2.32-8.oe2003sp4.noarch.rpm libcap-help-2.61-8.oe2203sp3.noarch.rpm libcap-help-2.61-8.oe2203sp4.noarch.rpm libcap-2.69-4.oe2403.aarch64.rpm libcap-debuginfo-2.69-4.oe2403.aarch64.rpm libcap-debugsource-2.69-4.oe2403.aarch64.rpm libcap-devel-2.69-4.oe2403.aarch64.rpm libcap-2.69-4.oe2403sp1.aarch64.rpm libcap-debuginfo-2.69-4.oe2403sp1.aarch64.rpm libcap-debugsource-2.69-4.oe2403sp1.aarch64.rpm libcap-devel-2.69-4.oe2403sp1.aarch64.rpm libcap-2.32-8.oe2003sp4.aarch64.rpm libcap-debuginfo-2.32-8.oe2003sp4.aarch64.rpm libcap-debugsource-2.32-8.oe2003sp4.aarch64.rpm libcap-devel-2.32-8.oe2003sp4.aarch64.rpm libcap-2.61-8.oe2203sp3.aarch64.rpm libcap-debuginfo-2.61-8.oe2203sp3.aarch64.rpm libcap-debugsource-2.61-8.oe2203sp3.aarch64.rpm libcap-devel-2.61-8.oe2203sp3.aarch64.rpm libcap-2.61-8.oe2203sp4.aarch64.rpm libcap-debuginfo-2.61-8.oe2203sp4.aarch64.rpm libcap-debugsource-2.61-8.oe2203sp4.aarch64.rpm libcap-devel-2.61-8.oe2203sp4.aarch64.rpm libcap-2.69-4.oe2403.src.rpm libcap-2.69-4.oe2403sp1.src.rpm libcap-2.32-8.oe2003sp4.src.rpm libcap-2.61-8.oe2203sp3.src.rpm libcap-2.61-8.oe2203sp4.src.rpm The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. 2025-03-07 CVE-2025-1390 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 Medium 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N libcap security update 2025-03-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1243