A new release of bubblewrap is available, which fixes a local privilege escalation: https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.3

Specifically relevant to Project Atomic, this applies only to CentOS7/RHEL7 systems which have bubblewrap installed as privileged code. Notably, we *do* install it by default as /usr/bin/bwrap in CentOS Atomic Host Alpha, but not in the primary CentOS Atomic Host release. There it exists solely as /usr/libexec/rpm-ostree/bwrap for use by rpm-ostree's package layering; it is not installed as privileged and hence is not a vulnerability vector.

Fedora, because it unconditionally enables `CLONE_NEWUSER` access, is not vulnerable to this.

So, expect updates to land soon in:

- EPEL7
- CentOS AH Alpha
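
To see which case a given host falls into, the following added example (not part of the original announcement or of bubblewrap itself) reports whether the two paths named above carry the setuid bit. It assumes that "installed as privileged" means setuid root and that GNU `stat` is available; the function names and output labels are this script's own.

```shell
#!/bin/sh
# Added example: classify bwrap binaries by setuid bit and owner.
# The two default paths are the ones named in the announcement.

# Print one of: missing | not-setuid | setuid-uid=<owner uid>
bwrap_mode() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
    elif [ -u "$f" ]; then
        # A setuid binary runs with the privileges of its owner (GNU stat: %u).
        echo "setuid-uid=$(stat -c %u "$f")"
    else
        echo "not-setuid"
    fi
}

# Print the mode of every path given; return 0 if any is setuid root, else 1.
bwrap_report() {
    found=1
    for p in "$@"; do
        mode=$(bwrap_mode "$p")
        echo "$p: $mode"
        [ "$mode" = "setuid-uid=0" ] && found=0
    done
    return $found
}

if bwrap_report /usr/bin/bwrap /usr/libexec/rpm-ostree/bwrap; then
    echo "setuid-root bwrap present: update to v0.1.3 or later"
    # Show the installed package version where rpm is available.
    command -v rpm >/dev/null 2>&1 && rpm -q bubblewrap || true
fi
```

The script checks only the setuid bit, so a copy that is present but not setuid is reported as `not-setuid`, matching the rpm-ostree case described above.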