
Fedora 32: 2020-5d9f0ce2b3 Critical DNF Security Advisory

October 18, 2020

Summary

Utility that allows users to manage packages on their systems. It supports RPMs, modules and comps groups & environments.

createrepo_c 0.16.1

- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1

- Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2

- Update to 0.54.2
- history: Fix dnf history rollback when a package was removed (RhBug:1683134)
- Add support for HY_GT, HY_LT in query nevra_strict
- Fix parsing empty lines in config files
- Accept '==' as an operator in reldeps (RhBug:1847946)
- Add log file level main config option (RhBug:1802074)
- Add protect_running_kernel configuration option (RhBug:1698145)
- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
- Fix memory leak of resultingModuleIndex and handle g_object refs
- Redirect librepo logs to libdnf logs with different source
- Introduce changelog metadata in commit messages
- Add hy_goal_lock
- Update Copr targets for packit and use alias
- Enum/String conversions for Transaction Store/Replay
- utils: Add a method to decode URLs
- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0

- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (RhBug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18

- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
- [needs-restarting] add kernel-rt to reboot list
- Fix debug-restore command
- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
- [debug] Use standard demands.resolving for transaction handling
- [debug] Do not remove install-only packages (RhBug:1844533)
- return error when dnf download failed
- README: Reference Fedora Weblate instead of Zanata
- [reposync] Add latest NEVRAs per stream to download (RhBug:1833074)
- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12

- Update Cmake to pull translations from weblate
- Drop Python 2 support
- README: Add Installation, Contribution, etc
- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8

- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2

* Wed Oct 7 2020 Nicola Sella - 4.4.0-1

- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (RhBug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

[ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove

https://bugzilla.redhat.com/show_bug.cgi?id=1683134

[ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not

https://bugzilla.redhat.com/show_bug.cgi?id=1698145

[ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.

https://bugzilla.redhat.com/show_bug.cgi?id=1779104

[ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information

https://bugzilla.redhat.com/show_bug.cgi?id=1795936

[ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log

https://bugzilla.redhat.com/show_bug.cgi?id=1802074

[ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet

https://bugzilla.redhat.com/show_bug.cgi?id=1816308

[ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)

https://bugzilla.redhat.com/show_bug.cgi?id=1816573

[ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*

https://bugzilla.redhat.com/show_bug.cgi?id=1830530

[ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package

https://bugzilla.redhat.com/show_bug.cgi?id=1833074

[ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting

https://bugzilla.redhat.com/show_bug.cgi?id=1843280

[ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.

https://bugzilla.redhat.com/show_bug.cgi?id=1844533

[ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution

https://bugzilla.redhat.com/show_bug.cgi?id=1845562

[ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded

https://bugzilla.redhat.com/show_bug.cgi?id=1845800

[ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order

https://bugzilla.redhat.com/show_bug.cgi?id=1846692

[ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3

https://bugzilla.redhat.com/show_bug.cgi?id=1847946

[ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004

https://bugzilla.redhat.com/show_bug.cgi?id=1848161

[ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented

https://bugzilla.redhat.com/show_bug.cgi?id=1848615

[ 18 ] Bug #1851841 - zchunk issue with packagekit

https://bugzilla.redhat.com/show_bug.cgi?id=1851841

[ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs

https://bugzilla.redhat.com/show_bug.cgi?id=1859689

[ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34

https://bugzilla.redhat.com/show_bug.cgi?id=1860408

[ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot

https://bugzilla.redhat.com/show_bug.cgi?id=1863006

[ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1868639

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: critical

Product: Fedora 32
Version: 4.4.0
Release: 1.fc32
Summary: Package manager
