openSUSE Security Update: Security update for libdnf
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:2685-1
Rating:             moderate
References:         #1183779 
Cross-References:   CVE-2021-20271 CVE-2021-3421 CVE-2021-3445
                   
CVSS scores:
                    CVE-2021-20271 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-20271 (SUSE): 3.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
                    CVE-2021-3421 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-3421 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-3445 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-3445 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for libdnf fixes the following issues:

   - Fixed crash when loading DVD repositories

   Update to 0.62.0

   + Change order of TransactionItemReason (rh#1921063)
   + Add two new comperators for security filters (rh#1918475)
   + Apply security filters for candidates with lower priority
   + Fix: Goal - translation of messages in global maps
   + Enhance description of modular solvables
   + Improve performance for module query
   + Change mechanism of modular errata applicability (rh#1804234)
   + dnf_transaction_commit(): Remove second call to rpmtsSetVSFlags
   + Fix a couple of memory leaks
   + Fix: Setting of librepo handle in newHandle function
   + Remove failsafe data when module is not enabled (rh#1847035)
   + Expose librepo's checksum functions via SWIG
   + Fix: Mising check of "hy_split_nevra()" return code
   + Do not allow 1 as installonly_limit value (rh#1926261)
   + Fix check whether the subkey can be used for signing
   + Hardening: add signature check with rpmcliVerifySignatures
     (CVE-2021-3445, CVE-2021-3421, CVE-2021-20271, rh#1932079, rh#1932089,
     rh#1932090, bsc#1183779)
   + Add a config option sslverifystatus, defaults to false (rh#1814383)
   + [context] Add API for distro-sync

   - Fix dependency for repo-config-zypp subpackage to work with SLE

   Update to 0.60.0

   + Fix repo.fresh() implementation
   + Fix: Fully set ssl in newHandle function
   + [conf] Add options for working with certificates used with proxy
   + Apply proxy certificate options
   + lock: Switch return-if-fail to assert to quiet gcc -fanalyzer
   + build-sys: Clean up message about Python bindings
   + Modify module NSVCA parsing - context definition (rh#1926771)
   + [context] Fix: dnf_package_is_installonly (rh#1928056)
   + Fix problematic language
   + Add getApplicablePackages to advisory and isApplicable to advisorymodule
   + Keep isAdvisoryApplicable to preserve API
   + Run ModulePackageContainerTest tests in tmpdir, merge interdependent
   + [context] Support config file option "proxy_auth_method", defaults "any"
   + Properly handle multiple collections in updateinfo.xml (rh#1804234)
   + Support main config file option "installonlypkgs"
   + Support main config file option "protected_packages"

   - Add repo-config-zypp subpackage to allow easily using Zypper repository
     configuration

   - Backport support for using certificates for repository authorization
   - Backport another fix for adding controls to installonlypkgs
   - Add patch to move directory for dnf state data to /usr/lib/sysimage
   - Backport fixes to add controls for installonlypkgs and protected_packages

   Update to version 0.58.0

   + Option: Add reset() method
   + Add OptionBinds::getOption() method
   + [context] Add dnf_repo_conf_from_gkeyfile() and dnf_repo_conf_reset()
   + [context] Add support for options: minrate, throttle, bandwidth, timeout
   + [context] Remove g_key_file_get_string() from dnf_repo_set_keyfile_data()
   + Allow loading ext metadata even if only cache (solv) is present
   + Add ASAN_OPTIONS for test_libdnf_main
   + [context,API] Functions for accessing main/global configuration options
   + [context,API] Function for adding setopt
   + Add getter for modular obsoletes from ModuleMetadata
   + Add ModulePackage.getStaticContext() and getRequires()
   + Add compatible layer for MdDocuments v2
   + Fix modular queries with the new solver
   + Improve formatting of error string for modules
   + Change mechanism of module conflicts
   + Fix load/update FailSafe

   Update to version 0.55.2

   + Improve performance of query installed() and available()
   + Swdb: Add a method to get the current transaction
   + [modules] Add special handling for src artifacts (rh#1809314)
   + Better msgs if "basecachedir" or "proxy_password" isn't set (rh#1888946)
   + Add new options module_stream_switch
   + Support allow_vendor_change setting in dnf context API

   Update to version 0.55.0

   + Add vendor to dnf API (rh#1876561)
   + Add formatting function for solver error
   + Add error types in ModulePackageContainer
   + Implement module enable for context part
   + Improve string formatting for translation
   + Remove redundant printf and change logging info to notice (rh#1827424)
   + Add allow_vendor_change option (rh#1788371) (rh#1788371)

   Update to version 0.54.2

   + history: Fix dnf history rollback when a package was removed (rh#1683134)
   + Add support for HY_GT, HY_LT in query nevra_strict
   + Fix parsing empty lines in config files
   + Accept '==' as an operator in reldeps (rh#1847946)
   + Add log file level main config option (rh#1802074)
   + Add protect_running_kernel configuration option (rh#1698145)
   + Context part of libdnf cannot assume zchunk is on (rh#1851841,
     rh#1779104)
   + Fix memory leak of resultingModuleIndex and handle g_object refs
   + Redirect librepo logs to libdnf logs with different source
   + Add hy_goal_lock
   + Enum/String conversions for Transaction Store/Replay
   + utils: Add a method to decode URLs
   + Unify hawkey.log line format with the rest of the logs

   Update to version 0.48.0

   + Add prereq_ignoreinst & regular_requires properties for pkg (rh#1543449)
   + Reset active modules when no module enabled or default (rh#1767351)
   + Add comment option to transaction (rh#1773679)
   + Failing to get module defauls is a recoverable error
   + Baseurl is not exclusive with mirrorlist/metalink (rh#1775184)
   + Add new function to reset all modules in C API
     (dnf_context_reset_all_modules)
   + [context] Fix to preserve additionalMetadata content (rh#1808677)
   + Fix filtering of DepSolvables with source rpms (rh#1812596)
   + Add setter for running kernel protection setting
   + Handle situation when an unprivileged user cannot create history
     database (rh#1634385)
   + Add query filter: latest by priority
   + Add DNF_NO_PROTECTED flag to allow empty list of protected packages
   + Remove 'dim' option from terminal colors to make them more readable
     (rh#1807774, rh#1814563)
   + [context] Error when main config file can't be opened (rh#1794864)
   + [context] Add function function dnf_context_is_set_config_file_path
   + swdb: Catch only SQLite3 exceptions and simplify the messages
   + MergedTransaction list multiple comments (rh#1773679)
   + Modify CMake to pull *.po files from weblate
   + Optimize DependencyContainer creation from an existing queue
   + fix a memory leak in dnf_package_get_requires()
   + Fix memory leaks on g_build_filename()
   + Fix memory leak in dnf_context_setup()
   + Add `hy_goal_favor` and `hy_goal_disfavor`
   + Define a cleanup function for `DnfPackageSet`
   + dnf-repo: fix dnf_repo_get_public_keys double-free
   + Do not cache RPMDB
   + Use single-quotes around string literals used in SQL statements
   + SQLite3: Do not close the database if it wasn't opened (rh#1761976)
   + Don't create a new history DB connection for in-memory DB
   + transaction/Swdb: Use a single logger variable in constructor
   + utils: Add a safe version of pathExists()
   + swdb: Handle the case when pathExists() fails on e.g. permission
   + Repo: prepend "file://" if a local path is used as baseurl
   + Move urlEncode() to utils
   + utils: Add 'exclude' argument to urlEncode()
   + Encode package URL for downloading through librepo (rh#1817130)
   + Replace std::runtime_error with libdnf::RepoError
   + Fixes and error handling improvements of the File class
   + [context] Use ConfigRepo for gpgkey and baseurl (rh#1807864)
   + [context] support "priority" option in .repo config file (rh#1797265)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2021-2685=1



Package List:

   - openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64):

      libdnf-debuginfo-0.62.0-5.3.1
      libdnf-debugsource-0.62.0-5.3.1
      libdnf-devel-0.62.0-5.3.1
      libdnf-repo-config-zypp-0.62.0-5.3.1
      libdnf2-0.62.0-5.3.1
      libdnf2-debuginfo-0.62.0-5.3.1
      python3-hawkey-0.62.0-5.3.1
      python3-hawkey-debuginfo-0.62.0-5.3.1
      python3-libdnf-0.62.0-5.3.1
      python3-libdnf-debuginfo-0.62.0-5.3.1

   - openSUSE Leap 15.3 (noarch):

      hawkey-man-0.62.0-5.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-20271.html
   https://www.suse.com/security/cve/CVE-2021-3421.html
   https://www.suse.com/security/cve/CVE-2021-3445.html
   https://bugzilla.suse.com/1183779

openSUSE: 2021:2685-1 moderate: libdnf

August 13, 2021
An update that fixes three vulnerabilities is now available

Description

This update for libdnf fixes the following issues: - Fixed crash when loading DVD repositories Update to 0.62.0 + Change order of TransactionItemReason (rh#1921063) + Add two new comperators for security filters (rh#1918475) + Apply security filters for candidates with lower priority + Fix: Goal - translation of messages in global maps + Enhance description of modular solvables + Improve performance for module query + Change mechanism of modular errata applicability (rh#1804234) + dnf_transaction_commit(): Remove second call to rpmtsSetVSFlags + Fix a couple of memory leaks + Fix: Setting of librepo handle in newHandle function + Remove failsafe data when module is not enabled (rh#1847035) + Expose librepo's checksum functions via SWIG + Fix: Mising check of "hy_split_nevra()" return code + Do not allow 1 as installonly_limit value (rh#1926261) + Fix check whether the subkey can be used for signing + Hardening: add signature check with rpmcliVerifySignatures (CVE-2021-3445, CVE-2021-3421, CVE-2021-20271, rh#1932079, rh#1932089, rh#1932090, bsc#1183779) + Add a config option sslverifystatus, defaults to false (rh#1814383) + [context] Add API for distro-sync - Fix dependency for repo-config-zypp subpackage to work with SLE Update to 0.60.0 + Fix repo.fresh() implementation + Fix: Fully set ssl in newHandle function + [conf] Add options for working with certificates used with proxy + Apply proxy certificate options + lock: Switch return-if-fail to assert to quiet gcc -fanalyzer + build-sys: Clean up message about Python bindings + Modify module NSVCA parsing - context definition (rh#1926771) + [context] Fix: dnf_package_is_installonly (rh#1928056) + Fix problematic language + Add getApplicablePackages to advisory and isApplicable to advisorymodule + Keep isAdvisoryApplicable to preserve API + Run ModulePackageContainerTest tests in tmpdir, merge interdependent + [context] Support config file option "proxy_auth_method", defaults "any" + Properly handle multiple collections in updateinfo.xml (rh#1804234) + Support main config file option "installonlypkgs" + Support main config file option "protected_packages" - Add repo-config-zypp subpackage to allow easily using Zypper repository configuration - Backport support for using certificates for repository authorization - Backport another fix for adding controls to installonlypkgs - Add patch to move directory for dnf state data to /usr/lib/sysimage - Backport fixes to add controls for installonlypkgs and protected_packages Update to version 0.58.0 + Option: Add reset() method + Add OptionBinds::getOption() method + [context] Add dnf_repo_conf_from_gkeyfile() and dnf_repo_conf_reset() + [context] Add support for options: minrate, throttle, bandwidth, timeout + [context] Remove g_key_file_get_string() from dnf_repo_set_keyfile_data() + Allow loading ext metadata even if only cache (solv) is present + Add ASAN_OPTIONS for test_libdnf_main + [context,API] Functions for accessing main/global configuration options + [context,API] Function for adding setopt + Add getter for modular obsoletes from ModuleMetadata + Add ModulePackage.getStaticContext() and getRequires() + Add compatible layer for MdDocuments v2 + Fix modular queries with the new solver + Improve formatting of error string for modules + Change mechanism of module conflicts + Fix load/update FailSafe Update to version 0.55.2 + Improve performance of query installed() and available() + Swdb: Add a method to get the current transaction + [modules] Add special handling for src artifacts (rh#1809314) + Better msgs if "basecachedir" or "proxy_password" isn't set (rh#1888946) + Add new options module_stream_switch + Support allow_vendor_change setting in dnf context API Update to version 0.55.0 + Add vendor to dnf API (rh#1876561) + Add formatting function for solver error + Add error types in ModulePackageContainer + Implement module enable for context part + Improve string formatting for translation + Remove redundant printf and change logging info to notice (rh#1827424) + Add allow_vendor_change option (rh#1788371) (rh#1788371) Update to version 0.54.2 + history: Fix dnf history rollback when a package was removed (rh#1683134) + Add support for HY_GT, HY_LT in query nevra_strict + Fix parsing empty lines in config files + Accept '==' as an operator in reldeps (rh#1847946) + Add log file level main config option (rh#1802074) + Add protect_running_kernel configuration option (rh#1698145) + Context part of libdnf cannot assume zchunk is on (rh#1851841, rh#1779104) + Fix memory leak of resultingModuleIndex and handle g_object refs + Redirect librepo logs to libdnf logs with different source + Add hy_goal_lock + Enum/String conversions for Transaction Store/Replay + utils: Add a method to decode URLs + Unify hawkey.log line format with the rest of the logs Update to version 0.48.0 + Add prereq_ignoreinst & regular_requires properties for pkg (rh#1543449) + Reset active modules when no module enabled or default (rh#1767351) + Add comment option to transaction (rh#1773679) + Failing to get module defauls is a recoverable error + Baseurl is not exclusive with mirrorlist/metalink (rh#1775184) + Add new function to reset all modules in C API (dnf_context_reset_all_modules) + [context] Fix to preserve additionalMetadata content (rh#1808677) + Fix filtering of DepSolvables with source rpms (rh#1812596) + Add setter for running kernel protection setting + Handle situation when an unprivileged user cannot create history database (rh#1634385) + Add query filter: latest by priority + Add DNF_NO_PROTECTED flag to allow empty list of protected packages + Remove 'dim' option from terminal colors to make them more readable (rh#1807774, rh#1814563) + [context] Error when main config file can't be opened (rh#1794864) + [context] Add function function dnf_context_is_set_config_file_path + swdb: Catch only SQLite3 exceptions and simplify the messages + MergedTransaction list multiple comments (rh#1773679) + Modify CMake to pull *.po files from weblate + Optimize DependencyContainer creation from an existing queue + fix a memory leak in dnf_package_get_requires() + Fix memory leaks on g_build_filename() + Fix memory leak in dnf_context_setup() + Add `hy_goal_favor` and `hy_goal_disfavor` + Define a cleanup function for `DnfPackageSet` + dnf-repo: fix dnf_repo_get_public_keys double-free + Do not cache RPMDB + Use single-quotes around string literals used in SQL statements + SQLite3: Do not close the database if it wasn't opened (rh#1761976) + Don't create a new history DB connection for in-memory DB + transaction/Swdb: Use a single logger variable in constructor + utils: Add a safe version of pathExists() + swdb: Handle the case when pathExists() fails on e.g. permission + Repo: prepend "file://" if a local path is used as baseurl + Move urlEncode() to utils + utils: Add 'exclude' argument to urlEncode() + Encode package URL for downloading through librepo (rh#1817130) + Replace std::runtime_error with libdnf::RepoError + Fixes and error handling improvements of the File class + [context] Use ConfigRepo for gpgkey and baseurl (rh#1807864) + [context] support "priority" option in .repo config file (rh#1797265)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2021-2685=1


Package List

- openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64): libdnf-debuginfo-0.62.0-5.3.1 libdnf-debugsource-0.62.0-5.3.1 libdnf-devel-0.62.0-5.3.1 libdnf-repo-config-zypp-0.62.0-5.3.1 libdnf2-0.62.0-5.3.1 libdnf2-debuginfo-0.62.0-5.3.1 python3-hawkey-0.62.0-5.3.1 python3-hawkey-debuginfo-0.62.0-5.3.1 python3-libdnf-0.62.0-5.3.1 python3-libdnf-debuginfo-0.62.0-5.3.1 - openSUSE Leap 15.3 (noarch): hawkey-man-0.62.0-5.3.1


References

https://www.suse.com/security/cve/CVE-2021-20271.html https://www.suse.com/security/cve/CVE-2021-3421.html https://www.suse.com/security/cve/CVE-2021-3445.html https://bugzilla.suse.com/1183779


Severity
Announcement ID: openSUSE-SU-2021:2685-1
Rating: moderate
Affected Products: openSUSE Leap 15.3 .

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved