RedHat: RHSA-2019-3583:01 Moderate: yum security, bug fix,

    Date: 05 Nov 2019
    Category: Red Hat
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: yum security, bug fix, and enhancement update
    Advisory ID:       RHSA-2019:3583-01
    Product:           Red Hat Enterprise Linux
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3583
    Issue date:        2019-11-05
    CVE Names:         CVE-2018-20534 CVE-2019-3817 
    =====================================================================
    
    1. Summary:
    
    An update for yum is now available for Red Hat Enterprise Linux 8.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
    Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
    
    3. Description:
    
    Yum is a command-line utility that allows the user to check for updates and
    automatically download and install updated RPM packages. Yum automatically
    obtains and downloads dependencies, prompting the user for permission as
    necessary. 
    
    The following packages have been upgraded to a later upstream version: dnf
    (4.2.7), dnf-plugins-core (4.0.8), libcomps (0.1.11), libdnf (0.35.1),
    librepo (1.10.3), libsolv (0.7.4). (BZ#1690288, BZ#1690289, BZ#1690299,
    BZ#1692402, BZ#1694019, BZ#1697946)
    
    Security Fix(es):
    
    * libcomps: use after free when merging two objmrtrees (CVE-2019-3817)
    
    * libsolv: illegal address access in pool_whatprovides in src/pool.h
    (CVE-2018-20534)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Additional Changes:
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 8.1 Release Notes linked from the References section.
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1650266 - microdnf - sockets not supported building layer on rhel8-beta/rhel-minimal image
    1655605 - yum list available --showduplicates will list not only available packages but packages installed on the system.
    1656584 - Add support for modular errata
    1656801 - `dnf update`:  "Errors occurred during transaction" due to POSTUN scriptlet failures
    1657703 - [abrt] [faf] dnf: hdrFromFdno(): /usr/lib64/python3.6/site-packages/rpm/transaction.py killed by _rpm.error
    1657851 - yum  displays dnf  in -h
    1658579 - Be explicite about the REPODIR used in the Error message.
    1663533 - proxy bypass behavior incompatible with previous versions
    1665538 - CVE-2018-20534 libsolv: illegal address access in pool_whatprovides in src/pool.h
    1666325 - yum alias list does not work properly
    1667898 - repoquery --whatrequires only accepts one pkgspec
    1668005 - CVE-2019-3817 libcomps: use after free when merging two objmrtrees
    1670835 - [manpage] yum2dnf incorrect and missing info
    1671731 - dnf list showduplicates incorrect output
    1671839 - dnf: Typo in es_US localization
    1672649 - Add dnf.package.Package API for getting pkgid of package from repo in DNF plugin
    1673278 - [manpage] inconsistent cmdline options docs: dnf --help/man page
    1673289 - dnf enableplugin/disableplugin does not report unknown plugin
    1673902 - missing yum-copr man page
    1673913 - option tsflags missing in dnf.conf
    1673920 - confusing yum-plugin-changelog documentation
    1674562 - dnf not parsing default state of comps group correctly
    1676418 - yum-utils manpage inconsistent with other yum compat manpages
    1677199 - Fail to obtain the transaction lock after change of SELinux policy type
    1677583 - yum-builddep tries to install content from non-active stream
    1677640 - The module enable/disable works unexpectedly with slow/fast train virt module
    1678593 - do not mention switching streams with module enable
    1678596 - unable to install module content into nonstandard install root
    1678598 - Net install caused /tmp to run out of space due to flood in dnf.librepo.log
    1678689 - dnf module --help refers to module_spec while man page uses module-spec
    1679008 - no auto completion with dnf
    1679509 - [libdnf] Set skip_if_unavailable=false as default behavior for software management tools
    1684270 - [hawkey] occasional segfault when interrupting (SIGINT) dnf process (may be caused by particular plugins in use, e.g. "leaves" ones in the past)
    1686645 - Remove empty else block.
    1686779 - yum-config-manager does not accept repo names
    1688537 - reposync doesn't preserve timestamp from repo being synced
    1688823 - dnf tracebacks on invalid modular deps
    1689331 - packagekit doesn't honor skip_if_unavailable=False for local repositories
    1689931 - global parameter to define skip_if_unavailable behavior for yum
    1690288 - Rebase libsolv to >= 0.7.3
    1690289 - Rebase dnf to >= 4.2.0
    1690299 - Rebase libdnf to >= 0.28.0
    1690414 - dnf continues despite an error code from test-transaction
    1691315 - microdnf fails to install from repo which uses xml:base on location
    1692402 - Rebase dnf-plugins-core to >= 4.0.6
    1694019 - Rebase librepo to >= 1.9.5
    1694709 - [dnf] docs: update description of skip_if_unavailable
    1695720 - dnf logs excessively verbosely by default, cannot be configured, certain operations (e.g. reposync) lead to huge logs occupying excessive filesystem space
    1697946 - Rebase libcomps to >= 0.1.10
    1699348 - System upgrades, empty installroot, involving modular content require explicit --setopt=module_platform_id to work correctly
    1700250 - Redundant “]” in dnf module info output
    1700741 - When dnf plugin is upgraded via Obsolete, it is not run in the transaction phase
    1702283 - microdnf leaks memory
    1702678 - Settings are not saved with "yum config-manager --save --setopt=.