RedHat: RHSA-2021-1582:01 Moderate: cpio security update | LinuxSec...

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: cpio security update
Advisory ID:       RHSA-2021:1582-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1582
Issue date:        2021-05-18
CVE Names:         CVE-2019-14866 
=====================================================================

1. Summary:

An update for cpio is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The cpio packages provide the GNU cpio utility for creating and extracting
archives, or copying files from one place to another.

Security Fix(es):

* cpio: improper input validation when writing tar header fields leads to
unexpected tar generation (CVE-2019-14866)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.4 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1487673 - cpio does not preserve soft link time
1765511 - CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
cpio-2.12-10.el8.src.rpm

aarch64:
cpio-2.12-10.el8.aarch64.rpm
cpio-debuginfo-2.12-10.el8.aarch64.rpm
cpio-debugsource-2.12-10.el8.aarch64.rpm

ppc64le:
cpio-2.12-10.el8.ppc64le.rpm
cpio-debuginfo-2.12-10.el8.ppc64le.rpm
cpio-debugsource-2.12-10.el8.ppc64le.rpm

s390x:
cpio-2.12-10.el8.s390x.rpm
cpio-debuginfo-2.12-10.el8.s390x.rpm
cpio-debugsource-2.12-10.el8.s390x.rpm

x86_64:
cpio-2.12-10.el8.x86_64.rpm
cpio-debuginfo-2.12-10.el8.x86_64.rpm
cpio-debugsource-2.12-10.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

