
Red Hat Enterprise Linux 8 RHSA-2021-4464-02 Moderate: dnf Signature Bypass

November 9, 2021
An update for dnf, dnf-plugins-core, and libdnf is now available for Red Hat Enterprise Linux 8.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

dnf is a package manager that allows users to manage packages on their systems. It supports RPMs, modules and comps groups & environments.
Security Fix(es):
* libdnf: Signature verification bypass via signature placed in the main RPM header (CVE-2021-3445)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

Package List

Red Hat Enterprise Linux BaseOS (v. 8):
Source:
dnf-4.7.0-4.el8.src.rpm
dnf-plugins-core-4.0.21-3.el8.src.rpm
libdnf-0.63.0-3.el8.src.rpm

aarch64:
libdnf-0.63.0-3.el8.aarch64.rpm
libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
libdnf-debugsource-0.63.0-3.el8.aarch64.rpm
python3-hawkey-0.63.0-3.el8.aarch64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.aarch64.rpm
python3-libdnf-0.63.0-3.el8.aarch64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm

noarch:
dnf-4.7.0-4.el8.noarch.rpm
dnf-automatic-4.7.0-4.el8.noarch.rpm
dnf-data-4.7.0-4.el8.noarch.rpm
dnf-plugins-core-4.0.21-3.el8.noarch.rpm
python3-dnf-4.7.0-4.el8.noarch.rpm
python3-dnf-plugin-post-transaction-actions-4.0.21-3.el8.noarch.rpm
python3-dnf-plugin-versionlock-4.0.21-3.el8.noarch.rpm
python3-dnf-plugins-core-4.0.21-3.el8.noarch.rpm
yum-4.7.0-4.el8.noarch.rpm
yum-utils-4.0.21-3.el8.noarch.rpm

ppc64le:
libdnf-0.63.0-3.el8.ppc64le.rpm
libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
libdnf-debugsource-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm

s390x:
libdnf-0.63.0-3.el8.s390x.rpm
libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
libdnf-debugsource-0.63.0-3.el8.s390x.rpm


Advisory ID: RHSA-2021:4464-01
Product: Red Hat Enterprise Linux
Issue date: 2021-11-09

Topic

An update for dnf, dnf-plugins-core, and libdnf is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases/Architectures

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

Bugs Fixed

1804234 - yum false positive advisory if module enabled

1818118 - openvswitch: yum update using wrapper file to allow for stream change fails in RHEL-8

1847035 - [modularity] modulefailsafe .yaml file is not removed after module disable/reset

1893176 - dnf aborts when running update

1898293 - repomanage --old does not list the oldest package per module

1904490 - Backtrace when performing "yum module remove --all perl:common"

1906970 - dnf history wrong output if piped through more or redirected to file

1913962 - "dnf needs-restarting -r" work incorrectly inside systemd-nspawn containers

1914827 - [RHEL8] dnf reposync implicitly downloads source rpms in spite of no --source option

1918475 - dnf --security pulling in packages without security advisory

1926261 - dnf should not allow an installonly_limit less than 2

1926771 - dnf does not recognize scratch modules NSVC

1929163 - problem with transaction() hook

1929667 - Typos in dnf API documentation

1932079 - CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header

1934499 - dnf autoremove wants to remove "kernel-modules-extra" if you have a rawhide kernel installed

1940345 - ip_resolve, timeout, username, password options are ignored for downloading remote "rpm"

1951409 - Rebase libdnf to >= 0.55.2

1951411 - Rebase dnf to >= 4.5.2

1951414 - Rebase dnf-plugins-core to >= 4.0.21
