Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 0 articles for you...
89
security advisoryupdateFedoraFedora 41: FEDORA-2024-3c18fe0d93 critical: libdnf memory issue
This is the first maintenance release of Python 3.13 Python 3.13 is the newest major release of the Python programming language, and it contains many new features and optimizations compared to Python 3.12. 3.13.1 is the latest maintenance release, containing almost 400 bugfixes, build improvements and documentation changes since 3.13.0.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-3c18fe0d93 2024-12-22 02:00:45.593936+00:00 -------------------------------------------------------------------------------- Name : libdnf Product : Fedora 41 Version : 0.73.4 Release : 2.fc41 URL : https://github.com/rpm-software-management/libdnf Summary : Library providing simplified C and Python API to libsolv Description : A Library providing simplified C and Python API to libsolv. -------------------------------------------------------------------------------- Update Information: This is the first maintenance release of Python 3.13 Python 3.13 is the newest major release of the Python programming language, and it contains many new features and optimizations compared to Python 3.12. 3.13.1 is the latest maintenance release, containing almost 400 bugfixes, build improvements and documentation changes since 3.13.0. Security content in this release gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified. CVE-2024-9287: gh-124651: Properly quote template strings in venv activation scripts. gh-125140: Remove the current directory from sys.path when using PyREPL. CVE-2024-12254: Unbounded memory buffering in SelectorSocketTransport.writelines() fixed. libdnf and libcomps fixes Fix segfaults in iterators (Python 3.13.1 made this crash happen inregular usage) -------------------------------------------------------------------------------- ChangeLog: * Tue Dec 10 2024 Miro HronÄok - 0.73.4-2 - Fix a segfault in iterator of a ConfigParser section - Fixes: rhbz#2330562 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2321657 - CVE-2024-9287 python3.13: Virtual environment (venv) activation scripts don't quote paths [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2321657 [ 2 ] Bug #2330562 - python3-libdnf segfaults when iterating over an iterator of a ConfigParser section https://bugzilla.redhat.com/show_bug.cgi?id=2330562 [ 3 ] Bug #2330927 - CVE-2024-12254 python3.13: Unbounded memory buffering in SelectorSocketTransport.writelines() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2330927 [ 4 ] Bug #2331665 - libcomps segfaults when iterating over and iterator from an iterator https://bugzilla.redhat.com/show_bug.cgi?id=2331665 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-3c18fe0d93' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- . Uncover key updates in Fedora 41 for Python 3.13 and enhancements in libdnf targeting severe security vulnerabilities.. Fedora Updates, Python 3.13 Security, libdnf Maintenance, Software Security Fixes. . Severity: Critical. LinuxSecurity.com Team
Dec 22, 2024
•Critical
Fedora
202
security advisorymoderatesecurity updateopenSUSE 15.3: 2021:2685-1 Moderate: libdnf Repository Issue
An update that fixes three vulnerabilities is now available. . openSUSE Security Update: Security update for libdnf ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:2685-1 Rating: moderate References: #1183779 Cross-References: CVE-2021-20271 CVE-2021-3421 CVE-2021-3445 CVSS scores: CVE-2021-20271 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-20271 (SUSE): 3.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L CVE-2021-3421 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-3421 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2021-3445 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-3445 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H Affected Products: openSUSE Leap 15.3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for libdnf fixes the following issues: - Fixed crash when loading DVD repositories Update to 0.62.0 + Change order of TransactionItemReason (rh#1921063) + Add two new comperators for security filters (rh#1918475) + Apply security filters for candidates with lower priority + Fix: Goal - translation of messages in global maps + Enhance description of modular solvables + Improve performance for module query + Change mechanism of modular errata applicability (rh#1804234) + dnf_transaction_commit(): Remove second call to rpmtsSetVSFlags + Fix a couple of memory leaks + Fix: Setting of librepo handle in newHandle function + Remove failsafe data when module is not enabled (rh#1847035) + Expose librepo's checksum functions via SWIG + Fix: Mising check of "hy_split_nevra()" return code + Do not allow 1 asinstallonly_limit value (rh#1926261) + Fix check whether the subkey can be used for signing + Hardening: add signature check with rpmcliVerifySignatures (CVE-2021-3445, CVE-2021-3421, CVE-2021-20271, rh#1932079, rh#1932089, rh#1932090, bsc#1183779) + Add a config option sslverifystatus, defaults to false (rh#1814383) + [context] Add API for distro-sync - Fix dependency for repo-config-zypp subpackage to work with SLE Update to 0.60.0 + Fix repo.fresh() implementation + Fix: Fully set ssl in newHandle function + [conf] Add options for working with certificates used with proxy + Apply proxy certificate options + lock: Switch return-if-fail to assert to quiet gcc -fanalyzer + build-sys: Clean up message about Python bindings + Modify module NSVCA parsing - context definition (rh#1926771) + [context] Fix: dnf_package_is_installonly (rh#1928056) + Fix problematic language + Add getApplicablePackages to advisory and isApplicable to advisorymodule + Keep isAdvisoryApplicable to preserve API + Run ModulePackageContainerTest tests in tmpdir, merge interdependent + [context] Support config file option "proxy_auth_method", defaults "any" + Properly handle multiple collections in updateinfo.xml (rh#1804234) + Support main config file option "installonlypkgs" + Support main config file option "protected_packages" - Add repo-config-zypp subpackage to allow easily using Zypper repository configuration - Backport support for using certificates for repository authorization - Backport another fix for adding controls to installonlypkgs - Add patch to move directory for dnf state data to /usr/lib/sysimage - Backport fixes to add controls for installonlypkgs and protected_packages Update to version 0.58.0 + Option: Add reset() method + Add OptionBinds::getOption() method + [context] Add dnf_repo_conf_from_gkeyfile() and dnf_repo_conf_reset() + [context] Add support for options: minrate, throttle, bandwidth, timeout + [context] Remove g_key_file_get_string() from dnf_repo_set_keyfile_data() + Allow loading ext metadata even if only cache (solv) is present + Add ASAN_OPTIONS for test_libdnf_main + [context,API] Functions for accessing main/global configuration options + [context,API] Function for adding setopt + Add getter for modular obsoletes from ModuleMetadata + Add ModulePackage.getStaticContext() and getRequires() + Add compatible layer for MdDocuments v2 + Fix modular queries with the new solver + Improve formatting of error string for modules + Change mechanism of module conflicts + Fix load/update FailSafe Update to version 0.55.2 + Improve performance of query installed() and available() + Swdb: Add a method to get the current transaction + [modules] Add special handling for src artifacts (rh#1809314) + Better msgs if "basecachedir" or "proxy_password" isn't set (rh#1888946) + Add new options module_stream_switch + Support allow_vendor_change setting in dnf context API Update to version 0.55.0 + Add vendor to dnf API (rh#1876561) + Add formatting function for solver error + Add error types in ModulePackageContainer + Implement module enable for context part + Improve string formatting for translation + Remove redundant printf and change logging info to notice (rh#1827424) + Add allow_vendor_change option (rh#1788371) (rh#1788371) Update to version 0.54.2 + history: Fix dnf history rollback when a package was removed (rh#1683134) + Add support for HY_GT, HY_LT in query nevra_strict + Fix parsing empty lines in config files + Accept '==' as an operator in reldeps (rh#1847946) + Add log file level main config option (rh#1802074) + Add protect_running_kernel configuration option (rh#1698145) + Context part of libdnf cannot assume zchunk is on (rh#1851841, rh#1779104) + Fix memory leak of resultingModuleIndex and handle g_object refs + Redirect librepo logs to libdnf logs with different source + Addhy_goal_lock + Enum/String conversions for Transaction Store/Replay + utils: Add a method to decode URLs + Unify hawkey.log line format with the rest of the logs Update to version 0.48.0 + Add prereq_ignoreinst & regular_requires properties for pkg (rh#1543449) + Reset active modules when no module enabled or default (rh#1767351) + Add comment option to transaction (rh#1773679) + Failing to get module defauls is a recoverable error + Baseurl is not exclusive with mirrorlist/metalink (rh#1775184) + Add new function to reset all modules in C API (dnf_context_reset_all_modules) + [context] Fix to preserve additionalMetadata content (rh#1808677) + Fix filtering of DepSolvables with source rpms (rh#1812596) + Add setter for running kernel protection setting + Handle situation when an unprivileged user cannot create history database (rh#1634385) + Add query filter: latest by priority + Add DNF_NO_PROTECTED flag to allow empty list of protected packages + Remove 'dim' option from terminal colors to make them more readable (rh#1807774, rh#1814563) + [context] Error when main config file can't be opened (rh#1794864) + [context] Add function function dnf_context_is_set_config_file_path + swdb: Catch only SQLite3 exceptions and simplify the messages + MergedTransaction list multiple comments (rh#1773679) + Modify CMake to pull *.po files from weblate + Optimize DependencyContainer creation from an existing queue + fix a memory leak in dnf_package_get_requires() + Fix memory leaks on g_build_filename() + Fix memory leak in dnf_context_setup() + Add `hy_goal_favor` and `hy_goal_disfavor` + Define a cleanup function for `DnfPackageSet` + dnf-repo: fix dnf_repo_get_public_keys double-free + Do not cache RPMDB + Use single-quotes around string literals used in SQL statements + SQLite3: Do not close the database if it wasn't opened (rh#1761976) + Don't create a new history DB connection for in-memory DB +transaction/Swdb: Use a single logger variable in constructor + utils: Add a safe version of pathExists() + swdb: Handle the case when pathExists() fails on e.g. permission + Repo: prepend "file://" if a local path is used as baseurl + Move urlEncode() to utils + utils: Add 'exclude' argument to urlEncode() + Encode package URL for downloading through librepo (rh#1817130) + Replace std::runtime_error with libdnf::RepoError + Fixes and error handling improvements of the File class + [context] Use ConfigRepo for gpgkey and baseurl (rh#1807864) + [context] support "priority" option in .repo config file (rh#1797265) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2021-2685=1 Package List: - openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64): libdnf-debuginfo-0.62.0-5.3.1 libdnf-debugsource-0.62.0-5.3.1 libdnf-devel-0.62.0-5.3.1 libdnf-repo-config-zypp-0.62.0-5.3.1 libdnf2-0.62.0-5.3.1 libdnf2-debuginfo-0.62.0-5.3.1 python3-hawkey-0.62.0-5.3.1 python3-hawkey-debuginfo-0.62.0-5.3.1 python3-libdnf-0.62.0-5.3.1 python3-libdnf-debuginfo-0.62.0-5.3.1 - openSUSE Leap 15.3 (noarch): hawkey-man-0.62.0-5.3.1 References: https://www.suse.com/security/cve/CVE-2021-20271.html https://www.suse.com/security/cve/CVE-2021-3421.html https://www.suse.com/security/cve/CVE-2021-3445.html https://bugzilla.suse.com/1183779 . A Fedora security patch resolves two flaws found in libdnf, improving overall system reliability and safety.. libdnf updates, openSUSE security, system updates, repository fixes, moderate threats. . LinuxSecurity.com Team
Aug 13, 2021
OpenSUSE
89
security advisoryfedoraupdateFedora 33: Update Notification FEDORA-2020-b40fc174b5 - librepo 1.12.1
createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-b40fc174b5 2020-10-27 01:20:30.718110 --------------------------------------------------------------------------------Name : librepo Product : Fedora 33 Version : 1.12.1 Release : 1.fc33 URL : https://github.com/rpm-software-management/librepo Summary : Repodata downloading library Description : A library providing C and Python (libcURL like) API to downloading repository metadata. --------------------------------------------------------------------------------Update Information: createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 -Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed (RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix parsing empty lines in config files - Accept '==' as an operator in reldeps (RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add protect_running_kernel configuration option (RhBug:1698145) - Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of resultingModuleIndex and handle g_object refs - Redirect librepo logs to libdnf logs with different source - Introduce changelog metadata in commit messages -Add hy_goal_lock - Update Copr targets for packit and use alias -Enum/String conversions for Transaction Store/Replay - utils: Add a method to decode URLs -Unify hawkey.log line format with the rest of the logs dnf 4.4.0 - Update to 4.4.0 - Handle empty comps group name (RhBug:1826198) - Remove dead history info code (RhBug:1845800) - Improve command emmitter in dnf-automatic - Enhance --querytags and --qf help output - [history] add option --reverse to history list (RhBug:1846692) - Add logfilelevel configuration (RhBug:1802074) - Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280) - Mention the date/time that updates were applied - [dnf-automatic] Wait for internet connection (RhBug:1816308) - [doc] Enhance repo variables documentation (RhBug:1848161,1848615) - Add librepo logger for handling messages from librepo (RhBug:1816573) - [doc] Add package-name-spec to the list of possible specs -[doc] Do not use - [doc] Add section to explain -n, -na and -nevra suffixes - Add alias 'ls' for list command - README: Reference Fedora Weblate instead of Zanata - remove log_lock.pid after reboot(Rhbug:1863006) -comps: Raise CompsError when removing a non-existent group - Add methods for working with comps to RPMTransactionItemWrapper - Implement storing and replaying a transaction - Log failure to access last makecache time as warning -[doc] Document Substitutions class - Dont document removed attribute ``reports`` for get_best_selector - Change the debug log timestamps from UTC to local time dnf-plugins-core 4.0.18 - [needs-restarting] Fix plugin fail if needs-restarting.d does not exist - [needs-restarting] add kernel-rt to reboot list -Fix debug-restore command - [config-manager] enable/disable comma separated pkgs (RhBug:1830530) - [debug] Use standard demands.resolving for transaction handling - [debug] Do not remove install-only packages (RhBug:1844533) - return error when dnf download failed - README: Reference Fedora Weblate instead of Zanata - [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074) -copr: don't tryto list runtime dependencies dnf-plugins-extras 4.0.12 -Update Cmake to pull translations from weblate - Drop Python 2 support - README: Add Installation, Contribution, etc - Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot. - [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408) livecd-tools-27.1-8 - Fix compatibility with dnf 4.4.0 / libdnf 0.54.2 --------------------------------------------------------------------------------ChangeLog: * Wed Oct 7 2020 Nicola Sella - 1.12.1-1 * Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) --------------------------------------------------------------------------------References: [ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove https://bugzilla.redhat.com/show_bug.cgi?id=1683134 [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not https://bugzilla.redhat.com/show_bug.cgi?id=1698145 [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed. https://bugzilla.redhat.com/show_bug.cgi?id=1779104 [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information https://bugzilla.redhat.com/show_bug.cgi?id=1795936 [ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log https://bugzilla.redhat.com/show_bug.cgi?id=1802074 [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet https://bugzilla.redhat.com/show_bug.cgi?id=1816308 [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum) https://bugzilla.redhat.com/show_bug.cgi?id=1816573 [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some* https://bugzilla.redhat.com/show_bug.cgi?id=1830530 [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package https://bugzilla.redhat.com/show_bug.cgi?id=1833074 [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting https://bugzilla.redhat.com/show_bug.cgi?id=1843280 [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels. https://bugzilla.redhat.com/show_bug.cgi?id=1844533 [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution https://bugzilla.redhat.com/show_bug.cgi?id=1845562 [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded https://bugzilla.redhat.com/show_bug.cgi?id=1845800 [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order https://bugzilla.redhat.com/show_bug.cgi?id=1846692 [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3 https://bugzilla.redhat.com/show_bug.cgi?id=1847946 [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004 https://bugzilla.redhat.com/show_bug.cgi?id=1848161 [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented https://bugzilla.redhat.com/show_bug.cgi?id=1848615 [ 18 ] Bug #1851841 - zchunk issue with packagekit https://bugzilla.redhat.com/show_bug.cgi?id=1851841 [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs https://bugzilla.redhat.com/show_bug.cgi?id=1859689 [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34 https://bugzilla.redhat.com/show_bug.cgi?id=1860408 [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot https://bugzilla.redhat.com/show_bug.cgi?id=1863006 [ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868639 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-b40fc174b5' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 26, 2020
•Critical
Fedora
89
security advisoryFedoraupdate informationFedora 33 Update: Createrepo_C 0.16.1 Security Advisory for Users
createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-b40fc174b5 2020-10-27 01:20:30.718110 --------------------------------------------------------------------------------Name : createrepo_c Product : Fedora 33 Version : 0.16.1 Release : 1.fc33 URL : https://github.com/rpm-software-management/createrepo_c Summary : Creates a common metadata repository Description : C implementation of Createrepo. A set of utilities (createrepo_c, mergerepo_c, modifyrepo_c) for generating a common metadata repository from a directory of rpm packages and maintaining it. --------------------------------------------------------------------------------Update Information: createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 -Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed (RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix parsing empty lines in config files - Accept '==' as an operator in reldeps (RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add protect_running_kernel configuration option (RhBug:1698145) - Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of resultingModuleIndex and handle g_object refs - Redirect librepo logs to libdnf logs with different source- Introduce changelog metadata in commit messages -Add hy_goal_lock - Update Copr targets for packit and use alias - Enum/String conversions for Transaction Store/Replay - utils: Add a method to decode URLs -Unify hawkey.log line format with the rest of the logs dnf 4.4.0 - Update to 4.4.0 - Handle empty comps group name (RhBug:1826198) - Remove dead history info code (RhBug:1845800) - Improve command emmitter in dnf-automatic - Enhance --querytags and --qf help output - [history] add option --reverse to history list (RhBug:1846692) - Add logfilelevel configuration (RhBug:1802074) - Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280) - Mention the date/time that updates were applied - [dnf-automatic] Wait for internet connection (RhBug:1816308) - [doc] Enhance repo variables documentation (RhBug:1848161,1848615) - Add librepo logger for handling messages from librepo (RhBug:1816573) - [doc] Add package-name-spec to the list of possible specs -[doc] Do not use - [doc] Add section to explain -n, -na and -nevra suffixes - Add alias 'ls' for list command - README: Reference Fedora Weblate instead of Zanata - remove log_lock.pid after reboot(Rhbug:1863006) -comps: Raise CompsError when removing a non-existent group - Add methods for working with comps to RPMTransactionItemWrapper - Implement storing and replaying a transaction - Log failure to access last makecache time as warning -[doc] Document Substitutions class - Dont document removed attribute ``reports`` for get_best_selector - Change the debug log timestamps from UTC to local time dnf-plugins-core 4.0.18 - [needs-restarting] Fix plugin fail if needs-restarting.d does not exist - [needs-restarting] add kernel-rt to reboot list -Fix debug-restore command - [config-manager] enable/disable comma separated pkgs (RhBug:1830530) - [debug] Use standard demands.resolving for transaction handling - [debug] Do not remove install-only packages (RhBug:1844533) - return error when dnf download failed - README: Reference FedoraWeblate instead of Zanata - [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074) -copr: don't try to list runtime dependencies dnf-plugins-extras 4.0.12 -Update Cmake to pull translations from weblate - Drop Python 2 support - README: Add Installation, Contribution, etc - Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot. - [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408) livecd-tools-27.1-8 - Fix compatibility with dnf 4.4.0 / libdnf 0.54.2 --------------------------------------------------------------------------------ChangeLog: * Tue Oct 6 2020 Nicola Sella - 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) --------------------------------------------------------------------------------References: [ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove https://bugzilla.redhat.com/show_bug.cgi?id=1683134 [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not https://bugzilla.redhat.com/show_bug.cgi?id=1698145 [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed. https://bugzilla.redhat.com/show_bug.cgi?id=1779104 [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information https://bugzilla.redhat.com/show_bug.cgi?id=1795936 [ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log https://bugzilla.redhat.com/show_bug.cgi?id=1802074 [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet https://bugzilla.redhat.com/show_bug.cgi?id=1816308 [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum) https://bugzilla.redhat.com/show_bug.cgi?id=1816573 [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf[config-manager] --enable/disablerepo a-repo,b-repo,some* https://bugzilla.redhat.com/show_bug.cgi?id=1830530 [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package https://bugzilla.redhat.com/show_bug.cgi?id=1833074 [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting https://bugzilla.redhat.com/show_bug.cgi?id=1843280 [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels. https://bugzilla.redhat.com/show_bug.cgi?id=1844533 [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution https://bugzilla.redhat.com/show_bug.cgi?id=1845562 [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded https://bugzilla.redhat.com/show_bug.cgi?id=1845800 [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order https://bugzilla.redhat.com/show_bug.cgi?id=1846692 [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3 https://bugzilla.redhat.com/show_bug.cgi?id=1847946 [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004 https://bugzilla.redhat.com/show_bug.cgi?id=1848161 [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented https://bugzilla.redhat.com/show_bug.cgi?id=1848615 [ 18 ] Bug #1851841 - zchunk issue with packagekit https://bugzilla.redhat.com/show_bug.cgi?id=1851841 [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs https://bugzilla.redhat.com/show_bug.cgi?id=1859689 [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34 https://bugzilla.redhat.com/show_bug.cgi?id=1860408 [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot https://bugzilla.redhat.com/show_bug.cgi?id=1863006 [ 22 ] Bug#1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868639 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-b40fc174b5' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 26, 2020
•Critical
Fedora
89
security advisoryupdateFedoraFedora 32: 2020-5d9f0ce2b3 Severe: libdnf Update and Fixes
createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-5d9f0ce2b3 2020-10-18 15:48:50.062311 --------------------------------------------------------------------------------Name : libdnf Product : Fedora 32 Version : 0.54.2 Release : 1.fc32 URL : https://github.com/rpm-software-management/libdnf Summary : Library providing simplified C and Python API to libsolv Description : A Library providing simplified C and Python API to libsolv. --------------------------------------------------------------------------------Update Information: createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 -Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed (RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix parsing empty lines in config files - Accept '==' as an operator in reldeps (RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add protect_running_kernel configuration option (RhBug:1698145) - Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of resultingModuleIndex and handle g_object refs - Redirect librepo logs to libdnf logs with different source - Introduce changelog metadata in commit messages -Add hy_goal_lock - Update Copr targets for packit and use alias -Enum/String conversions for Transaction Store/Replay - utils: Add a method to decode URLs -Unify hawkey.log line format with the rest of the logs dnf 4.4.0 - Update to 4.4.0 - Handle empty comps group name (RhBug:1826198) - Remove dead history info code (RhBug:1845800) - Improve command emmitter in dnf-automatic - Enhance --querytags and --qf help output - [history] add option --reverse to history list (RhBug:1846692) - Add logfilelevel configuration (RhBug:1802074) - Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280) - Mention the date/time that updates were applied - [dnf-automatic] Wait for internet connection (RhBug:1816308) - [doc] Enhance repo variables documentation (RhBug:1848161,1848615) - Add librepo logger for handling messages from librepo (RhBug:1816573) - [doc] Add package-name-spec to the list of possible specs -[doc] Do not use - [doc] Add section to explain -n, -na and -nevra suffixes - Add alias 'ls' for list command - README: Reference Fedora Weblate instead of Zanata - remove log_lock.pid after reboot(Rhbug:1863006) -comps: Raise CompsError when removing a non-existent group - Add methods for working with comps to RPMTransactionItemWrapper - Implement storing and replaying a transaction - Log failure to access last makecache time as warning -[doc] Document Substitutions class - Dont document removed attribute ``reports`` for get_best_selector - Change the debug log timestamps from UTC to local time dnf-plugins-core 4.0.18 - [needs-restarting] Fix plugin fail if needs-restarting.d does not exist - [needs-restarting] add kernel-rt to reboot list -Fix debug-restore command - [config-manager] enable/disable comma separated pkgs (RhBug:1830530) - [debug] Use standard demands.resolving for transaction handling - [debug] Do not remove install-only packages (RhBug:1844533) - return error when dnf download failed - README: Reference Fedora Weblate instead of Zanata - [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074) -copr: don't tryto list runtime dependencies dnf-plugins-extras 4.0.12 -Update Cmake to pull translations from weblate - Drop Python 2 support - README: Add Installation, Contribution, etc - Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot. - [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408) livecd-tools-27.1-8 - Fix compatibility with dnf 4.4.0 / libdnf 0.54.2 --------------------------------------------------------------------------------ChangeLog: * Wed Oct 7 2020 Nicola Sella - 0.54.2-1 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed (RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix parsing empty lines in config files - Accept '==' as an operator in reldeps (RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add protect_running_kernel configuration option (RhBug:1698145) - Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of resultingModuleIndex and handle g_object refs - Redirect librepo logs to libdnf logs with different source - Introduce changelog metadata in commit messages - Add hy_goal_lock - Update Copr targets for packit and use alias - Enum/String conversions for Transaction Store/Replay - utils: Add a method to decode URLs - Unify hawkey.log line format with the rest of the logs --------------------------------------------------------------------------------References: [ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove https://bugzilla.redhat.com/show_bug.cgi?id=1683134 [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not https://bugzilla.redhat.com/show_bug.cgi?id=1698145 [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed. https://bugzilla.redhat.com/show_bug.cgi?id=1779104 [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information https://bugzilla.redhat.com/show_bug.cgi?id=1795936 [ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log https://bugzilla.redhat.com/show_bug.cgi?id=1802074 [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet https://bugzilla.redhat.com/show_bug.cgi?id=1816308 [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum) https://bugzilla.redhat.com/show_bug.cgi?id=1816573 [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some* https://bugzilla.redhat.com/show_bug.cgi?id=1830530 [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package https://bugzilla.redhat.com/show_bug.cgi?id=1833074 [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting https://bugzilla.redhat.com/show_bug.cgi?id=1843280 [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels. https://bugzilla.redhat.com/show_bug.cgi?id=1844533 [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution https://bugzilla.redhat.com/show_bug.cgi?id=1845562 [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded https://bugzilla.redhat.com/show_bug.cgi?id=1845800 [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order https://bugzilla.redhat.com/show_bug.cgi?id=1846692 [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3 https://bugzilla.redhat.com/show_bug.cgi?id=1847946 [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004 https://bugzilla.redhat.com/show_bug.cgi?id=1848161 [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented https://bugzilla.redhat.com/show_bug.cgi?id=1848615 [ 18] Bug #1851841 - zchunk issue with packagekit https://bugzilla.redhat.com/show_bug.cgi?id=1851841 [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs https://bugzilla.redhat.com/show_bug.cgi?id=1859689 [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34 https://bugzilla.redhat.com/show_bug.cgi?id=1860408 [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot https://bugzilla.redhat.com/show_bug.cgi?id=1863006 [ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868639 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 18, 2020
Fedora
89
security advisoryupdateFedoraFedora 32: 2020-5d9f0ce2b3 Moderate: dnf-plugins-core Update
createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-5d9f0ce2b3 2020-10-18 15:48:50.062311 --------------------------------------------------------------------------------Name : dnf-plugins-core Product : Fedora 32 Version : 4.0.18 Release : 1.fc32 URL : https://github.com/rpm-software-management/dnf-plugins-core Summary : Core Plugins for DNF Description : Core Plugins for DNF. This package enhances DNF with builddep, config-manager, copr, debug, debuginfo-install, download, needs-restarting, repoclosure, repograph, repomanage, reposync, changelog and repodiff commands. Additionally provides generate_completion_cache passive plugin. --------------------------------------------------------------------------------Update Information: createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 -Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed (RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix parsing empty lines in config files - Accept '==' as an operator in reldeps (RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add protect_running_kernel configuration option (RhBug:1698145) - Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of resultingModuleIndexand handle g_object refs - Redirect librepo logs to libdnf logs with different source - Introduce changelog metadata in commit messages -Add hy_goal_lock - Update Copr targets for packit and use alias - Enum/String conversions for Transaction Store/Replay - utils: Add a method to decode URLs -Unify hawkey.log line format with the rest of the logs dnf 4.4.0 - Update to 4.4.0 - Handle empty comps group name (RhBug:1826198) - Remove dead history info code (RhBug:1845800) - Improve command emmitter in dnf-automatic - Enhance --querytags and --qf help output - [history] add option --reverse to history list (RhBug:1846692) - Add logfilelevel configuration (RhBug:1802074) - Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280) - Mention the date/time that updates were applied - [dnf-automatic] Wait for internet connection (RhBug:1816308) - [doc] Enhance repo variables documentation (RhBug:1848161,1848615) - Add librepo logger for handling messages from librepo (RhBug:1816573) - [doc] Add package-name-spec to the list of possible specs -[doc] Do not use - [doc] Add section to explain -n, -na and -nevra suffixes - Add alias 'ls' for list command - README: Reference Fedora Weblate instead of Zanata - remove log_lock.pid after reboot(Rhbug:1863006) -comps: Raise CompsError when removing a non-existent group - Add methods for working with comps to RPMTransactionItemWrapper - Implement storing and replaying a transaction - Log failure to access last makecache time as warning -[doc] Document Substitutions class - Dont document removed attribute ``reports`` for get_best_selector - Change the debug log timestamps from UTC to local time dnf-plugins-core 4.0.18 - [needs-restarting] Fix plugin fail if needs-restarting.d does not exist - [needs-restarting] add kernel-rt to reboot list -Fix debug-restore command - [config-manager] enable/disable comma separated pkgs (RhBug:1830530) - [debug] Use standard demands.resolving for transaction handling - [debug] Do not remove install-onlypackages (RhBug:1844533) - return error when dnf download failed - README: Reference Fedora Weblate instead of Zanata - [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074) -copr: don't try to list runtime dependencies dnf-plugins-extras 4.0.12 -Update Cmake to pull translations from weblate - Drop Python 2 support - README: Add Installation, Contribution, etc - Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot. - [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408) livecd-tools-27.1-8 - Fix compatibility with dnf 4.4.0 / libdnf 0.54.2 --------------------------------------------------------------------------------ChangeLog: * Thu Oct 8 2020 Nicola Sella - 4.0.18-1 - [needs-restarting] Fix plugin fail if needs-restarting.d does not exist - [needs-restarting] add kernel-rt to reboot list - Fix debug-restore command - [config-manager] enable/disable comma separated pkgs (RhBug:1830530) - [debug] Use standard demands.resolving for transaction handling - [debug] Do not remove install-only packages (RhBug:1844533) - return error when dnf download failed - README: Reference Fedora Weblate instead of Zanata - [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074) - copr: don't try to list runtime dependencies --------------------------------------------------------------------------------References: [ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove https://bugzilla.redhat.com/show_bug.cgi?id=1683134 [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not https://bugzilla.redhat.com/show_bug.cgi?id=1698145 [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed. https://bugzilla.redhat.com/show_bug.cgi?id=1779104 [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information https://bugzilla.redhat.com/show_bug.cgi?id=1795936 [ 5 ] Bug #1802074 - Excessive and nonconfigurable logging in /var/log/dnf.log https://bugzilla.redhat.com/show_bug.cgi?id=1802074 [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet https://bugzilla.redhat.com/show_bug.cgi?id=1816308 [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum) https://bugzilla.redhat.com/show_bug.cgi?id=1816573 [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some* https://bugzilla.redhat.com/show_bug.cgi?id=1830530 [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package https://bugzilla.redhat.com/show_bug.cgi?id=1833074 [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting https://bugzilla.redhat.com/show_bug.cgi?id=1843280 [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels. https://bugzilla.redhat.com/show_bug.cgi?id=1844533 [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution https://bugzilla.redhat.com/show_bug.cgi?id=1845562 [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded https://bugzilla.redhat.com/show_bug.cgi?id=1845800 [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order https://bugzilla.redhat.com/show_bug.cgi?id=1846692 [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3 https://bugzilla.redhat.com/show_bug.cgi?id=1847946 [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004 https://bugzilla.redhat.com/show_bug.cgi?id=1848161 [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented https://bugzilla.redhat.com/show_bug.cgi?id=1848615 [ 18 ] Bug #1851841 - zchunk issue with packagekit https://bugzilla.redhat.com/show_bug.cgi?id=1851841 [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs https://bugzilla.redhat.com/show_bug.cgi?id=1859689 [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34 https://bugzilla.redhat.com/show_bug.cgi?id=1860408 [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot https://bugzilla.redhat.com/show_bug.cgi?id=1863006 [ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868639 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 18, 2020
Fedora
89
security advisoryFedorapackage managerFedora 32: 2020-5d9f0ce2b3 Critical DNF Security Advisory
createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-5d9f0ce2b3 2020-10-18 15:48:50.062311 --------------------------------------------------------------------------------Name : dnf Product : Fedora 32 Version : 4.4.0 Release : 1.fc32 URL : https://github.com/rpm-software-management/dnf Summary : Package manager Description : Utility that allows users to manage packages on their systems. It supports RPMs, modules and comps groups & environments. --------------------------------------------------------------------------------Update Information: createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 -Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed (RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix parsing empty lines in config files - Accept '==' as an operator in reldeps (RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add protect_running_kernel configuration option (RhBug:1698145) - Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of resultingModuleIndex and handle g_object refs - Redirect librepo logs to libdnf logs with different source - Introduce changelog metadata in commit messages -Add hy_goal_lock - Update Copr targets for packit and usealias - Enum/String conversions for Transaction Store/Replay - utils: Add a method to decode URLs -Unify hawkey.log line format with the rest of the logs dnf 4.4.0 - Update to 4.4.0 - Handle empty comps group name (RhBug:1826198) - Remove dead history info code (RhBug:1845800) - Improve command emmitter in dnf-automatic - Enhance --querytags and --qf help output - [history] add option --reverse to history list (RhBug:1846692) - Add logfilelevel configuration (RhBug:1802074) - Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280) - Mention the date/time that updates were applied - [dnf-automatic] Wait for internet connection (RhBug:1816308) - [doc] Enhance repo variables documentation (RhBug:1848161,1848615) - Add librepo logger for handling messages from librepo (RhBug:1816573) - [doc] Add package-name-spec to the list of possible specs -[doc] Do not use - [doc] Add section to explain -n, -na and -nevra suffixes - Add alias 'ls' for list command - README: Reference Fedora Weblate instead of Zanata - remove log_lock.pid after reboot(Rhbug:1863006) -comps: Raise CompsError when removing a non-existent group - Add methods for working with comps to RPMTransactionItemWrapper - Implement storing and replaying a transaction - Log failure to access last makecache time as warning -[doc] Document Substitutions class - Dont document removed attribute ``reports`` for get_best_selector - Change the debug log timestamps from UTC to local time dnf-plugins-core 4.0.18 - [needs-restarting] Fix plugin fail if needs-restarting.d does not exist - [needs-restarting] add kernel-rt to reboot list -Fix debug-restore command - [config-manager] enable/disable comma separated pkgs (RhBug:1830530) - [debug] Use standard demands.resolving for transaction handling - [debug] Do not remove install-only packages (RhBug:1844533) - return error when dnf download failed - README: Reference Fedora Weblate instead of Zanata - [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074) -copr:don't try to list runtime dependencies dnf-plugins-extras 4.0.12 -Update Cmake to pull translations from weblate - Drop Python 2 support - README: Add Installation, Contribution, etc - Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot. - [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408) livecd-tools-27.1-8 - Fix compatibility with dnf 4.4.0 / libdnf 0.54.2 --------------------------------------------------------------------------------ChangeLog: * Wed Oct 7 2020 Nicola Sella - 4.4.0-1 - Update to 4.4.0 - Handle empty comps group name (RhBug:1826198) - Remove dead history info code (RhBug:1845800) - Improve command emmitter in dnf-automatic - Enhance --querytags and --qf help output - [history] add option --reverse to history list (RhBug:1846692) - Add logfilelevel configuration (RhBug:1802074) - Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280) - Mention the date/time that updates were applied - [dnf-automatic] Wait for internet connection (RhBug:1816308) - [doc] Enhance repo variables documentation (RhBug:1848161,1848615) - Add librepo logger for handling messages from librepo (RhBug:1816573) - [doc] Add package-name-spec to the list of possible specs - [doc] Do not use - [doc] Add section to explain -n, -na and -nevra suffixes - Add alias 'ls' for list command - README: Reference Fedora Weblate instead of Zanata - remove log_lock.pid after reboot(Rhbug:1863006) - comps: Raise CompsError when removing a non-existent group - Add methods for working with comps to RPMTransactionItemWrapper - Implement storing and replaying a transaction - Log failure to access last makecache time as warning - [doc] Document Substitutions class - Dont document removed attribute ``reports`` for get_best_selector - Change the debug log timestamps from UTC to local time --------------------------------------------------------------------------------References: [ 1 ] Bug #1683134 - dnf rollback works strangeafter upgrade/downgrade/remove https://bugzilla.redhat.com/show_bug.cgi?id=1683134 [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not https://bugzilla.redhat.com/show_bug.cgi?id=1698145 [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed. https://bugzilla.redhat.com/show_bug.cgi?id=1779104 [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information https://bugzilla.redhat.com/show_bug.cgi?id=1795936 [ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log https://bugzilla.redhat.com/show_bug.cgi?id=1802074 [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet https://bugzilla.redhat.com/show_bug.cgi?id=1816308 [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum) https://bugzilla.redhat.com/show_bug.cgi?id=1816573 [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some* https://bugzilla.redhat.com/show_bug.cgi?id=1830530 [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package https://bugzilla.redhat.com/show_bug.cgi?id=1833074 [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting https://bugzilla.redhat.com/show_bug.cgi?id=1843280 [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels. https://bugzilla.redhat.com/show_bug.cgi?id=1844533 [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution https://bugzilla.redhat.com/show_bug.cgi?id=1845562 [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded https://bugzilla.redhat.com/show_bug.cgi?id=1845800 [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order https://bugzilla.redhat.com/show_bug.cgi?id=1846692 [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3 https://bugzilla.redhat.com/show_bug.cgi?id=1847946 [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004 https://bugzilla.redhat.com/show_bug.cgi?id=1848161 [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented https://bugzilla.redhat.com/show_bug.cgi?id=1848615 [ 18 ] Bug #1851841 - zchunk issue with packagekit https://bugzilla.redhat.com/show_bug.cgi?id=1851841 [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs https://bugzilla.redhat.com/show_bug.cgi?id=1859689 [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34 https://bugzilla.redhat.com/show_bug.cgi?id=1860408 [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot https://bugzilla.redhat.com/show_bug.cgi?id=1863006 [ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868639 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 18, 2020
•Critical
Fedora
89
security advisoryupdatecriticalCritical Advisory for Fedora 32: libdnf 2020-47a7fbf50d Released
libdnf 0.54.2-2 - Increase needed conflicting dnf version dnf 4.4.0-2 - Increase required libdnf version. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-47a7fbf50d 2020-10-15 22:33:15.459411 --------------------------------------------------------------------------------Name : libdnf Product : Fedora 32 Version : 0.54.2 Release : 2.fc32 URL : https://github.com/rpm-software-management/libdnf Summary : Library providing simplified C and Python API to libsolv Description : A Library providing simplified C and Python API to libsolv. --------------------------------------------------------------------------------Update Information: libdnf 0.54.2-2 - Increase needed conflicting dnf version dnf 4.4.0-2 -Increase required libdnf version --------------------------------------------------------------------------------ChangeLog: * Tue Oct 13 2020 Ales Matej - 0.54.2-2 - Increase needed conflicting dnf version * Wed Oct 7 2020 Nicola Sella - 0.54.2-1 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed (RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix parsing empty lines in config files - Accept '==' as an operator in reldeps (RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add protect_running_kernel configuration option (RhBug:1698145) - Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of resultingModuleIndex and handle g_object refs - Redirect librepo logs to libdnf logs with different source - Introduce changelog metadata in commit messages - Add hy_goal_lock - Update Copr targets for packit and use alias - Enum/String conversions for Transaction Store/Replay - utils: Add a method to decode URLs - Unify hawkey.log line format with the rest of the logs --------------------------------------------------------------------------------References: [ 1] Bug #1887502 - After dnf upgrade to dnf-4.4.0-1.fc33.noarch, dnf is unusable https://bugzilla.redhat.com/show_bug.cgi?id=1887502 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-47a7fbf50d' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 15, 2020
•Critical
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!