Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories

We found 7 articles for you...

openSUSE: 2021:0295-1 Important: librepo Path Issue Moderate Fix

openSUSE Security Update: Security update for librepo
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0295-1
Rating:             important
References:         #1175475
Cross-References:   CVE-2020-14352
CVSS scores:
                    CVE-2020-14352 (NVD) : 8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-14352 (SUSE): 8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for librepo fixes the following issues:

- Upgrade to 1.12.1
  + Validate path read from repomd.xml (bsc#1175475, CVE-2020-14352)
- Changes from 1.12.0
  + Prefer mirrorlist/metalink over baseurl (rh#1775184)
  + Decode package URL when using for local filename (rh#1817130)
  + Fix memory leak in lr_download_metadata() and lr_yum_download_remote()
  + Download sources work when at least one of specified is working (rh#1775184)

This update was imported from the SUSE:SLE-15-SP2:Update update project.
This update was imported from the openSUSE:Leap:15.2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP2:

  zypper in -t patch openSUSE-2021-295=1

Package List:

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

  librepo-devel-1.12.1-bp152.2.6.1
  librepo0-1.12.1-bp152.2.6.1
  python3-librepo-1.12.1-bp152.2.6.1

References:

https://www.suse.com/security/cve/CVE-2020-14352.html
https://bugzilla.suse.com/1175475

A crucial announcement for openSUSE addresses a vulnerability in librepo through improved path validation to ensure stronger security.
openSUSE Security Update, librepo patch, software security advisory.
Severity: Important. LinuxSecurity.com Team

Feb 15, 2021 Important OpenSUSE

openSUSE Leap 15.2: openSUSE-SU-2021:0277-1 Important: Librepo Path Issue

openSUSE Security Update: Security update for librepo
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0277-1
Rating:             important
References:         #1175475
Cross-References:   CVE-2020-14352
CVSS scores:
                    CVE-2020-14352 (NVD) : 8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-14352 (SUSE): 8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for librepo fixes the following issues:

- Upgrade to 1.12.1
  + Validate path read from repomd.xml (bsc#1175475, CVE-2020-14352)
- Changes from 1.12.0
  + Prefer mirrorlist/metalink over baseurl (rh#1775184)
  + Decode package URL when using for local filename (rh#1817130)
  + Fix memory leak in lr_download_metadata() and lr_yum_download_remote()
  + Download sources work when at least one of specified is working (rh#1775184)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2021-277=1

Package List:

- openSUSE Leap 15.2 (i586 x86_64):

  librepo-debuginfo-1.12.1-lp152.2.6.1
  librepo-debugsource-1.12.1-lp152.2.6.1
  librepo-devel-1.12.1-lp152.2.6.1
  librepo0-1.12.1-lp152.2.6.1
  librepo0-debuginfo-1.12.1-lp152.2.6.1
  python3-librepo-1.12.1-lp152.2.6.1
  python3-librepo-debuginfo-1.12.1-lp152.2.6.1

References:

https://www.suse.com/security/cve/CVE-2020-14352.html
https://bugzilla.suse.com/1175475

An essential patch for librepo in openSUSE has been released to resolve CVE-2020-14352, with critical updates now accessible.
OpenSUSE Security Update, Librepo Fix, Important Update.
Severity: Important. LinuxSecurity.com Team

Feb 12, 2021 Important OpenSUSE

Mageia: 2020-0429 Moderate: librepo Directory Traversal Threat

MGASA-2020-0429 - Updated librepo packages fix a security vulnerability

Publication date: 21 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0429.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-14352

It was discovered that librepo was subject to a directory traversal vulnerability where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files (CVE-2020-14352).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27241
- https://lists.fedoraproject.org/archives/list/[address obscured]/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/
- https://access.redhat.com/errata/RHSA-2020:5012
- https://www.cve.org/CVERecord?id=CVE-2020-14352

SRPMS:
- 7/core/librepo-1.10.3-1.1.mga7

Mageia 2020-0428 addresses a security vulnerability in librepo that could lead to unauthorized access, jeopardizing the integrity of the system.
directory traversal, librepo, system security, Mageia advisory.
LinuxSecurity.com Team

Nov 21, 2020 Mageia

CentOS: CESA-2020-5013 Important Update for Librepo Components

CentOS Errata and Security Advisory 2020:5012 Moderate

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5012

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

x86_64:
8a0bacc73339833881bc5ae7fa62eafa7a9c0011b40065f3a69fb02d298f29d6  librepo-1.8.1-8.el7_9.i686.rpm
1eb2e0f2ab532fc7491714b9d8dae34bf6977843c4b9649fe0509d2fc7dc3b59  librepo-1.8.1-8.el7_9.x86_64.rpm
6263d570ddf0f6cf0247a3e7266a7aa7caae795462727dbb4d747261bc4aa1be  librepo-devel-1.8.1-8.el7_9.i686.rpm
dd5402f5bb60ada1db63c1305e3650e8804adcacfb1557affb8623621fd83155  librepo-devel-1.8.1-8.el7_9.x86_64.rpm
9db782d6307662cc280b48dbb9d5908c853c6f93c0175937ebbebb1942d0dbf1  python-librepo-1.8.1-8.el7_9.x86_64.rpm

Source:
63edcffa1095b1a196c843267ba15077b216ea4bf5d97aa98d1d55bb1f6494ba  librepo-1.8.1-8.el7_9.src.rpm

--
Johnny Hughes
CentOS Project { https://www.centos.org/ }
irc: hughesjr
Twitter: @JohnnyCentOS

CentOS Errata and Security Advisory 2021:6054 Important concerning recent enhancements to librepo packages.
librepo updates, CentOS 7 Errata, moderate security note.
Severity: Important. LinuxSecurity.com Team

Nov 18, 2020 Important CentOS

Red Hat Enterprise Linux 7: RHSA-2020-5012-01 moderate librepo path exploit

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: librepo security update
Advisory ID:       RHSA-2020:5012-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5012
Issue date:        2020-11-10
CVE Names:         CVE-2020-14352
====================================================================

1. Summary:

An update for librepo is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The librepo library provides a C and Python API to download repository metadata.

Security Fix(es):

* librepo: missing path validation in repomd.xml may lead to directory traversal (CVE-2020-14352)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1866498 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
librepo-1.8.1-8.el7_9.src.rpm

x86_64:
librepo-1.8.1-8.el7_9.i686.rpm
librepo-1.8.1-8.el7_9.x86_64.rpm
librepo-debuginfo-1.8.1-8.el7_9.i686.rpm
librepo-debuginfo-1.8.1-8.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
librepo-debuginfo-1.8.1-8.el7_9.i686.rpm
librepo-debuginfo-1.8.1-8.el7_9.x86_64.rpm
librepo-devel-1.8.1-8.el7_9.i686.rpm
librepo-devel-1.8.1-8.el7_9.x86_64.rpm
python-librepo-1.8.1-8.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
librepo-1.8.1-8.el7_9.src.rpm

x86_64:
librepo-1.8.1-8.el7_9.i686.rpm
librepo-1.8.1-8.el7_9.x86_64.rpm
librepo-debuginfo-1.8.1-8.el7_9.i686.rpm
librepo-debuginfo-1.8.1-8.el7_9.x86_64.rpm
librepo-devel-1.8.1-8.el7_9.i686.rpm
librepo-devel-1.8.1-8.el7_9.x86_64.rpm
python-librepo-1.8.1-8.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
librepo-1.8.1-8.el7_9.src.rpm

ppc64:
librepo-1.8.1-8.el7_9.ppc.rpm
librepo-1.8.1-8.el7_9.ppc64.rpm
librepo-debuginfo-1.8.1-8.el7_9.ppc.rpm
librepo-debuginfo-1.8.1-8.el7_9.ppc64.rpm

ppc64le:
librepo-1.8.1-8.el7_9.ppc64le.rpm
librepo-debuginfo-1.8.1-8.el7_9.ppc64le.rpm

s390x:
librepo-1.8.1-8.el7_9.s390.rpm
librepo-1.8.1-8.el7_9.s390x.rpm
librepo-debuginfo-1.8.1-8.el7_9.s390.rpm
librepo-debuginfo-1.8.1-8.el7_9.s390x.rpm

x86_64:
librepo-1.8.1-8.el7_9.i686.rpm
librepo-1.8.1-8.el7_9.x86_64.rpm
librepo-debuginfo-1.8.1-8.el7_9.i686.rpm
librepo-debuginfo-1.8.1-8.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
librepo-debuginfo-1.8.1-8.el7_9.ppc.rpm
librepo-debuginfo-1.8.1-8.el7_9.ppc64.rpm
librepo-devel-1.8.1-8.el7_9.ppc.rpm
librepo-devel-1.8.1-8.el7_9.ppc64.rpm
python-librepo-1.8.1-8.el7_9.ppc64.rpm

ppc64le:
librepo-debuginfo-1.8.1-8.el7_9.ppc64le.rpm
librepo-devel-1.8.1-8.el7_9.ppc64le.rpm
python-librepo-1.8.1-8.el7_9.ppc64le.rpm

s390x:
librepo-debuginfo-1.8.1-8.el7_9.s390.rpm
librepo-debuginfo-1.8.1-8.el7_9.s390x.rpm
librepo-devel-1.8.1-8.el7_9.s390.rpm
librepo-devel-1.8.1-8.el7_9.s390x.rpm
python-librepo-1.8.1-8.el7_9.s390x.rpm

x86_64:
librepo-debuginfo-1.8.1-8.el7_9.i686.rpm
librepo-debuginfo-1.8.1-8.el7_9.x86_64.rpm
librepo-devel-1.8.1-8.el7_9.i686.rpm
librepo-devel-1.8.1-8.el7_9.x86_64.rpm
python-librepo-1.8.1-8.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
librepo-1.8.1-8.el7_9.src.rpm

x86_64:
librepo-1.8.1-8.el7_9.i686.rpm
librepo-1.8.1-8.el7_9.x86_64.rpm
librepo-debuginfo-1.8.1-8.el7_9.i686.rpm
librepo-debuginfo-1.8.1-8.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
librepo-debuginfo-1.8.1-8.el7_9.i686.rpm
librepo-debuginfo-1.8.1-8.el7_9.x86_64.rpm
librepo-devel-1.8.1-8.el7_9.i686.rpm
librepo-devel-1.8.1-8.el7_9.x86_64.rpm
python-librepo-1.8.1-8.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2020-14352
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2020 Red Hat, Inc.

Oracle issued a significant patch for its software, remedying XSS flaws and enhancing overall protection.
librepo update, Red Hat Enterprise Linux, security impact, directory traversal, package security.
LinuxSecurity.com Team

Nov 10, 2020 Red Hat

Fedora 33: Security Advisory for Livecd-Tools 2020-b40fc174b5 Update

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b40fc174b5
2020-10-27 01:20:30.718110
--------------------------------------------------------------------------------

Name        : livecd-tools
Product     : Fedora 33
Version     : 27.1
Release     : 8.fc33
URL         : https://github.com/livecd-tools/livecd-tools
Summary     : Tools for building live CDs
Description :
Tools for generating live CDs on Fedora based systems including derived distributions such as RHEL, CentOS and others. See https://fedoraproject.org/wiki/FedoraLiveCD for more details.

--------------------------------------------------------------------------------
Update Information:

createrepo_c 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
- Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
- Update to 0.54.2
- history: Fix dnf history rollback when a package was removed (RhBug:1683134)
- Add support for HY_GT, HY_LT in query nevra_strict
- Fix parsing empty lines in config files
- Accept '==' as an operator in reldeps (RhBug:1847946)
- Add log file level main config option (RhBug:1802074)
- Add protect_running_kernel configuration option (RhBug:1698145)
- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
- Fix memory leak of resultingModuleIndex and handle g_object refs
- Redirect librepo logs to libdnf logs with different source
- Introduce changelog metadata in commit messages
- Add hy_goal_lock
- Update Copr targets for packit and use alias
- Enum/String conversions for Transaction Store/Replay
- utils: Add a method to decode URLs
- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (Rhbug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
- [needs-restarting] add kernel-rt to reboot list
- Fix debug-restore command
- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
- [debug] Use standard demands.resolving for transaction handling
- [debug] Do not remove install-only packages (RhBug:1844533)
- return error when dnf download failed
- README: Reference Fedora Weblate instead of Zanata
- [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074)
- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
- Update Cmake to pull translations from weblate
- Drop Python 2 support
- README: Add Installation, Contribution, etc
- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2

--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 8 2020 Adam Williamson - 1:27.1-8
- Backport PR #168 to fix a compatibility issue with DNF 4.4.0+

--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove
      https://bugzilla.redhat.com/show_bug.cgi?id=1683134
[ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not
      https://bugzilla.redhat.com/show_bug.cgi?id=1698145
[ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.
      https://bugzilla.redhat.com/show_bug.cgi?id=1779104
[ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information
      https://bugzilla.redhat.com/show_bug.cgi?id=1795936
[ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log
      https://bugzilla.redhat.com/show_bug.cgi?id=1802074
[ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet
      https://bugzilla.redhat.com/show_bug.cgi?id=1816308
[ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
      https://bugzilla.redhat.com/show_bug.cgi?id=1816573
[ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
      https://bugzilla.redhat.com/show_bug.cgi?id=1830530
[ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package
      https://bugzilla.redhat.com/show_bug.cgi?id=1833074
[ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting
      https://bugzilla.redhat.com/show_bug.cgi?id=1843280
[ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.
      https://bugzilla.redhat.com/show_bug.cgi?id=1844533
[ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution
      https://bugzilla.redhat.com/show_bug.cgi?id=1845562
[ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded
      https://bugzilla.redhat.com/show_bug.cgi?id=1845800
[ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order
      https://bugzilla.redhat.com/show_bug.cgi?id=1846692
[ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3
      https://bugzilla.redhat.com/show_bug.cgi?id=1847946
[ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
      https://bugzilla.redhat.com/show_bug.cgi?id=1848161
[ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented
      https://bugzilla.redhat.com/show_bug.cgi?id=1848615
[ 18 ] Bug #1851841 - zchunk issue with packagekit
      https://bugzilla.redhat.com/show_bug.cgi?id=1851841
[ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs
      https://bugzilla.redhat.com/show_bug.cgi?id=1859689
[ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34
      https://bugzilla.redhat.com/show_bug.cgi?id=1860408
[ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot
      https://bugzilla.redhat.com/show_bug.cgi?id=1863006
[ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1868639
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-b40fc174b5' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Alert: Fedora 33 livecd-tools has received an update featuring critical bug fixes and improvements across essential utilities. Explore the latest modifications and enhancements.
livecd-tools, dnf, Fedora Update, librepo, createrepo_c.
Severity: Important. LinuxSecurity.com Team

Oct 26, 2020 Important Fedora

Fedora 33: Update Notification FEDORA-2020-b40fc174b5 - librepo 1.12.1

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b40fc174b5
2020-10-27 01:20:30.718110
--------------------------------------------------------------------------------

Name        : librepo
Product     : Fedora 33
Version     : 1.12.1
Release     : 1.fc33
URL         : https://github.com/rpm-software-management/librepo
Summary     : Repodata downloading library
Description :
A library providing C and Python (libcURL like) API to downloading repository metadata.

--------------------------------------------------------------------------------
Update Information:

createrepo_c 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
- Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
- Update to 0.54.2
- history: Fix dnf history rollback when a package was removed (RhBug:1683134)
- Add support for HY_GT, HY_LT in query nevra_strict
- Fix parsing empty lines in config files
- Accept '==' as an operator in reldeps (RhBug:1847946)
- Add log file level main config option (RhBug:1802074)
- Add protect_running_kernel configuration option (RhBug:1698145)
- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
- Fix memory leak of resultingModuleIndex and handle g_object refs
- Redirect librepo logs to libdnf logs with different source
- Introduce changelog metadata in commit messages
- Add hy_goal_lock
- Update Copr targets for packit and use alias
- Enum/String conversions for Transaction Store/Replay
- utils: Add a method to decode URLs
- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (Rhbug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
- [needs-restarting] add kernel-rt to reboot list
- Fix debug-restore command
- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
- [debug] Use standard demands.resolving for transaction handling
- [debug] Do not remove install-only packages (RhBug:1844533)
- return error when dnf download failed
- README: Reference Fedora Weblate instead of Zanata
- [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074)
- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
- Update Cmake to pull translations from weblate
- Drop Python 2 support
- README: Add Installation, Contribution, etc
- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2

--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 7 2020 Nicola Sella - 1.12.1-1
* Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove
      https://bugzilla.redhat.com/show_bug.cgi?id=1683134
[ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not
      https://bugzilla.redhat.com/show_bug.cgi?id=1698145
[ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.
      https://bugzilla.redhat.com/show_bug.cgi?id=1779104
[ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information
      https://bugzilla.redhat.com/show_bug.cgi?id=1795936
[ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log
      https://bugzilla.redhat.com/show_bug.cgi?id=1802074
[ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet
      https://bugzilla.redhat.com/show_bug.cgi?id=1816308
[ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
      https://bugzilla.redhat.com/show_bug.cgi?id=1816573
[ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
      https://bugzilla.redhat.com/show_bug.cgi?id=1830530
[ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package
      https://bugzilla.redhat.com/show_bug.cgi?id=1833074
[ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting
      https://bugzilla.redhat.com/show_bug.cgi?id=1843280
[ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.
      https://bugzilla.redhat.com/show_bug.cgi?id=1844533
[ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution
      https://bugzilla.redhat.com/show_bug.cgi?id=1845562
[ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded
      https://bugzilla.redhat.com/show_bug.cgi?id=1845800
[ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order
      https://bugzilla.redhat.com/show_bug.cgi?id=1846692
[ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3
      https://bugzilla.redhat.com/show_bug.cgi?id=1847946
[ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
      https://bugzilla.redhat.com/show_bug.cgi?id=1848161
[ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented
      https://bugzilla.redhat.com/show_bug.cgi?id=1848615
[ 18 ] Bug #1851841 - zchunk issue with packagekit
      https://bugzilla.redhat.com/show_bug.cgi?id=1851841
[ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs
      https://bugzilla.redhat.com/show_bug.cgi?id=1859689
[ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34
      https://bugzilla.redhat.com/show_bug.cgi?id=1860408
[ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot
      https://bugzilla.redhat.com/show_bug.cgi?id=1863006
[ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1868639
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-b40fc174b5' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Keep informed about the latest improvements in Fedora 33's Librepo version 1.12.1, focusing on key corrections for End of Life challenges and the handling of metadata.
Librepo Upgrade, Fedora 33 Update, DNF Improvements, System Security Fixes.
Severity: Critical. LinuxSecurity.com Team

Oct 26, 2020 Critical Fedora

Fedora 33 Update: Createrepo_C 0.16.1 Security Advisory for Users

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b40fc174b5
2020-10-27 01:20:30.718110
--------------------------------------------------------------------------------

Name        : createrepo_c
Product     : Fedora 33
Version     : 0.16.1
Release     : 1.fc33
URL         : https://github.com/rpm-software-management/createrepo_c
Summary     : Creates a common metadata repository
Description :
C implementation of Createrepo. A set of utilities (createrepo_c, mergerepo_c,
modifyrepo_c) for generating a common metadata repository from a directory of
rpm packages and maintaining it.

--------------------------------------------------------------------------------
Update Information:

createrepo_c 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
- Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
- Update to 0.54.2
- history: Fix dnf history rollback when a package was removed (RhBug:1683134)
- Add support for HY_GT, HY_LT in query nevra_strict
- Fix parsing empty lines in config files
- Accept '==' as an operator in reldeps (RhBug:1847946)
- Add log file level main config option (RhBug:1802074)
- Add protect_running_kernel configuration option (RhBug:1698145)
- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
- Fix memory leak of resultingModuleIndex and handle g_object refs
- Redirect librepo logs to libdnf logs with different source
- Introduce changelog metadata in commit messages
- Add hy_goal_lock
- Update Copr targets for packit and use alias
- Enum/String conversions for Transaction Store/Replay
- utils: Add a method to decode URLs
- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (RhBug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
- [needs-restarting] add kernel-rt to reboot list
- Fix debug-restore command
- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
- [debug] Use standard demands.resolving for transaction handling
- [debug] Do not remove install-only packages (RhBug:1844533)
- return error when dnf download failed
- README: Reference Fedora Weblate instead of Zanata
- [reposync] Add latest NEVRAs per stream to download (RhBug:1833074)
- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
- Update Cmake to pull translations from weblate
- Drop Python 2 support
- README: Add Installation, Contribution, etc
- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2

--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 6 2020 Nicola Sella - 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove
      https://bugzilla.redhat.com/show_bug.cgi?id=1683134
[ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not
      https://bugzilla.redhat.com/show_bug.cgi?id=1698145
[ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.
      https://bugzilla.redhat.com/show_bug.cgi?id=1779104
[ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information
      https://bugzilla.redhat.com/show_bug.cgi?id=1795936
[ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log
      https://bugzilla.redhat.com/show_bug.cgi?id=1802074
[ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet
      https://bugzilla.redhat.com/show_bug.cgi?id=1816308
[ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
      https://bugzilla.redhat.com/show_bug.cgi?id=1816573
[ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
      https://bugzilla.redhat.com/show_bug.cgi?id=1830530
[ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package
      https://bugzilla.redhat.com/show_bug.cgi?id=1833074
[ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting
      https://bugzilla.redhat.com/show_bug.cgi?id=1843280
[ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.
      https://bugzilla.redhat.com/show_bug.cgi?id=1844533
[ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution
      https://bugzilla.redhat.com/show_bug.cgi?id=1845562
[ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded
      https://bugzilla.redhat.com/show_bug.cgi?id=1845800
[ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order
      https://bugzilla.redhat.com/show_bug.cgi?id=1846692
[ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3
      https://bugzilla.redhat.com/show_bug.cgi?id=1847946
[ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
      https://bugzilla.redhat.com/show_bug.cgi?id=1848161
[ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented
      https://bugzilla.redhat.com/show_bug.cgi?id=1848615
[ 18 ] Bug #1851841 - zchunk issue with packagekit
      https://bugzilla.redhat.com/show_bug.cgi?id=1851841
[ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs
      https://bugzilla.redhat.com/show_bug.cgi?id=1859689
[ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34
      https://bugzilla.redhat.com/show_bug.cgi?id=1860408
[ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot
      https://bugzilla.redhat.com/show_bug.cgi?id=1863006
[ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1868639
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b40fc174b5' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
package-announce mailing list
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

Explore the Fedora 33 security advisory covering critical updates for createrepo_c, librepo, and libdnf packages. createrepo_c, librepo, libdnf, Fedora package update. Severity: Critical. LinuxSecurity.com Team

Oct 26, 2020 Critical Fedora