Update to 1.12.8 * Fix CVE-2023-28100 and CVE-2023-28101.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-9fbc701e0d
2023-04-02 01:33:23.803349
--------------------------------------------------------------------------------

Name        : flatpak
Product     : Fedora 36
Version     : 1.12.8
Release     : 1.fc36
URL         : https://flatpak.org/
Summary     : Application deployment framework for desktop apps
Description :
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.

--------------------------------------------------------------------------------
Update Information:

Update to 1.12.8
* Fix CVE-2023-28100 and CVE-2023-28101
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 17 2023 David King - 1.12.8-1
- Update to 1.12.8
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2179219 - CVE-2023-28101 flatpak: Metadata with ANSI control codes can cause misleading terminal output
        https://bugzilla.redhat.com/show_bug.cgi?id=2179219
  [ 2 ] Bug #2179220 - CVE-2023-28100 flatpak: TIOCLINUX can send commands outside sandbox if running on a virtual console
        https://bugzilla.redhat.com/show_bug.cgi?id=2179220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-9fbc701e0d' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list

Update to 1.14.4 * Fix CVE-2023-28100 and CVE-2023-28101.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-b0717d8c45
2023-03-24 01:54:14.782435
--------------------------------------------------------------------------------

Name        : flatpak
Product     : Fedora 37
Version     : 1.14.4
Release     : 1.fc37
URL         : https://flatpak.org/
Summary     : Application deployment framework for desktop apps
Description :
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.

--------------------------------------------------------------------------------
Update Information:

Update to 1.14.4
* Fix CVE-2023-28100 and CVE-2023-28101
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 17 2023 David King - 1.14.4-1
- Update to 1.14.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2179219 - CVE-2023-28101 flatpak: Metadata with ANSI control codes can cause misleading terminal output
        https://bugzilla.redhat.com/show_bug.cgi?id=2179219
  [ 2 ] Bug #2179220 - CVE-2023-28100 flatpak: TIOCLINUX can send commands outside sandbox if running on a virtual console
        https://bugzilla.redhat.com/show_bug.cgi?id=2179220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-b0717d8c45' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

ImageMagick is updated 6.9.12.28, soname bump, many security fixes ---- Add scraper2vdr_serienposter_statt_banner.diff.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-df1fa3d3e0
2021-11-12 00:37:35.342541
--------------------------------------------------------------------------------

Name        : vdr-scraper2vdr
Product     : Fedora 35
Version     : 1.0.11
Release     : 14.20190128gitd9f6cb4.fc35.1
URL         : https://github.com/horchi/scraper2vdr
Summary     : A client plugin which provides scraped metadata from EPGD to other plugins
Description :
Scraper2vdr acts as client and provides scraped metadata for tvshows and
movies from epgd to other plugins via its service interface. The plugin
cares about caching the images locally and also cleans up the images if
no longer needed.

epgd itself uses the thetvdb.com API for collecting series metadata and
themoviedb.org API for movies. Check the websites of both services for
the terms of use.

--------------------------------------------------------------------------------
Update Information:

ImageMagick is updated 6.9.12.28, soname bump, many security fixes
----
Add scraper2vdr_serienposter_statt_banner.diff
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 3 2021 Mamoru TASAKA - 1.0.11-14.20190128gitd9f6cb4.1
- rebuild for new ImageMagick
* Fri Oct 29 2021 Martin Gansser - 1.0.11-14.20190128gitd9f6cb4
- Add scraper2vdr_serienposter_statt_banner.diff
* Sat Oct 16 2021 Martin Gansser - 1.0.11-13.20190128gitd9f6cb4
- Rebuilt due FTI in rawhide
* Tue Sep 14 2021 Sahana Prasad - 1.0.11-12.20190128gitd9f6cb4
- Rebuilt with OpenSSL 3.0.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-df1fa3d3e0' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b40fc174b5
2020-10-27 01:20:30.718110
--------------------------------------------------------------------------------

Name        : librepo
Product     : Fedora 33
Version     : 1.12.1
Release     : 1.fc33
URL         : https://github.com/rpm-software-management/librepo
Summary     : Repodata downloading library
Description :
A library providing C and Python (libcURL like) API to downloading repository
metadata.

--------------------------------------------------------------------------------
Update Information:

createrepo_c 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
- Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
- Update to 0.54.2
- history: Fix dnf history rollback when a package was removed (RhBug:1683134)
- Add support for HY_GT, HY_LT in query nevra_strict
- Fix parsing empty lines in config files
- Accept '==' as an operator in reldeps (RhBug:1847946)
- Add log file level main config option (RhBug:1802074)
- Add protect_running_kernel configuration option (RhBug:1698145)
- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
- Fix memory leak of resultingModuleIndex and handle g_object refs
- Redirect librepo logs to libdnf logs with different source
- Introduce changelog metadata in commit messages
- Add hy_goal_lock
- Update Copr targets for packit and use alias
- Enum/String conversions for Transaction Store/Replay
- utils: Add a method to decode URLs
- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (Rhbug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
- [needs-restarting] add kernel-rt to reboot list
- Fix debug-restore command
- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
- [debug] Use standard demands.resolving for transaction handling
- [debug] Do not remove install-only packages (RhBug:1844533)
- return error when dnf download failed
- README: Reference Fedora Weblate instead of Zanata
- [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074)
- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
- Update Cmake to pull translations from weblate
- Drop Python 2 support
- README: Add Installation, Contribution, etc
- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 7 2020 Nicola Sella - 1.12.1-1
* Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove
        https://bugzilla.redhat.com/show_bug.cgi?id=1683134
  [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not
        https://bugzilla.redhat.com/show_bug.cgi?id=1698145
  [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.
        https://bugzilla.redhat.com/show_bug.cgi?id=1779104
  [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information
        https://bugzilla.redhat.com/show_bug.cgi?id=1795936
  [ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log
        https://bugzilla.redhat.com/show_bug.cgi?id=1802074
  [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet
        https://bugzilla.redhat.com/show_bug.cgi?id=1816308
  [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
        https://bugzilla.redhat.com/show_bug.cgi?id=1816573
  [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
        https://bugzilla.redhat.com/show_bug.cgi?id=1830530
  [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package
        https://bugzilla.redhat.com/show_bug.cgi?id=1833074
  [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting
        https://bugzilla.redhat.com/show_bug.cgi?id=1843280
  [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.
        https://bugzilla.redhat.com/show_bug.cgi?id=1844533
  [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution
        https://bugzilla.redhat.com/show_bug.cgi?id=1845562
  [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded
        https://bugzilla.redhat.com/show_bug.cgi?id=1845800
  [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order
        https://bugzilla.redhat.com/show_bug.cgi?id=1846692
  [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3
        https://bugzilla.redhat.com/show_bug.cgi?id=1847946
  [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
        https://bugzilla.redhat.com/show_bug.cgi?id=1848161
  [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented
        https://bugzilla.redhat.com/show_bug.cgi?id=1848615
  [ 18 ] Bug #1851841 - zchunk issue with packagekit
        https://bugzilla.redhat.com/show_bug.cgi?id=1851841
  [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs
        https://bugzilla.redhat.com/show_bug.cgi?id=1859689
  [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34
        https://bugzilla.redhat.com/show_bug.cgi?id=1860408
  [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot
        https://bugzilla.redhat.com/show_bug.cgi?id=1863006
  [ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1868639
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b40fc174b5' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-5d9f0ce2b3
2020-10-18 15:48:50.062311
--------------------------------------------------------------------------------

Name        : librepo
Product     : Fedora 32
Version     : 1.12.1
Release     : 1.fc32
URL         : https://github.com/rpm-software-management/librepo
Summary     : Repodata downloading library
Description :
A library providing C and Python (libcURL like) API to downloading repository
metadata.

--------------------------------------------------------------------------------
Update Information:

createrepo_c 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
- Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
- Update to 0.54.2
- history: Fix dnf history rollback when a package was removed (RhBug:1683134)
- Add support for HY_GT, HY_LT in query nevra_strict
- Fix parsing empty lines in config files
- Accept '==' as an operator in reldeps (RhBug:1847946)
- Add log file level main config option (RhBug:1802074)
- Add protect_running_kernel configuration option (RhBug:1698145)
- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
- Fix memory leak of resultingModuleIndex and handle g_object refs
- Redirect librepo logs to libdnf logs with different source
- Introduce changelog metadata in commit messages
- Add hy_goal_lock
- Update Copr targets for packit and use alias
- Enum/String conversions for Transaction Store/Replay
- utils: Add a method to decode URLs
- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (Rhbug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
- [needs-restarting] add kernel-rt to reboot list
- Fix debug-restore command
- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
- [debug] Use standard demands.resolving for transaction handling
- [debug] Do not remove install-only packages (RhBug:1844533)
- return error when dnf download failed
- README: Reference Fedora Weblate instead of Zanata
- [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074)
- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
- Update Cmake to pull translations from weblate
- Drop Python 2 support
- README: Add Installation, Contribution, etc
- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 7 2020 Nicola Sella - 1.12.1-1
* Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove
        https://bugzilla.redhat.com/show_bug.cgi?id=1683134
  [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not
        https://bugzilla.redhat.com/show_bug.cgi?id=1698145
  [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.
        https://bugzilla.redhat.com/show_bug.cgi?id=1779104
  [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information
        https://bugzilla.redhat.com/show_bug.cgi?id=1795936
  [ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log
        https://bugzilla.redhat.com/show_bug.cgi?id=1802074
  [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet
        https://bugzilla.redhat.com/show_bug.cgi?id=1816308
  [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
        https://bugzilla.redhat.com/show_bug.cgi?id=1816573
  [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
        https://bugzilla.redhat.com/show_bug.cgi?id=1830530
  [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package
        https://bugzilla.redhat.com/show_bug.cgi?id=1833074
  [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting
        https://bugzilla.redhat.com/show_bug.cgi?id=1843280
  [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.
        https://bugzilla.redhat.com/show_bug.cgi?id=1844533
  [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution
        https://bugzilla.redhat.com/show_bug.cgi?id=1845562
  [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded
        https://bugzilla.redhat.com/show_bug.cgi?id=1845800
  [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order
        https://bugzilla.redhat.com/show_bug.cgi?id=1846692
  [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3
        https://bugzilla.redhat.com/show_bug.cgi?id=1847946
  [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
        https://bugzilla.redhat.com/show_bug.cgi?id=1848161
  [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented
        https://bugzilla.redhat.com/show_bug.cgi?id=1848615
  [ 18 ] Bug #1851841 - zchunk issue with packagekit
        https://bugzilla.redhat.com/show_bug.cgi?id=1851841
  [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs
        https://bugzilla.redhat.com/show_bug.cgi?id=1859689
  [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34
        https://bugzilla.redhat.com/show_bug.cgi?id=1860408
  [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot
        https://bugzilla.redhat.com/show_bug.cgi?id=1863006
  [ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1868639
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 - Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to 0.54.2 - history: Fix dnf history rollback when a package was removed.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-5d9f0ce2b3
2020-10-18 15:48:50.062311
--------------------------------------------------------------------------------

Name        : createrepo_c
Product     : Fedora 32
Version     : 0.16.1
Release     : 2.fc32
URL         : https://github.com/rpm-software-management/createrepo_c
Summary     : Creates a common metadata repository
Description :
C implementation of Createrepo.
A set of utilities (createrepo_c, mergerepo_c, modifyrepo_c)
for generating a common metadata repository from a directory of
rpm packages and maintaining it.

--------------------------------------------------------------------------------
Update Information:

createrepo_c 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
- Update to 1.12.1
- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
- Update to 0.54.2
- history: Fix dnf history rollback when a package was removed (RhBug:1683134)
- Add support for HY_GT, HY_LT in query nevra_strict
- Fix parsing empty lines in config files
- Accept '==' as an operator in reldeps (RhBug:1847946)
- Add log file level main config option (RhBug:1802074)
- Add protect_running_kernel configuration option (RhBug:1698145)
- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
- Fix memory leak of resultingModuleIndex and handle g_object refs
- Redirect librepo logs to libdnf logs with different source
- Introduce changelog metadata in commit messages
- Add hy_goal_lock
- Update Copr targets for packit and use alias
- Enum/String conversions for Transaction Store/Replay
- utils: Add a method to decode URLs
- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
- Update to 4.4.0
- Handle empty comps group name (RhBug:1826198)
- Remove dead history info code (RhBug:1845800)
- Improve command emitter in dnf-automatic
- Enhance --querytags and --qf help output
- [history] add option --reverse to history list (RhBug:1846692)
- Add logfilelevel configuration (RhBug:1802074)
- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
- Mention the date/time that updates were applied
- [dnf-automatic] Wait for internet connection (RhBug:1816308)
- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
- Add librepo logger for handling messages from librepo (RhBug:1816573)
- [doc] Add package-name-spec to the list of possible specs
- [doc] Do not use
- [doc] Add section to explain -n, -na and -nevra suffixes
- Add alias 'ls' for list command
- README: Reference Fedora Weblate instead of Zanata
- remove log_lock.pid after reboot (Rhbug:1863006)
- comps: Raise CompsError when removing a non-existent group
- Add methods for working with comps to RPMTransactionItemWrapper
- Implement storing and replaying a transaction
- Log failure to access last makecache time as warning
- [doc] Document Substitutions class
- Don't document removed attribute ``reports`` for get_best_selector
- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
- [needs-restarting] add kernel-rt to reboot list
- Fix debug-restore command
- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
- [debug] Use standard demands.resolving for transaction handling
- [debug] Do not remove install-only packages (RhBug:1844533)
- return error when dnf download failed
- README: Reference Fedora Weblate instead of Zanata
- [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074)
- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
- Update Cmake to pull translations from weblate
- Drop Python 2 support
- README: Add Installation, Contribution, etc
- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 6 2020 Nicola Sella - 0.16.1-2
- Update wrong source file
* Tue Oct 6 2020 Nicola Sella - 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove
        https://bugzilla.redhat.com/show_bug.cgi?id=1683134
  [ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not
        https://bugzilla.redhat.com/show_bug.cgi?id=1698145
  [ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.
        https://bugzilla.redhat.com/show_bug.cgi?id=1779104
  [ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information
        https://bugzilla.redhat.com/show_bug.cgi?id=1795936
  [ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log
        https://bugzilla.redhat.com/show_bug.cgi?id=1802074
  [ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet
        https://bugzilla.redhat.com/show_bug.cgi?id=1816308
  [ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
        https://bugzilla.redhat.com/show_bug.cgi?id=1816573
  [ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
        https://bugzilla.redhat.com/show_bug.cgi?id=1830530
  [ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package
        https://bugzilla.redhat.com/show_bug.cgi?id=1833074
  [ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting
        https://bugzilla.redhat.com/show_bug.cgi?id=1843280
  [ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.
        https://bugzilla.redhat.com/show_bug.cgi?id=1844533
  [ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution
        https://bugzilla.redhat.com/show_bug.cgi?id=1845562
  [ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded
        https://bugzilla.redhat.com/show_bug.cgi?id=1845800
  [ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order
        https://bugzilla.redhat.com/show_bug.cgi?id=1846692
  [ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3
        https://bugzilla.redhat.com/show_bug.cgi?id=1847946
  [ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
        https://bugzilla.redhat.com/show_bug.cgi?id=1848161
  [ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented
        https://bugzilla.redhat.com/show_bug.cgi?id=1848615
  [ 18 ] Bug #1851841 - zchunk issue with packagekit
        https://bugzilla.redhat.com/show_bug.cgi?id=1851841
  [ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs
        https://bugzilla.redhat.com/show_bug.cgi?id=1859689
  [ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34
        https://bugzilla.redhat.com/show_bug.cgi?id=1860408
  [ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot
        https://bugzilla.redhat.com/show_bug.cgi?id=1863006
  [ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1868639
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Hartmut Goebel discovered that MAT, a toolkit to anonymise/remove metadata from files, did not remove metadata from images embedded in PDF documents.

Debian Security Advisory DSA-3708-1

An information leak in mod_authz_svn could allow sensitive metadata of protected areas to be leaked to unauthorized users.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200409-35
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Subversion: Metadata information leak
      Date: September 29, 2004
      Bugs: #65085
        ID: 200409-35

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An information leak in mod_authz_svn could allow sensitive metadata of
protected areas to be leaked to unauthorized users.

Background
==========

Subversion is a versioning system designed to be a replacement for CVS.
mod_authz_svn is an Apache module to do path-based authentication for
Subversion repositories.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-util/subversion      < 1.0.8                         >= 1.0.8

Description
===========

There is a bug in mod_authz_svn that causes it to reveal logged metadata
regarding commits to protected areas.

Impact
======

Protected files themselves will not be revealed, but an attacker could
use the metadata to reveal the existence of protected areas, such as
paths, file versions, and the commit logs from those areas.

Workaround
==========

Rather than using mod_authz_svn, move protected areas into separate
repositories and use native Apache authentication to make these
repositories unreadable.

Resolution
==========

All Subversion users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=dev-util/subversion-1.0.8"
    # emerge ">=dev-util/subversion-1.0.8"

References
==========

  [ 1 ] CAN-2004-0749
        https://www.cve.org/CVERecord?id=CAN-2004-0749
  [ 2 ] Subversion Advisory

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/200409-35

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to