
Security vulnerability in the librepo software library

——————————————————————————–
Fedora Update Notification
FEDORA-2020-7906a64449
2020-10-18 15:47:50.624333
——————————————————————————–

Name : librepo
Product : Fedora 31
Version : 1.12.1
Release : 1.fc31
URL : https://protect2.fireeye.com/v1/url?k=7ad15e54-26c3ea50-7ad6c398-000babd90757-9eb4844c4da77214&q=1&e=71cbcff4-11c3-4c1d-91d4-d91256474fb6&u=https%3A%2F%2Fgithub.com%2Frpm-software-management%2Flibrepo
Summary : Repodata downloading library
Description :
A library providing a C and Python (libcURL-like) API for downloading repository
metadata.

——————————————————————————–
Update Information:

– Update to 1.12.1 – Validate path read from repomd.xml (RhBug:1868639)
——————————————————————————–
ChangeLog:

* Wed Oct 7 2020 Nicola Sella <nsella@redhat.com> – 1.12.1-1
* Update to 1.12.1
– Validate path read from repomd.xml (RhBug:1868639)
——————————————————————————–
References:

[ 1 ] Bug #1868639 – CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1868639
——————————————————————————–
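The CVE-2020-14352 reference above describes missing validation of the path taken from repomd.xml before it is used as a download destination. The following C check is an added illustration, not librepo's own code: it rejects location hrefs that could escape the destination directory (absolute paths, URL-like strings, backslashes, empty, "." or ".." segments) before the path is joined with the cache directory; the function names and the /var/cache/repo sample directory are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 when a <location href="..."> value taken from repomd.xml is a plain
 * relative path that cannot leave the download directory, 0 otherwise. Rejected:
 * NULL/empty, absolute ("/..."), URL-like ("scheme://"), backslashes, "." / "..". */
int repomd_href_is_safe(const char *href)
{
    if (href == NULL || href[0] == '\0' || href[0] == '/')
        return 0;
    if (strstr(href, "://") != NULL || strchr(href, '\\') != NULL)
        return 0;
    const char *seg = href;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0)                                   /* "a//b" or "a/" */
            return 0;
        if (seg[0] == '.' && (len == 1 || (len == 2 && seg[1] == '.')))
            return 0;                                   /* "." or ".." */
        if (end == NULL)
            return 1;
        seg = end + 1;
    }
}

/* Join destdir and href into out ("<destdir>/<href>"). Returns 0 on success,
 * -1 when href fails validation or the result would not fit in out. */
int repomd_build_dest_path(const char *destdir, const char *href,
                           char *out, size_t outlen)
{
    if (!repomd_href_is_safe(href))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", destdir, href);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{   /* constructed sample hrefs; /var/cache/repo is an assumed cache directory */
    const char *hrefs[] = { "repodata/primary.xml.gz", "../outside.xml", "/abs/file.xml" };
    char path[256];
    for (size_t i = 0; i < 3; i++) {
        int rc = repomd_build_dest_path("/var/cache/repo", hrefs[i], path, sizeof path);
        printf("%-24s -> %s\n", hrefs[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```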

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-7906a64449' at the command
line. For more information, refer to the dnf documentation available at
https://protect2.fireeye.com/v1/url?k=bc4891a6-e05a25a2-bc4f0c6a-000babd90757-8748c034e58bcac6&q=1&e=71cbcff4-11c3-4c1d-91d4-d91256474fb6&u=http%3A%2F%2Fdnf.readthedocs.io%2Fen%2Flatest%2Fcommand_ref.html%23upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2020-5d9f0ce2b3
2020-10-18 15:48:50.062311
——————————————————————————–

Name : librepo
Product : Fedora 32
Version : 1.12.1
Release : 1.fc32
URL : https://protect2.fireeye.com/v1/url?k=c068a56e-9c7a116a-c06f38a2-000babd90757-c27537a618b75bbd&q=1&e=01f444a8-d799-4e53-b092-8f7f308b19df&u=https%3A%2F%2Fgithub.com%2Frpm-software-management%2Flibrepo
Summary : Repodata downloading library
Description :
A library providing a C and Python (libcURL-like) API for downloading repository
metadata.

——————————————————————————–
Update Information:

createrepo_c 0.16.1
– Update to 0.16.1
– Add the section number to the manual pages
– Parse xml snippet in smaller parts (RhBug:1859689)
– Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
– Update to 1.12.1
– Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
– Update to 0.54.2
– history: Fix dnf history rollback when a package was removed (RhBug:1683134)
– Add support for HY_GT, HY_LT in query nevra_strict
– Fix parsing empty lines in config files
– Accept '==' as an operator in reldeps (RhBug:1847946)
– Add log file level main config option (RhBug:1802074)
– Add protect_running_kernel configuration option (RhBug:1698145)
– Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
– Fix memory leak of resultingModuleIndex and handle g_object refs
– Redirect librepo logs to libdnf logs with different source
– Introduce changelog metadata in commit messages
– Add hy_goal_lock
– Update Copr targets for packit and use alias
– Enum/String conversions for Transaction Store/Replay
– utils: Add a method to decode URLs
– Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
– Update to 4.4.0
– Handle empty comps group name (RhBug:1826198)
– Remove dead history info code (RhBug:1845800)
– Improve command emitter in dnf-automatic
– Enhance --querytags and --qf help output
– [history] add option --reverse to history list (RhBug:1846692)
– Add logfilelevel configuration (RhBug:1802074)
– Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
– Mention the date/time that updates were applied
– [dnf-automatic] Wait for internet connection (RhBug:1816308)
– [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
– Add librepo logger for handling messages from librepo (RhBug:1816573)
– [doc] Add package-name-spec to the list of possible specs
– [doc] Do not use <package-nevr-spec>
– [doc] Add section to explain -n, -na and -nevra suffixes
– Add alias 'ls' for list command
– README: Reference Fedora Weblate instead of Zanata
– remove log_lock.pid after reboot (RhBug:1863006)
– comps: Raise CompsError when removing a non-existent group
– Add methods for working with comps to RPMTransactionItemWrapper
– Implement storing and replaying a transaction
– Log failure to access last makecache time as warning
– [doc] Document Substitutions class
– Don't document removed attribute "reports" for get_best_selector
– Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
– [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
– [needs-restarting] add kernel-rt to reboot list
– Fix debug-restore command
– [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
– [debug] Use standard demands.resolving for transaction handling
– [debug] Do not remove install-only packages (RhBug:1844533)
– return error when dnf download failed
– README: Reference Fedora Weblate instead of Zanata
– [reposync] Add latest NEVRAs per stream to download (RhBug:1833074)
– copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
– Update Cmake to pull translations from weblate
– Drop Python 2 support
– README: Add Installation, Contribution, etc.
– Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
– [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
– Fix compatibility with dnf 4.4.0 / libdnf 0.54.2
——————————————————————————–
ChangeLog:

* Wed Oct 7 2020 Nicola Sella <nsella@redhat.com> – 1.12.1-1
* Update to 1.12.1
– Validate path read from repomd.xml (RhBug:1868639)
——————————————————————————–
References:

[ 1 ] Bug #1683134 – dnf rollback works strange after upgrade/downgrade/remove
https://bugzilla.redhat.com/show_bug.cgi?id=1683134
[ 2 ] Bug #1698145 – dnf protects certain packages in container, when it should not
https://bugzilla.redhat.com/show_bug.cgi?id=1698145
[ 3 ] Bug #1779104 – PackageKit: loading of MD_TYPE_PRIMARY has failed.
https://bugzilla.redhat.com/show_bug.cgi?id=1779104
[ 4 ] Bug #1795936 – [RFE] createrepo_c should be able to handle modules information
https://bugzilla.redhat.com/show_bug.cgi?id=1795936
[ 5 ] Bug #1802074 – Excessive and non configurable logging in /var/log/dnf.log
https://bugzilla.redhat.com/show_bug.cgi?id=1802074
[ 6 ] Bug #1816308 – dnf-automatic.timer runs before the computer can connect to the internet
https://bugzilla.redhat.com/show_bug.cgi?id=1816308
[ 7 ] Bug #1816573 – [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
https://bugzilla.redhat.com/show_bug.cgi?id=1816573
[ 8 ] Bug #1830530 – request to re-introduce functionality – dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
https://bugzilla.redhat.com/show_bug.cgi?id=1830530
[ 9 ] Bug #1833074 – reposync --newest-only does not download the latest package
https://bugzilla.redhat.com/show_bug.cgi?id=1833074
[ 10 ] Bug #1843280 – Discrepancies in permission related problems not/reporting
https://bugzilla.redhat.com/show_bug.cgi?id=1843280
[ 11 ] Bug #1844533 – yum debug-restore removes all but one kernel even though the dump has multiple kernels.
https://bugzilla.redhat.com/show_bug.cgi?id=1844533
[ 12 ] Bug #1845562 – system-upgrade plugin should do “dnf group upgrade” as part of transaction solution
https://bugzilla.redhat.com/show_bug.cgi?id=1845562
[ 13 ] Bug #1845800 – History info tracebacks when group is upgraded/downgraded
https://bugzilla.redhat.com/show_bug.cgi?id=1845800
[ 14 ] Bug #1846692 – dnf should offer a ‘history list’ in reverse order
https://bugzilla.redhat.com/show_bug.cgi?id=1846692
[ 15 ] Bug #1847946 – libdnf behavior has changed unexpectedly in 8.3
https://bugzilla.redhat.com/show_bug.cgi?id=1847946
[ 16 ] Bug #1848161 – Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
https://bugzilla.redhat.com/show_bug.cgi?id=1848161
[ 17 ] Bug #1848615 – dnf numeric variable substitutions are undocumented
https://bugzilla.redhat.com/show_bug.cgi?id=1848615
[ 18 ] Bug #1851841 – zchunk issue with packagekit
https://bugzilla.redhat.com/show_bug.cgi?id=1851841
[ 19 ] Bug #1859689 – cr_xml_parser_generic_from_string fails on large inputs
https://bugzilla.redhat.com/show_bug.cgi?id=1859689
[ 20 ] Bug #1860408 – Perform “dnf mark install fedora-repos-modular”-like action on upgrades to Fedora 33/34
https://bugzilla.redhat.com/show_bug.cgi?id=1860408
[ 21 ] Bug #1863006 – log_lock.pid file remain after system reboot
https://bugzilla.redhat.com/show_bug.cgi?id=1863006
[ 22 ] Bug #1868639 – CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1868639
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command
line. For more information, refer to the dnf documentation available at
https://protect2.fireeye.com/v1/url?k=36bf41cb-6aadf5cf-36b8dc07-000babd90757-00c6b3a4d3ce4c58&q=1&e=01f444a8-d799-4e53-b092-8f7f308b19df&u=http%3A%2F%2Fdnf.readthedocs.io%2Fen%2Flatest%2Fcommand_ref.html%23upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
