
Security vulnerability in the createrepo software package

——————————————————————————–
Fedora Update Notification
FEDORA-2020-5d9f0ce2b3
2020-10-18 15:48:50.062311
——————————————————————————–

Name : createrepo_c
Product : Fedora 32
Version : 0.16.1
Release : 2.fc32
URL : https://github.com/rpm-software-management/createrepo_c
Summary : Creates a common metadata repository
Description :
C implementation of Createrepo.
A set of utilities (createrepo_c, mergerepo_c, modifyrepo_c)
for generating a common metadata repository from a directory of
rpm packages and maintaining it.

——————————————————————————–
Update Information:

createrepo_c 0.16.1
– Update to 0.16.1
– Add the section number to the manual pages
– Parse xml snippet in smaller parts (RhBug:1859689)
– Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1
– Update to 1.12.1
– Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2
– Update to 0.54.2
– history: Fix dnf history rollback when a package was removed (RhBug:1683134)
– Add support for HY_GT, HY_LT in query nevra_strict
– Fix parsing empty lines in config files
– Accept '==' as an operator in reldeps (RhBug:1847946)
– Add log file level main config option (RhBug:1802074)
– Add protect_running_kernel configuration option (RhBug:1698145)
– Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)
– Fix memory leak of resultingModuleIndex and handle g_object refs
– Redirect librepo logs to libdnf logs with different source
– Introduce changelog metadata in commit messages
– Add hy_goal_lock
– Update Copr targets for packit and use alias
– Enum/String conversions for Transaction Store/Replay
– utils: Add a method to decode URLs
– Unify hawkey.log line format with the rest of the logs

dnf 4.4.0
– Update to 4.4.0
– Handle empty comps group name (RhBug:1826198)
– Remove dead history info code (RhBug:1845800)
– Improve command emitter in dnf-automatic
– Enhance --querytags and --qf help output
– [history] add option --reverse to history list (RhBug:1846692)
– Add logfilelevel configuration (RhBug:1802074)
– Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)
– Mention the date/time that updates were applied
– [dnf-automatic] Wait for internet connection (RhBug:1816308)
– [doc] Enhance repo variables documentation (RhBug:1848161,1848615)
– Add librepo logger for handling messages from librepo (RhBug:1816573)
– [doc] Add package-name-spec to the list of possible specs
– [doc] Do not use <package-nevr-spec>
– [doc] Add section to explain -n, -na and -nevra suffixes
– Add alias 'ls' for list command
– README: Reference Fedora Weblate instead of Zanata
– remove log_lock.pid after reboot(Rhbug:1863006)
– comps: Raise CompsError when removing a non-existent group
– Add methods for working with comps to RPMTransactionItemWrapper
– Implement storing and replaying a transaction
– Log failure to access last makecache time as warning
– [doc] Document Substitutions class
– Don't document removed attribute "reports" for get_best_selector
– Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18
– [needs-restarting] Fix plugin fail if needs-restarting.d does not exist
– [needs-restarting] add kernel-rt to reboot list
– Fix debug-restore command
– [config-manager] enable/disable comma separated pkgs (RhBug:1830530)
– [debug] Use standard demands.resolving for transaction handling
– [debug] Do not remove install-only packages (RhBug:1844533)
– return error when dnf download failed
– README: Reference Fedora Weblate instead of Zanata
– [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074)
– copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12
– Update Cmake to pull translations from weblate
– Drop Python 2 support
– README: Add Installation, Contribution, etc
– Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.
– [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8
– Fix compatibility with dnf 4.4.0 / libdnf 0.54.2
——————————————————————————–
ChangeLog:

* Tue Oct 6 2020 Nicola Sella <nsella@redhat.com> – 0.16.1-2
– Update wrong source file
* Tue Oct 6 2020 Nicola Sella <nsella@redhat.com> – 0.16.1
– Update to 0.16.1
– Add the section number to the manual pages
– Parse xml snippet in smaller parts (RhBug:1859689)
– Add module metadata support to createrepo_c (RhBug:1795936)
——————————————————————————–
References:

[ 1 ] Bug #1683134 – dnf rollback works strange after upgrade/downgrade/remove
https://bugzilla.redhat.com/show_bug.cgi?id=1683134
[ 2 ] Bug #1698145 – dnf protects certain packages in container, when it should not
https://bugzilla.redhat.com/show_bug.cgi?id=1698145
[ 3 ] Bug #1779104 – PackageKit: loading of MD_TYPE_PRIMARY has failed.
https://bugzilla.redhat.com/show_bug.cgi?id=1779104
[ 4 ] Bug #1795936 – [RFE] createrepo_c should be able to handle modules information
https://bugzilla.redhat.com/show_bug.cgi?id=1795936
[ 5 ] Bug #1802074 – Excessive and non configurable logging in /var/log/dnf.log
https://bugzilla.redhat.com/show_bug.cgi?id=1802074
[ 6 ] Bug #1816308 – dnf-automatic.timer runs before the computer can connect to the internet
https://bugzilla.redhat.com/show_bug.cgi?id=1816308
[ 7 ] Bug #1816573 – [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
https://bugzilla.redhat.com/show_bug.cgi?id=1816573
[ 8 ] Bug #1830530 – request to re-introduce functionality – dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
https://bugzilla.redhat.com/show_bug.cgi?id=1830530
[ 9 ] Bug #1833074 – reposync --newest-only does not download the latest package
https://bugzilla.redhat.com/show_bug.cgi?id=1833074
[ 10 ] Bug #1843280 – Discrepancies in permission related problems not/reporting
https://bugzilla.redhat.com/show_bug.cgi?id=1843280
[ 11 ] Bug #1844533 – yum debug-restore removes all but one kernel even though the dump has multiple kernels.
https://bugzilla.redhat.com/show_bug.cgi?id=1844533
[ 12 ] Bug #1845562 – system-upgrade plugin should do “dnf group upgrade” as part of transaction solution
https://bugzilla.redhat.com/show_bug.cgi?id=1845562
[ 13 ] Bug #1845800 – History info tracebacks when group is upgraded/downgraded
https://bugzilla.redhat.com/show_bug.cgi?id=1845800
[ 14 ] Bug #1846692 – dnf should offer a ‘history list’ in reverse order
https://bugzilla.redhat.com/show_bug.cgi?id=1846692
[ 15 ] Bug #1847946 – libdnf behavior has changed unexpectedly in 8.3
https://bugzilla.redhat.com/show_bug.cgi?id=1847946
[ 16 ] Bug #1848161 – Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
https://bugzilla.redhat.com/show_bug.cgi?id=1848161
[ 17 ] Bug #1848615 – dnf numeric variable substitutions are undocumented
https://bugzilla.redhat.com/show_bug.cgi?id=1848615
[ 18 ] Bug #1851841 – zchunk issue with packagekit
https://bugzilla.redhat.com/show_bug.cgi?id=1851841
[ 19 ] Bug #1859689 – cr_xml_parser_generic_from_string fails on large inputs
https://bugzilla.redhat.com/show_bug.cgi?id=1859689
[ 20 ] Bug #1860408 – Perform “dnf mark install fedora-repos-modular”-like action on upgrades to Fedora 33/34
https://bugzilla.redhat.com/show_bug.cgi?id=1860408
[ 21 ] Bug #1863006 – log_lock.pid file remain after system reboot
https://bugzilla.redhat.com/show_bug.cgi?id=1863006
[ 22 ] Bug #1868639 – CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1868639
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
