Moderate: yum security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2019-3817, CVE-2018-20534

Synopsis

Moderate: yum security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for yum is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Yum is a command-line utility that allows the user to check for updates and automatically download and install updated RPM packages. Yum automatically obtains and downloads dependencies, prompting the user for permission as necessary.

The following packages have been upgraded to a later upstream version: dnf (4.2.7), dnf-plugins-core (4.0.8), libcomps (0.1.11), libdnf (0.35.1), librepo (1.10.3), libsolv (0.7.4). (BZ#1690288, BZ#1690289, BZ#1690299, BZ#1692402, BZ#1694019, BZ#1697946)

Security Fix(es):

  • libcomps: use after free when merging two objmrtrees (CVE-2019-3817)
  • libsolv: illegal address access in pool_whatprovides in src/pool.h (CVE-2018-20534)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258
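As an added example that is not part of this advisory, the POSIX shell script below compares the versions of the six rebased packages installed on a host against the upstream versions listed in the Description, prints any that are older, and suggests the update command. The package names and versions are taken from the advisory text; the rpm query, the numeric version compare and the `yum update` invocation are illustrative assumptions, not the Red Hat procedure at the link above.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare installed package versions
# against the upstream versions this update ships and print the remediation.
# Assumes an RPM-based host; the package list and versions below are copied from
# the Description section, and `yum update <packages>` is a generic command, not
# the Red Hat procedure linked from the Solution section.

# Package=upstream-version pairs from the advisory's Description.
FIXED_VERSIONS="dnf=4.2.7 dnf-plugins-core=4.0.8 libcomps=0.1.11 libdnf=0.35.1 librepo=1.10.3 libsolv=0.7.4"

# fixed_version PKG: print the version this advisory ships for PKG; exit 1 if
# the advisory does not touch PKG.
fixed_version() {
  for entry in $FIXED_VERSIONS; do
    case $entry in "$1"=*) printf '%s\n' "${entry#*=}"; return 0 ;; esac
  done
  return 1
}

# version_older A B: exit 0 when dotted numeric version A is older than B.
# Components are compared as integers, so 0.7.4 is older than 0.35.1 (a plain
# string sort would get this wrong). Epoch and release are not considered;
# use rpmdev-vercmp for a full RPM EVR comparison.
version_older() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    # Consume the leading component; a missing component counts as 0.
    if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# check_versions: read "pkg installed-version" lines on stdin and print
# "pkg installed fixed" for each package older than the advisory's version.
# Packages the advisory does not ship are ignored; non-numeric versions are
# reported on stderr for manual review rather than compared.
check_versions() {
  while read -r pkg inst; do
    [ -n "$inst" ] || continue
    fixed=$(fixed_version "$pkg") || continue
    case $inst in
      *[!0-9.]*) printf '%s: version %s is not purely numeric, compare by hand\n' "$pkg" "$inst" >&2; continue ;;
    esac
    if version_older "$inst" "$fixed"; then
      printf '%s %s %s\n' "$pkg" "$inst" "$fixed"
    fi
  done
  return 0
}

# installed_versions: emit "pkg version" for each advisory package installed
# on this host. Emits nothing when rpm is unavailable (e.g. when run off-box).
installed_versions() {
  command -v rpm >/dev/null 2>&1 || return 0
  for entry in $FIXED_VERSIONS; do
    pkg=${entry%%=*}
    v=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null) || continue
    set -- $v                       # first line only, if several are installed
    printf '%s %s\n' "$pkg" "$1"
  done
}

outdated=$(installed_versions | check_versions)
if [ -n "$outdated" ]; then
  printf 'Packages older than this advisory ships:\n%s\n' "$outdated"
  echo 'Remediate with: yum update dnf dnf-plugins-core libcomps libdnf librepo libsolv'
else
  echo 'No advisory packages found outdated (or rpm not available on this host).'
fi
```

Run it as root on each RHEL 8 host. The compare looks only at the upstream version, so a host carrying the same upstream version in an older RPM release would not be flagged; `yum updateinfo list --security` on the host itself remains the authoritative check for pending security advisories.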

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1650266 - microdnf - sockets not supported building layer on rhel8-beta/rhel-minimal image
  • BZ - 1655605 - yum list available --showduplicates will list not only available packages but packages installed on the system.
  • BZ - 1656584 - Add support for modular errata
  • BZ - 1656801 - `dnf update`: "Errors occurred during transaction" due to POSTUN scriptlet failures
  • BZ - 1657703 - [abrt] [faf] dnf: hdrFromFdno(): /usr/lib64/python3.6/site-packages/rpm/transaction.py killed by _rpm.error
  • BZ - 1657851 - yum displays dnf in -h
  • BZ - 1658579 - Be explicite about the REPODIR used in the Error message.
  • BZ - 1663533 - proxy bypass behavior incompatible with previous versions
  • BZ - 1665538 - CVE-2018-20534 libsolv: illegal address access in pool_whatprovides in src/pool.h
  • BZ - 1666325 - yum alias list does not work properly
  • BZ - 1667898 - repoquery --whatrequires only accepts one pkgspec
  • BZ - 1668005 - CVE-2019-3817 libcomps: use after free when merging two objmrtrees
  • BZ - 1670835 - [manpage] yum2dnf incorrect and missing info
  • BZ - 1671731 - dnf list showduplicates incorrect output
  • BZ - 1671839 - dnf: Typo in es_US localization
  • BZ - 1672649 - Add dnf.package.Package API for getting pkgid of package from repo in DNF plugin
  • BZ - 1673278 - [manpage] inconsistent cmdline options docs: dnf --help/man page
  • BZ - 1673289 - dnf enableplugin/disableplugin does not report unknown plugin
  • BZ - 1673902 - missing yum-copr man page
  • BZ - 1673913 - option tsflags missing in dnf.conf
  • BZ - 1673920 - confusing yum-plugin-changelog documentation
  • BZ - 1674562 - dnf not parsing default state of comps group correctly
  • BZ - 1676418 - yum-utils manpage inconsistent with other yum compat manpages
  • BZ - 1677199 - Fail to obtain the transaction lock after change of SELinux policy type
  • BZ - 1677583 - yum-builddep tries to install content from non-active stream
  • BZ - 1677640 - The module enable/disable works unexpectedly with slow/fast train virt module
  • BZ - 1678593 - do not mention switching streams with module enable
  • BZ - 1678596 - unable to install module content into nonstandard install root
  • BZ - 1678598 - Net install caused /tmp to run out of space due to flood in dnf.librepo.log
  • BZ - 1678689 - dnf module --help refers to module_spec while man page uses module-spec
  • BZ - 1679008 - no auto completion with dnf
  • BZ - 1679509 - [libdnf] Set skip_if_unavailable=false as default behavior for software management tools
  • BZ - 1684270 - [hawkey] occasional segfault when interrupting (SIGINT) dnf process (may be caused by particular plugins in use, e.g. "leaves" ones in the past)
  • BZ - 1686645 - Remove empty else block.
  • BZ - 1686779 - yum-config-manager does not accept repo names
  • BZ - 1688537 - reposync doesn't preserve timestamp from repo being synced
  • BZ - 1688823 - dnf tracebacks on invalid modular deps
  • BZ - 1689331 - packagekit doesn't honor skip_if_unavailable=False for local repositories
  • BZ - 1689931 - global parameter to define skip_if_unavailable behavior for yum
  • BZ - 1690288 - Rebase libsolv to >= 0.7.3
  • BZ - 1690289 - Rebase dnf to >= 4.2.0
  • BZ - 1690299 - Rebase libdnf to >= 0.28.0
  • BZ - 1690414 - dnf continues despite an error code from test-transaction
  • BZ - 1691315 - microdnf fails to install from repo which uses xml:base on location
  • BZ - 1692402 - Rebase dnf-plugins-core to >= 4.0.6
  • BZ - 1694019 - Rebase librepo to >= 1.9.5
  • BZ - 1694709 - [dnf] docs: update description of skip_if_unavailable
  • BZ - 1695720 - dnf logs excessively verbosely by default, cannot be configured, certain operations (e.g. reposync) lead to huge logs occupying excessive filesystem space
  • BZ - 1697946 - Rebase libcomps to >= 0.1.10
  • BZ - 1699348 - System upgrades, empty installroot, involving modular content require explicit --setopt=module_platform_id to work correctly
  • BZ - 1700250 - Redundant “]” in dnf module info output
  • BZ - 1700741 - When dnf plugin is upgraded via Obsolete, it is not run in the transaction phase
  • BZ - 1702283 - microdnf leaks memory
  • BZ - 1702678 - Settings are not saved with "yum config-manager --save --setopt=<repoid>.<option>=<value>"
  • BZ - 1702690 - implement built-in log rotation
  • BZ - 1703609 - Inconsistency between dnf-automatic command name and man page name
  • BZ - 1706215 - using the @ module syntax for yum4 avoids the stream switching error protection
  • BZ - 1707453 - dnf update --allowerasing just removes a package, without installing a new package.
  • BZ - 1709798 - DNF cannot work with installed modularity content if repo is disabled.
  • BZ - 1712055 - Confusing Error message: Failed to synchronize cache for repo 'rhel'
  • BZ - 1712460 - [microdnf] - UBI containers not "inherit" the subscription automatically from subscribed satellite content host
  • BZ - 1713220 - Test object to None after use it
  • BZ - 1714265 - libdnf ships /usr/lib64/libdnf/plugins/README but not the parent directories
  • BZ - 1714788 - Reposync should sync the entire repository to include module information. reposync should download the packages regardless of whether a module is enabled or disabled
  • BZ - 1716313 - libdnf context doesn't honor skip_if_unavailable=True for local repositories
  • BZ - 1717429 - dnf install errors out when a non-existent package is provided together with existing ones
  • BZ - 1719830 - dnf fails to do simple commands after adding epel-7
  • BZ - 1722493 - gpgcheck=0 in a /etc/yum.repos.d/ .repo file is ignored
  • BZ - 1724564 - dnf module install <module> - just enable it, without installing it.
  • BZ - 1724668 - dnf builddep fails trying to parse specfile
  • BZ - 1725213 - dnf: Can't handle being passed 35+ file names as input for downgrade operation
  • BZ - 1726141 - dnf-sack.cpp:727: Assertion `fp_primary' failed.
  • BZ - 1730224 - libdnf 0.35.1 crashes with "Assertion `repoImpl->libsolvRepo == repo' failed"
  • BZ - 1737328 - [abrt] dnf: endTransaction(): transaction.py:758:endTransaction:RuntimeError: TransactionItem state is not set: nodejs-1:10.15.0-1.fc29.x86_64
  • BZ - 1744979 - "microdnf --help" crashes (segfault)
  • BZ - 1746349 - Incorrect parsing of "--setopt" with repositories with dots

CVEs

  • CVE-2019-3817
  • CVE-2018-20534

References