You are here
Home > Preporuke > Sigurnosni nedostatak programske biblioteke librepo

Sigurnosni nedostatak programske biblioteke librepo

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LRH

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: librepo security update
Advisory ID: RHSA-2020:3756-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3756
Issue date: 2020-09-15
CVE Names: CVE-2020-14352
=====================================================================

1. Summary:

An update for librepo is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.0) – aarch64, ppc64le, s390x, x86_64

3. Description:

The librepo library provides a C and Python API to download repository
metadata.

Security Fix(es):

* librepo: missing path validation in repomd.xml may lead to directory
traversal (CVE-2020-14352)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1866498 – CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.0):

Source:
librepo-1.9.2-2.el8_0.src.rpm

aarch64:
librepo-1.9.2-2.el8_0.aarch64.rpm
librepo-debuginfo-1.9.2-2.el8_0.aarch64.rpm
librepo-debugsource-1.9.2-2.el8_0.aarch64.rpm
python3-librepo-1.9.2-2.el8_0.aarch64.rpm
python3-librepo-debuginfo-1.9.2-2.el8_0.aarch64.rpm

ppc64le:
librepo-1.9.2-2.el8_0.ppc64le.rpm
librepo-debuginfo-1.9.2-2.el8_0.ppc64le.rpm
librepo-debugsource-1.9.2-2.el8_0.ppc64le.rpm
python3-librepo-1.9.2-2.el8_0.ppc64le.rpm
python3-librepo-debuginfo-1.9.2-2.el8_0.ppc64le.rpm

s390x:
librepo-1.9.2-2.el8_0.s390x.rpm
librepo-debuginfo-1.9.2-2.el8_0.s390x.rpm
librepo-debugsource-1.9.2-2.el8_0.s390x.rpm
python3-librepo-1.9.2-2.el8_0.s390x.rpm
python3-librepo-debuginfo-1.9.2-2.el8_0.s390x.rpm

x86_64:
librepo-1.9.2-2.el8_0.i686.rpm
librepo-1.9.2-2.el8_0.x86_64.rpm
librepo-debuginfo-1.9.2-2.el8_0.i686.rpm
librepo-debuginfo-1.9.2-2.el8_0.x86_64.rpm
librepo-debugsource-1.9.2-2.el8_0.i686.rpm
librepo-debugsource-1.9.2-2.el8_0.x86_64.rpm
python3-librepo-1.9.2-2.el8_0.x86_64.rpm
python3-librepo-debuginfo-1.9.2-2.el8_0.i686.rpm
python3-librepo-debuginfo-1.9.2-2.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14352
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBX2DsktzjgjWX9erEAQhHtQ//eiYs85MS1buIoN3yGlrvp6dKV4W/WYOW
FtS70S5v2rdYloZNRGTkyjkU3cCA6tG0XAPrE60N4DF393YjfRKXqa5pWEO/eylW
+B7tkL/I+okywpE1vQezfyK0rmwNe9GvWcwLkmNJJd9JmFa18ClDNY2AMuHsIFQs
xj0/VrNOX9KKBrswiMBPva4TQvUlJb2mMUhvg4/6sJ6mfYR2VoSOOpYddPV8ZFRx
9b/HdtFCL8NfDEbDQb2JpqYuPuYkREmqfwlCKycFMdATMaybqZCy8xlOmtniUDun
uG3HdCPG9NLArSMUjsGpuP2xTvi+XTqGDxdbDwY9fuUub8s2mzo5KzQGO2g6F5aI
gGgUMfOj1lMKvw7cdGgMpeFqBK2kAUVDcpRhgW2XZ8aBitVhTcHuAkFbok0YCAJE
0KJV0o+0Egtor4KgneR73Y4UjeSDCLdgh58CpW+3rSC/7pWkGauoOG/bOlxXttHu
6iLDDrvCe87uKSpr/VJ5VWIdhB+zcE6cvbM54J35zmZtVX/htjojutwEIG7arS1Z
3DRWPpdU/+rZ21T2EQvR078GHCVqt/x4SUWp6bsdO77wPp7hl7Q/yRrDX5fhMaLa
y1V4Vo7Hdww0PCmmyTvVKip2DzE6ONRGyOhnKROMvm5LIvnS1T5s0GFxXFEwhnNv
RqE4HCOVbAY=
=4JYk
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

AutorBruno Varga
Cert idNCERT-REF-2020-09-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Top
More in Preporuke
Sigurnosni nedostatak programske biblioteke libssh

Otkriven je sigurnosni nedostatak programske biblioteke libssh za operacijski sustav Fedora. Otkriveni nedostatak potencijalnim napadačima omogućuje izazivanje DoS stanja. Savjetuje...

Close