SUSE-SU-2021:2682-1 -- SLES rpm, python-rpm-debugsource, python3-rpmID: oval:org.secpod.oval:def:89047072 | Date: (C)2022-10-21 (M)2023-11-13 |
Class: PATCH | Family: unix |
This update for rpm fixes the following issues: - Changed default package verification level to "none" to be compatible to rpm-4.14.1 - Made illegal obsoletes a warning - Fixed a potential access of freed mem in ndb"s glue code - Added support for enforcing signature policy and payload verification step to transactions - Added :humansi and :hmaniec query formatters for human readable output - Added query selectors for whatobsoletes and whatconflicts - Added support for sorting caret higher than base version - rpm does no longer require the signature header to be in a contiguous region when signing Security fixes: - CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity - CVE-2021-20271: A flaw was found in RPM"s signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability - CVE-2021-20266: A flaw was found in RPM"s hdrblobInit in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.
Platform: |
SUSE Linux Enterprise Server 15 SP3 |
SUSE Linux Enterprise Desktop 15 SP3 |
Product: |
rpm |
python-rpm-debugsource |
python3-rpm |