-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: dnf security and bug fix update
Advisory ID:       RHSA-2021:4464-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4464
Issue date:        2021-11-09
CVE Names:         CVE-2021-3445
====================================================================

1. Summary:

An update for dnf, dnf-plugins-core, and libdnf is now available for Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

dnf is a package manager that allows users to manage packages on their systems.
It supports RPMs, modules and comps groups & environments.

Security Fix(es):

* libdnf: Signature verification bypass via signature placed in the main RPM
header (CVE-2021-3445)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise
Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1804234 - yum false positive advisory if module enabled
1818118 - openvswitch: yum update using wrapper file to allow for stream change fails in RHEL-8
1847035 - [modularity] modulefailsafe .yaml file is not removed after module disable/reset
1893176 - dnf aborts when running update
1898293 - repomanage --old does not list the oldest package per module
1904490 - Backtrace when performing "yum module remove --all perl:common"
1906970 - dnf history wrong output if piped through more or redirected to file
1913962 - "dnf needs-restarting -r" work incorrectly inside systemd-nspawn containers
1914827 - [RHEL8] dnf reposync implicitly downloads source rpms in spite of no --source option
1918475 - dnf --security pulling in packages without security advisory
1926261 - dnf should not allow an installonly_limit less than 2
1926771 - dnf does not recognize scratch modules NSVC
1929163 - problem with transaction() hook
1929667 - Typos in dnf API documentation
1932079 - CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header
1934499 - dnf autoremove wants to remove "kernel-modules-extra" if you have a rawhide kernel installed
1940345 - ip_resolve, timeout, username, password options are ignored for downloading remote "rpm"
1951409 - Rebase libdnf to >= 0.55.2
1951411 - Rebase dnf to >= 4.5.2
1951414 - Rebase dnf-plugins-core to >= 4.0.21
1957280 - DNF with versionlock silences a conflict due to a provide
1961632 - [dnf] RHEL 8.5 Tier 0 Localization
1961633 - [dnf-plugins-core] RHEL 8.5 Tier 0 Localization
1961634 - [libdnf] RHEL 8.5 Tier 0 Localization
1967454 - Backport improvements of dnf signature checking using rpmkeys

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
dnf-4.7.0-4.el8.src.rpm
dnf-plugins-core-4.0.21-3.el8.src.rpm
libdnf-0.63.0-3.el8.src.rpm

aarch64:
libdnf-0.63.0-3.el8.aarch64.rpm
libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
libdnf-debugsource-0.63.0-3.el8.aarch64.rpm
python3-hawkey-0.63.0-3.el8.aarch64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.aarch64.rpm
python3-libdnf-0.63.0-3.el8.aarch64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm

noarch:
dnf-4.7.0-4.el8.noarch.rpm
dnf-automatic-4.7.0-4.el8.noarch.rpm
dnf-data-4.7.0-4.el8.noarch.rpm
dnf-plugins-core-4.0.21-3.el8.noarch.rpm
python3-dnf-4.7.0-4.el8.noarch.rpm
python3-dnf-plugin-post-transaction-actions-4.0.21-3.el8.noarch.rpm
python3-dnf-plugin-versionlock-4.0.21-3.el8.noarch.rpm
python3-dnf-plugins-core-4.0.21-3.el8.noarch.rpm
yum-4.7.0-4.el8.noarch.rpm
yum-utils-4.0.21-3.el8.noarch.rpm

ppc64le:
libdnf-0.63.0-3.el8.ppc64le.rpm
libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
libdnf-debugsource-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm

s390x:
libdnf-0.63.0-3.el8.s390x.rpm
libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
libdnf-debugsource-0.63.0-3.el8.s390x.rpm
python3-hawkey-0.63.0-3.el8.s390x.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.s390x.rpm
python3-libdnf-0.63.0-3.el8.s390x.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.s390x.rpm

x86_64:
libdnf-0.63.0-3.el8.i686.rpm
libdnf-0.63.0-3.el8.x86_64.rpm
libdnf-debuginfo-0.63.0-3.el8.i686.rpm
libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
libdnf-debugsource-0.63.0-3.el8.i686.rpm
libdnf-debugsource-0.63.0-3.el8.x86_64.rpm
python3-hawkey-0.63.0-3.el8.x86_64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.i686.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.x86_64.rpm
python3-libdnf-0.63.0-3.el8.x86_64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.i686.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:
libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
libdnf-debugsource-0.63.0-3.el8.aarch64.rpm
libdnf-devel-0.63.0-3.el8.aarch64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.aarch64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm

ppc64le:
libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
libdnf-debugsource-0.63.0-3.el8.ppc64le.rpm
libdnf-devel-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm

s390x:
libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
libdnf-debugsource-0.63.0-3.el8.s390x.rpm
libdnf-devel-0.63.0-3.el8.s390x.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.s390x.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.s390x.rpm

x86_64:
libdnf-debuginfo-0.63.0-3.el8.i686.rpm
libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
libdnf-debugsource-0.63.0-3.el8.i686.rpm
libdnf-debugsource-0.63.0-3.el8.x86_64.rpm
libdnf-devel-0.63.0-3.el8.i686.rpm
libdnf-devel-0.63.0-3.el8.x86_64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.i686.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.x86_64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.i686.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYYrd79zjgjWX9erEAQg+AQ//W0nZXstLWTWmCoVXo6NMtki7ToZB5Jix
u7pb2hy+CKDUGqPl/KSPeKg4wvlKIb7SYEEbIKQO5Nv7r2Qnqnd0ebfNeFBT299q
yesjEhbUqlOzAIVpg/ryGo4KYvuaseGP0cxuAgZME0TFdvfVGfUf+fTywRi+CP+Q
3r2IcodfFy6su3JEEK1NZXqz1l6kVzrxJrDjGHmqduvSK2tg1eKGKShRDrwQLp9Z
dyev6O3rNhDAhZTgUKkVWFqTGpTNrBsf/nEmxlidb/zMDkV9bOr/08vbFUDjtqKh
QdBdKfgbbvocbtdkUdrjhXSsG4arN5LwWX+tcz54TCz/sgp9+qvmpaY1d05dqcLt
StouGMb33sdR12dGqE3ag9Yo9mYjWOkndfqcldTlVER2obl4JlOdWO44Pw+ELIXa
Xsgj809HJe5PdyyiImrxSgaYFjG1FIX1bDzZc3fQuVOGdFAAnTY+mbzIEpSkyCFA
jm6XZwYW8nGa/ITX4GV5P5Y5ybx1oB1BLonRSgE8C5C88by6D9fjDvTapgOvaxXr
c7VB6s/5YhZNtz8gc0Dr75cZPHtj4sGqlp8I4yzVUL31hNu8bLxjk8KyuAmLAXxd
tSu62Q8g93XFa8fumyqgMdCGKexrUFDkJKpSZdEgjRJWyYB9z/TQ5JMdDSMBKJcI
h0FA3/A7KL4=
=IKMX
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
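Editor's note on the security fix in section 3. An rpm file is a 96-byte lead, a signature header, a main header and the payload, and the RSA/DSA signature over the main header belongs in the signature header only. As the editor reads the flaw (the advisory gives only the one-line title), a verifier that locates a signature by tag number in the view rpm presents after reading a package, and then only checks that the signing key is known, can be satisfied by a copy of a signature placed into the main header, which is the bypass CVE-2021-3445 names; the listed bug 1967454 moves dnf's check onto rpmkeys instead. The block below is an added example written for this page, not code from the advisory, dnf or libdnf. It parses the two headers of a constructed rpm image (tag numbers are rpm's rpmtag.h values; the signature bytes are a placeholder, not an OpenPGP packet), reports signature-class tags found in the main header, and then shows verification delegated to rpmkeys(8) with `_pkgverify_level signature` so that an unsigned package fails instead of passing on intact digests. The rpmkeys argument list and the exact success line it compares against are the editor's assumptions about RHEL 8's rpm (4.14) in the C locale; check them against your rpm version.

```python
"""Where an rpm signature lives, and how to check one without trusting the main header.
Editor's added example for CVE-2021-3445; not code from the advisory, dnf or libdnf.
Layout of an rpm file: 96-byte lead | signature header | main header | payload."""
import struct
import subprocess

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header-structure magic followed by version 1
RPM_STRING_TYPE, RPM_BIN_TYPE = 6, 7    # rpm index entry types used in the sample

# Tag numbers from rpm's rpmtag.h. The signature header reuses these numbers for its
# RSA/DSA/SHA entries, so a copy of the same tag in the main header looks plausible
# to any lookup that does not ask which header an entry came from.
RPMTAG_DSAHEADER, RPMTAG_RSAHEADER = 267, 268
RPMTAG_SHA1HEADER, RPMTAG_SHA256HEADER = 269, 273
SIGNATURE_TAGS = {RPMTAG_DSAHEADER, RPMTAG_RSAHEADER, RPMTAG_SHA1HEADER, RPMTAG_SHA256HEADER}
RPMTAG_NAME = 1000


def parse_header(buf, off):
    """Parse one rpm header structure at buf[off:]; return ({tag: (type, count)}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    if data_start + hsize > len(buf):
        raise ValueError("header truncated")
    tags = {}
    for i in range(nindex):
        entry = buf[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, typ, offset, count = struct.unpack(">IIII", entry)
        if offset >= hsize:
            raise ValueError("tag %d points outside the data store" % tag)
        tags[tag] = (typ, count)
    return tags, data_start + hsize


def split_headers(buf):
    """Return (signature header tags, main header tags) for an rpm file image."""
    if len(buf) < RPM_LEAD_SIZE or buf[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an rpm file")
    sig_tags, sig_end = parse_header(buf, RPM_LEAD_SIZE)
    main_tags, _ = parse_header(buf, (sig_end + 7) & ~7)  # signature header is padded to 8 bytes
    return sig_tags, main_tags


def signature_tags_in_main_header(buf):
    """Signature-class tags found in the main header, where no legitimate signer puts them."""
    _, main_tags = split_headers(buf)
    return sorted(SIGNATURE_TAGS & set(main_tags))


def build_header(entries):
    """Assemble an rpm header structure from (tag, type, data) triples (for the constructed sample)."""
    index, store = b"", b""
    for tag, typ, data in entries:
        count = len(data) if typ == RPM_BIN_TYPE else 1
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store


def build_sample_rpm(copy_signature_into_main_header):
    """Constructed rpm image; the signature bytes are a placeholder, not a real OpenPGP packet."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    sig_blob = b"PLACEHOLDER-RSA-SIGNATURE-PACKET"
    sig_hdr = build_header([(RPMTAG_SHA256HEADER, RPM_STRING_TYPE, b"0" * 64 + b"\0"),
                            (RPMTAG_RSAHEADER, RPM_BIN_TYPE, sig_blob)])
    sig_hdr += b"\0" * (-len(sig_hdr) % 8)
    main_entries = [(RPMTAG_NAME, RPM_STRING_TYPE, b"sample\0")]
    if copy_signature_into_main_header:      # the tampering the CVE title describes
        main_entries.append((RPMTAG_RSAHEADER, RPM_BIN_TYPE, sig_blob))
    return lead + sig_hdr + build_header(main_entries) + b"payload-not-parsed-here"


# Verification the way the patched dnf does it: delegate to rpmkeys(8) rather than
# inspecting header tags. Argument list and success string are the editor's
# assumptions about RHEL 8's rpm (4.14) in the C locale.
def rpmkeys_args(package, installroot="/"):
    """rpmkeys command that demands a valid signature, not merely intact digests."""
    return ["rpmkeys", "--checksig", "--root", installroot,
            "--define", "_pkgverify_level signature", "--define", "_pkgverify_flags 0x0", package]


def rpmkeys_says_ok(package, returncode, stdout):
    """Accept only exit status 0 with the exact success line; 'NOT OK' or digests-only output fails."""
    return returncode == 0 and stdout == package.encode() + b": digests signatures OK\n"


def verify_with_rpmkeys(package, installroot="/"):
    """Run rpmkeys on a real package path (needs rpm installed and the vendor key imported)."""
    proc = subprocess.run(rpmkeys_args(package, installroot), stdout=subprocess.PIPE,
                          env={"LC_ALL": "C"}, cwd="/")
    return rpmkeys_says_ok(package, proc.returncode, proc.stdout)


if __name__ == "__main__":
    print("clean image, signature tags in main header:", signature_tags_in_main_header(build_sample_rpm(False)))
    print("tampered image, signature tags in main header:", signature_tags_in_main_header(build_sample_rpm(True)))
```

Running the file prints `[]` for the clean image and `[268]` (RPMTAG_RSAHEADER) for the tampered one; the parser never reads the placeholder signature itself, it only reports which header an entry sits in. `verify_with_rpmkeys()` needs a real package and an rpm installation with the signing key imported (`rpm --import`), and it returns False for an unsigned package even though its digests check out, which is the behaviour you want from a package manager's gpgcheck.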