6.8 - RHSA-2019:3583

Problem Description:

An update for yum is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Yum is a command-line utility that allows the user to check for updates and automatically download and install updated RPM packages. Yum automatically obtains and downloads dependencies, prompting the user for permission as necessary.

The following packages have been upgraded to a later upstream version: dnf (4.2.7), dnf-plugins-core (4.0.8), libcomps (0.1.11), libdnf (0.35.1), librepo (1.10.3), libsolv (0.7.4). (BZ#1690288, BZ#1690289, BZ#1690299, BZ#1692402, BZ#1694019, BZ#1697946)

Security Fix(es):

* libcomps: use after free when merging two objmrtrees (CVE-2019-3817)

* libsolv: illegal address access in pool_whatprovides in src/pool.h (CVE-2018-20534)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1650266 - microdnf - sockets not supported building layer on rhel8-beta/rhel-minimal image 1655605 - yum list available --showduplicates will list not only available packages but packages installed on the system. 1656584 - Add support for modular errata 1656801 - `dnf update`: "Errors occurred during transaction" due to POSTUN scriptlet failures 1657703 - [abrt] [faf] dnf: hdrFromFdno(): /usr/lib64/python3.6/site-packages/rpm/transaction.py killed by _rpm.error 1657851 - yum displays dnf in -h 1658579 - Be explicite about the REPODIR used in the Error message. 1663533 - proxy bypass behavior incompatible with previous versions 1665538 - CVE-2018-20534 libsolv: illegal address access in pool_whatprovides in src/pool.h 1666325 - yum alias list does not work properly 1667898 - repoquery --whatrequires only accepts one pkgspec 1668005 - CVE-2019-3817 libcomps: use after free when merging two objmrtrees 1670835 - [manpage] yum2dnf incorrect and missing info 1671731 - dnf list showduplicates incorrect output 1671839 - dnf: Typo in es_US localization 1672649 - Add dnf.package.Package API for getting pkgid of package from repo in DNF plugin 1673278 - [manpage] inconsistent cmdline options docs: dnf --help/man page 1673289 - dnf enableplugin/disableplugin does not report unknown plugin 1673902 - missing yum-copr man page 1673913 - option tsflags missing in dnf.conf 1673920 - confusing yum-plugin-changelog documentation 1674562 - dnf not parsing default state of comps group correctly 1676418 - yum-utils manpage inconsistent with other yum compat manpages 1677199 - Fail to obtain the transaction lock after change of SELinux policy type 1677583 - yum-builddep tries to install content from non-active stream 1677640 - The module enable/disable works unexpectedly with slow/fast train virt module 1678593 - do not mention switching streams with module enable 1678596 - unable to install module content into nonstandard install root 1678598 - Net install caused /tmp to run out of space due to flood in dnf.librepo.log 1678689 - dnf module --help refers to module_spec while man page uses module-spec 1679008 - no auto completion with dnf 1679509 - [libdnf] Set skip_if_unavailable=false as default behavior for software management tools 1684270 - [hawkey] occasional segfault when interrupting (SIGINT) dnf process (may be caused by particular plugins in use, e.g. "leaves" ones in the past) 1686645 - Remove empty else block. 1686779 - yum-config-manager does not accept repo names 1688537 - reposync doesn't preserve timestamp from repo being synced 1688823 - dnf tracebacks on invalid modular deps 1689331 - packagekit doesn't honor skip_if_unavailable=False for local repositories 1689931 - global parameter to define skip_if_unavailable behavior for yum 1690288 - Rebase libsolv to >= 0.7.3 1690289 - Rebase dnf to >= 4.2.0 1690299 - Rebase libdnf to >= 0.28.0 1690414 - dnf continues despite an error code from test-transaction 1691315 - microdnf fails to install from repo which uses xml:base on location 1692402 - Rebase dnf-plugins-core to >= 4.0.6 1694019 - Rebase librepo to >= 1.9.5 1694709 - [dnf] docs: update description of skip_if_unavailable 1695720 - dnf logs excessively verbosely by default, cannot be configured, certain operations (e.g. reposync) lead to huge logs occupying excessive filesystem space 1697946 - Rebase libcomps to >= 0.1.10 1699348 - System upgrades, empty installroot, involving modular content require explicit --setopt=module_platform_id to work correctly 1700250 - Redundant “]†in dnf module info output 1700741 - When dnf plugin is upgraded via Obsolete, it is not run in the transaction phase 1702283 - microdnf leaks memory 1702678 - Settings are not saved with "yum config-manager --save --setopt=.=" 1702690 - implement built-in log rotation 1703609 - Inconsistency between dnf-automatic command name and man page name 1706215 - using the @ module syntax for yum4 avoids the stream switching error protection 1707453 - dnf update --allowerasing just removes a package, without installing a new package. 1709798 - DNF cannot work with installed modularity content if repo is disabled. 1712055 - Confusing Error message: Failed to synchronize cache for repo 'rhel' 1712460 - [microdnf] - UBI containers not "inherit" the subscription automatically from subscribed satellite content host 1713220 - Test object to None after use it 1714265 - libdnf ships /usr/lib64/libdnf/plugins/README but not the parent directories 1714788 - Reposync should sync the entire repository to include module information. reposync should download the packages regardless of whether a module is enabled or disabled 1716313 - libdnf context doesn't honor skip_if_unavailable=True for local repositories 1717429 - dnf install errors out when a non-existent package is provided together with existing ones 1719830 - dnf fails to do simple commands after adding epel-7 1722493 - gpgcheck=0 in a /etc/yum.repos.d/ .repo file is ignored 1724564 - dnf module install - just enable it, without installing it. 1724668 - dnf builddep fails trying to parse specfile 1725213 - dnf: Can't handle being passed 35+ file names as input for downgrade operation 1726141 - dnf-sack.cpp:727: Assertion `fp_primary' failed. 1730224 - libdnf 0.35.1 crashes with "Assertion `repoImpl->libsolvRepo == repo' failed" 1737328 - [abrt] dnf: endTransaction(): transaction.py:758:endTransaction:RuntimeError: TransactionItem state is not set: nodejs-1:10.15.0-1.fc29.x86_64 1744979 - "microdnf --help" crashes (segfault) 1746349 - Incorrect parsing of "--setopt" with repositories with dots