[SECURITY] Fedora 20 Update: rpm-4.11.3-2.fc20

updates at fedoraproject.org updates at fedoraproject.org
Mon Dec 29 09:57:18 UTC 2014 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-16838
2014-12-13 08:32:20
--------------------------------------------------------------------------------

Name        : rpm
Product     : Fedora 20
Version     : 4.11.3
Release     : 2.fc20
URL         : http://www.rpm.org/
Summary     : The RPM package management system
Description :
The RPM Package Manager (RPM) is a powerful command line driven
package management system capable of installing, uninstalling,
verifying, querying, and updating software packages. Each software
package consists of an archive of files along with information about
the package like its version, a description, etc.

--------------------------------------------------------------------------------
Update Information:

- Add check against malicious CPIO file name size
- Fix race condidition where unchecked data is exposed in the file system

--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 12 2014 Lubos Kardos <lkardos at redhat.com> - 4.11.3-2
- Add check against malicious CPIO file name size (#1168715)
- Fixes CVE-2014-8118
- Fix race condidition where unchecked data is exposed in the file system
  (#1039811)
- Fixes CVE-2013-6435
* Fri Sep  5 2014 Panu Matilainen <pmatilai at redhat.com> - 4.11.3-1
- update to 4.11.3 (http://rpm.org/wiki/Releases/4.11.3)
* Tue Feb 18 2014 Panu Matilainen <pmatilai at redhat.com> - 4.11.2-2
- reduce the double separator spec parse error into a warning (#1065563)
* Thu Feb 13 2014 Panu Matilainen <pmatilai at redhat.com> - 4.11.2-1
- update to 4.11.2 (http://rpm.org/wiki/Releases/4.11.2)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1039811 - CVE-2013-6435 rpm: race condition during the installation process
        https://bugzilla.redhat.com/show_bug.cgi?id=1039811
  [ 2 ] Bug #1168715 - CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing
        https://bugzilla.redhat.com/show_bug.cgi?id=1168715
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update rpm' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list