AXSA:2020-543:01

Release date: Thursday, October 1, 2020 - 07:17
Subject: librepo-1.11.0-3.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

* librepo: missing path validation in repomd.xml may lead to directory traversal (CVE-2020-14352)

CVE-2020-14352:
A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. librepo-1.11.0-3.el8.src.rpm
    MD5: a27c34a28d18612cb7986c05470373dc
    SHA-256: bbb02763b6dd58dbf4956bac62e0d49d97cdf08fa7961ceb21d28cdd7178e018
    Size: 803.13 kB

Asianux Server 8 for x86_64
  1. librepo-1.11.0-3.el8.x86_64.rpm
    MD5: 37d06c5d7be011612b2ebaf3f8082a06
    SHA-256: 03ebd469fa0043a1e54f66ad656fc65c10c032267a833cbe09b7e926981cf892
    Size: 88.58 kB
  2. python3-librepo-1.11.0-3.el8.x86_64.rpm
    MD5: 296ccbaa0a98654fcde4c9745110c5be
    SHA-256: 06a68e4cf7474dbf0429b6c5b95151a30605d1afb03efba6709ac553a11fb900
    Size: 50.61 kB
  3. librepo-1.11.0-3.el8.i686.rpm
    MD5: b35c4c284456c2e741b36247ed93ad5d
    SHA-256: bdb37f426949d665f5d92de1d1bc397917d60b83907aef1595a5bf032428bcd7
    Size: 93.54 kB
Copyright © 2007-2015 Asianux. All rights reserved.