yum-utils-1.1.30-42.AXS4
エラータID: AXSA:2018-3265:02
Release date:
Monday, July 30, 2018 - 20:53
Subject:
yum-utils-1.1.30-42.AXS4
Affected Channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use.
Security Fix(es):
* yum-utils: reposync: improper path validation may lead to directory traversal (CVE-2018-10897)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Asianux would like to thank Jay Grizzard (Clover Network) and Aaron Levy (Clover Network) for reporting this issue.
CVE-2018-10897
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.
Solution:
Update packages.
CVEs:
CVE-2018-10897
A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.
A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.
Additional Info:
N/A
Download:
SRPMS
- yum-utils-1.1.30-42.AXS4.src.rpm
MD5: 2bcccc66bf8631620cbbd983195b272a
SHA-256: cfb7b27e42a9e1cc944579ecf308854f45def43c1a504d513146d995aae02940
Size: 292.21 kB
Asianux Server 4 for x86
- yum-plugin-aliases-1.1.30-42.AXS4.noarch.rpm
MD5: 6f80389501b887d455450285e97599ab
SHA-256: cdcd6be3ec401320d3a39391e41c10a2a46492d857738dc4ea0594c21fa60098
Size: 29.57 kB - yum-plugin-changelog-1.1.30-42.AXS4.noarch.rpm
MD5: e65c80f2183690930b11f4485c20a76d
SHA-256: e77000938a1846065a05ddcd78346f04055eadf913b6a8e8f0dfb041e9dc210e
Size: 32.87 kB - yum-plugin-ovl-1.1.30-42.AXS4.noarch.rpm
MD5: 33a5d96c1a0a3e7b371e3567f448b34b
SHA-256: eaac4bbf69d7dfdac0dfa7225d116dede40a6c86e02160cb5cf941799bfbf670
Size: 26.00 kB - yum-plugin-security-1.1.30-42.AXS4.noarch.rpm
MD5: 911ff0c9d92f684a4ad7a7f1d351555f
SHA-256: c69c7604117b930b5a1156299e90fac1f030d01092738fe738a15a541b414bb6
Size: 42.83 kB - yum-plugin-tmprepo-1.1.30-42.AXS4.noarch.rpm
MD5: 41b962b4fbfc19ec86b4f88de598e752
SHA-256: 4acfc3d01207189d9ca70e021da01567cf19f733c9f35bce99346845772dc70d
Size: 29.65 kB - yum-plugin-verify-1.1.30-42.AXS4.noarch.rpm
MD5: b3f9326bdf5c0514d18611c9347d85a4
SHA-256: 9f5a007900651c686e63073374fd10c5eb90ec466912c5c54322cd2e48db35ea
Size: 34.44 kB - yum-plugin-versionlock-1.1.30-42.AXS4.noarch.rpm
MD5: 2247a2eeef1b9b74fc6e3fb797c1dea2
SHA-256: d2954dc4054864e9019a48af5dff5fd0df271a8bcb72506d74dad0dd6d3e7e27
Size: 32.10 kB - yum-utils-1.1.30-42.AXS4.noarch.rpm
MD5: 44e8a474d2f296fb8bdd6165e1f54196
SHA-256: 5a883e55e0f56a885864fea7384f29d596ec43e9fdbd1cde159285dcba569f00
Size: 113.68 kB
Asianux Server 4 for x86_64
- yum-plugin-aliases-1.1.30-42.AXS4.noarch.rpm
MD5: f81106765ddc2b5eb06a2667bc662652
SHA-256: 79c8222d33f4352244d1c726d3940ad7333b80b45717afcca6dbb8a88dd21643
Size: 29.12 kB - yum-plugin-changelog-1.1.30-42.AXS4.noarch.rpm
MD5: ac9738d0d827e9c2a9105d6e141dbe9f
SHA-256: 76418c8b5d56ee026c0dc5a85eaf70e6fd7fb05f05062c72402f8ddd789cbd26
Size: 32.42 kB - yum-plugin-ovl-1.1.30-42.AXS4.noarch.rpm
MD5: 00eee12906b256589907d9b7f0c77759
SHA-256: c1b82b2459c2afe8a359664c4bfbc9cfe6ef3cb24ce9b29557f342e03a56f6b1
Size: 25.55 kB - yum-plugin-security-1.1.30-42.AXS4.noarch.rpm
MD5: e44de9562b3e8d29cfd75d770c17b50b
SHA-256: bccef8dd1a03e36ec576d3349a1362729a6f14716a16822ada1337a3284e5c4c
Size: 42.38 kB - yum-plugin-tmprepo-1.1.30-42.AXS4.noarch.rpm
MD5: 390c7123a035d258dd7259a93af09258
SHA-256: 3da855aff3be733a0480f4043f0d0e88b6571d1465960a1d98ed4c141c37b0a5
Size: 29.20 kB - yum-plugin-verify-1.1.30-42.AXS4.noarch.rpm
MD5: 9843a61a30d4e2ef0d49e1e06a8ee428
SHA-256: e757284da706414143f67a6e2b6cde7e2501a9bc8e136f67fd62886bf54bdf52
Size: 33.99 kB - yum-plugin-versionlock-1.1.30-42.AXS4.noarch.rpm
MD5: 09636ae1b1bf76c771821dc1c9d69b97
SHA-256: c9cb6ad78ba963e4b4027a00e9f4ce3a72941e08967091f65aed3fe6993c7021
Size: 31.65 kB - yum-utils-1.1.30-42.AXS4.noarch.rpm
MD5: 323e43884d7c85ed61d5b875561f7364
SHA-256: d8236b2071df2db655d30af95b43a2dd48de93dba207e1dc7ec8c8780573f2de
Size: 113.23 kB
日本語