yum-utils-1.1.31-46.el7

エラータID: AXSA:2018-3266:02

Release date: 
Monday, July 30, 2018 - 20:55
Subject: 
yum-utils-1.1.31-46.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use.

Security Fix(es):

* yum-utils: reposync: improper path validation may lead to directory traversal (CVE-2018-10897)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Asianux would like to thank Jay Grizzard (Clover Network) and Aaron Levy (Clover Network) for reporting this issue.

CVE-2018-10897
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2018-10897
A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.
Additional Info: 

N/A

Download: 

SRPMS
  1. yum-utils-1.1.31-46.el7.src.rpm
    MD5: 28e931364a760458286f37c5e996510e
    SHA-256: bb99fa4f8765cf077227201f1f7530e289374f97e85038710289c7a336e0fdec
    Size: 345.53 kB

Asianux Server 7 for x86_64
  1. yum-plugin-aliases-1.1.31-46.el7.noarch.rpm
    MD5: 9c77dbf21a6af0f0d929431698605901
    SHA-256: 4949f0d26cd60fc5e99efaf88b862ed01fa14e872b47883344056934316f3b0f
    Size: 29.11 kB
  2. yum-plugin-changelog-1.1.31-46.el7.noarch.rpm
    MD5: 3c11d93b5f08a7cf7ae1fe69de169edc
    SHA-256: a4e510e83b3a3188cb4087ae7cda4a5f7d98400bfcf22d0c04901c9dae55fb0c
    Size: 32.50 kB
  3. yum-plugin-ovl-1.1.31-46.el7.noarch.rpm
    MD5: ce464d61a921cf1c8069559c465b77e0
    SHA-256: 6f7a526b5b9fdbf08769f6f08009d62fcdda78df2f91cdc27b4d54bd7aca4390
    Size: 25.53 kB
  4. yum-plugin-tmprepo-1.1.31-46.el7.noarch.rpm
    MD5: 0899347f463187e07926f06c9de2fdcf
    SHA-256: 69349e786cdb94dfc85f28c8b093d5dcf83d13424723b65b7e413c6bac67f6ba
    Size: 29.16 kB
  5. yum-plugin-verify-1.1.31-46.el7.noarch.rpm
    MD5: bec1a222f2465aee9c4fbef92d987b3b
    SHA-256: d7696ac27328b418aae6f4ea2ec29ab0b81dcbcff9aab3055004870d9954dd0c
    Size: 33.96 kB
  6. yum-plugin-versionlock-1.1.31-46.el7.noarch.rpm
    MD5: 3c59baf7a6c76b33c76ea40cc4638f54
    SHA-256: 7b6b7e07017ceb87c909cdd45a8a0b29214e8564bbf383f91c753b26a7df0798
    Size: 31.94 kB
  7. yum-utils-1.1.31-46.el7.noarch.rpm
    MD5: a5c60db0383051f121f271bd37fac7f7
    SHA-256: 7181548022f20cc63b5511cdca73722e97d8c15fa5ee3ac39dd0e9c2c1e06a7c
    Size: 119.27 kB