RedHat has issued an advisory today (July 30):
The RedHat bug has links to the commits that fixed the issue:
Mageia 5 and Mageia 6 are also affected.
Mageia Cauldron updated with the proposed patch into rev 1.1.31-6
rebuild in progress.
Update also submitted for mga6 (1.1.31-5.1)
Updated yum-utils packages fix security vulnerability:
A directory traversal issue was found in reposync, a part of yum-utils, where
reposync fails to sanitize paths in remote repository configuration files. If an
attacker controls a repository, they may be able to copy files outside of the
destination directory on the targeted system via path traversal. If reposync is
running with heightened privileges on a targeted system, this flaw could
potentially result in system compromise via the overwriting of critical system
Updated packages in core/updates_testing:
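The containment check that the advisory text above says reposync lacked, as an added example that is not code from yum-utils or from this bug report. The names `safe_join`, `plan_downloads` and `UnsafeRepoPath` are hypothetical, the sample locations are constructed, and Python 3 is assumed.

```python
import os

class UnsafeRepoPath(Exception):
    """Raised when repository metadata points outside the destination directory."""

def safe_join(destdir, relative):
    """Return the absolute path for `relative` under `destdir`, or raise.

    `relative` stands for a path taken from remote repository metadata
    (for example a package location), so it is treated as untrusted.
    """
    base = os.path.realpath(destdir)
    # realpath collapses ".." components and follows symlinks that exist,
    # so the comparison is made on the path that would actually be written.
    target = os.path.realpath(os.path.join(base, relative))
    # os.path.join discards `base` when `relative` is absolute; the
    # containment check below rejects that case as well.
    if os.path.commonpath([base, target]) != base or target == base:
        raise UnsafeRepoPath("%r escapes %r" % (relative, base))
    return target

def plan_downloads(destdir, locations):
    """Split metadata locations into (accepted absolute paths, rejected inputs)."""
    accepted, rejected = [], []
    for loc in locations:
        try:
            accepted.append(safe_join(destdir, loc))
        except UnsafeRepoPath:
            rejected.append(loc)
    return accepted, rejected

# Constructed sample locations, as a hostile repository might list them.
SAMPLE_LOCATIONS = [
    "Packages/foo-1.0-1.noarch.rpm",
    "../../etc/cron.d/job",
    "/etc/passwd",
    "Packages/../../outside.rpm",
    "Packages/./bar-2.0-1.noarch.rpm",
]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        ok, bad = plan_downloads(d, SAMPLE_LOCATIONS)
        print("accepted:", ok)
        print("rejected:", bad)
```

Because the comparison uses the resolved path, a symlink inside the destination directory that points elsewhere is rejected along with plain `..` sequences and absolute paths.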
MGA6-32 MATE on IBM Thinkpad R5oe
Installation draws in a lot of other stuff and that results in error:
2 installation-transactions failed
Er is een fout opgetreden tijdens de installatie:
file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch
createrepo is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch
yum >= 3.2.22 is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch
yum >= 3.0 is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch
yum-updatesd is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch
yum >= 3.0 is needed by yum-plugin-protectbase-1.1.31-5.1.mga6.noarch
yum >= 3.2.22 is needed by yum-plugin-fs-snapshot-1.1.31-5.1.mga6.noarch
yum >= 3.2.17 is needed by yum-NetworkManager-dispatcher-1.1.31-5.1.mga6.noarch
yum >= 3.0.5 is needed by yum-plugin-list-data-1.1.31-5.1.mga6.noarch
yum >= 3.2.27 is needed by yum-plugin-ps-1.1.31-5.1.mga6.noarch
yum >= 3.2.19 is needed by yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6.noarch
yum >= 3.2.19 is needed by yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6.noarch
yum >= 3.2.23 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch
yum-utils-translations = 1.1.31-5.1.mga6 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch
Does this mean the updates cannot run on an installation which did not have yum before?
How would this affect a user who would try to install yum when those packages would be included in the normal repos?
@Herman, re comment 4:
Don't know how to answer your specific queries but I tried this installation on x86_64.
I took the precaution of installing yum first then the packages named in the update list. There was a single conflict - lost the reference - but the rest succeeded.
Enabled updates testing and ran MageiaUpdate. All the packages installed cleanly.
That is as far as I have got. Busy just now.
re comment 5;
I take your point about yum not being pulled in by yum-utils. Looks like it is a missing dependency. Feedback?
Yes, I'll fix that ASAP.