A dnf security and bug fix update has been released for Red Hat Enterprise Linux 8.
RHSA-2021:4464-02: Moderate: dnf security and bug fix update
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: dnf security and bug fix update
Advisory ID: RHSA-2021:4464-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4464
Issue date: 2021-11-09
CVE Names: CVE-2021-3445
=====================================================================
1. Summary:
An update for dnf, dnf-plugins-core, and libdnf is now available for Red
Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
dnf is a package manager that allows users to manage packages on their
systems. It supports RPMs, modules and comps groups & environments.

Security Fix(es):

* libdnf: Signature verification bypass via signature placed in the main
  RPM header (CVE-2021-3445)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1804234 - yum false positive advisory if module enabled
1818118 - openvswitch: yum update using wrapper file to allow for stream change fails in RHEL-8
1847035 - [modularity] modulefailsafe .yaml file is not removed after module disable/reset
1893176 - dnf aborts when running update
1898293 - repomanage --old does not list the oldest package per module
1904490 - Backtrace when performing "yum module remove --all perl:common"
1906970 - dnf history wrong output if piped through more or redirected to file
1913962 - "dnf needs-restarting -r" work incorrectly inside systemd-nspawn containers
1914827 - [RHEL8] dnf reposync implicitly downloads source rpms in spite of no --source option
1918475 - dnf --security pulling in packages without security advisory
1926261 - dnf should not allow an installonly_limit less than 2
1926771 - dnf does not recognize scratch modules NSVC
1929163 - problem with transaction() hook
1929667 - Typos in dnf API documentation
1932079 - CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header
1934499 - dnf autoremove wants to remove "kernel-modules-extra" if you have a rawhide kernel installed
1940345 - ip_resolve, timeout, username, password options are ignored for downloading remote "rpm"
1951409 - Rebase libdnf to >= 0.55.2
1951411 - Rebase dnf to >= 4.5.2
1951414 - Rebase dnf-plugins-core to >= 4.0.21
1957280 - DNF with versionlock silences a conflict due to a provide
1961632 - [dnf] RHEL 8.5 Tier 0 Localization
1961633 - [dnf-plugins-core] RHEL 8.5 Tier 0 Localization
1961634 - [libdnf] RHEL 8.5 Tier 0 Localization
1967454 - Backport improvements of dnf signature checking using rpmkeys
6. Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
dnf-4.7.0-4.el8.src.rpm
dnf-plugins-core-4.0.21-3.el8.src.rpm
libdnf-0.63.0-3.el8.src.rpm
aarch64:
libdnf-0.63.0-3.el8.aarch64.rpm
libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
libdnf-debugsource-0.63.0-3.el8.aarch64.rpm
python3-hawkey-0.63.0-3.el8.aarch64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.aarch64.rpm
python3-libdnf-0.63.0-3.el8.aarch64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
noarch:
dnf-4.7.0-4.el8.noarch.rpm
dnf-automatic-4.7.0-4.el8.noarch.rpm
dnf-data-4.7.0-4.el8.noarch.rpm
dnf-plugins-core-4.0.21-3.el8.noarch.rpm
python3-dnf-4.7.0-4.el8.noarch.rpm
python3-dnf-plugin-post-transaction-actions-4.0.21-3.el8.noarch.rpm
python3-dnf-plugin-versionlock-4.0.21-3.el8.noarch.rpm
python3-dnf-plugins-core-4.0.21-3.el8.noarch.rpm
yum-4.7.0-4.el8.noarch.rpm
yum-utils-4.0.21-3.el8.noarch.rpm
ppc64le:
libdnf-0.63.0-3.el8.ppc64le.rpm
libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
libdnf-debugsource-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
s390x:
libdnf-0.63.0-3.el8.s390x.rpm
libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
libdnf-debugsource-0.63.0-3.el8.s390x.rpm
python3-hawkey-0.63.0-3.el8.s390x.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.s390x.rpm
python3-libdnf-0.63.0-3.el8.s390x.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
x86_64:
libdnf-0.63.0-3.el8.i686.rpm
libdnf-0.63.0-3.el8.x86_64.rpm
libdnf-debuginfo-0.63.0-3.el8.i686.rpm
libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
libdnf-debugsource-0.63.0-3.el8.i686.rpm
libdnf-debugsource-0.63.0-3.el8.x86_64.rpm
python3-hawkey-0.63.0-3.el8.x86_64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.i686.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.x86_64.rpm
python3-libdnf-0.63.0-3.el8.x86_64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.i686.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
Red Hat Enterprise Linux CRB (v. 8):
aarch64:
libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
libdnf-debugsource-0.63.0-3.el8.aarch64.rpm
libdnf-devel-0.63.0-3.el8.aarch64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.aarch64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
ppc64le:
libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
libdnf-debugsource-0.63.0-3.el8.ppc64le.rpm
libdnf-devel-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
s390x:
libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
libdnf-debugsource-0.63.0-3.el8.s390x.rpm
libdnf-devel-0.63.0-3.el8.s390x.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.s390x.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
x86_64:
libdnf-debuginfo-0.63.0-3.el8.i686.rpm
libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
libdnf-debugsource-0.63.0-3.el8.i686.rpm
libdnf-debugsource-0.63.0-3.el8.x86_64.rpm
libdnf-devel-0.63.0-3.el8.i686.rpm
libdnf-devel-0.63.0-3.el8.x86_64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.i686.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.x86_64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.i686.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
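
A patch-state check built from the fixed versions in the package list above; this is an added example, not part of Red Hat's advisory. It reimplements RPM's version-comparison rules in Python and expects lines as printed by `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' dnf dnf-plugins-core libdnf`. Assumptions: epochs are ignored, the function names are illustrative, and the sample lines are constructed.

```python
import re

# Fixed (version, release) per source package, from this advisory's package list.
FIXED = {"dnf": ("4.7.0", "4.el8"), "libdnf": ("0.63.0", "3.el8"),
         "dnf-plugins-core": ("4.0.21", "3.el8")}

def rpmvercmp(a, b):
    """Compare two RPM version or release strings: returns -1, 0 or 1."""
    while a or b:
        a = re.sub(r"^[^A-Za-z0-9~^]+", "", a)   # separators only delimit segments
        b = re.sub(r"^[^A-Za-z0-9~^]+", "", b)
        if a[:1] == "~" or b[:1] == "~":         # '~' sorts before anything
            if a[:1] != "~": return 1
            if b[:1] != "~": return -1
            a, b = a[1:], b[1:]
            continue
        if a[:1] == "^" or b[:1] == "^":         # '^' sorts above the bare version
            if not a: return -1
            if not b: return 1
            if a[:1] != "^": return 1
            if b[:1] != "^": return -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        sa = re.match(r"[0-9]+|[A-Za-z]+", a).group()
        isnum = sa.isdigit()
        mb = re.match(r"[0-9]+" if isnum else r"[A-Za-z]+", b)
        if mb is None:                           # numeric segment beats alphabetic
            return 1 if isnum else -1
        a, b = a[len(sa):], b[mb.end():]
        x, y = (int(sa), int(mb.group())) if isnum else (sa, mb.group())
        if x != y:
            return 1 if x > y else -1
    return (a != "") - (b != "")                 # leftover segments make it newer

def unpatched(lines):
    """Names from FIXED whose installed version-release predates the fix."""
    old = []
    for name, ver, rel in (l.split() for l in lines if len(l.split()) == 3):
        if name in FIXED and (rpmvercmp(ver, FIXED[name][0])
                              or rpmvercmp(rel, FIXED[name][1])) < 0:
            old.append(name)
    return old

# Constructed sample input, not taken from a real host.
SAMPLE = ["dnf 4.4.2 11.el8", "libdnf 0.63.0 3.el8",
          "dnf-plugins-core 4.0.21 3.el8_5.1"]
```
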
7. References:
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.