Security update for rpm SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1366-1 Final 1 1 2021-10-18T12:12:22Z current 2021-10-18T12:12:22Z 2021-10-18T12:12:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rpm This update for rpm fixes the following issues: Security issues fixed: - CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632) - PGP hardening changes (bsc#1185299) - Fixed potential access of freed mem in ndb's glue code (bsc#1179416) Maintaince issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1366 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WOGLQWSIIR4HYRWXGETEIHB6SM6A2MNK/ E-Mail link for openSUSE-SU-2021:1366-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179416 SUSE Bug 1179416 https://bugzilla.suse.com/1183543 SUSE Bug 1183543 https://bugzilla.suse.com/1183545 SUSE Bug 1183545 https://bugzilla.suse.com/1183632 SUSE Bug 1183632 https://bugzilla.suse.com/1183659 SUSE Bug 1183659 https://bugzilla.suse.com/1185299 SUSE Bug 1185299 https://bugzilla.suse.com/1187670 SUSE Bug 1187670 https://bugzilla.suse.com/1188548 SUSE Bug 1188548 https://www.suse.com/security/cve/CVE-2021-20266/ SUSE CVE CVE-2021-20266 page https://www.suse.com/security/cve/CVE-2021-20271/ SUSE CVE CVE-2021-20271 page https://www.suse.com/security/cve/CVE-2021-3421/ SUSE CVE CVE-2021-3421 page openSUSE Leap 15.2 python2-rpm-4.14.1-lp152.18.3.1 python3-rpm-4.14.1-lp152.18.3.1 rpm-4.14.1-lp152.18.3.1 rpm-32bit-4.14.1-lp152.18.3.1 rpm-build-4.14.1-lp152.18.3.1 rpm-devel-4.14.1-lp152.18.3.1 python2-rpm-4.14.1-lp152.18.3.1 as a component of openSUSE Leap 15.2 python3-rpm-4.14.1-lp152.18.3.1 as a component of openSUSE Leap 15.2 rpm-4.14.1-lp152.18.3.1 as a component of openSUSE Leap 15.2 rpm-32bit-4.14.1-lp152.18.3.1 as a component of openSUSE Leap 15.2 rpm-build-4.14.1-lp152.18.3.1 as a component of openSUSE Leap 15.2 rpm-devel-4.14.1-lp152.18.3.1 as a component of openSUSE Leap 15.2 A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability. CVE-2021-20266 openSUSE Leap 15.2:python2-rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:python3-rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-32bit-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-build-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-devel-4.14.1-lp152.18.3.1 low 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WOGLQWSIIR4HYRWXGETEIHB6SM6A2MNK/ https://www.suse.com/security/cve/CVE-2021-20266.html CVE-2021-20266 https://bugzilla.suse.com/1183632 SUSE Bug 1183632 A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. CVE-2021-20271 openSUSE Leap 15.2:python2-rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:python3-rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-32bit-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-build-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-devel-4.14.1-lp152.18.3.1 low 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WOGLQWSIIR4HYRWXGETEIHB6SM6A2MNK/ https://www.suse.com/security/cve/CVE-2021-20271.html CVE-2021-20271 https://bugzilla.suse.com/1183545 SUSE Bug 1183545 A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha. CVE-2021-3421 openSUSE Leap 15.2:python2-rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:python3-rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-32bit-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-build-4.14.1-lp152.18.3.1 openSUSE Leap 15.2:rpm-devel-4.14.1-lp152.18.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WOGLQWSIIR4HYRWXGETEIHB6SM6A2MNK/ https://www.suse.com/security/cve/CVE-2021-3421.html CVE-2021-3421 https://bugzilla.suse.com/1183543 SUSE Bug 1183543