[RHSA-2021:4464-02] Moderate: dnf security and bug fix update

Tue Nov 9 20:45:35 UTC 2021

An update for dnf, dnf-plugins-core, and libdnf is now available for Red
Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

dnf is a package manager that allows users to manage packages on their
systems. It supports RPMs, modules and comps groups & environments.

Security Fix(es):

* libdnf: Signature verification bypass via signature placed in the main
RPM header (CVE-2021-3445)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1804234 - yum false positive advisory if module enabled
1818118 - openvswitch: yum update using wrapper file to allow for stream change fails in RHEL-8
1847035 - [modularity] modulefailsafe .yaml file is not removed after module disable/reset
1893176 - dnf aborts when running update
1898293 - repomanage --old does not list the oldest package per module
1904490 - Backtrace when performing "yum module remove --all perl:common"
1906970 - dnf history wrong output if piped through more or redirected to file
1913962 - "dnf needs-restarting -r" work incorrectly inside systemd-nspawn containers
1914827 - [RHEL8] dnf reposync implicitly downloads source rpms in spite of no --source option
1918475 - dnf --security pulling in packages without security advisory
1926261 - dnf should not allow an installonly_limit less than 2
1926771 - dnf does not recognize scratch modules NSVC
1929163 - problem with transaction() hook
1929667 - Typos in dnf API documentation
1932079 - CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header
1934499 - dnf autoremove wants to remove "kernel-modules-extra" if you have a rawhide kernel installed
1940345 - ip_resolve, timeout, username, password options are ignored for downloading remote "rpm"
1951409 - Rebase libdnf to >= 0.55.2
1951411 - Rebase dnf to >= 4.5.2
1951414 - Rebase dnf-plugins-core to >= 4.0.21
1957280 - DNF with versionlock silences a conflict due to a provide
1961632 - [dnf] RHEL 8.5 Tier 0 Localization
1961633 - [dnf-plugins-core] RHEL 8.5 Tier 0 Localization
1961634 - [libdnf] RHEL 8.5 Tier 0 Localization
1967454 - Backport improvements of dnf signature checking using rpmkeys

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
dnf-4.7.0-4.el8.src.rpm
dnf-plugins-core-4.0.21-3.el8.src.rpm
libdnf-0.63.0-3.el8.src.rpm

aarch64:
libdnf-0.63.0-3.el8.aarch64.rpm
libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
libdnf-debugsource-0.63.0-3.el8.aarch64.rpm
python3-hawkey-0.63.0-3.el8.aarch64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.aarch64.rpm
python3-libdnf-0.63.0-3.el8.aarch64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm

noarch:
dnf-4.7.0-4.el8.noarch.rpm
dnf-automatic-4.7.0-4.el8.noarch.rpm
dnf-data-4.7.0-4.el8.noarch.rpm
dnf-plugins-core-4.0.21-3.el8.noarch.rpm
python3-dnf-4.7.0-4.el8.noarch.rpm
python3-dnf-plugin-post-transaction-actions-4.0.21-3.el8.noarch.rpm
python3-dnf-plugin-versionlock-4.0.21-3.el8.noarch.rpm
python3-dnf-plugins-core-4.0.21-3.el8.noarch.rpm
yum-4.7.0-4.el8.noarch.rpm
yum-utils-4.0.21-3.el8.noarch.rpm

ppc64le:
libdnf-0.63.0-3.el8.ppc64le.rpm
libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
libdnf-debugsource-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm

s390x:
libdnf-0.63.0-3.el8.s390x.rpm
libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
libdnf-debugsource-0.63.0-3.el8.s390x.rpm
python3-hawkey-0.63.0-3.el8.s390x.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.s390x.rpm
python3-libdnf-0.63.0-3.el8.s390x.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.s390x.rpm

x86_64:
libdnf-0.63.0-3.el8.i686.rpm
libdnf-0.63.0-3.el8.x86_64.rpm
libdnf-debuginfo-0.63.0-3.el8.i686.rpm
libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
libdnf-debugsource-0.63.0-3.el8.i686.rpm
libdnf-debugsource-0.63.0-3.el8.x86_64.rpm
python3-hawkey-0.63.0-3.el8.x86_64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.i686.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.x86_64.rpm
python3-libdnf-0.63.0-3.el8.x86_64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.i686.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:
libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm
libdnf-debugsource-0.63.0-3.el8.aarch64.rpm
libdnf-devel-0.63.0-3.el8.aarch64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.aarch64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.aarch64.rpm

ppc64le:
libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm
libdnf-debugsource-0.63.0-3.el8.ppc64le.rpm
libdnf-devel-0.63.0-3.el8.ppc64le.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.ppc64le.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.ppc64le.rpm

s390x:
libdnf-debuginfo-0.63.0-3.el8.s390x.rpm
libdnf-debugsource-0.63.0-3.el8.s390x.rpm
libdnf-devel-0.63.0-3.el8.s390x.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.s390x.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.s390x.rpm

x86_64:
libdnf-debuginfo-0.63.0-3.el8.i686.rpm
libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm
libdnf-debugsource-0.63.0-3.el8.i686.rpm
libdnf-debugsource-0.63.0-3.el8.x86_64.rpm
libdnf-devel-0.63.0-3.el8.i686.rpm
libdnf-devel-0.63.0-3.el8.x86_64.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.i686.rpm
python3-hawkey-debuginfo-0.63.0-3.el8.x86_64.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.i686.rpm
python3-libdnf-debuginfo-0.63.0-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYYrd79zjgjWX9erEAQg+AQ//W0nZXstLWTWmCoVXo6NMtki7ToZB5Jix
u7pb2hy+CKDUGqPl/KSPeKg4wvlKIb7SYEEbIKQO5Nv7r2Qnqnd0ebfNeFBT299q
yesjEhbUqlOzAIVpg/ryGo4KYvuaseGP0cxuAgZME0TFdvfVGfUf+fTywRi+CP+Q
3r2IcodfFy6su3JEEK1NZXqz1l6kVzrxJrDjGHmqduvSK2tg1eKGKShRDrwQLp9Z
dyev6O3rNhDAhZTgUKkVWFqTGpTNrBsf/nEmxlidb/zMDkV9bOr/08vbFUDjtqKh
QdBdKfgbbvocbtdkUdrjhXSsG4arN5LwWX+tcz54TCz/sgp9+qvmpaY1d05dqcLt
StouGMb33sdR12dGqE3ag9Yo9mYjWOkndfqcldTlVER2obl4JlOdWO44Pw+ELIXa
Xsgj809HJe5PdyyiImrxSgaYFjG1FIX1bDzZc3fQuVOGdFAAnTY+mbzIEpSkyCFA
jm6XZwYW8nGa/ITX4GV5P5Y5ybx1oB1BLonRSgE8C5C88by6D9fjDvTapgOvaxXr
c7VB6s/5YhZNtz8gc0Dr75cZPHtj4sGqlp8I4yzVUL31hNu8bLxjk8KyuAmLAXxd
tSu62Q8g93XFa8fumyqgMdCGKexrUFDkJKpSZdEgjRJWyYB9z/TQ5JMdDSMBKJcI
h0FA3/A7KL4=
=IKMX
-----END PGP SIGNATURE-----