- CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
- Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code.
- Prior to this update, RPM did not allow self-conflicts. As a result, a package could not be installed if it declared a conflict against its own name. With this update, self-conflicts are permitted and such packages can be installed as expected.
- The rpm2cpio.sh utility was overlooked when RPM switched the default compression format for the package payload to xz. As a consequence, the utility was not able to extract files from xz-compressed payloads. This update adds xz support to rpm2cpio.sh, and the utility now extracts files successfully.
- Prior to this update, when installing a package containing the same files as an already installed package, the file belonging to the less preferred architecture was overwritten silently, even if the file was not a binary. With this update, only binary files may overwrite other binary files; conflicting non-identical, non-binary files now produce an error message instead.
- Previously, files listed in the spec file with the %defattr(-) directive did not keep the attributes they had in the build root. With this update, RPM keeps these attributes.
- Prior to this update, signing packages that had already been signed with the same key could cause the entire signing process to abort. With this update, RPM is modified so that packages with identical signatures are skipped and the others are signed.
- Prior to this update, passing packages with a broken signature to the librpm library could cause it to crash. The source code has been revised so that broken signatures are now rejected.
- Previously, importing GPG keys that had already been imported before could cause RPM to fail with an error message. RPM has been modified and now imports the keys successfully.