Issued:
2020-09-08
Updated:
2020-09-08

RHSA-2020:3658 - Security Advisory

Synopsis

Important: librepo security update

Type/Severity

Security Advisory: Important

Topic

An update for librepo is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The librepo library provides a C and Python API to download repository metadata.

Security Fix(es):

  • librepo: missing path validation in repomd.xml may lead to directory traversal (CVE-2020-14352)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.2 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
  • Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
  • Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

Fixes

  • BZ - 1866498 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal

Red Hat Enterprise Linux for x86_64 8

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
x86_64
librepo-1.11.0-3.el8_2.i686.rpm SHA-256: dea4e4deca24251f05fdf3cb7b5dc78099f92df1d6d828416157b550d25ad5fd
librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: 5625727f60b2600767ad77647c468fa535be7db05c1c5a4c19c19a9b050ad69c
librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 73b204bb7513ff5dd9502e2bc779056b36330a3dc7d917aa84d1bc1ef08aa6ba
librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: fc6b875f0fe62cdb5efff596c972d44d2a1f3d5a3d40acb988a95dc2fc6be3b9
librepo-debugsource-1.11.0-3.el8_2.i686.rpm SHA-256: fb72142d9f907dbad979080348efdc78ed146e093b7cf8dca8478eb510625141
librepo-debugsource-1.11.0-3.el8_2.x86_64.rpm SHA-256: 8b8ec5b01aee7c7f2088352a7d4787e25ecad19b311371f19f940baba73717d3
python3-librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: f623cc38f5fc796781723a2d1d7b94d6e5f425642a98d2a5429f4dd9d5b27686
python3-librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 25a0d1d1f4e29b065780a0ecec01f72d8230963f87dee6bebc8e6b8efc79703c
python3-librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: bc8eb6ff4337f3f6dce7e107fd50ffcebf35e7bb7068e69c22d949be3a0376ce

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
x86_64
librepo-1.11.0-3.el8_2.i686.rpm SHA-256: dea4e4deca24251f05fdf3cb7b5dc78099f92df1d6d828416157b550d25ad5fd
librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: 5625727f60b2600767ad77647c468fa535be7db05c1c5a4c19c19a9b050ad69c
librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 73b204bb7513ff5dd9502e2bc779056b36330a3dc7d917aa84d1bc1ef08aa6ba
librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: fc6b875f0fe62cdb5efff596c972d44d2a1f3d5a3d40acb988a95dc2fc6be3b9
librepo-debugsource-1.11.0-3.el8_2.i686.rpm SHA-256: fb72142d9f907dbad979080348efdc78ed146e093b7cf8dca8478eb510625141
librepo-debugsource-1.11.0-3.el8_2.x86_64.rpm SHA-256: 8b8ec5b01aee7c7f2088352a7d4787e25ecad19b311371f19f940baba73717d3
python3-librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: f623cc38f5fc796781723a2d1d7b94d6e5f425642a98d2a5429f4dd9d5b27686
python3-librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 25a0d1d1f4e29b065780a0ecec01f72d8230963f87dee6bebc8e6b8efc79703c
python3-librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: bc8eb6ff4337f3f6dce7e107fd50ffcebf35e7bb7068e69c22d949be3a0376ce

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
x86_64
librepo-1.11.0-3.el8_2.i686.rpm SHA-256: dea4e4deca24251f05fdf3cb7b5dc78099f92df1d6d828416157b550d25ad5fd
librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: 5625727f60b2600767ad77647c468fa535be7db05c1c5a4c19c19a9b050ad69c
librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 73b204bb7513ff5dd9502e2bc779056b36330a3dc7d917aa84d1bc1ef08aa6ba
librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: fc6b875f0fe62cdb5efff596c972d44d2a1f3d5a3d40acb988a95dc2fc6be3b9
librepo-debugsource-1.11.0-3.el8_2.i686.rpm SHA-256: fb72142d9f907dbad979080348efdc78ed146e093b7cf8dca8478eb510625141
librepo-debugsource-1.11.0-3.el8_2.x86_64.rpm SHA-256: 8b8ec5b01aee7c7f2088352a7d4787e25ecad19b311371f19f940baba73717d3
python3-librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: f623cc38f5fc796781723a2d1d7b94d6e5f425642a98d2a5429f4dd9d5b27686
python3-librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 25a0d1d1f4e29b065780a0ecec01f72d8230963f87dee6bebc8e6b8efc79703c
python3-librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: bc8eb6ff4337f3f6dce7e107fd50ffcebf35e7bb7068e69c22d949be3a0376ce

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
s390x
librepo-1.11.0-3.el8_2.s390x.rpm SHA-256: cda8ffdb62b75c6e79157c0f29008ffb5c55d590e9ad113ec14463ae2f90e10f
librepo-debuginfo-1.11.0-3.el8_2.s390x.rpm SHA-256: ba332f2c699029166b289553ef8cb6af9e29ebe4f1c186a332a52a4ff29f19ff
librepo-debugsource-1.11.0-3.el8_2.s390x.rpm SHA-256: 12090e82f2c18d502899ee4cf8ffd3d84a46bc5707f5169e176fe774c3373c5f
python3-librepo-1.11.0-3.el8_2.s390x.rpm SHA-256: c272aa786b3c2374500a527e954c91315b656d7b5f99ff22c882b41e4b7e7c0a
python3-librepo-debuginfo-1.11.0-3.el8_2.s390x.rpm SHA-256: 6b8479dd2bbdf99fc26cea4e27813f45cffcaac697a896c8a9f9200496caef2b

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
s390x
librepo-1.11.0-3.el8_2.s390x.rpm SHA-256: cda8ffdb62b75c6e79157c0f29008ffb5c55d590e9ad113ec14463ae2f90e10f
librepo-debuginfo-1.11.0-3.el8_2.s390x.rpm SHA-256: ba332f2c699029166b289553ef8cb6af9e29ebe4f1c186a332a52a4ff29f19ff
librepo-debugsource-1.11.0-3.el8_2.s390x.rpm SHA-256: 12090e82f2c18d502899ee4cf8ffd3d84a46bc5707f5169e176fe774c3373c5f
python3-librepo-1.11.0-3.el8_2.s390x.rpm SHA-256: c272aa786b3c2374500a527e954c91315b656d7b5f99ff22c882b41e4b7e7c0a
python3-librepo-debuginfo-1.11.0-3.el8_2.s390x.rpm SHA-256: 6b8479dd2bbdf99fc26cea4e27813f45cffcaac697a896c8a9f9200496caef2b

Red Hat Enterprise Linux for Power, little endian 8

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
ppc64le
librepo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 826ec9a108e0b6f5b0b2a180f1e5b36252c1b333a0c62183dad6b91d2a66660e
librepo-debuginfo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 8316cd73342ca47abc2ac0b050a80daea291a6c241ff043378f3995b022c87b7
librepo-debugsource-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 197f4cc38b582904a3d2d6071192058beeef4a1ebe41ad5c4cc465294c9d9d22
python3-librepo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 79e12f6afd029b7de91ec6f718bdcdb249724c79dea90973f9ddd1510408277b
python3-librepo-debuginfo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 031b696815a9d48da17d4673355e2f5e6225d568f957a18fb21ddfd75adbcc23

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
ppc64le
librepo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 826ec9a108e0b6f5b0b2a180f1e5b36252c1b333a0c62183dad6b91d2a66660e
librepo-debuginfo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 8316cd73342ca47abc2ac0b050a80daea291a6c241ff043378f3995b022c87b7
librepo-debugsource-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 197f4cc38b582904a3d2d6071192058beeef4a1ebe41ad5c4cc465294c9d9d22
python3-librepo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 79e12f6afd029b7de91ec6f718bdcdb249724c79dea90973f9ddd1510408277b
python3-librepo-debuginfo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 031b696815a9d48da17d4673355e2f5e6225d568f957a18fb21ddfd75adbcc23

Red Hat Enterprise Linux Server - TUS 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
x86_64
librepo-1.11.0-3.el8_2.i686.rpm SHA-256: dea4e4deca24251f05fdf3cb7b5dc78099f92df1d6d828416157b550d25ad5fd
librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: 5625727f60b2600767ad77647c468fa535be7db05c1c5a4c19c19a9b050ad69c
librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 73b204bb7513ff5dd9502e2bc779056b36330a3dc7d917aa84d1bc1ef08aa6ba
librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: fc6b875f0fe62cdb5efff596c972d44d2a1f3d5a3d40acb988a95dc2fc6be3b9
librepo-debugsource-1.11.0-3.el8_2.i686.rpm SHA-256: fb72142d9f907dbad979080348efdc78ed146e093b7cf8dca8478eb510625141
librepo-debugsource-1.11.0-3.el8_2.x86_64.rpm SHA-256: 8b8ec5b01aee7c7f2088352a7d4787e25ecad19b311371f19f940baba73717d3
python3-librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: f623cc38f5fc796781723a2d1d7b94d6e5f425642a98d2a5429f4dd9d5b27686
python3-librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 25a0d1d1f4e29b065780a0ecec01f72d8230963f87dee6bebc8e6b8efc79703c
python3-librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: bc8eb6ff4337f3f6dce7e107fd50ffcebf35e7bb7068e69c22d949be3a0376ce

Red Hat Enterprise Linux for ARM 64 8

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
aarch64
librepo-1.11.0-3.el8_2.aarch64.rpm SHA-256: 73bbeb49c7bfc4c5280f07ec77edefb496f07092347b8063ae13e8c8d6015f55
librepo-debuginfo-1.11.0-3.el8_2.aarch64.rpm SHA-256: e88919c6d830fd53a62cfe2a3c2e93ba31119cdcf227be866535956329d04be2
librepo-debugsource-1.11.0-3.el8_2.aarch64.rpm SHA-256: f9e86af04226ab649ac65463b2f310b3718108205b45d0df8d4050b9f83668d1
python3-librepo-1.11.0-3.el8_2.aarch64.rpm SHA-256: 1655b2f5054594ef8ecd63af98f3695eabd310242ccae9dd24599e011dcf135f
python3-librepo-debuginfo-1.11.0-3.el8_2.aarch64.rpm SHA-256: 28426ca233c43ba8abe3f18e7d0fcca8a5f32edde0f89364b450a710b59a92bd

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
aarch64
librepo-1.11.0-3.el8_2.aarch64.rpm SHA-256: 73bbeb49c7bfc4c5280f07ec77edefb496f07092347b8063ae13e8c8d6015f55
librepo-debuginfo-1.11.0-3.el8_2.aarch64.rpm SHA-256: e88919c6d830fd53a62cfe2a3c2e93ba31119cdcf227be866535956329d04be2
librepo-debugsource-1.11.0-3.el8_2.aarch64.rpm SHA-256: f9e86af04226ab649ac65463b2f310b3718108205b45d0df8d4050b9f83668d1
python3-librepo-1.11.0-3.el8_2.aarch64.rpm SHA-256: 1655b2f5054594ef8ecd63af98f3695eabd310242ccae9dd24599e011dcf135f
python3-librepo-debuginfo-1.11.0-3.el8_2.aarch64.rpm SHA-256: 28426ca233c43ba8abe3f18e7d0fcca8a5f32edde0f89364b450a710b59a92bd

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
ppc64le
librepo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 826ec9a108e0b6f5b0b2a180f1e5b36252c1b333a0c62183dad6b91d2a66660e
librepo-debuginfo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 8316cd73342ca47abc2ac0b050a80daea291a6c241ff043378f3995b022c87b7
librepo-debugsource-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 197f4cc38b582904a3d2d6071192058beeef4a1ebe41ad5c4cc465294c9d9d22
python3-librepo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 79e12f6afd029b7de91ec6f718bdcdb249724c79dea90973f9ddd1510408277b
python3-librepo-debuginfo-1.11.0-3.el8_2.ppc64le.rpm SHA-256: 031b696815a9d48da17d4673355e2f5e6225d568f957a18fb21ddfd75adbcc23

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2

SRPM
librepo-1.11.0-3.el8_2.src.rpm SHA-256: ed14edd76424937fc0593dff3aa573e95b9a5252c84c012ebb10cbc4ec4ef98b
x86_64
librepo-1.11.0-3.el8_2.i686.rpm SHA-256: dea4e4deca24251f05fdf3cb7b5dc78099f92df1d6d828416157b550d25ad5fd
librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: 5625727f60b2600767ad77647c468fa535be7db05c1c5a4c19c19a9b050ad69c
librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 73b204bb7513ff5dd9502e2bc779056b36330a3dc7d917aa84d1bc1ef08aa6ba
librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: fc6b875f0fe62cdb5efff596c972d44d2a1f3d5a3d40acb988a95dc2fc6be3b9
librepo-debugsource-1.11.0-3.el8_2.i686.rpm SHA-256: fb72142d9f907dbad979080348efdc78ed146e093b7cf8dca8478eb510625141
librepo-debugsource-1.11.0-3.el8_2.x86_64.rpm SHA-256: 8b8ec5b01aee7c7f2088352a7d4787e25ecad19b311371f19f940baba73717d3
python3-librepo-1.11.0-3.el8_2.x86_64.rpm SHA-256: f623cc38f5fc796781723a2d1d7b94d6e5f425642a98d2a5429f4dd9d5b27686
python3-librepo-debuginfo-1.11.0-3.el8_2.i686.rpm SHA-256: 25a0d1d1f4e29b065780a0ecec01f72d8230963f87dee6bebc8e6b8efc79703c
python3-librepo-debuginfo-1.11.0-3.el8_2.x86_64.rpm SHA-256: bc8eb6ff4337f3f6dce7e107fd50ffcebf35e7bb7068e69c22d949be3a0376ce

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.