[Rpm-announce] Rpm released!

Panu Matilainen pmatilai at redhat.com
Mon Oct 22 11:24:10 UTC 2018

This is a critical security bug fix update to the stable 4.14.x branch, 
addressing a nasty regression to --setperms and --setugids functionality 
introduced in 4.14.2, plus a couple of plain old bug fixes. Users of 
4.14.2 are urged to upgrade due to the following:

In case of --setperms, all encountered symlinks will have their target
file/directory permissions set to the 0777 of the link itself (so world
writable etc but suid/sgid stripped), temporarily or permanently,
depending on whether the symlink occurs before or after its target in
the package file list. When the link occurs before its target, there's a
short window where the target is world writable before having its
permissions reset to original, making it particularly bad for suid/sgid

--setugids is similarly affected with link targets owner/group changing
to that of the symlink.

Normal install/upgrade etc functionality is not affected by this, only 
the --setperms and --setugids aliases.

As usual, further details and download info at


...when GH pages decides to wake up that is, it seems to be having a bit 
of a Monday blues today. Due to the importance of the update, including 
the relevant information here as well:


SHA256SUM: 1139c24b7372f89c0a697096bf9809be70ba55e006c23ff47305c1849d98acda

Apologies for the inconvenience, on behalf of the rpm-team,

	- Panu -
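
A model of the symlink behaviour described above, as an added example that is not rpm's code and not part of the original announcement. It assumes recorded modes are re-applied in file-list order with a chmod that follows symlinks; the file names and the functions `build_tree`, `set_perms` and `run` are constructed for illustration.

```python
import os
import stat
import tempfile


def build_tree(root, link_first):
    """Create a constructed 'package': a 04755 file plus a symlink to it.

    Returns (target_path, file_list); file_list holds (path, recorded_mode)
    in package order. A symlink's own recorded mode is 0777.
    """
    target = os.path.join(root, "tool")
    link = os.path.join(root, "tool-link")
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(target, 0o4755)
    os.symlink(target, link)
    entries = [(target, 0o4755), (link, 0o777)]
    return target, (entries[::-1] if link_first else entries)


def set_perms(target, file_list, skip_symlinks):
    """Re-apply recorded modes in list order.

    Returns the target's mode after each step, so the temporary
    world-writable window is visible as well as the final state.
    """
    history = []
    for path, mode in file_list:
        if skip_symlinks and os.path.islink(path):
            pass  # hardened form: never chmod through a link
        else:
            os.chmod(path, mode)  # os.chmod follows symlinks, like chmod(2)
        history.append(stat.S_IMODE(os.stat(target).st_mode))
    return history


def run(link_first, skip_symlinks):
    """Build a fresh tree in a temp dir and return the target's mode history."""
    with tempfile.TemporaryDirectory() as root:
        target, file_list = build_tree(root, link_first)
        return set_perms(target, file_list, skip_symlinks)


if __name__ == "__main__":
    for link_first in (True, False):
        for skip in (False, True):
            modes = [oct(m) for m in run(link_first, skip)]
            print(f"link_first={link_first} skip_symlinks={skip}: {modes}")
```
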
