[Rpm-maint] RPM 4.8.1 released!

Panu Matilainen pmatilai at redhat.com
Fri Jun 11 10:41:06 UTC 2010

We're pleased to announce the availability of RPM release 4.8.1. Download
instructions and more detailed information are available from:


This is primarily a security and regression fix release, with few
other changes. Here's the executive summary of user visible changes
since RPM 4.8.0:

  * Remove SUID/SGID bits from hardlinked executables on upgrade too
    (CVE-2010-2059, RhBug:598775) [1]
  * Remove POSIX capabilities from hardlinked executables on upgrade and
    erase (CVE-2010-2059?, RhBug:598775)

General bugfixes and enhancements:
  * Fix "empty reply from server" curl-syndrome with URL retrieval,
    regression introduced in 4.6.0 (RhBug:598988)
  * Fix transaction hanging on unrelated filesystems (RhBug:547548)
  * Fix crash on URL retrieve to read-only location on install (RhBug:557118)
  * Fix verification error code not to depend on verbosity
    level (RhBug:557101)
  * Fix return from chroot() on verify (RhBug:590588)
  * Permit DOS-style line-endings in PGP ASCII armors (RhBug:532992)
  * Fix :pgpsig header format extension sometimes showing numbers for
    known hash types (RhBug:587755)
  * Fix :deptype header format extension failing to show some flag
  * Fix error message on package conflicts against installed packages
  * Fix erased packages causing misleading disk-space checking
    messages (RhBug:561160)
  * Document --conflicts option in manpage (ticket #126)

Package building:
  * Fix %defattr(-) syntax, regression introduced in  (SuseBug:594310)
  * Fix spec parser eating empty lines in %prep section, regression
    introduced in 4.6.0 (RhBug:573339)
  * Fix NOSOURCE/NOPATCH tag generation of nosrc packages, regression
    introduced in 4.6.0
  * Fix crash in the spec parser (RhBug:597835, SuseBug:582599)
  * Fix copying of translated tags into source rpms (RhBug:578299)
  * Only extract dependencies from .desktop files with Type=Application
    and Exec= entries (ticket #150)
  * Work around GNU tar debug output breaking rpmbuild -t (SuseBug:558475)

[1] This was originally reported by Michael Schröder from Suse,
     together with a complete patch, all the way back in 2004 in
     Red Hat bugzilla. Things went downhill from there, including
     dismissive analysis of the issue in the bug report, and a
     partial patch missing the upgrade case ending up in circulation
     in various distributions and eventually getting applied to the
     rpm.org tree. An unfortunate chain of events to say the
     least, but there's no helping what happened back then. We can
     only try our best to ensure such things won't happen again.

On behalf of the rpm-team,

          - Panu -
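
Added example, not part of the original announcement and not RPM's own code: a Python audit for the condition the two security entries above address, namely setuid/setgid or capability-bearing regular files that have more than one hardlink. The function names, report fields and the default scan root are assumptions made for illustration.

```python
import os
import stat
from collections import defaultdict

PRIV_BITS = stat.S_ISUID | stat.S_ISGID


def has_file_caps(path):
    """True if the file carries POSIX capabilities (security.capability xattr)."""
    try:
        return bool(os.getxattr(path, "security.capability", follow_symlinks=False))
    except (OSError, AttributeError):  # no xattr, unsupported fs, or non-Linux
        return False


def find_hardlinked_privileged(root):
    """Return {(dev, ino): info} for privileged regular files with link count > 1."""
    groups = defaultdict(lambda: {"paths": [], "nlink": 0, "mode": 0, "caps": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            caps = has_file_caps(path)
            if not (st.st_mode & PRIV_BITS or caps):
                continue
            g = groups[(st.st_dev, st.st_ino)]
            g["paths"].append(path)
            g["nlink"], g["mode"], g["caps"] = st.st_nlink, stat.S_IMODE(st.st_mode), caps
    for g in groups.values():
        g["paths"].sort()
        # Links not seen under `root` live elsewhere on the same filesystem.
        g["unseen_links"] = g["nlink"] - len(g["paths"])
    return dict(groups)


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/usr"  # assumed default
    for (dev, ino), g in find_hardlinked_privileged(scan_root).items():
        print(f"dev={dev} ino={ino} mode={g['mode']:04o} caps={g['caps']} "
              f"unseen_links={g['unseen_links']} paths={g['paths']}")
```

A non-zero `unseen_links` means the inode has names outside the scanned tree, so the scan root should be widened to the whole filesystem to locate them.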
