[Rpm-maint] rpm security exposure http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059

Panu Matilainen pmatilai at laiskiainen.org
Tue Nov 2 19:18:18 UTC 2010

On Mon, 1 Nov 2010, swamy sangamesh wrote:

> Hi All,
> We come to know about rpm security exposure
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
> looks like fix is available from 4.5.x source. But unfortunately we are
> using older rpm-3.0.5, and due to some
> dependency, upgrading to newer version is extremely  difficult.
> I have not much knowledge about rpm source code.
> My question is, the fix available can also be applied to older versions 
> of rpms like-3.0.5 is their patch available for older version so if 
> anyone which can't  upgrade to latest version can apply and use it ?

Technically, sure it's possible to backport the fix to older rpm versions, 
3.0.5 or whatever. But rpm 3.x has been unmaintained for 
over ten years by now, rpm.org is not going to publish any fixes for it at 
this point.

While you of course can go ahead and backport the fix yourself (including 
paying somebody to do it), don't be fooled to think you're "safe" with 
that. There are any number of security issues of varying degrees in rpm 
3.x besides the recent CVE.

 	- Panu -

More information about the Rpm-maint mailing list