[Rpm-maint] rpm security exposure http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059

Panu Matilainen pmatilai at laiskiainen.org
Tue Nov 2 19:18:18 UTC 2010


On Mon, 1 Nov 2010, swamy sangamesh wrote:

> Hi All,
> 
> We came to know about the rpm security exposure
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
> It looks like the fix is available from the 4.5.x source. But unfortunately we are
> using the older rpm-3.0.5, and due to some
> dependency, upgrading to a newer version is extremely difficult.
> 
> I don't have much knowledge about the rpm source code.
> My question is, can the available fix also be applied to older versions
> of rpm like 3.0.5? Is there a patch available for older versions, so that
> anyone who can't upgrade to the latest version can apply and use it?

Technically, sure it's possible to backport the fix to older rpm versions, 
3.0.5 or whatever. But rpm 3.x has been unmaintained for 
over ten years by now, so rpm.org is not going to publish any fixes for it at 
this point.

While you of course can go ahead and backport the fix yourself (including 
paying somebody to do it), don't be fooled into thinking you're "safe" with 
that. There are any number of security issues of varying degrees in rpm 
3.x besides the recent CVE.

 	- Panu -
