[Rpm-maint] rpm security exposure http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059

swamy sangamesh swamy.sangamesh at gmail.com
Wed Nov 3 04:33:33 UTC 2010


 Hi Panu,

 Thanks for your response. We look forward to updating our current rpm soon,
but due to the dependencies of other applications, as of now we need to use
version 3.0.5.


 Hi Pinto,

 We are using it for the IBM AIX Toolbox for Linux applications with AIX version
5.3 and above.
 Currently we are using the rpm-3.0.5 source to build the binaries.


On Wed, Nov 3, 2010 at 12:48 AM, Panu Matilainen
<pmatilai at laiskiainen.org>wrote:

> On Mon, 1 Nov 2010, swamy sangamesh wrote:
>
>> Hi All,
>>
>> We came to know about the rpm security exposure
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
>> It looks like a fix is available from the 4.5.x source. But unfortunately we are
>> using the older rpm-3.0.5, and due to some
>> dependency, upgrading to a newer version is extremely difficult.
>>
>> I do not have much knowledge about the rpm source code.
>> My question is: can the available fix also be applied to older versions of
>> rpm like 3.0.5? Is there a patch available for older versions, so that anyone
>> who can't upgrade to the latest version can apply and use it?
>>
>
> Technically, sure it's possible to backport the fix to older rpm versions,
> 3.0.5 or whatever. But rpm 3.x has been unmaintained for over ten years by
> now, rpm.org is not going to publish any fixes for it at this point.
>
> While you of course can go ahead and backport the fix yourself (including
> paying somebody to do it), don't be fooled into thinking you're "safe" with that.
> There are any number of security issues of varying degrees in rpm 3.x
> besides the recent CVE.
>
>        - Panu -
>
>


-- 
Thanks & Regards,
Sangamesh