[Rpm-maint] Rpm 4.14.2.1 released!

Panu Matilainen pmatilai at redhat.com
Mon Oct 22 11:24:10 UTC 2018


This is a critical security bug fix update to the stable 4.14.x branch, 
addressing a nasty regression to --setperms and --setugids functionality 
introduced in 4.14.2, plus a couple of plain old bug fixes. Users of 
4.14.2 are urged to upgrade due to the following:

In case of --setperms, all encountered symlinks will have their target
file/directory permissions set to the 0777 of the link itself (so world
writable etc but suid/sgid stripped), temporarily or permanently,
depending on whether the symlink occurs before or after its target in
the package file list. When the link occurs before its target, there's a
short window where the target is world writable before having its
permissions reset to original, making it particularly bad for suid/sgid
binaries.

--setugids is similarly affected with link targets owner/group changing
to that of the symlink.

Normal install/upgrade etc functionality is not affected by this, only 
the --setperms and --setugids aliases.
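The ordering effect described above, modelled in a temporary directory as an added example (this is not rpm's code): a file list of (path, mode) entries is applied in list order, once by an applier that chmods every entry by path (so a symlink entry's 0777 lands on the link's target) and once by one that skips symlink entries, which is assumed here as the remedy; the actual change in 4.14.2.1 is not shown in the announcement. The file names and modes are constructed.

```python
import os
import stat
import tempfile


def apply_modes(root, filelist, probe, skip_symlinks):
    """Apply (relpath, mode) entries in list order, the way --setperms
    walks a package's file list. Return the probe file's permission bits
    after every entry so any transient window is visible."""
    history = []
    for rel, mode in filelist:
        path = os.path.join(root, rel)
        if skip_symlinks and os.path.islink(path):
            # a symlink carries no meaningful mode of its own; leave it
            history.append(stat.S_IMODE(os.lstat(probe).st_mode))
            continue
        # os.chmod follows symlinks, so a link entry rewrites its target
        os.chmod(path, mode)
        history.append(stat.S_IMODE(os.lstat(probe).st_mode))
    return history


def setperms_run(link_first, fixed):
    """Create a constructed 04755 'binary' plus a symlink to it, apply the
    package modes in the requested order and return the binary's mode
    history. fixed=False reproduces the 4.14.2 behaviour described above."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "bin_suid")
        with open(target, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(target, 0o4755)
        os.symlink("bin_suid", os.path.join(root, "link"))
        # constructed file list: the binary keeps 04755, the link is 0777
        entries = [("bin_suid", 0o4755), ("link", 0o777)]
        if link_first:
            entries.reverse()
        return apply_modes(root, entries, target, skip_symlinks=fixed)


if __name__ == "__main__":
    for link_first in (True, False):
        for fixed in (False, True):
            hist = [oct(m) for m in setperms_run(link_first, fixed)]
            print(f"link_first={link_first} fixed={fixed}: {hist}")
```

With link_first=True the buggy run shows the transient 0777 window before the mode is restored; with link_first=False the binary is left at 0777 permanently, suid stripped.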

As usual, further details and download info at

     http://rpm.org/wiki/Releases/4.14.2.1

...when GH pages decides to wake up that is, it seems to be having a bit 
of a Monday blues today. Due to the importance of the update, including 
the relevant information here as well:

http://ftp.rpm.org/releases/rpm-4.14.x/rpm-4.14.2.1.tar.bz2

SHA256SUM: 1139c24b7372f89c0a697096bf9809be70ba55e006c23ff47305c1849d98acda

Apologies for the inconvenience, on behalf of the rpm-team,

	- Panu -
