Fedora 32 : 1:livecd-tools / createrepo_c / dnf / dnf-plugins-core / etc (2020-5d9f0ce2b3)

High Nessus Plugin ID 141518

VPR Score: 5.9

Synopsis

The remote Fedora host is missing one or more security updates.

Description

createrepo_c 0.16.1

- Update to 0.16.1

- Add the section number to the manual pages

- Parse xml snippet in smaller parts (RhBug:1859689)

- Add module metadata support to createrepo_c (RhBug:1795936)

librepo 1.12.1

- Update to 1.12.1

- Validate path read from repomd.xml (RhBug:1868639)

libdnf 0.54.2

- Update to 0.54.2

- history: Fix dnf history rollback when a package was removed (RhBug:1683134)

- Add support for HY_GT, HY_LT in query nevra_strict

- Fix parsing empty lines in config files

- Accept '==' as an operator in reldeps (RhBug:1847946)

- Add log file level main config option (RhBug:1802074)

- Add protect_running_kernel configuration option (RhBug:1698145)

- Context part of libdnf cannot assume zchunk is on (RhBug:1851841,1779104)

- Fix memory leak of resultingModuleIndex and handle g_object refs

- Redirect librepo logs to libdnf logs with different source

- Introduce changelog metadata in commit messages

- Add hy_goal_lock

- Update Copr targets for packit and use alias

- Enum/String conversions for Transaction Store/Replay

- utils: Add a method to decode URLs

- Unify hawkey.log line format with the rest of the logs

dnf 4.4.0

- Update to 4.4.0

- Handle empty comps group name (RhBug:1826198)

- Remove dead history info code (RhBug:1845800)

- Improve command emitter in dnf-automatic

- Enhance --querytags and --qf help output

- [history] add option --reverse to history list (RhBug:1846692)

- Add logfilelevel configuration (RhBug:1802074)

- Don't turn off stdout/stderr logging longer than necessary (RhBug:1843280)

- Mention the date/time that updates were applied

- [dnf-automatic] Wait for internet connection (RhBug:1816308)

- [doc] Enhance repo variables documentation (RhBug:1848161,1848615)

- Add librepo logger for handling messages from librepo (RhBug:1816573)

- [doc] Add package-name-spec to the list of possible specs

- [doc] Do not use <package-nevr-spec>

- [doc] Add section to explain -n, -na and -nevra suffixes

- Add alias 'ls' for list command

- README: Reference Fedora Weblate instead of Zanata

- Remove log_lock.pid after reboot (RhBug:1863006)

- comps: Raise CompsError when removing a non-existent group

- Add methods for working with comps to RPMTransactionItemWrapper

- Implement storing and replaying a transaction

- Log failure to access last makecache time as warning

- [doc] Document Substitutions class

- Don't document removed attribute ``reports`` for get_best_selector

- Change the debug log timestamps from UTC to local time

dnf-plugins-core 4.0.18

- [needs-restarting] Fix plugin fail if needs-restarting.d does not exist

- [needs-restarting] add kernel-rt to reboot list

- Fix debug-restore command

- [config-manager] enable/disable comma separated pkgs (RhBug:1830530)

- [debug] Use standard demands.resolving for transaction handling

- [debug] Do not remove install-only packages (RhBug:1844533)

- return error when dnf download failed

- README: Reference Fedora Weblate instead of Zanata

- [reposync] Add latest NEVRAs per stream to download (RhBug:1833074)

- copr: don't try to list runtime dependencies

dnf-plugins-extras 4.0.12

- Update Cmake to pull translations from weblate

- Drop Python 2 support

- README: Add Installation, Contribution, etc

- Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env variable to control system-upgrade reboot.

- [system-upgrade] Upgrade groups and environments (RhBug:1845562,1860408)

livecd-tools-27.1-8

- Fix compatibility with dnf 4.4.0 / libdnf 0.54.2

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected packages.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2020-5d9f0ce2b3

Plugin Details

Severity: High

ID: 141518

File Name: fedora_2020-5d9f0ce2b3.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2020/10/19

Updated: 2020/10/21

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:1:livecd-tools, p-cpe:/a:fedoraproject:fedora:createrepo_c, p-cpe:/a:fedoraproject:fedora:dnf, p-cpe:/a:fedoraproject:fedora:dnf-plugins-core, p-cpe:/a:fedoraproject:fedora:dnf-plugins-extras, p-cpe:/a:fedoraproject:fedora:libdnf, p-cpe:/a:fedoraproject:fedora:librepo, cpe:/o:fedoraproject:fedora:32

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2020/10/18

Vulnerability Publication Date: 2020/08/30

Reference Information

CVE: CVE-2020-14352