Updated librepo packages fix a security vulnerability
Publication date: 21 Nov 2020
Modification date: 21 Nov 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-14352
Description
It was discovered that librepo was subject to a directory traversal vulnerability where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files (CVE-2020-14352).
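As an added illustration (not librepo's own code or its actual fix), a lexical check of the kind that closes this class of flaw: a file name taken from repository metadata is rejected before anything is downloaded if it is absolute or if its ".." components would climb above the destination directory. The sample file names in main() are constructed.

```c
#include <stdio.h>

/* Returns 1 if joining `rel` (a file name read from remote repository
 * metadata) onto the destination directory could land outside it, 0 if it
 * stays inside. Purely lexical: nothing on disk is touched, so the check
 * runs before any download. Illustrative code, not librepo's own.
 * Caveat: a lexical check cannot see symlinks already present inside the
 * destination directory; stricter policies reject any ".." at all. */
int metadata_path_escapes(const char *rel)
{
    int depth = 0;
    const char *p = rel;

    if (rel == NULL || *rel == '\0' || *rel == '/')
        return 1;               /* empty or absolute: never acceptable */

    while (*p) {
        const char *seg = p;
        size_t len;
        while (*p && *p != '/')
            p++;
        len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return 1;       /* climbed above the destination directory */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;            /* ordinary component */
        }
        while (*p == '/')
            p++;                /* skip separators, including repeated ones */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample file names as metadata might present them. */
    const char *samples[] = {
        "repodata/primary.xml.gz",
        "repodata/../../outside/file",
        "/absolute/file",
        "repodata/./a/../primary.xml.gz",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-35s -> %s\n", samples[i],
               metadata_path_escapes(samples[i]) ? "REJECT" : "ok");
    return 0;
}
```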
References
- https://bugs.mageia.org/show_bug.cgi?id=27241
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/
- https://access.redhat.com/errata/RHSA-2020:5012
- https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14352
SRPMS
7/core
- librepo-1.10.3-1.1.mga7