Advisory ID: KYLIN-2020-14352
Severity: Important
Product: Kylin V3
Release date: August 13, 2020
CVE: CVE-2020-14352
CVSS3 score: 8.0
Overview:
This issue is rated as having Moderate impact on Red Hat Enterprise Linux 7 because `DNF` is not installed by default. The `DNF` package is available through the Extras channel as an enhancement to YUM 3.

Both Fedora and Red Hat Enterprise Linux leverage transport security and package signatures to ship software to their users in a safe way. Fedora provides a centralized, non-mirrored Fedora-run metalink service which provides a list of active mirrors and the expected cryptographic digest of the `repomd.xml` files. yum uses this information to select a mirror and verify that it serves the up-to-date, untampered `repomd.xml`. The chain of cryptographic digests is verified from there, eventually leading to verification of the .rpm file contents.

Red Hat uses a different option to distribute Red Hat Enterprise Linux and its RPM-based products: a content-distribution network, managed by a trusted third party. Furthermore, the repositories provided by Red Hat use a separate public key infrastructure which is managed by Red Hat. For further information, refer to the following articles.

[1] https://access.redhat.com/blogs/766093/posts/1976693
[2] https://access.redhat.com/articles/1373143

Description:
A flaw was found in librepo. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.

System versions:
KYLIN 3.3.x
KYLIN 3.4.x
Affected packages:
librepo
librepo
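Added example, not part of this advisory or of librepo's own code: the kind of destination-path check the description calls for, run over constructed metadata `href` values (the function name `safe_destination`, the directory `/tmp/kylin-repo-example` and the sample hrefs are all assumptions for illustration).

```python
import os
import posixpath
from typing import Dict, Optional

# Constructed sample hrefs, of the form a repomd.xml or primary.xml
# "location href" attribute might hand to a downloader. The traversal
# strings are illustrative, not taken from the advisory.
SAMPLE_HREFS = [
    "repodata/primary.xml.gz",
    "repodata/./sub/../filelists.xml.gz",
    "repodata/../../etc/cron.d/evil",
    "/etc/passwd",
    "../sibling-repo/repomd.xml",
]


def safe_destination(dest_dir: str, href: str) -> Optional[str]:
    """Return the absolute path where `href` may be written, or None if
    writing it would escape `dest_dir` (directory traversal)."""
    if not href or "\0" in href or href.startswith(("/", "\\")):
        return None
    # Hrefs are URL-style paths: normalise them lexically first so that
    # "a/../../x" becomes "../x" and is caught before touching the disk.
    norm = posixpath.normpath(href)
    if norm == ".." or norm.startswith("../") or posixpath.isabs(norm):
        return None
    base = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(base, norm))
    # realpath follows symlinks, so a link inside dest_dir that points
    # outside is also rejected here. commonpath (not startswith) guards
    # against "/dest/repo" being accepted as a prefix of "/dest/repo2".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def filter_hrefs(dest_dir: str, hrefs) -> Dict[str, Optional[str]]:
    """Map each href to its permitted destination, or None if rejected."""
    return {h: safe_destination(dest_dir, h) for h in hrefs}


if __name__ == "__main__":
    for href, dest in filter_hrefs("/tmp/kylin-repo-example", SAMPLE_HREFS).items():
        print(f"{href!r:40} -> {dest or 'REJECTED'}")
```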