SUSE Package Hub - openSUSE-2021-295

Update Info

openSUSE-2021-295

Security update for librepo

Type: security

Severity: important

Issued: 2021-02-15

Description:

This update for librepo fixes the following issues:

- Upgrade to 1.12.1
  + Validate path read from repomd.xml (bsc#1175475, CVE-2020-14352)
- Changes from 1.12.0
  + Prefer mirrorlist/metalink over baseurl (rh#1775184)
  + Decode package URL when using for local filename (rh#1817130)
  + Fix memory leak in lr_download_metadata() and lr_yum_download_remote()
  + Download sources work when at least one of specified is working (rh#1775184)

This update was imported from the SUSE:SLE-15-SP2:Update update project.
This update was imported from the openSUSE:Leap:15.2:Update update project.

References

CVE: CVE-2020-14352
Bugzilla: 1175475 VUL-0: CVE-2020-14352: librepo: missing path validation in repomd.xml may lead to directory traversal

Packages

librepo-1.12.1-bp152.2.6.1