RHEL 8 : yum (RHSA-2019:3583)

Severity: High | Nessus Plugin ID 130555

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities, as referenced in the RHSA-2019:3583 advisory.

Yum is a command-line utility that allows the user to check for updates and automatically download and install updated RPM packages. Yum automatically obtains and downloads dependencies, prompting the user for permission as necessary.

The following packages have been upgraded to a later upstream version: dnf (4.2.7), dnf-plugins-core (4.0.8), libcomps (0.1.11), libdnf (0.35.1), librepo (1.10.3), libsolv (0.7.4). (BZ#1690288, BZ#1690289, BZ#1690299, BZ#1692402, BZ#1694019, BZ#1697946)

Security Fix(es):

* libcomps: use after free when merging two objmrtrees (CVE-2019-3817)

* libsolv: illegal address access in pool_whatprovides in src/pool.h (CVE-2018-20534)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?1402328a

http://www.nessus.org/u?b8d3b26b

https://access.redhat.com/errata/RHSA-2019:3583

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1650266

https://bugzilla.redhat.com/show_bug.cgi?id=1655605

https://bugzilla.redhat.com/show_bug.cgi?id=1656584

https://bugzilla.redhat.com/show_bug.cgi?id=1656801

https://bugzilla.redhat.com/show_bug.cgi?id=1657703

https://bugzilla.redhat.com/show_bug.cgi?id=1657851

https://bugzilla.redhat.com/show_bug.cgi?id=1658579

https://bugzilla.redhat.com/show_bug.cgi?id=1663533

https://bugzilla.redhat.com/show_bug.cgi?id=1665538

https://bugzilla.redhat.com/show_bug.cgi?id=1666325

https://bugzilla.redhat.com/show_bug.cgi?id=1667898

https://bugzilla.redhat.com/show_bug.cgi?id=1668005

https://bugzilla.redhat.com/show_bug.cgi?id=1670835

https://bugzilla.redhat.com/show_bug.cgi?id=1671731

https://bugzilla.redhat.com/show_bug.cgi?id=1671839

https://bugzilla.redhat.com/show_bug.cgi?id=1672649

https://bugzilla.redhat.com/show_bug.cgi?id=1673278

https://bugzilla.redhat.com/show_bug.cgi?id=1673289

https://bugzilla.redhat.com/show_bug.cgi?id=1673902

https://bugzilla.redhat.com/show_bug.cgi?id=1673913

https://bugzilla.redhat.com/show_bug.cgi?id=1673920

https://bugzilla.redhat.com/show_bug.cgi?id=1674562

https://bugzilla.redhat.com/show_bug.cgi?id=1676418

https://bugzilla.redhat.com/show_bug.cgi?id=1677199

https://bugzilla.redhat.com/show_bug.cgi?id=1677583

https://bugzilla.redhat.com/show_bug.cgi?id=1677640

https://bugzilla.redhat.com/show_bug.cgi?id=1678593

https://bugzilla.redhat.com/show_bug.cgi?id=1678596

https://bugzilla.redhat.com/show_bug.cgi?id=1678598

https://bugzilla.redhat.com/show_bug.cgi?id=1678689

https://bugzilla.redhat.com/show_bug.cgi?id=1679008

https://bugzilla.redhat.com/show_bug.cgi?id=1679509

https://bugzilla.redhat.com/show_bug.cgi?id=1684270

https://bugzilla.redhat.com/show_bug.cgi?id=1686645

https://bugzilla.redhat.com/show_bug.cgi?id=1686779

https://bugzilla.redhat.com/show_bug.cgi?id=1688537

https://bugzilla.redhat.com/show_bug.cgi?id=1688823

https://bugzilla.redhat.com/show_bug.cgi?id=1689331

https://bugzilla.redhat.com/show_bug.cgi?id=1689931

https://bugzilla.redhat.com/show_bug.cgi?id=1690288

https://bugzilla.redhat.com/show_bug.cgi?id=1690289

https://bugzilla.redhat.com/show_bug.cgi?id=1690299

https://bugzilla.redhat.com/show_bug.cgi?id=1690414

https://bugzilla.redhat.com/show_bug.cgi?id=1691315

https://bugzilla.redhat.com/show_bug.cgi?id=1692402

https://bugzilla.redhat.com/show_bug.cgi?id=1694019

https://bugzilla.redhat.com/show_bug.cgi?id=1694709

https://bugzilla.redhat.com/show_bug.cgi?id=1695720

https://bugzilla.redhat.com/show_bug.cgi?id=1697946

https://bugzilla.redhat.com/show_bug.cgi?id=1699348

https://bugzilla.redhat.com/show_bug.cgi?id=1700250

https://bugzilla.redhat.com/show_bug.cgi?id=1700741

https://bugzilla.redhat.com/show_bug.cgi?id=1702283

https://bugzilla.redhat.com/show_bug.cgi?id=1702678

https://bugzilla.redhat.com/show_bug.cgi?id=1702690

https://bugzilla.redhat.com/show_bug.cgi?id=1703609

https://bugzilla.redhat.com/show_bug.cgi?id=1706215

https://bugzilla.redhat.com/show_bug.cgi?id=1707453

https://bugzilla.redhat.com/show_bug.cgi?id=1709798

https://bugzilla.redhat.com/show_bug.cgi?id=1712055

https://bugzilla.redhat.com/show_bug.cgi?id=1712460

https://bugzilla.redhat.com/show_bug.cgi?id=1713220

https://bugzilla.redhat.com/show_bug.cgi?id=1714265

https://bugzilla.redhat.com/show_bug.cgi?id=1714788

https://bugzilla.redhat.com/show_bug.cgi?id=1716313

https://bugzilla.redhat.com/show_bug.cgi?id=1717429

https://bugzilla.redhat.com/show_bug.cgi?id=1719830

https://bugzilla.redhat.com/show_bug.cgi?id=1722493

https://bugzilla.redhat.com/show_bug.cgi?id=1724564

https://bugzilla.redhat.com/show_bug.cgi?id=1724668

https://bugzilla.redhat.com/show_bug.cgi?id=1725213

https://bugzilla.redhat.com/show_bug.cgi?id=1726141

https://bugzilla.redhat.com/show_bug.cgi?id=1730224

https://bugzilla.redhat.com/show_bug.cgi?id=1737328

https://bugzilla.redhat.com/show_bug.cgi?id=1744979

https://bugzilla.redhat.com/show_bug.cgi?id=1746349

Plugin Details

Severity: High

ID: 130555

File Name: redhat-RHSA-2019-3583.nasl

Version: 1.6

Type: local

Agent: unix

Published: 11/6/2019

Updated: 11/6/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-3817

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:yum, p-cpe:/a:redhat:enterprise_linux:librepo, p-cpe:/a:redhat:enterprise_linux:dnf-automatic, p-cpe:/a:redhat:enterprise_linux:python3-dnf-plugin-versionlock, p-cpe:/a:redhat:enterprise_linux:librhsm, p-cpe:/a:redhat:enterprise_linux:dnf, p-cpe:/a:redhat:enterprise_linux:libcomps-devel, p-cpe:/a:redhat:enterprise_linux:dnf-plugins-core, p-cpe:/a:redhat:enterprise_linux:createrepo_c-libs, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:python3-hawkey, p-cpe:/a:redhat:enterprise_linux:microdnf, p-cpe:/a:redhat:enterprise_linux:python3-dnf, p-cpe:/a:redhat:enterprise_linux:createrepo_c-devel, p-cpe:/a:redhat:enterprise_linux:python3-createrepo_c, p-cpe:/a:redhat:enterprise_linux:python3-librepo, p-cpe:/a:redhat:enterprise_linux:python3-dnf-plugins-core, p-cpe:/a:redhat:enterprise_linux:python3-libdnf, p-cpe:/a:redhat:enterprise_linux:libdnf, p-cpe:/a:redhat:enterprise_linux:yum-utils, p-cpe:/a:redhat:enterprise_linux:dnf-data, p-cpe:/a:redhat:enterprise_linux:libcomps, p-cpe:/a:redhat:enterprise_linux:python3-libcomps, p-cpe:/a:redhat:enterprise_linux:createrepo_c, p-cpe:/a:redhat:enterprise_linux:libsolv

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/5/2019

Vulnerability Publication Date: 12/28/2018

Reference Information

CVE: CVE-2018-20534, CVE-2019-3817

CWE: 125, 416

RHSA: 2019:3583