Oracle Linux 8 : yum (ELSA-2019-3583)

high Nessus Plugin ID 180746

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-3583 advisory: CVE-2018-20534 (libsolv) and CVE-2019-3817 (libcomps). The advisory ships those fixes together with the package changelogs reproduced below; most of the listed entries are ordinary bug fixes rather than security changes.

createrepo_c [0.11.0-3]
- Backport patch to switch off timestamps on documentation in order to remove file conflicts (RhBug:1738788)

[0.11.0-2]
- Consistently produce valid URLs by prepending protocol. (RhBug:1632121)
- modifyrepo_c: Prevent doubling of compression (test.gz.gz) (RhBug:1639287)
- Correct pkg count in headers if there were invalid pkgs (RhBug:1596211)
- Add support for modular errata (RhBug:1656584)

dnf [4.2.7-6]
- Remove patch to not fail when installing modular RPMs without modular metadata

[4.2.7-5]
- Fix: --setopt and repo with dots (RhBug:1746349)

[4.2.7-4]
- Prevent printing empty Error Summary (RhBug:1690414)

[4.2.7-3]
- Update localizations from zanata (RhBug:1689982)
- Accept multiple specs in repoquery options (RhBug:1667898,1656801)
- Prevent switching modules in all cases (RhBug:1706215)
- Change synchronization of rpm transaction to swdb (RhBug:1737328)
- Print rpm error messages during transaction (RhBug:1677199)
- Report missing default profile as an error (RhBug:1669527,1724564)
- Describe a behavior when plugin is removed (RhBug:1700741)

[4.2.7-2]
- Add patch to not fail when installing modular RPMs without modular metadata

[4.2.7-1]
- Update to 4.2.7
- Fix package reinstalls during yum module remove (RhBug:1700529)
- Fail when '-c' option is given nonexistent file (RhBug:1512457)
- Reuse empty lock file instead of stopping dnf (RhBug:1581824)
- Propagate comps 'default' value correctly (RhBug:1674562)
- Better search of provides in /(s)bin/ (RhBug:1657993)
- Add detection for armv7hcnl (RhBug:1691430)
- Fix group install/upgrade when group is not available (RhBug:1707624)
- Report not matching plugins when using --enableplugin/--disableplugin (RhBug:1673289) (RhBug:1467304)
- Add support of modular FailSafe (RhBug:1623128)
- Replace logrotate with built-in log rotation for dnf.log and dnf.rpm.log (RhBug:1702690)

[4.2.6-1]
- Update to 4.2.6
- Use improved config parser that preserves order of data
- Follow RPM security policy for package verification
- Update modules regardless of installed profiles
- [conf] Use environment variables prefixed with DNF_VAR_
- Allow adjustment of repo from --repofrompath (RhBug:1689591)
- Allow globs in setopt in repoid part
- Add command abbreviations (RhBug:1634232)
- Installroot now requires absolute path
- librepo: Turn on debug logging only if debuglevel is greater than 2 (RhBug:1355764,1580022)
- Document cachedir option (RhBug:1691365)
- Enhance documentation - API examples
- Enhance documentation of --whatdepends option (RhBug:1687070)
- Update documentation: implemented plugins; options; deprecated commands (RhBug:1670835,1673278)
- [doc] Add info of relation update_cache with fill_sack (RhBug:1658694)
- Rename man page from dnf.automatic to dnf-automatic to match command name
- Fix alias list command (RhBug:1666325)
- Fix behavior of --bz option when specifying more values
- Add protection of yum package (RhBug:1639363)
- Fix list --showduplicates (RhBug:1655605)
- Retain order of headers in search results (RhBug:1613860)
- Solve traceback with the 'dnf install @module' (RhBug:1688823)
- Fix multilib obsoletes (RhBug:1672947)
- Do not remove group package if other packages depend on it
- Remove duplicates from 'dnf list' and 'dnf info' outputs
- Fix the installation of completion_helper.py
- Fix formatting of message about free space required
- Fix installation failure when duplicate RPMs are specified (RhBug:1687286)
- Fix issues with terminal hangs when attempting bash completion (RhBug:1702854)
- Allow plugins to terminate dnf (RhBug:1701807)
- [provides] Enhanced detecting of file provides (RhBug:1702621)
- [provides] Sort the output packages alphabetically

[4.0.9.2-6]
- Backport patch to unify --help with man for module-spec (RhBug:1678689)

dnf-plugins-core [4.0.8-3]
- Generate yum-utils(1) instead of symlinking (RhBug:1676418)

[4.0.8-2]
- Update localizations from zanata (RhBug:1689984)
- Rename dnf-utils to yum-utils (RhBug:1722093)
- [builddep] Report all rpm errors (RhBug:1724668)
- [config-manager] Behaviour of --setopt (RhBug:1702678)

[4.0.8-1]
- Update to 4.0.8
- [reposync] Enable timestamp preserving for downloaded data (RhBug:1688537)
- [reposync] Download packages from all streams (RhBug:1714788)
- Make yum-copr manpage available (RhBug:1673902)
- [needs-restarting] Add --reboothint option (RhBug:1192946) (RhBug:1639468)
- Set the cost of _dnf_local repo to 500, to make it preferred to normal repos

[4.0.7-1]
- Update to 4.0.7
- Use improved config parser that preserves order of data
- Fix: copr disable command traceback (RhBug:1693551)
- [doc] state repoid as repo identifier of config-manager (RhBug:1686779)
- [leaves] Show multiply satisfied dependencies as leaves
- [download] Fix downloading an rpm from a URL (RhBug:1678582)
- [download] Do not download src without --source (RhBug:1666648)
- [download] Fix problem with downloading src pkgs (RhBug:1649627)
- [download] Fix download of src when not the latest requested (RhBug:1649627)

libcomps [0.1.11-2]
- Backport patch: Fix order of asserts in unit test (RhBug:1713220)

[0.1.11-1]
- Update to 0.1.11

libdnf [0.35.1-8.0.1]
- Disable rhsm [Orabug: 29901202]
- Replaced bugzilla.redhat.com with bugzilla.oracle.com in config [Orabug: 29656932]
- Add support for apps that use libdnf to access yum url with 'ociregion' variable [Orabug: 30121584] (Frank Deng)

[0.35.1-8]
- Enhanced fix of moving directories in minimal container (RhBug:1700341)

[0.35.1-7]
- Remove patch to not fail when installing modular RPMs without modular metadata

[0.35.1-6]
- Fix moving directories in minimal container (RhBug:1700341)

[0.35.1-5]
- Add support for query sequence conversions

[0.35.1-4]
- Fix typo in error message (RhBug:1726661)
- Update localizations from zanata (RhBug:1689991)
- Don't disable nonexistent but required repositories (RhBug:1689331)
- Ignore trailing blank lines of multiline value (RhBug:1722493)
- Re-size includes map before re-computation (RhBug:1725213)

[0.35.1-3]
- Fix attaching and detaching of libsolvRepo and repo_internalize_trigger() (RhBug:1730224)

[0.35.1-2]
- Add patch to not fail when installing modular RPMs without modular metadata

[0.35.1-1]
- Update to 0.35.1
- Skip invalid key files in '/etc/pki/rpm-gpg' with warning (RhBug:1644040)
- Enable timestamp preserving for downloaded data (RhBug:1688537)
- Fix 'database is locked' error (RhBug:1631533)
- Replace the 'Failed to synchronize cache' message (RhBug:1712055)
- Fix 'no such table: main.trans_cmdline' error (RhBug:1596540)
- Fix: skip_if_unavailable=true for local repositories (RhBug:1716313)
- Add support of modular FailSafe (RhBug:1623128)
- Add support of DNF main config file in context; used by PackageKit and microdnf (RhBug:1689331)
- Exit gpg-agent after repokey import (RhBug:1650266)

[0.33.0-1]
- Update to 0.33.0
- Enhance sorting for module list (RhBug:1590358)
- [DnfRepo] Add methods for alternative repository metadata type and download (RhBug:1656314)
- Remove installed profile on module enable or disable (RhBug:1653623)
- Enhance modular solver to handle enabled and default module streams differently (RhBug:1648839)
- Add support of wild cards for modules (RhBug:1644588)
- Exclude module pkgs that have conflict
- Enhance config parser to preserve order of data, and keep comments and format
- Improve ARM detection
- Add support for SHA-384
- Return empty query if incorrect reldep (RhBug:1687135)
- ConfigParser: Improve compatibility with Python ConfigParser and dnf-plugin-spacewalk (RhBug:1692044)
- ConfigParser: Unify default set of string representation of boolean values
- Fix segfault when interrupting dnf process (RhBug:1610456)
- Installroot now requires absolute path
- Support '_none_' value for repo option 'proxy' (RhBug:1680272)
- Add support for Module advisories
- Add support for xml:base attribute from primary.xml (RhBug:1691315)
- Improve detection of Platform ID (RhBug:1688462)

[0.22.5-6]
- Rebuild for libsolv soname bump (in libsolv update to 0.7.4)

librepo [1.10.3-3]
- Backport patch: Fix: Verification of checksum from file attr

[1.10.3-2]
- Backport patch: Define LRO_SUPPORTS_CACHEDIR only with zchunk (RhBug:1726141,1719830)

[1.10.3-1]
- Update to 1.10.3
- Exit gpg-agent after repokey import (RhBug:1650266)

[1.10.1-1]
- Update to 1.10.1
- Reduce download delays
- Add an option to preserve timestamps of the downloaded files (RhBug:1688537)
- Append the '?' part of repo URL after the path
- Fix memory leaks

librhsm [0.0.3-3]
- Generate repofile for any architecture if 'ALL' is specified

libsolv [0.7.4-3]
- Backport patches: Use OpenSSL for computing hashes (RhBug:1630300)

[0.7.4-2]
- Backport patch: Do not consider excluded packages as a best candidate (RhBug:1677583)

[0.7.4-1]
- soname bump to '1'
- incompatible API changes:
* bindings: Selection.flags is now an attribute
* repodata_lookup_num now works like the other lookup_num functions
- new functions:
* selection_make_matchsolvable
* selection_make_matchsolvablelist
* pool_whatmatchessolvable
* repodata_search_arrayelement
* repodata_lookup_kv_uninternalized
* repodata_search_uninternalized
* repodata_translate_dir
- new repowriter interface to write solv files allowing better control over what gets written
- support for filtered file lists with a custom filter
- dropped support of (since a long time unused) REPOKEY_TYPE_U32
- selected bug fixes:
* fix nasty off-by-one error in repo_write
* do not autouninstall packages because of forcebest updates
* fixed a couple of null pointer derefs and potential memory leaks
* made disfavoring recommended packages work if strong recommends is enabled
* no longer disable infarch rules when they don't conflict with the job
* repo_add_rpmdb: do not copy bad solvables from the old solv file
* fix cleandeps updates not updating all packages
- new features:
* support rpm's new '^' version separator
* support set/get_considered_list in bindings
* new experimental SOLVER_FLAG_ONLY_NAMESPACE_RECOMMENDED flag
* do favor evaluation before pruning allowing to (dis)favor specific package versions
* bindings: support pool.matchsolvable(), pool.whatmatchessolvable(), pool.best_solvables() and selection.matchsolvable()
* experimental DISTTYPE_CONDA and REL_CONDA support

microdnf [3.0.1-3]
- Fix microdnf --help coredump (RhBug:1744979)

[3.0.1-2]
- Fix minor memory leaks (RhBug:1702283)
- Use help2man to generate a man page (RhBug:1612520)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the installed package versions reported by the host's RPM database (the Host/RedHat/rpm-list item listed under Required KB Items), compared against the fixed versions from the advisory. A host that has the fix backported under a lower version string, or one that is still running a process with the old library loaded, is not distinguished by such a check.
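The following is an added example, written for this page and not Tenable's plugin code or anything from the Oracle advisory. It shows the kind of version-only check the note above describes: installed RPM name/epoch/version/release tuples are compared against the minimum fixed versions taken from the changelog headers on this page, using a Python port of rpm's own rpmvercmp() rules (which also cover the '~' and '^' separators mentioned in the libsolv 0.7.4 entry). Assumptions: the fixed releases are used as they appear in the changelog headers, without the ".el8" dist tag; rpmvercmp treats "3.el8" as newer than "3", so an installed "3.el8" still counts as fixed. The sample `rpm -qa` output is constructed for the example, not taken from a real host. One consequence worth knowing: the libdnf fix carries Oracle's release "8.0.1", and rpmvercmp ranks a Red Hat style "8.el8" below it (an alphabetic segment sorts below a numeric one), so the check follows Oracle's own release numbering.

```python
"""Version-based check for ELSA-2019-3583 (added example, not Tenable's or Oracle's code)."""

# Minimum fixed (epoch, version, release) per source package, from the changelog
# headers on this page. Assumption: no dist tag, and epoch 0 for every package.
FIXED_SRC = {
    "createrepo_c": (0, "0.11.0", "3"),
    "dnf": (0, "4.2.7", "6"),
    "dnf-plugins-core": (0, "4.0.8", "3"),
    "libcomps": (0, "0.1.11", "2"),
    "libdnf": (0, "0.35.1", "8.0.1"),
    "librepo": (0, "1.10.3", "3"),
    "librhsm": (0, "0.0.3", "3"),
    "libsolv": (0, "0.7.4", "3"),
    "microdnf": (0, "3.0.1", "3"),
}
# Binary sub-packages (from the CPE list on this page) share their source package's EVR.
SUBPACKAGES = {
    "createrepo_c-libs": "createrepo_c", "createrepo_c-devel": "createrepo_c",
    "python3-createrepo_c": "createrepo_c",
    "yum": "dnf", "dnf-data": "dnf", "dnf-automatic": "dnf", "python3-dnf": "dnf",
    "yum-utils": "dnf-plugins-core", "python3-dnf-plugins-core": "dnf-plugins-core",
    "python3-dnf-plugin-versionlock": "dnf-plugins-core",
    "libcomps-devel": "libcomps", "python3-libcomps": "libcomps",
    "python3-libdnf": "libdnf", "python3-hawkey": "libdnf",
    "python3-librepo": "librepo",
}
FIXED = dict(FIXED_SRC)
FIXED.update({sub: FIXED_SRC[src] for sub, src in SUBPACKAGES.items()})


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 for one version or release string."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are skipped; only alphanumerics, '~' and '^' are significant.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):  # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):  # caret sorts after end of string but before anything else
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:  # mixed types: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever string still has characters left wins


def evr_cmp(x, y) -> int:
    """Compare two (epoch, version, release) tuples with rpm semantics."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_rpm_qa(text: str) -> dict:
    """Parse lines of: rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\\n'."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, ver, rel, _arch = line.split()
            pkgs[name] = (0 if epoch == "(none)" else int(epoch), ver, rel)
    return pkgs


def check_host(rpm_qa_text: str) -> dict:
    """Return {package: 'vulnerable' | 'fixed'} for installed packages named in the advisory."""
    return {
        name: ("vulnerable" if evr_cmp(evr, FIXED[name]) < 0 else "fixed")
        for name, evr in parse_rpm_qa(rpm_qa_text).items()
        if name in FIXED
    }


# Constructed sample host (not real output): libsolv and libcomps still on old builds.
SAMPLE_RPM_QA = """\
dnf (none) 4.2.7 6.el8 noarch
yum (none) 4.2.7 6.el8 noarch
libdnf (none) 0.35.1 8.0.1.el8 x86_64
libsolv (none) 0.7.4 2.el8 x86_64
libcomps (none) 0.1.8 13.el8 x86_64
python3-libcomps (none) 0.1.8 13.el8 x86_64
librepo (none) 1.10.3 3.el8 x86_64
bash (none) 4.4.19 10.el8 x86_64
"""

if __name__ == "__main__":
    for pkg, state in sorted(check_host(SAMPLE_RPM_QA).items()):
        print(f"{pkg:20s} {state}")
```

Run it as-is to see the verdict for the constructed host; on a real Oracle Linux 8 machine, feed it the output of the `rpm -qa --qf` command named in `parse_rpm_qa`.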

Solution

Update the affected packages. Where the enabled repositories carry updateinfo metadata, `dnf updateinfo info ELSA-2019-3583` shows what the advisory will change and `dnf upgrade --advisory=ELSA-2019-3583` applies exactly that set; otherwise a plain `dnf upgrade` of the listed packages brings them to the fixed versions. Verify afterwards with `rpm -q libsolv libcomps` that the installed releases are at or above those in the advisory.

See Also

https://linux.oracle.com/errata/ELSA-2019-3583.html

Plugin Details

Severity: High

ID: 180746

File Name: oraclelinux_ELSA-2019-3583.nasl

Version: 1.2

Type: local

Agent: unix

Published: 9/7/2023

Updated: 11/1/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-3817

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:dnf-plugins-core, p-cpe:/a:oracle:linux:createrepo_c-libs, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:yum-utils, p-cpe:/a:oracle:linux:libdnf, p-cpe:/a:oracle:linux:python3-librepo, p-cpe:/a:oracle:linux:python3-libdnf, p-cpe:/a:oracle:linux:python3-libcomps, p-cpe:/a:oracle:linux:createrepo_c, p-cpe:/a:oracle:linux:librhsm, p-cpe:/a:oracle:linux:yum, p-cpe:/a:oracle:linux:python3-dnf, p-cpe:/a:oracle:linux:libcomps-devel, p-cpe:/a:oracle:linux:microdnf, p-cpe:/a:oracle:linux:createrepo_c-devel, p-cpe:/a:oracle:linux:dnf, p-cpe:/a:oracle:linux:libcomps, p-cpe:/a:oracle:linux:libsolv, p-cpe:/a:oracle:linux:python3-dnf-plugin-versionlock, p-cpe:/a:oracle:linux:dnf-data, p-cpe:/a:oracle:linux:librepo, p-cpe:/a:oracle:linux:python3-dnf-plugins-core, p-cpe:/a:oracle:linux:python3-createrepo_c, p-cpe:/a:oracle:linux:python3-hawkey, p-cpe:/a:oracle:linux:dnf-automatic

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/14/2019

Vulnerability Publication Date: 12/28/2018

Reference Information

CVE: CVE-2018-20534, CVE-2019-3817