| Release | Version |
|---|---|
| stretch | 4.12.0.2+dfsg1-2 |
| buster | 4.14.2.1+dfsg1-1 |
| bullseye | 4.16.1.2+dfsg1-3 |
| sid | 4.16.1.2+dfsg1-3 |
| Bug | stretch | buster | bullseye | sid | Description |
|---|---|---|---|---|---|
| CVE-2021-35939 | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable | checks for unsafe symlinks are not performed for intermediary directories |
| CVE-2021-35938 | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable | races with chown/chmod/capabilities calls during installation |
| CVE-2021-35937 | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable | TOCTOU race in checks for unsafe symlinks |
| CVE-2021-20271 | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | A flaw was found in RPM's signature check functionality when reading a ... |
| CVE-2021-20266 | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw all ... |
| CVE-2021-3421 | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | A flaw was found in the RPM package in the read functionality. This fl ... |
| Bug | stretch | buster | bullseye | sid | Description |
|---|---|---|---|---|---|
| CVE-2017-7501 | vulnerable | vulnerable | vulnerable | vulnerable | It was found that versions of rpm before 4.13.0.2 use temporary files ... |
| CVE-2017-7500 | vulnerable | vulnerable | vulnerable | vulnerable | It was found that rpm did not properly handle RPM installations when a ... |
| CVE-2010-2199 | vulnerable | vulnerable | vulnerable | vulnerable | lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadat ... |
| CVE-2010-2198 | vulnerable | vulnerable | vulnerable | vulnerable | lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadat ... |
| Bug | Description |
|---|---|
| CVE-2014-8118 | Integer overflow in RPM 4.12 and earlier allows remote attackers to ex ... |
| CVE-2013-6435 | Race condition in RPM 4.11.1 and earlier allows remote attackers to ex ... |
| CVE-2012-6088 | The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 d ... |
| CVE-2012-0815 | The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 al ... |
| CVE-2012-0061 | The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not ... |
| CVE-2012-0060 | RPM before 4.9.1.3 does not properly validate region tags, which allow ... |
| CVE-2011-3378 | RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attack ... |
| CVE-2010-2197 | rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax o ... |
| CVE-2010-2059 | lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and R ... |
| CVE-2006-5466 | Heap-based buffer overflow in the showQueryPackage function in librpm ... |
| CVE-2005-4889 | lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of ... |
| CVE-2005-2096 | zlib 1.2 and later versions allows remote attackers to cause a denial ... |
| DSA / DLA | Description |
|---|---|
| DLA-140-1 | rpm - security update |
| DSA-3129-1 | rpm - security update |