RPM 4.13.0.2 Release Notes

Download information

• rpm-4.13.0.2.tar.bz2 source
• SHA256SUM: 2f3e2c07c354d16f2305ddd93ed030c8403d59b272f2fb6722445b091ff14194

Summary of changes from RPM 4.13.0.1

Security fixes

• Restrict following symlinks to directories by ownership (CVE-2017-7500), apply same rules on verification
• Don’t follow symlinks on file creation (CVE-2017-7501)

General bugfixes

• Fix file triggers failing to match on some packages (MgBug:18797)
• Fix Ftell() past 2GB on 32bit architectures (RhBug:1492587)
• Fix failure to install old packages with zero-length files (RhBug:1352222, regression introduced in rpm 4.12.x)
• Fix segfault on non-string type passed to :shescape and :expand formats
• Fix unknown signature tags not being ignored (RhBug:1480407)
• Fallback to DB_PRIVATE on readonly DB_VERSION_MISMATCH (RhBug:1465809)
• Limit automatic fallback to DB_PRIVATE to read-only operations

Package building

• Fix invalid memory access in %trace mode

Python bindings

• Fix spec object reference counting (#114)
• Fix rpmsign module build with setup.py

Build process

• Fix testsuite with newer NSS versions which require /dev/urandom
• Fix dwz test to work with newer versions of libmagic
• Fix symlink tests for the new CVE-2017-7500 behavior