{"id":"ALSA-2024:0647","summary":"Moderate: rpm security update","details":"The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.\n\nSecurity Fix(es):\n\n* rpm: TOCTOU race in checks for unsafe symlinks (CVE-2021-35937)\n* rpm: races with chown/chmod/capabilities calls during installation (CVE-2021-35938)\n* rpm: checks for unsafe symlinks are not performed for intermediary directories (CVE-2021-35939)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","modified":"2026-01-30T01:49:30.770587Z","published":"2024-02-01T00:00:00Z","related":["CVE-2021-35937","CVE-2021-35938","CVE-2021-35939"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0647"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2021-35937"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2021-35938"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2021-35939"},{"type":"REPORT","url":"https://bugzilla.redhat.com/1964114"},{"type":"REPORT","url":"https://bugzilla.redhat.com/1964125"},{"type":"REPORT","url":"https://bugzilla.redhat.com/1964129"},{"type":"ADVISORY","url":"https://errata.almalinux.org/8/ALSA-2024-0647.html"}],"affected":[{"package":{"name":"python3-rpm","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/python3-rpm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-apidocs","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-apidocs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-build","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-build"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-build-libs","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-build-libs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-cron","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-cron"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-devel","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-devel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-libs","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-libs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-plugin-fapolicyd","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-plugin-fapolicyd"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-plugin-ima","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-plugin-ima"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-plugin-prioreset","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-plugin-prioreset"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-plugin-selinux","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-plugin-selinux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-plugin-syslog","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-plugin-syslog"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-plugin-systemd-inhibit","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-plugin-systemd-inhibit"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}},{"package":{"name":"rpm-sign","ecosystem":"AlmaLinux:8","purl":"pkg:rpm/almalinux/rpm-sign"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.3-28.el8_9"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:0647.json"}}],"schema_version":"1.7.3"}