librpmbuild9-4.17.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12245 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z librpmbuild9-4.17.1-1.1 on GA media These are all security issues fixed in the librpmbuild9-4.17.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12245 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12245 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-3521/ SUSE CVE CVE-2021-3521 page openSUSE Tumbleweed librpmbuild9-4.17.1-1.1 rpm-4.17.1-1.1 rpm-32bit-4.17.1-1.1 rpm-build-4.17.1-1.1 rpm-build-perl-4.17.1-1.1 rpm-devel-4.17.1-1.1 librpmbuild9-4.17.1-1.1 as a component of openSUSE Tumbleweed rpm-4.17.1-1.1 as a component of openSUSE Tumbleweed rpm-32bit-4.17.1-1.1 as a component of openSUSE Tumbleweed rpm-build-4.17.1-1.1 as a component of openSUSE Tumbleweed rpm-build-perl-4.17.1-1.1 as a component of openSUSE Tumbleweed rpm-devel-4.17.1-1.1 as a component of openSUSE Tumbleweed There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources. CVE-2021-3521 openSUSE Tumbleweed:librpmbuild9-4.17.1-1.1 openSUSE Tumbleweed:rpm-32bit-4.17.1-1.1 openSUSE Tumbleweed:rpm-4.17.1-1.1 openSUSE Tumbleweed:rpm-build-4.17.1-1.1 openSUSE Tumbleweed:rpm-build-perl-4.17.1-1.1 openSUSE Tumbleweed:rpm-devel-4.17.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3521.html CVE-2021-3521 https://bugzilla.suse.com/1191175 SUSE Bug 1191175