From ${URL} :

Description
A vulnerability has been reported in YUM, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused by an error within the "YumCronBase()" function when checking package signatures and can be exploited to spoof a package via e.g. Man-in-the-Middle (MitM) attacks.

The vulnerability is reported in version 3.4.3. Other versions may also be affected.

Solution:
Fixed in the git repository.

Further details available to Secunia VIM customers.

Provided and/or discovered by:
Gabriel VLASIU within a bug report.

Original Advisory:
YUM:
http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e5794

Gabriel VLASIU:
https://bugzilla.redhat.com/show_bug.cgi?id=1052440
https://bugzilla.redhat.com/show_bug.cgi?id=1057377

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2014-0022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0022): The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RPM package signing restriction via an unsigned package.
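The defect named in the CVE above, the result of the signature check being computed and then ignored, modelled as an added example (not yum's own code). The return-code convention is assumed to follow yum's sigCheckPkg(): 0 = verified or check not required, 1 = unsigned / key missing, 2 = verification failed; Pkg, sig_check_pkg, gpgsigcheck and the two install_updates_* functions are constructed stand-ins.

```python
# Added example (not yum's own code): models the CVE-2014-0022 pattern in
# which yum-cron's installUpdates() ran the GPG check but ignored its result.
# Return codes are assumed to mirror yum's sigCheckPkg(): 0 = verified or
# check not required, 1 = unsigned / key missing, 2 = verification failed.
from dataclasses import dataclass


@dataclass
class Pkg:
    name: str
    signed: bool
    sig_valid: bool = True


def sig_check_pkg(po: Pkg, gpgcheck: bool = True):
    """Constructed stand-in for sigCheckPkg(): returns (result, errmsg)."""
    if not gpgcheck:
        return 0, ""
    if not po.signed:
        return 1, "Package %s is not signed" % po.name
    if not po.sig_valid:
        return 2, "Package %s failed signature check" % po.name
    return 0, ""


def gpgsigcheck(pkgs):
    """Check every package; return 0 only if all verify, otherwise 1."""
    for po in pkgs:
        result, errmsg = sig_check_pkg(po)
        if result != 0:
            print("GPG check failed:", errmsg)
            return 1
    return 0


def install_updates_vulnerable(pkgs):
    """Pre-fix shape: gpgsigcheck() runs, but its return value is dropped."""
    gpgsigcheck(pkgs)  # result silently ignored, so the install proceeds
    return [po.name for po in pkgs]


def install_updates_fixed(pkgs):
    """Fixed shape: abort the whole transaction if any package fails."""
    if gpgsigcheck(pkgs) != 0:
        return []
    return [po.name for po in pkgs]


# Constructed sample: one properly signed update plus one unsigned package,
# the kind a MitM could substitute into the download stream.
SAMPLE = [Pkg("bash", signed=True), Pkg("openssl", signed=False)]
```

Running both variants over SAMPLE shows the vulnerable path installing the unsigned package while the fixed path installs nothing.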
I am not sure if we should simply treeclean this, as it looks like nobody cares about this package :(
Bleh, a lot of ebuilds still need this:

$ grep -r sys-apps/yum */*/*.ebuild
app-arch/createrepo/createrepo-0.10.3.ebuild: >=sys-apps/yum-3.4.3
app-arch/createrepo/createrepo-0.10.4.ebuild: >=sys-apps/yum-3.4.3
app-emulation/domi/domi-20060816.ebuild: sys-apps/yum
app-emulation/lxc/lxc-1.0.6-r1.ebuild: ewarn "will need sys-apps/yum or dev-util/debootstrap."
app-emulation/lxc/lxc-1.0.7.ebuild: ewarn "will need sys-apps/yum or dev-util/debootstrap."
app-emulation/lxc/lxc-1.0.8.ebuild: ewarn "will need sys-apps/yum or dev-util/debootstrap."
dev-util/febootstrap/febootstrap-2.11.ebuild: >=sys-apps/yum-3.2.21
dev-util/mock/mock-1.0.3.ebuild:RDEPEND="sys-apps/yum

:S
# Michał Górny <mgorny@gentoo.org> (04 Aug 2017)
# sys-apps/yum is severely outdated (last bump 2013), unmaintained
# since 2010. It has vulnerabilities. Removal in 30 days. Bug #499328.
#
# app-arch/createrepo is the last unmasked dependency. Since it is not
# useful at all without yum, it is being removed as well. Bug #620992.
app-arch/createrepo
sys-apps/yum
commit e70e26dba37b28340c631ad00489863ddd412cc6
Author: Sergey Popov <pinkbyte@gentoo.org>
Date:   Mon Aug 7 13:49:04 2017 +0300

    sys-apps/yum: version bump

    Set Python shebang properly for /usr/bin/yum
    Add missing 'python' USE-flag to app-arch/rpm dependency
    Drop old vulnerable versions

    Gentoo-Bug: 499328
    Gentoo-Bug: 563850

    Package-Manager: Portage-2.3.6, Repoman-2.3.1