From ${URL} :

A security flaw was found in the way the Yum package manager performed management of repository metadata in certain circumstances (bad metadata was not removed properly and was re-used in a subsequent run). An attacker could inject a specially-crafted Trojan horse file into the metadata of a remote repository, possibly leading to their ability to confuse the Yum package manager into accepting invalid untrusted metadata as valid by mistake.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=910446
[2] http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099496.html
[3] http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100299.html
[4] https://lwn.net/Articles/540426/ (and search for 'yum: denial of service' here)

Relevant upstream patch:
[5] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=c148eb10b798270b3d15087433c8efb2a79a69d0
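The failure mode the report describes (metadata that fails verification is left in the local cache and is then trusted by the next run) can be modelled in a few lines. The following is an added example written for this page; it is not yum's code and not the upstream patch. The cache layout, the single checksum standing in for repomd.xml, the file name primary.xml and the two metadata payloads are all constructed for the illustration. The `strict` flag switches between the reported behaviour (cached file reused without re-verification, bad file never removed) and a hardened variant (verify on every load, delete on mismatch).

```python
"""Model of the reported yum metadata-cache flaw (added example, not yum's code).

Run 1 reaches a hostile mirror and receives tampered primary.xml whose checksum
does not match.  Run 2 reaches a good mirror.  With strict=False the tampered
file survives in the cache and is accepted on run 2; with strict=True it is
removed on failure and re-verified on every load, so run 2 gets good metadata.
"""
import hashlib
import os
import tempfile

# Constructed sample metadata: a genuine copy and a copy served by a hostile mirror.
GOOD_PRIMARY = b"<metadata><package name='foo' version='1.0'/></metadata>"
BAD_PRIMARY = b"<metadata><package name='foo' version='1.0-trojan'/></metadata>"

# In a real repository repomd.xml pins the digest of primary.xml; here the
# pinned digest is reduced to a single constant (assumption for the example).
EXPECTED_DIGEST = hashlib.sha256(GOOD_PRIMARY).hexdigest()


def read_file(path):
    with open(path, "rb") as f:
        return f.read()


def sha256_file(path):
    return hashlib.sha256(read_file(path)).hexdigest()


class MetadataCache:
    """Local cache directory holding 'primary.xml' as fetched from a mirror."""

    def __init__(self, cache_dir, strict):
        self.cache_dir = cache_dir
        self.strict = strict  # False reproduces the reported behaviour

    @property
    def path(self):
        return os.path.join(self.cache_dir, "primary.xml")

    def run(self, fetch):
        """One package-manager run.  Returns the metadata bytes accepted as
        valid, or None if the metadata was rejected."""
        if os.path.exists(self.path):
            if not self.strict:
                # Vulnerable pattern: whatever is in the cache is trusted,
                # including a file that failed verification on the last run.
                return read_file(self.path)
            # Hardened: cached metadata is re-verified on every load.
            if sha256_file(self.path) == EXPECTED_DIGEST:
                return read_file(self.path)
            os.remove(self.path)

        data = fetch()
        with open(self.path, "wb") as f:
            f.write(data)

        if sha256_file(self.path) != EXPECTED_DIGEST:
            if self.strict:
                # Hardened: a rejected file must not survive for the next run.
                os.remove(self.path)
            # Vulnerable pattern: the bad file is left in place.
            return None
        return data


def scenario(strict):
    """Run 1 against a hostile mirror, run 2 against a good mirror.
    Returns the metadata each run accepted (None means rejected)."""
    with tempfile.TemporaryDirectory() as d:
        cache = MetadataCache(d, strict)
        first = cache.run(lambda: BAD_PRIMARY)
        second = cache.run(lambda: GOOD_PRIMARY)
    return first, second


if __name__ == "__main__":
    print("vulnerable:", scenario(strict=False))
    print("hardened:  ", scenario(strict=True))
```

In the vulnerable run the first fetch is correctly rejected, but because the rejected file stays on disk and cached files are not re-checked, the second run accepts the tampered metadata even though a good mirror was available. The hardened variant makes two changes that are independent of each other: remove anything that fails verification, and never trust a cached file without re-verifying it.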
Upstream patch is there, waiting on a bump.
Security bumped to 3.4.3_p20130218. ~ only, no stable. noglsa.