Debian Package Tracker
Register | Log in
Subscribe

rpm

package manager for RPM

Choose email to subscribe with

general
  • source: rpm (main)
  • version: 6.0.1-1
  • maintainer: RPM packaging team (DMD)
  • uploaders: Luca Boccassi [DMD]
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 4.16.1.2+dfsg1-3
  • oldstable: 4.18.0+dfsg-1+deb12u1
  • stable: 4.20.1+dfsg-3
  • testing: 6.0.1-1
  • unstable: 6.0.1-1
versioned links
  • 4.16.1.2+dfsg1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.18.0+dfsg-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.20.1+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 6.0.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • librpm-dev
  • librpm10
  • librpmbuild10
  • librpmio10
  • librpmsign10
  • python3-rpm
  • rpm (1 bugs: 0, 0, 1, 0)
  • rpm-common
  • rpm2cpio
action needed
A new upstream version is available: 6.1.0-rc1 high
A new upstream version 6.1.0-rc1 is available, you should consider packaging it.
Created: 2026-05-13 Last update: 2026-07-16 11:30
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-44604: A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
  • CVE-2026-44605:
Created: 2026-05-29 Last update: 2026-07-13 01:01
2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-44604: A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
  • CVE-2026-44605:
Created: 2026-05-29 Last update: 2026-07-13 01:01
debian/patches: 1 patch with invalid metadata high

Among the 1 debian patch available in version 6.0.1-1 of the package, we noticed the following issues:

  • 1 patch with invalid metadata that ought to be fixed.
Created: 2025-11-07 Last update: 2025-12-17 08:00
Depends on packages which need a new maintainer normal
The packages that rpm depends on which need a new maintainer are:
  • rpmlint (#1093666)
    • Suggests: rpmlint
Created: 2025-10-26 Last update: 2026-07-16 16:50
2 new commits since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit bff5bb6b7dc6537960f420d79cd85dafefe799ea
Merge: 800a3c0 663c79e
Author: Luca Boccassi <bluca@debian.org>
Date:   Thu May 14 23:22:52 2026 +0000

    Merge branch 'master' into 'master'
    
    use dh-cruft to register & purge volatile files
    
    See merge request pkg-rpm-team/rpm!16

commit 663c79edfeeefdab86ee6cbd1544d509ba09a538
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Fri May 15 01:20:01 2026 +0200

    use dh-cruft to register & purge volatile files
Created: 2026-05-15 Last update: 2026-07-16 15:02
lintian reports 2 warnings normal
Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-02-28 Last update: 2026-02-28 06:30
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-44604: (needs triaging) A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
  • CVE-2026-44605: (needs triaging)

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-29 Last update: 2026-07-13 01:01
2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2026-44604: (needs triaging) A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
  • CVE-2026-44605: (postponed; to be fixed through a stable update)

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-29 Last update: 2026-07-13 01:01
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-03-31 15:01
news
[rss feed]
  • [2025-12-19] rpm 6.0.1-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-16] Accepted rpm 6.0.1-1 (source) into unstable (Luca Boccassi)
  • [2025-11-11] rpm 6.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2025-11-07] Accepted rpm 6.0.0-2 (source) into unstable (Luca Boccassi)
  • [2025-11-06] Accepted rpm 6.0.0-1 (source) into unstable (Luca Boccassi)
  • [2025-07-10] rpm 4.20.1+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2025-06-20] Accepted rpm 4.20.1+dfsg-3 (source) into unstable (Luca Boccassi)
  • [2025-04-02] rpm 4.20.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2025-03-28] Accepted rpm 4.20.1+dfsg-2 (source) into unstable (Luca Boccassi)
  • [2025-02-23] rpm 4.20.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-21] Accepted rpm 4.20.1+dfsg-1 (source) into unstable (Luca Boccassi)
  • [2025-02-19] rpm 4.20.0+dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2025-02-16] Accepted rpm 4.20.0+dfsg-4 (source) into unstable (Luca Boccassi)
  • [2024-10-23] rpm 4.20.0+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2024-10-20] Accepted rpm 4.20.0+dfsg-3 (source) into unstable (Luca Boccassi)
  • [2024-10-18] rpm 4.20.0+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2024-10-16] Accepted rpm 4.20.0+dfsg-2 (source) into unstable (Luca Boccassi)
  • [2024-10-13] Accepted rpm 4.20.0+dfsg-1 (source) into unstable (Luca Boccassi)
  • [2024-05-09] rpm 4.19.1.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-05-05] Accepted rpm 4.19.1.1+dfsg-1 (source) into unstable (Luca Boccassi)
  • [2024-04-30] rpm 4.18.2+dfsg-2.1 MIGRATED to testing (Debian testing watch)
  • [2024-04-22] Accepted rpm 4.19.1.1+dfsg-1~exp (source amd64 all) into experimental (Debian FTP Masters) (signed by: Luca Boccassi)
  • [2024-03-01] Accepted rpm 4.18.2+dfsg-2.1 (source) into unstable (Benjamin Drung)
  • [2024-02-27] rpm 4.18.2+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2024-02-26] Accepted rpm 4.18.2+dfsg-2.1~exp1 (source) into experimental (Steve Langasek)
  • [2024-02-25] Accepted rpm 4.18.2+dfsg-2 (source) into unstable (Luca Boccassi)
  • [2024-02-05] Accepted rpm 4.18.2+dfsg-1.1~exp1 (source) into experimental (Steve Langasek)
  • [2024-01-31] Accepted rpm 4.18.0+dfsg-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Peter Pentchev)
  • [2024-01-24] rpm 4.18.2+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-01-21] Accepted rpm 4.18.2+dfsg-1 (source) into unstable (Peter Pentchev)
  • 1
  • 2
bugs [bug history graph]
  • all: 2
  • RC: 0
  • I&N: 1
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 2)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 6.0.1-1build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing