popt, rpm security update

CentOS Errata and Security Advisory CESA-2011:1349

The RPM Package Manager (RPM) is a command line driven package management
system capable of installing, uninstalling, verifying, querying, and
updating software packages.

Multiple flaws were found in the way the RPM library parsed package
headers. An attacker could create a specially-crafted RPM package that,
when queried or installed, would cause rpm to crash or, potentially,
execute arbitrary code. (CVE-2011-3378)

Note: Although an RPM package can, by design, execute arbitrary code when
installed, this issue would allow a specially-crafted RPM package to
execute arbitrary code before its digital signature has been verified.
Package downloads from the Red Hat Network remain secure due to certificate
checks performed on the secure connection.

All RPM users should upgrade to these updated packages, which contain a
backported patch to correct these issues. All running applications linked
against the RPM library must be restarted for this update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2011-November/080321.html
https://lists.centos.org/pipermail/centos-announce/2011-November/080322.html
https://lists.centos.org/pipermail/centos-announce/2011-October/080253.html
https://lists.centos.org/pipermail/centos-announce/2011-October/080254.html

Affected packages:
popt
rpm
rpm-apidocs
rpm-build
rpm-devel
rpm-libs
rpm-python

Upstream details at:
https://access.redhat.com/errata/RHSA-2011:1349