-
Products
JBoss Enterprise Middleware
Red Hat JBoss Fuse Developer Studio Portfolio Edition Web Framework Kit Application Platform Web Server Data Grid Portal Platform Red Hat JBoss A-MQ SOA Platform Business Rules Management System (BRMS) Data Services Platform Messaging JBoss Operations Network JBoss Community or JBoss enterprise -
Solutions
Migration Center
Migrate to Red Hat Enterprise Linux Migration Center Systems management Upgrading to Red Hat Enterprise Linux JBoss Enterprise Middleware IBM AIX to Red Hat Enterprise Linux HP-UX to Red Hat Enterprise Linux Solaris to Red Hat Enterprise Linux UNIX to Red Hat Enterprise Linux Start a conversation with Red Hat Migration services -
Training
Courses and training paths
Popular and new courses JBoss Middleware Administration curriculum Core System Administration curriculum JBoss Middleware Development curriculum Advanced System Administration curriculum Linux Development curriculum Cloud Computing and Virtualization curriculum Cloud Computing, Virtualization, and Storage curriculum
RPM Security Issue Fixes Available
Raliegh
United States, October 25, 2001Red Hat has created errata packages with GPG signatures for two packages in Red Hat Linux 7.2 that are lacking a GPG signature
A member of the security community has correctly pointed out that two packages in Red Hat Linux 7.2 are lacking a GPG signature: rpm-release (the label of the release) and rpmdb (the manifest of the release). Neither package contains executable code as shipped. The absence of this signature makes it possible for an attacker to create packages of the same name which, when downloaded and installed, could be used to exploit a system (though there have not been any known exploits at this time).
System administrators who do not install unsigned packages will not be affected by this issue. System adminstrators who obtain Red Hat Linux via CD or ISO image are able to verify the MD5 checksum (provided as part of the CD or ISO image) manually, but may be inconvenienced by the lack of a GPG signature. Note that all updates received via Red Hat Network are always automatically verified to have the Red Hat GPG signature intact.
In less than 24 hours, Red Hat has corrected this problem by signing these two packages and creating errata packages with GPG signatures. These packages are available immediately via Red Hat Network and public FTP sites.
Red Hat takes all security concerns seriously, and we value the contribution of the security community in helping us identify and correct potential security problems.
