RPM Security Issue Fixes Available
Raleigh, United States, October 25, 2001
Red Hat has created errata packages with GPG signatures for two packages in Red Hat Linux 7.2 that are lacking a GPG signature
A member of the security community has correctly pointed out that two packages in Red Hat Linux 7.2 are lacking a GPG signature: rpm-release (the label of the release) and rpmdb (the manifest of the release). Neither package contains executable code as shipped. The absence of this signature makes it possible for an attacker to create packages of the same name which, when downloaded and installed, could be used to exploit a system (though there have not been any known exploits at this time).
System administrators who do not install unsigned packages will not be affected by this issue. System administrators who obtain Red Hat Linux via CD or ISO image are able to verify the MD5 checksum (provided as part of the CD or ISO image) manually, but may be inconvenienced by the lack of a GPG signature. Note that all updates received via Red Hat Network are always automatically verified to have the Red Hat GPG signature intact.
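One way to catch packages that carry no signature entry at all, as an added example that is not Red Hat's code and not part of the original notice: it parses the RPM signature header directly (tag numbers are rpm's RPMSIGTAG_* values) and reports whether a GPG/PGP entry is present, so a tooling script can refuse such a package before `rpm -i`. The two package images at the bottom are constructed inline for the demonstration and are not real Red Hat packages; a present signature entry still has to be verified against a trusted key with `rpm --checksig`.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"     # magic at offset 0 of every RPM package
LEAD_SIZE = 96                        # fixed-size lead that precedes the signature header
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # rpm header-structure magic, version 1
RPM_BIN = 7                           # header entry type for raw bytes (INT32 is type 4)
# Signature-header tags that carry an OpenPGP signature (rpm's RPMSIGTAG_* values)
SIG_TAGS = {1002: "PGP", 1005: "GPG", 267: "DSA", 268: "RSA"}
MD5_TAG = 1004                        # RPMSIGTAG_MD5: a digest only, proves nothing about origin


def parse_signature_header(pkg: bytes) -> dict:
    """Map tag -> raw bytes for every entry in the signature header of an RPM image."""
    if pkg[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM package: bad lead magic")
    base = LEAD_SIZE
    if pkg[base:base + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, _hsize = struct.unpack(">II", pkg[base + 8:base + 16])
    index, store = base + 16, base + 16 + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">IIII", pkg[index + 16 * i:index + 16 * i + 16])
        size = count if typ == RPM_BIN else 4 * count   # only BIN and INT32 entries occur here
        entries[tag] = pkg[store + off:store + off + size]
    return entries


def signature_status(pkg: bytes) -> dict:
    """Report which signature tags a package carries; catches packages that were never
    signed at all, like the two in the notice (presence is not yet verification)."""
    entries = parse_signature_header(pkg)
    sigs = sorted(SIG_TAGS[t] for t in entries if t in SIG_TAGS)
    return {"has_md5": MD5_TAG in entries, "signatures": sigs, "signed": bool(sigs)}


def build_signature_header(entries) -> bytes:
    """Build a header structure from (tag, type, data) tuples; used only to construct
    the sample images below, it is not a signing routine."""
    index = store = b""
    for tag, typ, data in entries:
        count = len(data) if typ == RPM_BIN else len(data) // 4
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    hdr = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store
    return hdr + b"\0" * (-len(hdr) % 8)   # signature header is padded to 8-byte alignment


# Constructed sample images: both carry a size and an MD5 entry; only one carries a GPG entry.
_LEAD = LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4)
_COMMON = [(1000, 4, struct.pack(">I", 4096)), (MD5_TAG, RPM_BIN, bytes(16))]
UNSIGNED_PKG = _LEAD + build_signature_header(_COMMON)
SIGNED_PKG = _LEAD + build_signature_header(_COMMON + [(1005, RPM_BIN, b"\x88" + bytes(64))])
```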
In less than 24 hours, Red Hat has corrected this problem by signing these two packages and creating errata packages with GPG signatures. These packages are available immediately via Red Hat Network and public FTP sites.
Red Hat takes all security concerns seriously, and we value the contribution of the security community in helping us identify and correct potential security problems.