RPM Security Issue Fixes Available
Raleigh, United States, October 25, 2001
Red Hat has created errata packages with GPG signatures for two packages in Red Hat Linux 7.2 that were lacking a GPG signature.
A member of the security community has correctly pointed out that two packages in Red Hat Linux 7.2 are lacking a GPG signature: rpm-release (the label of the release) and rpmdb (the manifest of the release). Neither package contains executable code as shipped. The absence of this signature makes it possible for an attacker to create packages of the same name which, when downloaded and installed, could be used to exploit a system (though there have not been any known exploits at this time).
System administrators who do not install unsigned packages will not be affected by this issue. System administrators who obtain Red Hat Linux via CD or ISO image are able to verify the MD5 checksum (provided as part of the CD or ISO image) manually, but may be inconvenienced by the lack of a GPG signature. Note that all updates received via Red Hat Network are always automatically verified to have the Red Hat GPG signature intact.
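The policy described above, "do not install unsigned packages", can be enforced mechanically. The following POSIX shell helper is an added example, not part of the original Red Hat announcement: it classifies lines of `rpm -K` (`--checksig`) output and rejects any package that carries only a digest and no GPG signature, which is exactly the state `rpm-release` and `rpmdb` shipped in. The sample output lines and package file names used for the demonstration are constructed, and the version strings in them are assumptions.

```shell
#!/bin/sh
# Classify one line of `rpm -K` / `rpm --checksig` output.
# Older rpm prints "<pkg>: md5 gpg OK" for a signed package and just
# "<pkg>: md5 OK" when only the digest is present (no GPG signature).
# Newer rpm prints "digests signatures OK" and "digests OK" respectively.
# Any line containing "NOT OK" or "MISSING KEYS" failed verification.
rpm_sig_status() {
    line="$1"
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*) echo bad ;;
        *" gpg "*|*" pgp "*|*"signatures OK"*) echo signed ;;
        *" OK"*) echo unsigned ;;          # digest verified, no signature at all
        *) echo unknown ;;
    esac
}

# Read checksig output on stdin, print one REJECT line per package that is
# not cleanly signed, and return 1 if anything was rejected (0 otherwise).
audit_checksig_output() {
    bad=0
    while IFS= read -r line; do
        pkg=${line%%:*}                    # file name precedes the first colon
        status=$(rpm_sig_status "$line")
        if [ "$status" != signed ]; then
            echo "REJECT $pkg ($status)"
            bad=1
        fi
    done
    return $bad
}

# Audit every .rpm in a directory with the real rpm tool. The Red Hat public
# key must already be imported (rpm --import <keyfile>), otherwise signed
# packages show up as "NOT OK" / missing key and are rejected as well,
# which is the safe default.
check_dir() {
    for pkg in "$1"/*.rpm; do
        [ -e "$pkg" ] || continue
        rpm -K "$pkg" 2>&1
    done | audit_checksig_output
}

# Demonstration on constructed checksig output (package names/versions are
# illustrative assumptions, not taken from any real errata):
demo() {
    printf '%s\n' \
        'rpm-release-7.2-1.noarch.rpm: md5 OK' \
        'rpmdb-redhat-7.2-1.i386.rpm: md5 OK' \
        'example-signed-1.0-1.i386.rpm: md5 gpg OK' \
        'example-tampered-1.0-1.i386.rpm: md5 gpg NOT OK' \
        | audit_checksig_output
}

# Running `demo` prints REJECT lines for the two unsigned packages and the
# tampered one, and exits with status 1; `check_dir /path/to/rpms` does the
# same against real package files.
```

Because the classifier treats a missing key the same as a bad signature, the script never silently accepts a package it cannot verify; a clean pass requires both the digest and a GPG signature that rpm was able to check against an imported key.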
In less than 24 hours, Red Hat has corrected this problem by signing these two packages and creating errata packages with GPG signatures. These packages are available immediately via Red Hat Network and public FTP sites.
Red Hat takes all security concerns seriously, and we value the contribution of the security community in helping us identify and correct potential security problems.