Security: Insufficient signature verification in PackageKit
Name: Insufficient signature verification in PackageKit
ID: FEDORA-2011-8943
Distribution: Fedora
Platforms: Fedora 15
Date: Sun, 3 July 2011, 22:38
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2515
Applications: PackageKit
Original message
-------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8943
2011-07-01 18:25:51
-------------------------------------------------------------------------------

Name        : PackageKit
Product     : Fedora 15
Version     : 0.6.15
Release     : 2.fc15
URL         : http://www.packagekit.org
Summary     : Package management service
Description :
PackageKit is a D-Bus abstraction layer that allows the session user to manage
packages in a secure way using a cross-distro, cross-architecture API.

-------------------------------------------------------------------------------
Update Information:

- Upstream yum recently changed the behaviour when checking signatures on a
  package. The commit added a new configuration key which only affects local
  packages, but the key was set by default to False.
- This meant that an end user could install a local unsigned rpm package using
  PackageKit without a GPG trust check, and the user would be told the
  untrusted package is itself trusted.
- To exploit this low-impact vulnerability, a user would have to manually
  download an unsigned package file and would still be required to
  authenticate to install the package.
- The CVE-ID for this bug is CVE-2011-2515
- See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.

-------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 1 2011 Richard Hughes <rhughes@redhat.com> - 0.6.15-2
- Upstream yum recently changed the behaviour when checking signatures on a
  package. The commit added a new configuration key which only affects local
  packages, but the key was set by default to False.
- This meant that an end user could install a local unsigned rpm package using
  PackageKit without a GPG trust check, and the user would be told the
  untrusted package is itself trusted.
- To exploit this low-impact vulnerability, a user would have to manually
  download an unsigned package file and would still be required to
  authenticate to install the package.
- The CVE-ID for this bug is CVE-2011-2515
- See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
- Resolves #718127
* Tue Jun 7 2011 Richard Hughes <rhughes@redhat.com> - 0.6.15-1
- New upstream release.
- More GIR fixes
- Allow the 'any' WhatProvides kind to match provide strings
- Do not prevent updating when firefox is running, we don't have all the
  client UI ready yet.

-------------------------------------------------------------------------------
References:

[ 1 ] Bug #718127 - CVE-2011-2515 PackageKit: installs unsigned RPM packages
      as though they were signed [fedora-15]
      https://bugzilla.redhat.com/show_bug.cgi?id=718127

-------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update PackageKit'
at the command line. For more information, refer to "Managing Software with
yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys

-------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
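The Update Information above describes the failure mode: a local, unsigned rpm was reported as trusted because the signature check for local packages was switched off by default. The added example below is not part of the Fedora notification or of PackageKit; it shows the check a defender can run independently of the package manager's configuration, by classifying the output of `rpm -K` (`rpm --checksig`) and refusing to install anything that is not signed by a key already imported into the rpm keyring. The exact wording of `rpm -K` output is assumed from rpm 4.x ("digests signatures OK", "digests OK" for an unsigned file, "... NOT OK" on a failed check or a missing key; older builds print tokens such as "gpg OK"); the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Classify one line of `rpm -K <file>` output. Added example, not project code.
# Assumed rpm 4.x formats (constructed samples):
#   "foo.rpm: digests signatures OK"       -> signed by an imported key
#   "foo.rpm: (sha1) dsa sha1 md5 gpg OK"  -> same, older rpm wording
#   "foo.rpm: digests OK"                  -> digests only, i.e. no signature at all
#   "foo.rpm: digests SIGNATURES NOT OK"   -> bad signature or signer key not imported
classify_checksig() {
    line="$1"
    case "$line" in
        *"NOT OK"*)                                 echo "reject"   ;;  # failed check or unknown key
        *"signatures OK"*|*" gpg OK"*|*" pgp OK"*)  echo "trusted"  ;;  # valid signature, key in keyring
        *" OK"*)                                    echo "unsigned" ;;  # digests only: nothing to trust
        *)                                          echo "reject"   ;;  # unparseable output: fail closed
    esac
}

# Install a local package only when rpm reports a valid signature from a key
# that has already been imported (e.g. the Fedora Project GPG key).
# Both the "unsigned" and the "reject" outcomes refuse, mirroring what the
# fixed PackageKit does instead of reporting the package as trusted.
install_local_rpm_checked() {
    pkg="$1"
    out=$(rpm -K "$pkg" 2>&1) || { echo "$pkg: rpm -K failed: $out" >&2; return 1; }
    case "$(classify_checksig "$out")" in
        trusted)  yum localinstall -y "$pkg" ;;
        unsigned) echo "$pkg: package is not signed; refusing to install" >&2; return 2 ;;
        *)        echo "$pkg: signature or digest NOT OK; refusing to install" >&2; return 3 ;;
    esac
}
```

Usage: `install_local_rpm_checked ./some-package.rpm`. Because the decision is made from `rpm -K` rather than from the package manager's own configuration, it is unaffected by a signature-check option that defaults to off; the trade-off is that a key must be imported into the rpm keyring beforehand, since an unknown key is deliberately treated as a rejection rather than as "unsigned".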