Insufficient verification of certificates in PackageKit
ID: | FEDORA-2011-8943 |
Distribution: | Fedora |
Platforms: | Fedora 15 |
Date: | Sun, 3 July 2011, 22:38 |
References: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2515 |
Applications: | PackageKit |
Original message |
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8943
2011-07-01 18:25:51
--------------------------------------------------------------------------------

Name        : PackageKit
Product     : Fedora 15
Version     : 0.6.15
Release     : 2.fc15
URL         : http://www.packagekit.org
Summary     : Package management service
Description :
PackageKit is a D-Bus abstraction layer that allows the session user to manage
packages in a secure way using a cross-distro, cross-architecture API.
--------------------------------------------------------------------------------
Update Information:

- Upstream yum recently changed the behaviour when checking signatures on a
  package. The commit added a new configuration key which only affects local
  packages, but the key was set by default to False.
- This meant that an end user could install a local unsigned rpm package using
  PackageKit without a GPG trust check, and the user would be told the untrusted
  package is itself trusted.
- To exploit this low-impact vulnerability, a user would have to manually
  download an unsigned package file and would still be required to authenticate
  to install the package.
- The CVE-ID for this bug is CVE-2011-2515
- See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 1 2011 Richard Hughes
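A defender-side check that reproduces, outside the package manager, the GPG trust decision the advisory says PackageKit skipped for local packages: a local .rpm is reported as trusted only when it carries a signature from a key in the RPM keyring and every check passes. This is an added example, not code from the Fedora advisory or from PackageKit/yum; it assumes the verbose output format of `rpm -K -v` from rpm 4.x, and the sample outputs below are constructed.

```python
"""Classify a local RPM's GPG trust status from `rpm -K -v` output.

Added example, not code from the Fedora advisory or PackageKit. It performs,
outside the package manager, the trust check that CVE-2011-2515 skipped for
local packages. Assumes rpm 4.x verbose checksig lines such as
'    V3 RSA/SHA256 Signature, key ID 069c8460: OK'.
"""
import re
import subprocess

# "<check>[, key ID <hex>]: <result>"; the key ID appears only on signature lines.
_LINE_RE = re.compile(r"^\s+(?P<check>.+?)(?:, key ID (?P<keyid>[0-9a-fA-F]+))?: (?P<result>.+)$")

def classify_checksig(output: str) -> str:
    """Return 'bad', 'unsigned', 'unknown-key' or 'trusted'.
    Only 'trusted' (a signature line present and every check OK) should let a
    UI call the package trusted. 'unsigned' is the case the advisory describes;
    'unknown-key' means the signing key is not in the RPM keyring.
    """
    saw_signature = False
    status = None
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # the "<path>:" header line
        check, result = m.group("check"), m.group("result")
        is_sig = "Signature" in check
        saw_signature = saw_signature or is_sig
        if "NOT OK" in result or result.startswith("BAD"):
            return "bad"  # tampered payload or invalid signature
        if is_sig and "NOKEY" in result:
            status = "unknown-key"
    if not saw_signature:
        return "unsigned"  # digests only: integrity, but no authenticity
    return status or "trusted"

def check_local_rpm(path: str) -> str:
    """Classify a local .rpm file; needs the rpm binary installed."""
    proc = subprocess.run(["rpm", "-K", "-v", path], capture_output=True, text=True)
    return classify_checksig(proc.stdout)

# Constructed sample outputs, not captured from a real system.
SIGNED_OK = ("/tmp/foo.rpm:\n    Header V3 RSA/SHA256 Signature, key ID 069c8460: OK\n"
             "    Header SHA1 digest: OK (1a2b...)\n"
             "    V3 RSA/SHA256 Signature, key ID 069c8460: OK\n    MD5 digest: OK (3c4d...)\n")
UNSIGNED = "/tmp/bar.rpm:\n    Header SHA1 digest: OK (1a2b...)\n    MD5 digest: OK (3c4d...)\n"
NOKEY = ("/tmp/baz.rpm:\n    Header V3 RSA/SHA256 Signature, key ID 0badcafe: NOKEY\n"
         "    Header SHA1 digest: OK (1a2b...)\n    MD5 digest: OK (3c4d...)\n")
TAMPERED = "/tmp/qux.rpm:\n    Header SHA1 digest: OK (1a2b...)\n    MD5 digest: NOT OK\n"
```

Anything other than `trusted` is a reason to refuse the install or at least to stop telling the user the package is trusted, which is exactly the UI statement the advisory describes as wrong.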