Bug 1422157 (CVE-2017-2623)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2017-2623 rpm-ostree, rpm-ostree-client: fails to check gpg package signatures when layering | | |
| Product | [Other] Security Response | Reporter | Martin Prpič <mprpic> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | carl_song, dustymabe, jlebon, security-response-team, tjay, walters |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | rpm-ostree 2017.3 | Doc Type | Bug Fix |
| Doc Text | It was discovered that rpm-ostree and rpm-ostree-client fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2017-03-06 04:34:44 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1416089, 1433392 | | |
| Bug Blocks | 1422170 | | |
Description

Martin Prpič, 2017-02-14 15:45:57 UTC

Acknowledgments: Name: Colin Walters (Red Hat)

This issue has been addressed in the following products: RHAH for RHEL 7, via RHSA-2017:0444, https://access.redhat.com/errata/RHSA-2017:0444

Mitigation: This issue is partially mitigated on RHEL Atomic Host, where default certificate pinning ensures provenance.

Corrected push is now out.
-Trevor

Comment #5 (Carl Song):

The CVE page at https://access.redhat.com/security/cve/CVE-2017-2623 implies there is still a patch pending for base RHEL 7. The Doc Text on this bug page also implies the issue is not limited to RHAH. Will there be a fix for base RHEL 7?

(In reply to Carl Song from comment #5)
> The CVE page at https://access.redhat.com/security/cve/CVE-2017-2623 implies
> there is still a patch pending for base RHEL 7. The Doc Text on this bug
> page also implies the issue is not limited to RHAH. Will there be a fix for
> base RHEL 7?

This issue is related only to the RHAH. It is now reflected on the CVE page as well.