Bug 1126002 (CVE-2014-3585) - CVE-2014-3585 redhat-upgrade-tool: does not check GPG signatures on package installation
Summary: CVE-2014-3585 redhat-upgrade-tool: does not check GPG signatures on package i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3585
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20141014,repo...
Depends On: 1123915 1144549 1201821 1201822
Blocks: 1126004
TreeView+ depends on / blocked
 
Reported: 2014-08-01 14:49 UTC by Vincent Danen
Modified: 2019-06-08 20:08 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the redhat-upgrade-tool did not check GPG signatures on downloaded and installed packages during the upgrade process.
Clone Of:
Environment:
Last Closed: 2015-11-20 15:42:36 UTC


Attachments (Terms of Use)

Description Vincent Danen 2014-08-01 14:49:18 UTC
Juraj Marko reported [1] that the redhat-upgrade-tool does not implement proper GPG signature checking when upgrading from one version of Red Hat Enterprise Linux to another.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1123915

Comment 2 Vasyl Kaigorodov 2015-03-13 15:18:46 UTC
This issue was fixed in Red Hat Enterprise Linux 6 with the following errata: 

https://rhn.redhat.com/errata/RHBA-2014-1396.html

Comment 4 Wade Mealing 2015-03-17 00:08:59 UTC
Acknowledgements:

This issue was discovered by Juraj Marko of the Red Hat QE Team.

Comment 7 Vincent Danen 2015-11-20 15:42:36 UTC
This was fixed in Red Hat Enterprise Linux 7 via:

https://rhn.redhat.com/errata/RHBA-2015-2395.html


Note You need to log in before you can comment on or make changes to this bug.