Bug 171530 - security: Maelstrom RPM unsigned, DoS's up2date
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: Maelstrom
Version: 4
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Karsten Hopp
Keywords: Security
Reported: 2005-10-22 09:07 EDT by Graham Leggett
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-10-23 10:15:38 EDT
Description Graham Leggett 2005-10-22 09:07:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
The current mirrored copy of the Maelstrom RPM for i386 for Fedora Core 4 is unsigned, and thus up2date bombs out when attempting to update this file.

This DoS's the up2date system until Maelstrom is removed.



Version-Release number of selected component (if applicable):
Maelstrom (standard version as shipped on FC4 DVD)

How reproducible:
Always

Steps to Reproduce:
xxx

Additional info:
Comment 1 Andre Robatino 2005-10-22 21:29:17 EDT
  You may not have the Fedora Extras GPG key installed.  If this is the case,
up2date will falsely claim that the file is unsigned, when the only problem is
that the corresponding key is not installed.  To make sure, go into
/etc/pki/rpm-gpg and install the GPG key (as root) with

rpm --install RPM-GPG-KEY-fedora-extras

  I have Maelstrom installed and didn't have this problem when installing.  In
addition I just verified that

http://download.fedora.redhat.com/pub/fedora/linux/extras/4/i386/Maelstrom-3.0.6-8.i386.rpm

is properly signed with key 1ac70ce6.
Comment 2 Graham Leggett 2005-10-23 08:07:33 EDT
I tried to install the key (no idea why on earth the Fedora Core 4 upgrade
process doesn't install it, but regardless) and the install attempt hangs for no
apparent reason:

[root@phoebe rpm-gpg]# rpm --install RPM-GPG-KEY-fedora-extras
^C

[root@phoebe rpm-gpg]#
Comment 3 Graham Leggett 2005-10-23 10:15:38 EDT
Just figured it out - it was rpm --import instead of --install.

Closing this bug, as the problem is with the FC4 setup and not Maelstrom.
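
The distinction this thread turns on (a package that is unsigned versus one whose signing key is simply not imported) can be checked from `rpm -Kv` output. The following is an added example, not part of the original bug report; the function name `classify_checksig` is hypothetical, the sample outputs are constructed, and it assumes `rpm -Kv` marks a missing key with `NOKEY` and a failed check with `BAD`.

```shell
#!/bin/sh
# classify_checksig (hypothetical name) reads `rpm -Kv <package>` output on
# stdin and prints one of: bad | missing-key <keyid> | ok | unsigned
classify_checksig() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'BAD'; then
        # A digest or signature failed verification: report that first.
        echo "bad"
    elif printf '%s\n' "$out" | grep -q 'NOKEY'; then
        # Signed, but the signer's public key is not in the rpm keyring.
        keyid=$(printf '%s\n' "$out" |
            sed -n '/NOKEY/s/.*key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' | head -n 1)
        echo "missing-key ${keyid:-unknown}"
    elif printf '%s\n' "$out" | grep -qi 'signature'; then
        echo "ok"
    else
        # Only digest lines present: the package carries no signature at all.
        echo "unsigned"
    fi
}

# Constructed samples (assumed shape of `rpm -Kv` output, not captured from a host).
SAMPLE_NOKEY='Maelstrom-3.0.6-8.i386.rpm:
    Header V3 DSA signature: NOKEY, key ID 1ac70ce6
    Header SHA1 digest: OK
    MD5 digest: OK'
SAMPLE_OK='Maelstrom-3.0.6-8.i386.rpm:
    Header V3 DSA signature: OK, key ID 1ac70ce6
    Header SHA1 digest: OK
    MD5 digest: OK'
SAMPLE_UNSIGNED='example.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Real use: pass a package path as the first argument.
if [ $# -gt 0 ]; then
    verdict=$(rpm -Kv "$1" 2>&1 | classify_checksig)
    case $verdict in
        missing-key*) echo "$verdict: import the key with rpm --import, then re-check" ;;
        *)            echo "$verdict" ;;
    esac
fi
```

A `missing-key` result is the situation described in Comment 1: the fix is importing the key file from /etc/pki/rpm-gpg, not removing the package.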
