It was discovered that yum-rhn-plugin did not always properly verify the SSL certificate against the configured trusted CA certificate when communicating with a Red Hat Network (RHN) server. The SSL certificate was properly verified for XML-RPC communication, but the check was not applied to file downloads. This could simplify man-in-the-middle attacks, allowing an attacker to provide users with crafted repository metadata files or RPM packages. However, GPG signatures are verified before any package is installed, so an attacker could not use this to trick a user into installing packages from an untrusted source.
Note also that a successful attacker could not cause existing installed packages to be downgraded to older versions. So a successful attack could only 1) provide the victim with older but official Red Hat packages which the user did not already have installed, or 2) deny them the ability to update specific packages. (However, as the attacker has to be in the middle of the conversation to exploit this flaw, they could perform a similar denial attack without exploiting this issue.) CVSS2 score: low, 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
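The two limits described above (a package is only installed if its GPG signature checks out, and an installed package is never replaced by an older one) are what keep the impact of an unverified download low. The following is an added illustration, not code from yum-rhn-plugin or yum: a Python reimplementation of rpm's version-segment comparison (as I understand the rpmvercmp rules, omitting the newer tilde/caret handling) and a policy function applying those two checks to a package offered by a possibly tampered repository. All version strings and the gpg_signature_ok flag are constructed inputs.

```python
# Minimal rpmvercmp (rpm's version-segment comparison, without the newer
# tilde/caret rules) plus the two policy checks that apply regardless of
# how the package bytes reached the machine. Added example, not yum code.
def rpmvercmp(a, b):
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():  # skip separators like '.'
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:  # segment types differ: a numeric segment beats alpha
            return 1 if isnum else -1
        if isnum:   # numeric: compare by value, ignoring leading zeros
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the string with segments left wins


def evr_cmp(x, y):
    """Compare (epoch, version, release) tuples; epoch dominates."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def accept_package(installed, offered, gpg_signature_ok):
    """installed: EVR of the installed package, or None if not installed.
    offered: EVR advertised by the (possibly tampered) repository.
    Mirrors the two limits the advisory describes: no unsigned install,
    no downgrade of an already installed package."""
    if not gpg_signature_ok:
        return "reject: GPG signature missing or not trusted"
    if installed is not None and evr_cmp(offered, installed) <= 0:
        return "reject: not newer than installed version"
    return "accept"
```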
This issue only affected Red Hat Enterprise Linux 5, and not the package update mechanism as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.
Lifting embargo
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0815.html