It was found that rpm-ostree did not check GPG signatures on packages when layering them. Note that for RHEL Atomic Host this issue is of lower impact because "certificate pinning" (TLS client certificates for the package source) is enabled by default; while it does not provide the same type of safety measure as GPG signature checking, it is a strong, standard baseline security practice against many threat scenarios.
Acknowledgments:
Name: Colin Walters (Red Hat)
This issue has been addressed in the following products:
RHAH for RHEL 7 via RHSA-2017:0444 https://access.redhat.com/errata/RHSA-2017:0444
Mitigation: This issue is partially mitigated on RHEL Atomic Host, where default certificate pinning ensures provenance.
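As an added, defender-side illustration (not rpm-ostree's or Red Hat's code): the gate that was missing is "only layer a package whose GPG signature rpm has verified against an imported key". The script below parses the output of `rpm -K` (`--checksig`) and splits packages into allowed and rejected; the sample output and the key id `deadbeef` are constructed, and the two rpm output formats (rpm 4.11 on RHEL 7, rpm 4.14 and later) are assumptions.

```python
import re
from dataclasses import dataclass

# One result line of `rpm -K` / `rpm --checksig`. Assumed output formats:
#   rpm 4.11 (RHEL 7): "rsa sha1 (md5) pgp md5 OK" (signed, key trusted);
#     "sha1 md5 OK" (digests only, unsigned); "... NOT OK (MISSING KEYS: ...)"
#   rpm >= 4.14: "digests signatures OK", "digests SIGNATURES NOT OK", "digests OK"
_LINE = re.compile(
    r"^(?P<path>.+?):\s+(?P<detail>.*?)\s*(?P<verdict>NOT OK|OK)"
    r"(?:\s*\((?P<reason>.*)\))?\s*$"
)


@dataclass
class SigResult:
    path: str
    signed: bool    # a GPG signature is present at all
    verified: bool  # present AND verified by rpm against an imported key
    reason: str     # rpm's explanation on failure, e.g. "MISSING KEYS: ..."


def parse_checksig_line(line: str) -> SigResult:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rpm -K output: {line!r}")
    detail = m.group("detail").lower()
    # Digest-only output ("sha1 md5 OK", "digests OK") still ends in OK, so an
    # OK without a signature marker must not be read as "signed".
    signed = any(tok in detail for tok in ("pgp", "gpg", "signatures"))
    verified = signed and m.group("verdict") == "OK"
    return SigResult(m.group("path"), signed, verified, m.group("reason") or "")


def split_for_layering(checksig_output: str):
    """Return (allowed, rejected) paths; unsigned or untrusted packages are rejected."""
    allowed, rejected = [], []
    for line in checksig_output.splitlines():
        if line.strip():
            r = parse_checksig_line(line)
            (allowed if r.verified else rejected).append(r.path)
    return allowed, rejected


# Constructed sample of rpm -K output; the key id deadbeef is a placeholder.
SAMPLE_OUTPUT = """\
/tmp/pkgs/good-1.0-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
/tmp/pkgs/unsigned-1.0-1.el7.x86_64.rpm: sha1 md5 OK
/tmp/pkgs/badkey-1.0-1.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#deadbeef)
/tmp/pkgs/newer-2.0-1.x86_64.rpm: digests signatures OK
"""
```

On a real host, feed `split_for_layering` the stdout of `rpm -K <files>` run after the vendor key has been imported into the rpmdb, and pass only the allowed list to `rpm-ostree install`.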
Corrected push is now out. _Trevor
The CVE page at https://access.redhat.com/security/cve/CVE-2017-2623 implies there is still a patch pending for base RHEL 7. The Doc Text on this bug page also implies the issue is not limited to RHAH. Will there be a fix for base RHEL 7?
(In reply to Carl Song from comment #5)
> The CVE page at https://access.redhat.com/security/cve/CVE-2017-2623 implies
> there is still a patch pending for base RHEL 7. The Doc Text on this bug
> page also implies the issue is not limited to RHAH. Will there be a fix for
> base RHEL 7?

This issue is related only to the RHAH. It is now reflected on the CVE page as well.