Linux Today: Linux News On Internet Time.

Red Hat Comments on Unsigned Packages, Provides Signed Errata Packages

Oct 24, 2001, 21:54 (11 Talkback[s])

Received from Schwartz Communications, Red Hat's publicists:

A member of the security community has correctly pointed out that two packages in Red Hat Linux 7.2 are lacking a GPG signature: rpm-release (the label of the release) and rpmdb (the manifest of the release).

Neither package contains executable code as shipped. The absence of this signature makes it possible for an attacker to create packages of the same name which, when downloaded and installed, could be used to exploit a system (though there have not been any known exploits at this time). System administrators who do not install unsigned packages will not be affected by this issue. System administrators who obtain Red Hat Linux via CD or ISO image are able to verify the MD5 checksum (provided as part of the CD or ISO image) manually, but may be inconvenienced by the lack of a GPG signature. Note that all updates received via Red Hat Network are always automatically verified to have the Red Hat GPG signature intact.

In less than 24 hours, Red Hat has corrected this problem by signing these two packages and creating errata packages with GPG signatures. These packages are available immediately via Red Hat Network and public FTP sites.

Red Hat takes all security concerns seriously, and we value the contribution of the security community in helping us identify and correct potential security problems.

Melissa London
Director of Corporate Public Relations
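The statement's practical advice is to install only packages whose GPG signature verifies, and to check the MD5 checksum of a downloaded ISO by hand. The script below is an added example, not part of Red Hat's statement or of the rpm tool, showing how an administrator can enforce both checks before running `rpm -U`. It parses the one-line verdict that `rpm --checksig` (alias `rpm -K`) prints per package and refuses anything whose line reports only digests (md5/sha1) without a verified signature, which is exactly the unsigned-package case described above. The output formats it recognises are listed in the comments and are assumptions drawn from rpm releases the example's author knows; check them against `rpm --checksig` on your own system.

```shell
#!/bin/sh
# Added example (not Red Hat's code): gate RPM installs on a verified GPG
# signature, and verify an ISO's MD5 checksum, before installing anything.
#
# Verdict lines assumed from `rpm --checksig` (one per package):
#   pkg.rpm: md5 OK                                  (unsigned, old rpm)
#   pkg.rpm: md5 gpg OK                              (signed, old rpm)
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK              (signed, rpm 4.x)
#   pkg.rpm: digests OK                              (unsigned, rpm >= 4.14)
#   pkg.rpm: digests signatures OK                   (signed, rpm >= 4.14)
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#...)
#   pkg.rpm: digests SIGNATURES NOT OK               (bad signature)

# checksig_verdict LINE
# Returns 0 only when LINE reports a signature that was checked and valid.
# Digest-only results prove the file was not corrupted, not who built it,
# so they are rejected. Anything unrecognised fails closed.
checksig_verdict() {
    line=$1
    case "$line" in
        *"NOT OK"*) return 1 ;;   # signature missing key / bad, or digest bad
        *" OK") ;;                # every listed check passed; inspect which
        *) return 1 ;;            # unexpected format: refuse
    esac
    lower=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        *" gpg "*|*" pgp "*|*" signatures "*) return 0 ;;
        *) return 1 ;;            # only md5/sha1/digests listed: unsigned
    esac
}

# verify_md5 FILE EXPECTED_HEX
# Manual check for a downloaded ISO against the published checksum.
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# gate_install PKG...
# Run rpm --checksig on each package; install only if every one passes.
gate_install() {
    failed=0
    for pkg in "$@"; do
        verdict=$(rpm --checksig "$pkg" 2>&1)
        if checksig_verdict "$verdict"; then
            echo "signed and verified: $pkg"
        else
            echo "REFUSED (no valid GPG signature): $pkg" >&2
            failed=1
        fi
    done
    [ "$failed" -eq 0 ] || return 1
    rpm -Uvh "$@"
}

# Usage: ./gate_install.sh pkg1.rpm pkg2.rpm ...
if [ -n "${1:-}" ]; then
    gate_install "$@"
fi
```

Importing Red Hat's public key into the rpm keyring beforehand is what turns a "MISSING KEYS" line into a verified one; the gate above treats a missing key the same as no signature, which is the safe default.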
