Red Hat Comments on Unsigned Packages, Provides Signed Errata Packages
Oct 24, 2001, 21:54
Received from Schwartz Communications, Red Hat's publicists:
A member of the security community has correctly
pointed out that two packages in Red Hat Linux 7.2 are lacking a
GPG signature: rpm-release (the label of the release) and rpmdb
(the manifest of the release).
Neither package contains executable code as shipped. The absence
of this signature makes it possible for an attacker to create
packages of the same name which, when downloaded and installed,
could be used to exploit a system (though there have not been any
known exploits at this time). System administrators who do not
install unsigned packages will not be affected by this issue.
System administrators who obtain Red Hat Linux via CD or ISO image
are able to verify the MD5 checksum (provided as part of the CD or
ISO image) manually, but may be inconvenienced by the lack of a GPG
signature. Note that all updates received via Red Hat Network are
always automatically verified to have the Red Hat GPG signature.
In less than 24 hours, Red Hat has corrected this problem by
signing these two packages and creating errata packages with GPG
signatures. These packages are available immediately via Red Hat
Network and public FTP sites.
Red Hat takes all security concerns seriously, and we value the
contribution of the security community in helping us identify and
correct potential security problems.
Director of Corporate Public Relations
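The two checks the statement refers to, refusing RPMs that carry no GPG signature and verifying a file against an MD5 list by hand, as an added example. This is not part of Red Hat's statement or of the rpm tool itself; it assumes the rpm 4.0-era `rpm --checksig` (`rpm -K`) output format shown in the comments, assumes `md5sum` (or `openssl` as a fallback) is installed, and the package names in the comments are constructed, not Red Hat's:

```shell
#!/bin/sh
# Added example, not Red Hat's code or the rpm tool's own output handling.
#   1. classify each line of `rpm --checksig` (rpm -K) output and refuse
#      packages that carry no GPG signature or whose signature failed;
#   2. verify a file against an expected MD5 taken from the MD5SUM list on
#      the CD/ISO, which is the manual check the statement describes.
# Assumed (rpm 4.0-era) checksig line formats:
#   "<file>: md5 OK"          digest only, no signature at all
#   "<file>: md5 gpg OK"      digest plus a GPG signature that verified
#   "<file>: md5 GPG NOT OK"  signature present but wrong or untrusted key
# File names below such as "pkg-a.rpm" are constructed for illustration.

# classify_checksig "<one rpm --checksig line>" -> prints signed|unsigned|bad
classify_checksig() {
    result=${1#*: }                       # text after "<file>: "
    case "$result" in
        *"NOT OK"*)                echo bad ;;       # verification failed
        *gpg*|*GPG*|*signatures*)  echo signed ;;    # a signature was checked
        *)                         echo unsigned ;;  # digest only, as with the
    esac                                             # two 7.2 packages
}

# list_unsigned: reads rpm --checksig output on stdin and prints the file
# name of every package that is not both signed and OK.
# Exit status 1 if any such package was seen, 0 otherwise.
list_unsigned() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_checksig "$line")" != signed ]; then
            printf '%s\n' "${line%%:*}"
            found=1
        fi
    done
    return $found
}

# verify_md5 <file> <expected-md5-hex>: exit 0 only if the digest matches.
# An attacker who replaces an unsigned package cannot also rewrite the MD5SUM
# list on a pressed CD, so this still detects a swapped file.
verify_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$1" | cut -d' ' -f1)
    else
        actual=$(openssl dgst -md5 "$1" | sed 's/.*= //')   # fallback
    fi
    [ "$actual" = "$2" ]
}

# Usage: ./checkrpms.sh pkg-a.rpm pkg-b.rpm ...
# Installs nothing; it only gates on the signature check so that unsigned
# packages are never passed on to rpm -i.
if [ "$#" -gt 0 ]; then
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot check signatures" >&2
        exit 2
    fi
    if rpm --checksig "$@" | list_unsigned; then
        echo "all packages carry a GPG signature that verified"
    else
        echo "refusing: the packages listed above are unsigned or failed" >&2
        exit 1
    fi
fi
```

Run it with the downloaded `.rpm` files as arguments; a non-zero exit means at least one file should not be installed. The `signatures` pattern in `classify_checksig` also accepts the wording newer rpm releases print, but the exact strings are an assumption to confirm against `rpm --checksig` on the system in question.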