REDHAT-BUG-1941098: Medium severity RPM (RPM Package Manager) vulnerability
RPM does not require subkeys to have a valid binding signature. This could potentially result in a signature being wrongly trusted in the following (rather contrived) scenario: a malicious subkey (to which an attacker holds the secret key) is added to a legitimate public key via a process that rejects primary keys but not subkeys and does not itself check binding signatures. The primary key is then exported and imported into RPM, which trusts the unbound subkey alongside the legitimate ones.
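The following Go program is an added illustration written for this page; it is not RPM's code and does not parse real OpenPGP packets. It models a primary key with subkeys using Ed25519 (the key structure, the `bindingMessage` layout and every function name are assumptions for the demo), appends a subkey whose binding the primary key never signed, and contrasts an import routine that trusts every subkey with one that verifies each binding signature under the primary key before adding the subkey to the keyring.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Subkey is a toy model of an OpenPGP subkey: public material plus the
// binding signature the primary key is supposed to have made over it.
// Assumed structure for illustration only, not RPM's or OpenPGP's format.
type Subkey struct {
	Pub     ed25519.PublicKey
	Binding []byte // nil or garbage on a subkey the primary never bound
}

// Key is a primary public key together with its subkeys.
type Key struct {
	Primary ed25519.PublicKey
	Subkeys []Subkey
}

// Keyring holds the public keys a package signature may be checked against.
type Keyring struct{ trusted []ed25519.PublicKey }

// bindingMessage is the data the primary key signs to bind a subkey to itself.
func bindingMessage(primary, sub ed25519.PublicKey) []byte {
	msg := append([]byte("subkey-binding:"), primary...)
	return append(msg, sub...)
}

// AddBoundSubkey creates a subkey and signs its binding with the primary
// private key, as a legitimate key owner would. It returns the subkey's
// private key so the caller can sign packages with it.
func (k *Key) AddBoundSubkey(primaryPriv ed25519.PrivateKey) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	binding := ed25519.Sign(primaryPriv, bindingMessage(k.Primary, pub))
	k.Subkeys = append(k.Subkeys, Subkey{Pub: pub, Binding: binding})
	return priv
}

// ImportLax models the flawed behaviour: every subkey on the key is trusted
// without checking that the primary key actually bound it.
func (r *Keyring) ImportLax(k Key) {
	r.trusted = append(r.trusted, k.Primary)
	for _, s := range k.Subkeys {
		r.trusted = append(r.trusted, s.Pub)
	}
}

// ImportStrict trusts a subkey only if its binding signature verifies under
// the primary key; ed25519.Verify returns false for a missing or malformed one.
func (r *Keyring) ImportStrict(k Key) (accepted, rejected int) {
	r.trusted = append(r.trusted, k.Primary)
	for _, s := range k.Subkeys {
		if ed25519.Verify(k.Primary, bindingMessage(k.Primary, s.Pub), s.Binding) {
			r.trusted = append(r.trusted, s.Pub)
			accepted++
		} else {
			rejected++
		}
	}
	return accepted, rejected
}

// VerifyPackage reports whether sig over pkg was made by any trusted key.
func (r *Keyring) VerifyPackage(pkg, sig []byte) bool {
	for _, pub := range r.trusted {
		if ed25519.Verify(pub, pkg, sig) {
			return true
		}
	}
	return false
}

// Scenario replays the description above with constructed keys. It returns
// whether the lax keyring trusts a package signed by the unbound subkey,
// whether the strict keyring does, and whether the strict keyring still
// trusts a package signed by the properly bound subkey.
func Scenario() (laxTrustsUnbound, strictTrustsUnbound, strictTrustsBound bool) {
	primaryPub, primaryPriv, _ := ed25519.GenerateKey(rand.Reader)
	key := Key{Primary: primaryPub}
	boundPriv := key.AddBoundSubkey(primaryPriv)

	// Subkey whose binding the primary key never signed (constructed for the demo).
	unboundPub, unboundPriv, _ := ed25519.GenerateKey(rand.Reader)
	key.Subkeys = append(key.Subkeys, Subkey{Pub: unboundPub, Binding: nil})

	pkg := []byte("constructed package payload")
	var lax, strict Keyring
	lax.ImportLax(key)
	strict.ImportStrict(key)

	laxTrustsUnbound = lax.VerifyPackage(pkg, ed25519.Sign(unboundPriv, pkg))
	strictTrustsUnbound = strict.VerifyPackage(pkg, ed25519.Sign(unboundPriv, pkg))
	strictTrustsBound = strict.VerifyPackage(pkg, ed25519.Sign(boundPriv, pkg))
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("lax trusts unbound subkey: %v\nstrict trusts unbound subkey: %v\nstrict trusts bound subkey: %v\n", a, b, c)
}
```

The point of the strict path is that the binding signature is verified against the primary key already on the certificate, so an attacker who can only append a subkey (but does not hold the primary secret key) cannot produce one that passes; the legitimate, properly bound subkey keeps working.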
Frequently Asked Questions
What is the severity of REDHAT-BUG-1941098?
REDHAT-BUG-1941098 is rated Medium severity; it is considered a security vulnerability because a signature made by an unbound subkey could be wrongly trusted.
How do I fix REDHAT-BUG-1941098?
To mitigate REDHAT-BUG-1941098, update RPM to a version that verifies subkey binding signatures on import, and re-check the public keys already in the RPM keyring.
What software is affected by REDHAT-BUG-1941098?
REDHAT-BUG-1941098 affects the RPM Package Manager.
What does REDHAT-BUG-1941098 entail?
REDHAT-BUG-1941098 involves RPM not requiring subkeys to have a valid binding signature, so a subkey appended to a legitimate public key without the primary key's binding signature may be accepted as a trusted signing key.
Who is responsible for REDHAT-BUG-1941098?
The vulnerability, REDHAT-BUG-1941098, is managed by the RPM Package Manager's development team.