View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001090 | channel: elrepo/el7 | elrepo-release | public | 2021-04-29 05:47 | 2021-05-09 13:07 |
| Reporter | blorp | Assigned To | pperry | ||
| Priority | high | Severity | feature | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Summary | 0001090: Sign repository metadata to allow repo_gpgcheck=1 | ||||
| Description | CVE-2021-20271 https://access.redhat.com/security/cve/cve-2021-20271 will not be fixed in EL7. It can be mitigated by setting repo_gpgcheck=1 for yum but currently ELRepo does not sign their repository metadata. This issue is to request the ELRepo project to sign their repository metadata and provide repodata/repomd.xml.asc. Additionally, DISA STIGs require this and it is a "high" severity finding if not enabled: https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71981 | ||||
| Steps To Reproduce | Add in /etc/yum.conf: repo_gpgcheck=1 Using the repository gives a 404 due to missing repodata/repomd.xml.asc and repository metadata is not verified. System is vulnerable to RCE in malformed repository data. | ||||
| Tags | No tags attached. | ||||
| Reported upstream | |||||
|
|
Acknowledged - we are working on this and hope to have repository metadata signed soon. Will update here once we have more. |
|
|
Signed repository metadata is now in place allowing repo_gpgcheck=1 to be set. Please can you test and feed back. We may tweak things as our scripts to sign the metadata evolve. |
|
|
At least the elrepo-kernel x86_64 repository works right with repo_gpgsign. |
|
|
Thank you. Closing as fixed for now. If you have any issues, please do not hesitate to reopen of file a new bug |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-04-29 05:47 | blorp | New Issue | |
| 2021-04-29 05:47 | blorp | Status | new => assigned |
| 2021-04-29 05:47 | blorp | Assigned To | => pperry |
| 2021-04-29 18:31 | toracat | Status | assigned => acknowledged |
| 2021-05-01 11:47 | pperry | Note Added: 0007577 | |
| 2021-05-09 08:52 | pperry | Note Added: 0007581 | |
| 2021-05-09 10:41 | blorp | Note Added: 0007582 | |
| 2021-05-09 13:07 | pperry | Note Added: 0007583 | |
| 2021-05-09 13:07 | pperry | Status | acknowledged => resolved |
| 2021-05-09 13:07 | pperry | Resolution | open => fixed |
