RedHat: RHSA-2014-1004:01 Important: yum-updatesd security update
Summary
The yum-updatesd package provides a daemon which checks for available
updates and can notify you when they are available via email, syslog,
or dbus.
It was discovered that yum-updatesd did not properly perform RPM package
signature checks. When yum-updatesd was configured to automatically install
updates, a remote attacker could use this flaw to install a malicious
update on the target system using an unsigned RPM or an RPM signed with an
untrusted key. (CVE-2014-0022)
All yum-updatesd users are advised to upgrade to this updated package,
which contains a backported patch to correct this issue. After installing
this update, the yum-updatesd service will be restarted automatically.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
References
https://www.redhat.com/security/data/cve/CVE-2014-0022.html https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
yum-updatesd-0.9-6.el5_10.src.rpm
noarch:
yum-updatesd-0.9-6.el5_10.noarch.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
yum-updatesd-0.9-6.el5_10.src.rpm
noarch:
yum-updatesd-0.9-6.el5_10.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
Topic
An updated yum-updatesd package that fixes one security issue is nowavailable for Red Hat Enterprise Linux 5.The Red Hat Security Response Team has rated this update as havingImportant security impact. A Common Vulnerability Scoring System (CVSS)base score, which gives a detailed severity rating, is available from theCVE link in the References section.
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux (v. 5 server) - noarch
Red Hat Enterprise Linux Desktop (v. 5 client) - noarch
Bugs Fixed
1057377 - CVE-2014-0022 yum: yum-cron installs unsigned packages