Package management service
Richard Hughes 52da7c5f6d
Upstream yum recently changed the behaviour when checking signatures
on a package. The commit added a new configuration key which only
affects local packages, but the key was set by default to False.
This meant that an end user could install a local unsigned rpm package
using PackageKit without a GPG trust check, and the user would be told
the untrusted package is itself trusted.
To exploit this low-impact vulnerability, a user would have to
manually download an unsigned package file and would still be required
to authenticate to install the package.
The CVE-ID for this bug is CVE-2011-2515.
See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
Resolves #718127
2011-07-01 10:27:26 +01:00
.gitignore New upstream release. 2011-06-07 09:25:11 +01:00
0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch Upstream yum recently changed the behaviour when checking signatures 2011-07-01 10:27:26 +01:00
PackageKit-0.3.8-Fedora-Vendor.conf.patch customize Vendor.conf for Fedora 2008-10-24 21:54:04 +00:00
PackageKit-0.4.4-Fedora-turn-off-time.conf.patch - New upstream version 2009-02-23 11:10:24 +00:00
PackageKit.spec Upstream yum recently changed the behaviour when checking signatures 2011-07-01 10:27:26 +01:00
sources New upstream release. 2011-06-07 09:25:11 +01:00