Topic: Sign repository metadata - CVE-2021-20271 mitigation

Red Hat refuses to fix CVE-2021-20271 https://access.redhat.com/security/cve/cve-2021-20271 in EL7 so the only mitigation is to use repo_gpgcheck=1 for yum. This could lead to remote code execution on the machine using Remi repository if a Remi repository mirror was compromised.

But the Remi's RPM repository does not currently sign the repository metadata so repo_gpgcheck cannot be enabled.

Could the repository metadata please be signed? This would mitigate a whole class of potential security issues.

In essence it would mean to just sign the repodata/repomd.xml with the repository signing key and this would create the repodata/repomd.xml.asc signature file.

Re: Sign repository metadata - CVE-2021-20271 mitigation

Will see if this can be easily done in my tooling chain

Desktop: Fedora 33 + rpmfusion + remi-test + remi-dev
Laptop:  Fedora 34 + rpmfusion + remi (SCL only)
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: Sign repository metadata - CVE-2021-20271 mitigation

I prefer to track such request in the issue tracker, so https://github.com/remicollet/remirepo/issues/175

Desktop: Fedora 33 + rpmfusion + remi-test + remi-dev
Laptop:  Fedora 34 + rpmfusion + remi (SCL only)
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi