Topic: Sign repository metadata - CVE-2021-20271 mitigation

Red Hat refuses to fix CVE-2021-20271 https://access.redhat.com/security/cve/cve-2021-20271 in EL7, so the only mitigation is to use repo_gpgcheck=1 for yum. This could lead to remote code execution on a machine using the Remi repository if a Remi repository mirror was compromised.

But Remi's RPM repository does not currently sign the repository metadata, so repo_gpgcheck cannot be enabled.

Could the repository metadata please be signed? This would mitigate a whole class of potential security issues.

In essence it would mean to just sign the repodata/repomd.xml with the repository signing key and this would create the repodata/repomd.xml.asc signature file.
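As an added illustration (not part of the original post and not Remi's tooling), the script below does the client-side half of the mitigation described above: it audits a yum/dnf `.repo` definition for sections that lack `gpgcheck=1` or `repo_gpgcheck=1`, rewrites it so both are enforced, and checks whether a `repodata/` directory carries the `repomd.xml.asc` detached signature that yum fetches and verifies once `repo_gpgcheck=1` is set. The repo ids, mirror hostnames and the throw-away repodata directories are constructed for the example and are not real Remi configuration.

```python
"""Audit yum/dnf .repo files for metadata signature checking (CVE-2021-20271 mitigation).

Constructed example: repo ids and mirror URLs below are placeholders, not Remi's.
"""
import configparser
import os
import tempfile

# Constructed sample of an /etc/yum.repos.d/*.repo file. The first section already
# enforces repo_gpgcheck=1; the second only verifies package signatures, so a
# compromised mirror could still serve tampered repomd.xml / package lists.
SAMPLE_REPO_FILE = """\
[example-signed]
name=Example repo with signed metadata
baseurl=https://mirror.example.test/signed/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-unsigned-metadata]
name=Example repo that only checks package signatures
baseurl=https://mirror.example.test/unsigned/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-disabled]
name=Disabled repo, ignored by the audit
baseurl=https://mirror.example.test/old/$basearch/
enabled=0
gpgcheck=0
"""


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None so yum variables such as $basearch pass through untouched
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit_repo_config(text: str) -> dict:
    """Return {repo_id: [findings]} for every enabled repo section.

    A finding is recorded when gpgcheck or repo_gpgcheck is absent or not 1,
    or when no gpgkey is configured to verify signatures against.
    """
    parser = _parse(text)
    findings = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        if section.get("enabled", "1").strip() != "1":
            continue  # disabled repos are never contacted
        problems = []
        if section.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck is not 1: package signatures are not verified")
        if section.get("repo_gpgcheck", "0").strip() != "1":
            problems.append("repo_gpgcheck is not 1: repomd.xml is not verified")
        if "gpgkey" not in section:
            problems.append("gpgkey missing: nothing to verify signatures against")
        findings[repo_id] = problems
    return findings


def harden_repo_config(text: str) -> str:
    """Return the config with gpgcheck=1 and repo_gpgcheck=1 forced in every enabled section."""
    parser = _parse(text)
    lines = []
    for repo_id in parser.sections():
        section = parser[repo_id]
        if section.get("enabled", "1").strip() == "1":
            section["gpgcheck"] = "1"
            section["repo_gpgcheck"] = "1"
        lines.append(f"[{repo_id}]")
        for key, value in parser.items(repo_id):
            lines.append(f"{key}={value}")  # emit key=value, the form yum files normally use
        lines.append("")
    return "\n".join(lines)


def has_metadata_signature(repodata_dir: str) -> bool:
    """True if repodata/repomd.xml has a repomd.xml.asc detached signature beside it.

    With repo_gpgcheck=1 yum downloads exactly this .asc file and verifies it
    against gpgkey; a repository without it fails to load under that setting.
    """
    repomd = os.path.join(repodata_dir, "repomd.xml")
    return os.path.isfile(repomd) and os.path.isfile(repomd + ".asc")


def demo_repodata_layout() -> tuple:
    """Build two constructed repodata directories (no real metadata) and check each."""
    with tempfile.TemporaryDirectory() as tmp:
        signed = os.path.join(tmp, "signed", "repodata")
        unsigned = os.path.join(tmp, "unsigned", "repodata")
        for d in (signed, unsigned):
            os.makedirs(d)
            with open(os.path.join(d, "repomd.xml"), "w") as fh:
                fh.write("<repomd/>\n")  # placeholder content, not real metadata
        # Stand-in for the file that `gpg --detach-sign --armor repomd.xml` produces
        with open(os.path.join(signed, "repomd.xml.asc"), "w") as fh:
            fh.write("-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
        return has_metadata_signature(signed), has_metadata_signature(unsigned)


if __name__ == "__main__":
    for repo_id, problems in audit_repo_config(SAMPLE_REPO_FILE).items():
        print(repo_id, "OK" if not problems else problems)
    print("repodata check (signed, unsigned):", demo_repodata_layout())
```

On the repository side the corresponding step is the one the post names: a detached armored signature of `repodata/repomd.xml` made with the repository signing key (`gpg --detach-sign --armor` writes `repomd.xml.asc` next to it), regenerated every time the metadata is rebuilt so the signature and the file never drift apart.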

Re: Sign repository metadata - CVE-2021-20271 mitigation

Will see if this can be easily done in my tooling chain

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: Sign repository metadata - CVE-2021-20271 mitigation

I prefer to track such requests in the issue tracker, so https://github.com/remicollet/remirepo/issues/175

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi