Topic: Sign repository metadata - CVE-2021-20271 mitigation

Red Hat refuses to fix CVE-2021-20271 https://access.redhat.com/security/cve/cve-2021-20271 in EL7, so the only mitigation is to use repo_gpgcheck=1 for yum. This could lead to remote code execution on a machine using the Remi repository if a Remi repository mirror was compromised.

But Remi's RPM repository does not currently sign the repository metadata, so repo_gpgcheck cannot be enabled.

Could the repository metadata please be signed? This would mitigate a whole class of potential security issues.

In essence it would just mean signing repodata/repomd.xml with the repository signing key, which would create the repodata/repomd.xml.asc signature file.
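Both halves of the request above, as an added example that is not part of this post and not Remi's own tooling: the maintainer-side signing step that produces repodata/repomd.xml.asc, and a client-side audit that lists the sections of a .repo file still lacking repo_gpgcheck=1. The repository path, key id and the sample .repo file are constructed placeholders.

```shell
# Added example (not Remi's tooling); repo_dir / signing_key are placeholders.

# Maintainer side: create repodata/repomd.xml.asc, the detached ASCII-armored
# signature that yum fetches and verifies when repo_gpgcheck=1 is set.
# Not invoked below because it needs a real key in the gpg keyring.
sign_repomd() {
    repo_dir="$1"; signing_key="$2"
    gpg --batch --yes --armor --detach-sign --local-user "$signing_key" \
        --output "$repo_dir/repodata/repomd.xml.asc" \
        "$repo_dir/repodata/repomd.xml"
}

# Client side: print every [section] in a .repo file that does not set
# repo_gpgcheck=1. Such repositories accept unsigned metadata, so a
# compromised mirror could still feed them a tampered repomd.xml.
repos_without_metadata_check() {
    awk '
        function flush() { if (sec != "" && !ok) print sec }
        /^\[/ { flush(); sec = substr($0, 2, length($0) - 2); ok = 0; next }
        /^[ \t]*repo_gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END { flush() }
    ' "$1"
}

# Constructed sample of /etc/yum.repos.d/remi.repo: one section hardened with
# repo_gpgcheck=1, one that only verifies packages (gpgcheck=1).
sample_repo_file() {
    cat <<'EOF'
[remi-safe]
name=Remi's RPM repository for Enterprise Linux 7 - safe (constructed sample)
baseurl=https://mirror.example.invalid/enterprise/7/safe/x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi

[remi-php74]
name=Remi's PHP 7.4 RPM repository for Enterprise Linux 7 (constructed sample)
baseurl=https://mirror.example.invalid/enterprise/7/php74/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
EOF
}

tmp=$(mktemp)
sample_repo_file > "$tmp"
repos_without_metadata_check "$tmp"   # prints: remi-php74
rm -f "$tmp"
```

Once repomd.xml.asc is published, setting repo_gpgcheck=1 makes yum reject metadata whose signature does not verify against the key in gpgkey, which is exactly the check a compromised mirror would otherwise bypass.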

Re: Sign repository metadata - CVE-2021-20271 mitigation

Will see if this can be easily done in my tooling chain

Desktop: Fedora 37 + rpmfusion + remi-test
Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: Sign repository metadata - CVE-2021-20271 mitigation

I prefer to track such requests in the issue tracker, so https://github.com/remicollet/remirepo/issues/175
