Updated up2date packages for Red Hat Linux 8.0 and 9 fix RPM GPG signature verification.
The Red Hat Update Agent, up2date, automatically queries the Red Hat Network servers and determines which packages need to be updated on your machine.

up2date versions 3.0.7 and 3.1.23 incorrectly check RPM GPG signatures. These are the versions found in Red Hat Linux 8.0 and 9. This bug allows packages which have no GPG signature to be installed by up2date if they are provided by the Red Hat Network servers. The intended behaviour is that only packages signed with the Red Hat package signing key will be installed.

For an attacker to make use of this flaw, they would have to make unsigned packages appear on the Red Hat Network. Connections to the Red Hat Network servers are authenticated and verified by the use of SSL, so it is not possible to intercept the connection to Red Hat Network servers and supply unsigned packages. To make use of this flaw, an attacker would have to compromise the Red Hat Network servers at Red Hat. Because of these factors, the risk of exploiting this bug is low. However, we advise that all users of up2date update to these erratum packages.

Note that all other variations of package signature checks work correctly. The fix was to change the code so that packages with no GPG signature are rejected in the same way as those with bad GPG signatures (the up2date client refuses to install them).

Red Hat would like to thank Barry Nathan for finding and reporting this error.
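The flaw described above, modelled in Python as an added example (this is not up2date's own code): a three-way signature verdict, the flawed install policy that only rejects an explicit bad signature, and the corrected policy that rejects anything short of a verified signature. The sample result lines and the package name are constructed in the general shape of `rpm --checksig` output; real rpm output varies by version.

```python
from enum import Enum


class Verdict(Enum):
    GOOD = "signature verified"
    BAD = "signature check failed (bad signature or unknown key)"
    NONE = "no GPG signature present"


def classify(checksig_line: str) -> Verdict:
    """Classify one `rpm --checksig` style result line.

    The tokens after the colon name the checks rpm ran (md5, sha1, gpg, ...)
    and end with OK or NOT OK.  A line with no gpg/pgp token means no
    signature was ever checked: that is the case up2date mishandled.
    """
    _, _, result = checksig_line.partition(":")
    tokens = [t.strip("()").lower() for t in result.split()]
    signed = "gpg" in tokens or "pgp" in tokens
    if "not" in tokens:          # "NOT OK" anywhere means a failed check
        return Verdict.BAD
    if not signed:
        return Verdict.NONE
    return Verdict.GOOD


def install_allowed_vulnerable(line: str) -> bool:
    """Flawed policy (up2date 3.0.7 / 3.1.23): only an explicit failure blocks install."""
    return classify(line) != Verdict.BAD


def install_allowed_fixed(line: str) -> bool:
    """Fixed policy: anything other than a verified signature is rejected (fail closed)."""
    return classify(line) == Verdict.GOOD


# Constructed samples: signed OK, unsigned, tampered, and signed with an unknown key.
SAMPLES = {
    "signed":     "example-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK",
    "unsigned":   "example-1.0-1.i386.rpm: sha1 md5 OK",
    "tampered":   "example-1.0-1.i386.rpm: (sha1) dsa sha1 MD5 GPG NOT OK",
    "unknownkey": "example-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)",
}


def compare() -> dict:
    """Return {name: (vulnerable_decision, fixed_decision)} for every sample."""
    return {k: (install_allowed_vulnerable(v), install_allowed_fixed(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:10s} vulnerable={'install' if vuln else 'reject':7s} fixed={'install' if fixed else 'reject'}")
```

Only the "unsigned" sample separates the two policies: the flawed check installs it, the fixed check rejects it along with the tampered and unknown-key packages.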