Security 10809 Published by

Red Hat has released updated up2date packages for Red Hat Linux 8.0 and 9



up2date versions 3.0.7 and 3.1.23 incorrectly check RPM GPG signatures. These are the versions found in Red Hat Linux 8.0 and 9.

This bug allows packages which have no GPG signature to be installed by up2date if they are provided by the Red Hat Network servers. The intended behaviour is that only packages signed with the Red Hat package signing key will be installed.
Read more