rhsa-2014_1004
Vulnerability from csaf_redhat
Published
2014-08-05 03:34
Modified
2024-11-22 08:18
Summary
Red Hat Security Advisory: yum-updatesd security update
Notes
Topic
An updated yum-updatesd package that fixes one security issue is now
available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
The yum-updatesd package provides a daemon which checks for available
updates and can notify you when they are available via email, syslog,
or dbus.
It was discovered that yum-updatesd did not properly perform RPM package
signature checks. When yum-updatesd was configured to automatically install
updates, a remote attacker could use this flaw to install a malicious
update on the target system using an unsigned RPM or an RPM signed with an
untrusted key. (CVE-2014-0022)
All yum-updatesd users are advised to upgrade to this updated package,
which contains a backported patch to correct this issue. After installing
this update, the yum-updatesd service will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated yum-updatesd package that fixes one security issue is now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The yum-updatesd package provides a daemon which checks for available\nupdates and can notify you when they are available via email, syslog,\nor dbus.\n\nIt was discovered that yum-updatesd did not properly perform RPM package\nsignature checks. When yum-updatesd was configured to automatically install\nupdates, a remote attacker could use this flaw to install a malicious\nupdate on the target system using an unsigned RPM or an RPM signed with an\nuntrusted key. (CVE-2014-0022)\n\nAll yum-updatesd users are advised to upgrade to this updated package,\nwhich contains a backported patch to correct this issue. After installing\nthis update, the yum-updatesd service will be restarted automatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:1004",
"url": "https://access.redhat.com/errata/RHSA-2014:1004"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1057377",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1057377"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1004.json"
}
],
"title": "Red Hat Security Advisory: yum-updatesd security update",
"tracking": {
"current_release_date": "2024-11-22T08:18:13+00:00",
"generator": {
"date": "2024-11-22T08:18:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:1004",
"initial_release_date": "2014-08-05T03:34:37+00:00",
"revision_history": [
{
"date": "2014-08-05T03:34:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-08-05T03:34:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:18:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop (v. 5 client)",
"product_id": "5Client-5.10.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "yum-updatesd-1:0.9-6.el5_10.noarch",
"product": {
"name": "yum-updatesd-1:0.9-6.el5_10.noarch",
"product_id": "yum-updatesd-1:0.9-6.el5_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yum-updatesd@0.9-6.el5_10?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "yum-updatesd-1:0.9-6.el5_10.src",
"product": {
"name": "yum-updatesd-1:0.9-6.el5_10.src",
"product_id": "yum-updatesd-1:0.9-6.el5_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yum-updatesd@0.9-6.el5_10?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "yum-updatesd-1:0.9-6.el5_10.noarch as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
"product_id": "5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch"
},
"product_reference": "yum-updatesd-1:0.9-6.el5_10.noarch",
"relates_to_product_reference": "5Client-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yum-updatesd-1:0.9-6.el5_10.src as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
"product_id": "5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src"
},
"product_reference": "yum-updatesd-1:0.9-6.el5_10.src",
"relates_to_product_reference": "5Client-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yum-updatesd-1:0.9-6.el5_10.noarch as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch"
},
"product_reference": "yum-updatesd-1:0.9-6.el5_10.noarch",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yum-updatesd-1:0.9-6.el5_10.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src"
},
"product_reference": "yum-updatesd-1:0.9-6.el5_10.src",
"relates_to_product_reference": "5Server-5.10.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0022",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2014-01-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1057377"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "yum: yum-cron installs unsigned packages",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of yum as shipped with Red Hat Enterprise Linux 6 and 7.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch",
"5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src",
"5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch",
"5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0022"
},
{
"category": "external",
"summary": "RHBZ#1057377",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1057377"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0022",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0022"
}
],
"release_date": "2014-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-08-05T03:34:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch",
"5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src",
"5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch",
"5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1004"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"products": [
"5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch",
"5Client-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src",
"5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.noarch",
"5Server-5.10.Z:yum-updatesd-1:0.9-6.el5_10.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "yum: yum-cron installs unsigned packages"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.