RPM Package Manager Insufficient User Feedback in Signature Verification Vulnerability

Vulnerability Details

Vulnerability Summary

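The default --checksig setting in RPM Package Manager 4.0.4 reports that a package's signature is valid without listing the signer, which allows remote attackers to make a malicious package appear to come from a trusted source.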

Vulnerability Advisory

By passing either '-v' or '-vv' to the rpm utility, detailed signature information will be displayed.
Reportedly, the default behavior of the '--checksig' flag will be modified in RPM 4.1. Version 4.1 is currently under development.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
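
The workaround above relies on a person reading the `-v` output. As an added example (not part of the original advisory), the shell function below automates that check by accepting a package only when every signature line is OK and names a key ID on an allowlist. The output layout and key IDs are assumptions: the samples are constructed and modeled on the verbose output of current rpm releases, not RPM 4.0.4.

```shell
#!/bin/sh
# Added example: gate on WHO signed, not just on "signature OK".
# Assumption: line layout follows verbose output of current rpm releases.

# check_signer "ID1 ID2 ..."   (verbose checksig output on stdin)
# Returns 0 only if at least one signature line exists, every signature
# line ends in OK, and every key ID is on the allowlist.
check_signer() {
    trusted=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v trusted="$trusted" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /Signature, key ID/ {
            seen++
            line = tolower($0)
            sub(/.*key id /, "", line)        # leaves "<keyid>: <status>"
            split(line, part, ":")
            status = part[2]; gsub(/[ \t\r]/, "", status)
            if (status != "ok" || !(part[1] in ok)) bad++
        }
        END { if (seen > 0 && bad == 0) exit 0; exit 1 }
    '
}

# Constructed sample outputs; key IDs are made-up placeholders.
SIGNED_TRUSTED='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID aaaa1111: OK
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID aaaa1111: OK
    MD5 digest: OK'
SIGNED_OTHER='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID bbbb2222: OK
    Header SHA256 digest: OK'
UNSIGNED='pkg.rpm:
    Header SHA256 digest: OK
    MD5 digest: OK'
NOKEY='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID aaaa1111: NOKEY
    Header SHA256 digest: OK'

report() {  # report LABEL OUTPUT: print accept/reject for allowlist "aaaa1111"
    if printf '%s\n' "$2" | check_signer "aaaa1111"; then echo "$1: accept"
    else echo "$1: reject"; fi
}
report "trusted signer" "$SIGNED_TRUSTED"
report "valid but unknown signer" "$SIGNED_OTHER"
report "digests only, no signature" "$UNSIGNED"
report "key not in keyring" "$NOKEY"
```

In practice, pipe `rpm --checksig -v package.rpm` into `check_signer`. Short key IDs can collide, so also keep the rpm keyring limited to keys you trust.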

References

Source: BID
Name: 5594
Link: http://www.securityfocus.com/bid/5594

Source: XF
Name: rpm-improper-sig-verification(10011)
Link: http://www.iss.net/security_center/static/10011.php
