N/A

It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.

N/A

证书验证不恰当

rpm-ostree和rpm-ostree-client 安全漏洞

Project Atomic rpm-ostree是一个影像系统包。 rpm-ostree 2017.3之前版本和rpm-ostree-client 2017.3之前版本中存在安全绕过漏洞，该漏洞源于程序没有正确的检查GPG签名。远程攻击者可利用该漏洞绕过安全限制，并执行未授权的操作。

N/A

N/A