[SECURITY] Fedora 41 Update: rpm-ostree-2025.5-2.fc41
rpm-ostree is a hybrid image/package system. It supports "composing" packages on a build server into an OSTree repository, which can then be replicated by client systems with atomic upgrades. Additionally, unlike many "pure" image systems, with rpm-ostree each client system can layer on additiona...
[SECURITY] Fedora 39 Update: rpm-ostree-2024.4-6.fc39
rpm-ostree is a hybrid image/package system. It supports "composing" packages on a build server into an OSTree repository, which can then be replicated by client systems with atomic upgrades. Additionally, unlike many "pure" image systems, with rpm-ostree each client system can layer on additiona...
Default credentials
It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certifica...
CVE-2017-2623
The CVE-2017-2623 issue affects rpm-ostree and rpm-ostree-client older than 2017.3, where GPG signatures on layered packages were not checked properly. This could allow unsigned or poorly signed content to be accepted instead of rejected. The severity and impact are described in multiple sources ...
[SECURITY] Fedora 24 Update: rpm-ostree-2017.3-2.fc24
rpm-ostree is a hybrid image/package system. It supports "composing" packages on a build server into an OSTree repository, which can then be replicated by client systems with atomic upgrades. Additionally, unlike many "pure" image systems, with rpm-ostree each client system can layer on additiona...
CVE-2017-2623
It was discovered that rpm-ostree and rpm-ostree-client fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is...