5 matches found
CLSA-2026-1777545003 rpm: Fix of CVE-2021-3521
CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...
CLSA-2026-1777539405 rpm: Fix of CVE-2021-3521
CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...
CLSA-2026-1777539108 rpm: Fix of CVE-2021-3521
CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...
rpm4 -- Multiple Vulnerabilities
rpm project reports: Fix intermediate symlinks not verified (CVE-2021-35939). Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521). Refactor file and directory operations to use fd-based APIs throughout (CVE-2021-35938)...
rpm: RPM does not require subkeys to have a valid binding signature
There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey t...