First published: Tue Jul 29 2008
It was discovered that yum-rhn-plugin did not always properly verify the server's SSL certificate against the configured trusted CA certificate when communicating with a Red Hat Network (RHN) server. The certificate was verified for XML-RPC communication, but the check was not applied to file downloads. This could simplify man-in-the-middle attacks, allowing an attacker to serve users crafted repository metadata files or RPM packages. However, GPG signatures are verified before any package is installed, so an attacker could not use this flaw to trick a user into installing packages from an untrusted source.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
Red Hat Enterprise Linux | =5.0 | 
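The advisory's mitigating factor is the GPG signature check, which only helps if gpgcheck is actually in force for every repository. The following audit script is an added example written for this page, not code from the advisory, yum or yum-rhn-plugin: it parses constructed stand-ins for /etc/yum.conf and the files under /etc/yum.repos.d/ and reports repositories whose effective gpgcheck is off (a repo that omits the option inherits it from [main], and yum's own default is off), plus repositories fetched over plain HTTP, where the GPG check is the only protection left.

```python
"""Audit yum configuration for repositories that would accept unsigned packages.

Hypothetical audit helper written for this advisory; it is not part of yum or
yum-rhn-plugin. The configuration text below is constructed sample input.
"""
import configparser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed stand-in for /etc/yum.conf
SAMPLE_YUM_CONF = """
[main]
cachedir=/var/cache/yum
gpgcheck=1
plugins=1
"""

# Constructed stand-in for the files under /etc/yum.repos.d/
SAMPLE_REPO_FILES = """
[rhel-updates]
name=RHEL 5 updates (local mirror)
baseurl=https://mirror.example.internal/rhel5/updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[thirdparty]
name=Third-party packages
baseurl=http://mirror.example.internal/thirdparty
gpgcheck=0

[inherits-main]
name=No gpgcheck line, so the [main] value applies
baseurl=https://mirror.example.internal/extra
"""


def _sections(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style yum configuration into {section: {option: value}}."""
    parser = configparser.RawConfigParser()  # no $var interpolation
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def _is_true(value: str) -> bool:
    """yum accepts 1/0, true/false and yes/no for boolean options."""
    return value.strip().lower() in ("1", "true", "yes")


def find_unsigned_repos(yum_conf: str, repo_files: str) -> List[str]:
    """Return repo ids whose effective gpgcheck is off.

    A repo that omits gpgcheck inherits the value from [main] in yum.conf;
    if neither sets it, yum's default is off, so such repos are reported too.
    """
    main = _sections(yum_conf).get("main", {})
    default = main.get("gpgcheck", "0")
    unsigned = []
    for repo_id, options in _sections(repo_files).items():
        if not _is_true(options.get("gpgcheck", default)):
            unsigned.append(repo_id)
    return sorted(unsigned)


def find_plaintext_repos(repo_files: str) -> List[str]:
    """Return repo ids whose baseurl is fetched over plain HTTP.

    These get no transport protection at all, so the GPG check is the only
    thing standing between a network attacker and an installed package.
    """
    plaintext = []
    for repo_id, options in _sections(repo_files).items():
        if urlsplit(options.get("baseurl", "")).scheme == "http":
            plaintext.append(repo_id)
    return sorted(plaintext)


if __name__ == "__main__":
    print("gpgcheck off:", find_unsigned_repos(SAMPLE_YUM_CONF, SAMPLE_REPO_FILES))
    print("plain HTTP:  ", find_plaintext_repos(SAMPLE_REPO_FILES))
```

On a real host, feed the script the contents of /etc/yum.conf and the concatenated *.repo files; a repository that shows up in the first list would let a man-in-the-middle of the kind described above install whatever it serves, because nothing downstream of the (unverified) download checks the package origin.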