Bug #4824
No package verification nor download integrity on CentOS/RHEL repositories
| Field | Value |
|---|---|
| Status | Closed |
| Start date | 09/26/2016 |
| Priority | High |
| Due date | |
| Assignee | Vlastimil Holer |
| % Done | 0% |
| Category | Packaging |
| Target version | Release 5.4 |
| Resolution | |
| Pull request | https://github.com/OpenNebula/docs/pull/87/commits/5a2097c8f45d9144bae5b820c3d18b9fc1154efa |
| Affected Versions | OpenNebula 4.0, OpenNebula 4.10, OpenNebula 4.12, OpenNebula 4.14, OpenNebula 4.2, OpenNebula 4.4, OpenNebula 4.6, OpenNebula 4.8, OpenNebula 5.0 |
Description
There is a major security issue regarding the packages for CentOS/RHEL.
Not only is there no GPG signature that can be checked, but HTTPS is not enabled either.
Someone can effectively man-in-the-middle the repository and no one would be able to tell the difference. This can allow for remote code execution in sensitive environments.
The proper fix for this, and what any major project should be doing, is to sign the packages with GPG and enable the key check. You can require a key download as part of the step; just ensure it is either done over HTTPS or that there is another way to check the key integrity.
If this is somehow not feasible, one can enable HTTPS on the repository server. Since Let's Encrypt has become public there is no reason for a software source to be served insecurely or without signatures.
Cheers,
~H
History
#1 Updated by Jimb0 Hon1nbo over 4 years ago
Surprised this isn't even assigned. Since the packages for APT have a signing key, this should be a relatively trivial fix for such a massive security issue.
Right now this could be considered an RCE with a very high CVSS score.
#3 Updated by Ruben S. Montero over 4 years ago
- Category set to Packaging
#4 Updated by Javi Fontan over 4 years ago
- Assignee set to Javi Fontan
From now on the new repositories will have both the rpm packages and repository signed. The key is the same as Debian repos (https://downloads.opennebula.org/repo/Debian/repo.key).
Also the downloads server can now be accessed using https (Let's Encrypt certificates).
I'll leave this ticket open to update the documentation and testing environment. Here is the repo conf to use as a base for documentation:

```ini
[opennebula]
name=opennebula
baseurl=https://downloads.opennebula.org/repo/...
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://downloads.opennebula.org/repo/Debian/repo.key
```

Is repo_gpgcheck really needed?
#5 Updated by Javi Fontan over 4 years ago
- Assignee changed from Javi Fontan to Vlastimil Holer
#6 Updated by Vlastimil Holer over 4 years ago
- Pull request set to https://github.com/OpenNebula/docs/pull/87/commits/5a2097c8f45d9144bae5b820c3d18b9fc1154efa
- https is used for (apt/yum) repositories and
- gpgcheck=1 is enabled (leaving repo_gpgcheck commented) for yum.
https://github.com/OpenNebula/docs/pull/87/commits/5a2097c8f45d9144bae5b820c3d18b9fc1154efa
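As an added example (not part of this ticket or of the OpenNebula project), a POSIX shell linter for the settings discussed in comments #4 and #6: it flags a yum/dnf `.repo` whose `baseurl` or `gpgkey` is not fetched over HTTPS, whose `gpgcheck` is not `1`, or which leaves `repo_gpgcheck` unset. The hostnames and file names in the constructed samples are placeholders.

```shell
# Lint a yum/dnf .repo file for the weaknesses raised in this ticket: plain-HTTP
# baseurl/gpgkey, gpgcheck disabled, repo_gpgcheck not enabled. Prints one
# finding per line; the return value is the number of findings (0 = clean).
audit_repo_file() {
    _file="$1"; _findings=0; _section=""; _gpgcheck=""; _repo_gpgcheck=""
    # Report the signature settings of the section that just ended.
    _flush_section() {
        [ -n "$_section" ] || return 0
        if [ "$_gpgcheck" != "1" ]; then
            echo "[$_section] gpgcheck is not 1: package signatures are not checked"
            _findings=$((_findings + 1))
        fi
        if [ "$_repo_gpgcheck" != "1" ]; then
            echo "[$_section] repo_gpgcheck is not 1: repo metadata is not checked"
            _findings=$((_findings + 1))
        fi
    }
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            '['*']')                      # new [section]: finish the previous one
                _flush_section
                _section="${_line#?}"; _section="${_section%?}"
                _gpgcheck=""; _repo_gpgcheck="" ;;
            gpgcheck=*)      _gpgcheck="${_line#*=}" ;;
            repo_gpgcheck=*) _repo_gpgcheck="${_line#*=}" ;;
            baseurl=*|gpgkey=*|mirrorlist=*|metalink=*)
                _key="${_line%%=*}"; _val="${_line#*=}"
                case "$_val" in
                    https://*|file://*) ;;   # TLS or local file: fine
                    *) echo "[$_section] $_key is not fetched over HTTPS: $_val"
                       _findings=$((_findings + 1)) ;;
                esac ;;
        esac
    done < "$_file"
    _flush_section
    return "$_findings"
}

# Constructed samples (example.invalid is a placeholder host): the weak
# configuration the ticket reports next to the hardened one from comment #4.
write_sample_repos() {
    printf '[opennebula]\nname=opennebula\nbaseurl=http://example.invalid/repo/\nenabled=1\ngpgcheck=0\n' > "$1/weak.repo"
    printf '[opennebula]\nname=opennebula\nbaseurl=https://example.invalid/repo/\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=https://example.invalid/repo/repo.key\n' > "$1/hardened.repo"
}

# Stand-alone usage: audit both samples from a scratch directory.
_dir=$(mktemp -d) && write_sample_repos "$_dir"
for _f in "$_dir"/weak.repo "$_dir"/hardened.repo; do
    audit_repo_file "$_f"; _n=$?; echo "$_f: $_n finding(s)"
done
```

Run it against the files under `/etc/yum.repos.d/` to confirm that a deployed OpenNebula repo really carries the `gpgcheck=1` and HTTPS settings the documentation change introduces.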
#7 Updated by Vlastimil Holer over 4 years ago
- Status changed from Pending to Closed
Change in documentation merged by Javi, closing.
Thank you.