View Issue Details

ID: 0015603
Project: administration
Category: security
View Status: public
Last Update: 2018-12-17 20:46
Reporter: till
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0015603: Insecure repo configuration for CentOS-Ceph-Luminous and centos-qemu-ev-test and possibly other repos
Description: The file CentOS-Ceph-Luminous.repo contains two repositories that do not enable GPG checks. The first one could also use HTTPS for the base URL, and the other one (the source repo) will automatically be enabled when using yum-builddep, therefore putting users at risk who want to install the builddeps of unrelated packages:

[centos-ceph-luminous-test]
name=CentOS-$releasever - Ceph Luminous Testing
baseurl=http://buildlogs.centos.org/centos/$releasever/storage/$basearch/ceph-luminous/
gpgcheck=0
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-ceph-luminous-source]
name=CentOS-$releasever - Ceph Luminous Source
baseurl=http://vault.centos.org/$contentdir/$releasever/storage/Source/ceph-luminous/
gpgcheck=0
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage


CentOS-QEMU-EV.repo contains this:

[centos-qemu-ev-test]
name=CentOS-$releasever - QEMU EV Testing
baseurl=http://buildlogs.centos.org/centos/$releasever/virt/$basearch/kvm-common/
gpgcheck=0
enabled=0

Additional Information: Please:

1) enable gpgcheck for all repos
2) use https for the base URL where possible (should work for the test repo)
3) Update the Wiki link in the repo file to use HTTPS
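An added audit script (not part of this report or of the CentOS repo files) that parses .repo files with Python's configparser and flags the weak settings the report describes: gpgcheck other than 1, a missing gpgkey, plain-http repository URLs, and the fact that enabled=0 alone does not protect against yum-builddep or --enablerepo. The sample input is a constructed copy of the two test sections quoted above, followed by a constructed hardened section applying the three requests, which the audit reports clean.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the two test sections quoted in the report, plus a hardened
# variant applying the report's requests (https baseurl, gpgcheck=1, gpgkey set).
SAMPLE_REPO = """\
[centos-ceph-luminous-test]
name=CentOS-$releasever - Ceph Luminous Testing
baseurl=http://buildlogs.centos.org/centos/$releasever/storage/$basearch/ceph-luminous/
gpgcheck=0
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-qemu-ev-test]
name=CentOS-$releasever - QEMU EV Testing
baseurl=http://buildlogs.centos.org/centos/$releasever/virt/$basearch/kvm-common/
gpgcheck=0
enabled=0

[centos-ceph-luminous-test-hardened]
name=CentOS-$releasever - Ceph Luminous Testing (hardened, constructed)
baseurl=https://buildlogs.centos.org/centos/$releasever/storage/$basearch/ceph-luminous/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage
"""

def audit_repo(text):
    # Returns {section: [findings]}; interpolation=None keeps yum's $releasever intact.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        opts, problems = cp[section], []
        # Without gpgcheck=1 and a gpgkey, yum installs packages unverified (missing gpgcheck read as 0).
        if opts.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck is not 1")
        if not opts.get("gpgkey"):
            problems.append("no gpgkey configured")
        # Plain http lets an on-path attacker substitute repo metadata and packages.
        for key in ("baseurl", "mirrorlist", "metalink"):
            for url in opts.get(key, "").split():
                if urlsplit(url).scheme == "http":
                    problems.append(f"{key} uses plain http: {url}")
        # enabled=0 is no mitigation: yum-builddep and --enablerepo can switch the repo on.
        if problems and opts.get("enabled", "1").strip() == "0":
            problems.append("enabled=0 only; still reachable via yum-builddep/--enablerepo")
        if problems:
            findings[section] = problems
    return findings
```

Point audit_repo at the contents of each file under /etc/yum.repos.d/ to check a real host; any section listed in the result needs the changes requested above.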
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2018-12-17 20:46 till New Issue