CVE-2013-1910
https://notcve.org/view.php?id=CVE-2013-1910
yum does not properly handle bad metadata, which allows an attacker to cause a denial of service and possibly have other unspecified impact via a Trojan horse file in the metadata of a remote repository.
References:
• http://www.openwall.com/lists/oss-security/2013/03/29/4
• http://www.securityfocus.com/bid/58533
• https://access.redhat.com/security/cve/cve-2013-1910
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1910
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83348
• https://security-tracker.debian.org/tracker/CVE-2013-1910
Weakness: CWE-20: Improper Input Validation
CVE-2014-0022 – yum: yum-cron installs unsigned packages
https://notcve.org/view.php?id=CVE-2014-0022
The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RPM package signing restriction via an unsigned package.
It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key.
References:
• http://secunia.com/advisories/56637
• http://www.securityfocus.com/bid/65119
• http://yum.baseurl.org/gitweb?p=yum.git%3Ba=commitdiff%3Bh=9df69e5794
• https://bugzilla.redhat.com/show_bug.cgi?id=1052440
• https://bugzilla.redhat.com/show_bug.cgi?id=1057377
• https://access.redhat.com/security/cve/CVE-2014-0022
Weaknesses: CWE-20: Improper Input Validation; CWE-347: Improper Verification of Cryptographic Signature
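The defect class behind CVE-2014-0022 is an ignored return value: the signature check runs, but nothing acts on its verdict. The following is an added, constructed example (not yum's code and not the yum-cron patch); it assumes that sigCheckPkg returns a (result, msg) pair where 0 means the signature verified and any non-zero value means the package must not be installed, and it shows the vulnerable install loop beside a corrected one that refuses unsigned or untrusted-key packages. The Package type, TRUSTED_KEYS store and sample update list are all constructed for illustration.

```python
"""CVE-2014-0022 defect class: a signature check whose result is discarded.

Constructed example, not yum's own code. Assumes the (result, msg) return
convention of sigCheckPkg: 0 = signature OK, 1 = signing key not installed,
2 = signature missing or invalid.
"""
from typing import List, Optional, Tuple
from dataclasses import dataclass


@dataclass
class Package:
    name: str
    # Key id the package claims to be signed with; None means unsigned (constructed).
    signed_by: Optional[str]


# Constructed trust store: key ids the administrator has imported.
TRUSTED_KEYS = {"KEY-TRUSTED-0001"}


def sig_check_pkg(po: Package) -> Tuple[int, str]:
    """Stand-in for sigCheckPkg, following its assumed (result, msg) convention."""
    if po.signed_by is None:
        return 2, f"Package {po.name} is not signed"
    if po.signed_by not in TRUSTED_KEYS:
        return 1, f"Public key for {po.name} is not installed"
    return 0, ""


def install_updates_vulnerable(updates: List[Package]) -> List[str]:
    """The flawed pattern: the check is called but its verdict is never read,
    so unsigned and untrusted packages are installed alongside good ones."""
    installed = []
    for po in updates:
        sig_check_pkg(po)  # return value ignored: the bug
        installed.append(po.name)
    return installed


def install_updates_fixed(updates: List[Package]) -> Tuple[List[str], List[str]]:
    """The corrected pattern: install only when the check returns 0, and
    record why every other package was rejected so the failure is visible."""
    installed, rejected = [], []
    for po in updates:
        result, msg = sig_check_pkg(po)
        if result != 0:
            rejected.append(f"{po.name}: {msg}")
            continue
        installed.append(po.name)
    return installed, rejected


# Constructed sample update set: one trusted, one unsigned, one signed by an unknown key.
SAMPLE_UPDATES = [
    Package("bash", "KEY-TRUSTED-0001"),
    Package("openssl", None),
    Package("curl", "KEY-UNKNOWN-9999"),
]

if __name__ == "__main__":
    print("vulnerable installs:", install_updates_vulnerable(SAMPLE_UPDATES))
    good, bad = install_updates_fixed(SAMPLE_UPDATES)
    print("fixed installs:", good)
    for line in bad:
        print("rejected:", line)
```

The point for reviewers of any automatic-update path is that a verification function's result must gate the action, and rejections must be logged rather than silently skipped, so an unattended run that stops installing updates is noticed.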