The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might allow remote attackers to trick users into believing that the repository was signed by a more-trustworthy key.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Libzypp | Novell | 11.2 | 11.2 |
Libzypp | Novell | 12.2 | 12.2 |
Libzypp | Novell | * | 12.15.0 |
Libzypp | Novell | 12.1 | 12.1 |
Libzypp | Novell | 11.4 | 11.4 |
Libzypp | Novell | 11.3 | 11.3 |
Libzypp | Novell | 12.3 | 12.3 |