Demi M. Obenour

**Name of the Vulnerable Software and Affected Versions** RPM (affected versions not specified) **Description** The issue is related to a flaw in RPM's signature functionality, where OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. This could allow an attacker to add a malicious subkey to a legitimate public key, causing RPM to wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Xorg-x11-server (affected versions not specified) Description: A privilege escalation flaw was found due to a lack of authentication for X11 clients, allowing an attacker to take control of an X application by impersonating the server it is expecting to connect to. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libdnf versions prior to 0.60.1 **Description** The issue is related to an error in the signature verification function of the libdnf library, which manages packages. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The flaw enables an attacker to achieve code execution by altering the header information of an RPM package and tricking a user or system into installing it, posing a risk to confidentiality, integrity, and system availability. **Recommendations** For versions prior to 0.60.1, update to version 0.60.1 or later to resolve the issue. As a temporary workaround, consider restricting the installation of RPM packages from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RPM (affected versions not specified) **Description** A flaw was found in RPM's hdrblobInit() function in lib/header.c, which allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability. Exploitation of the vulnerability may allow a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RPM versions prior to 4.17.0-alpha **Description** A flaw was found in the RPM package's read functionality, allowing an attacker to cause RPM database corruption by convincing a victim to install a seemingly verifiable package or compromising an RPM repository. The highest threat from this issue is to data integrity. Exploitation may also allow a remote attacker to impact data integrity due to incorrect cryptographic signature verification of data. **Recommendations** For versions prior to 4.17.0-alpha, update to version 4.17.0-alpha or later to resolve the issue. As a temporary workaround, consider restricting access to RPM repositories and verifying the integrity of packages before installation to minimize the risk of exploitation.