Description
There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature."[1] RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add a malicious subkey to a legitimate public key, or to socially engineer another party into adding one, RPM could wrongly trust a signature made with that subkey as if it came from the legitimate key. The greatest impact of this flaw is to data integrity.
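The check that the description says RPM omitted, shown as an added example that is not RPM's code or part of this advisory: it parses a binary (dearmored) OpenPGP transferable public key and, for every public-subkey packet, looks for a following signature packet of type 0x18 (subkey binding) whose issuer key ID matches the primary key. It is a structural check only, confirming that a binding signature is present and names the right issuer; it does not verify the signature cryptographically, which is what a fixed RPM or GnuPG does. The function names, the status strings and the sample key are all assumptions of this example; the sample key is constructed inline with dummy key material and dummy signature MPIs, so it has the real packet layout but is not a usable key.

```python
import hashlib
import struct

SIG, PUBKEY, SUBKEY = 2, 6, 14                      # RFC 4880 packet tags
SIG_SUBKEY_BINDING, SUBPKT_ISSUER = 0x18, 16        # 0x18 = subkey binding signature, 16 = issuer

def _new_len(buf, i, two_octet_limit):              # -> (length, length octets used)
    l1 = buf[i]
    if l1 < 192:
        return l1, 1
    if l1 < two_octet_limit:                        # 224 for packets, 255 for subpackets
        return ((l1 - 192) << 8) + buf[i + 1] + 192, 2
    if l1 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], 5
    raise ValueError("partial body lengths not supported")

def parse_packets(data):
    """Split a binary OpenPGP message into (tag, body) pairs (old- and new-format headers)."""
    out, i = [], 0
    while i < len(data):
        c = data[i]
        if c & 0x40:                                # new-format header
            tag, (n, h) = c & 0x3F, _new_len(data, i + 1, 224)
        else:                                       # old-format header, as in gpg --export output
            tag, h = (c >> 2) & 0x0F, (1, 2, 4)[c & 3]   # IndexError on indeterminate length
            n = int.from_bytes(data[i + 1:i + 1 + h], "big")
        body = data[i + 1 + h:i + 1 + h + n]
        if len(body) != n:
            raise ValueError("truncated packet")
        out.append((tag, body))
        i += 1 + h + n
    return out

def v4_key_id(key_body):
    """Key ID = low 64 bits of the v4 fingerprint: SHA-1 over 0x99, 2-byte length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]

def subpackets(area):                               # yield (type, value) from a subpacket area
    i = 0
    while i < len(area):
        n, h = _new_len(area, i, 255)
        yield area[i + h] & 0x7F, area[i + h + 1:i + h + n]   # high bit = "critical" flag
        i += h + n

def signature_info(body):
    """Return (signature type, issuer key ID or None) from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures supported")
    p = 6 + struct.unpack(">H", body[4:6])[0]       # end of the hashed subpacket area
    unhashed = body[p + 2:p + 2 + struct.unpack(">H", body[p:p + 2])[0]]
    issuer = None
    for t, v in list(subpackets(body[6:p])) + list(subpackets(unhashed)):
        if t == SUBPKT_ISSUER:
            issuer = v
    return body[1], issuer

def check_subkey_bindings(key_data):
    """Per subkey: is it followed by a binding signature (0x18) issued by the primary key?
    Structural check only (presence and issuer); the signature itself is not verified."""
    packets = parse_packets(key_data)
    if not packets or packets[0][0] != PUBKEY:
        raise ValueError("not a transferable public key")
    primary = v4_key_id(packets[0][1])
    results = []
    for idx, (tag, _) in enumerate(packets):
        if tag != SUBKEY:
            continue
        status = "missing-binding-signature"
        for t2, b2 in packets[idx + 1:]:
            if t2 == SUBKEY:                        # reached the next subkey: stop looking
                break
            if t2 == SIG and (info := signature_info(b2))[0] == SIG_SUBKEY_BINDING:
                status = "bound" if info[1] == primary else "bound-by-other-key"
                break
        results.append((len(results) + 1, status))
    return results

# Constructed sample key: real packet structure, dummy key material and signature MPIs.
def packet(tag, body):                              # new-format header, 1- or 2-octet length
    n = len(body)
    hdr = bytes([0xC0 | tag, n]) if n < 192 else bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return hdr + body
mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def key_body(seed):                                 # v4 key body: version, time, RSA, MPIs n and e
    return b"\x04" + struct.pack(">I", 1600000000) + b"\x01" + mpi((1 << 63) | seed) + mpi(65537)
def fake_signature(sig_type, issuer_id):            # v4 sig body: creation time (hashed), issuer (unhashed)
    hashed = bytes([5, 2]) + struct.pack(">I", 1600000000)
    unhashed = bytes([9, SUBPKT_ISSUER]) + issuer_id
    return (b"\x04" + bytes([sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + mpi(1))

SAMPLE_KEY = b"".join([
    packet(PUBKEY, key_body(1)),
    packet(SUBKEY, key_body(2)),
    packet(SIG, fake_signature(SIG_SUBKEY_BINDING, v4_key_id(key_body(1)))),   # legitimately bound
    packet(SUBKEY, key_body(3)),                                               # injected: no binding sig
    packet(SUBKEY, key_body(4)),
    packet(SIG, fake_signature(SIG_SUBKEY_BINDING, v4_key_id(key_body(99)))),  # bound by a different key
])
```

Run against the sample, `check_subkey_bindings` reports the first subkey as bound, the second as having no binding signature at all (the shape of an appended malicious subkey), and the third as bound by a key other than the primary. Anything other than "bound" is a key that should not be imported as-is. Because this only inspects structure, a real audit of the keys an affected host trusts still needs the binding signatures verified cryptographically; GnuPG does that on import, so one practical cross-check is to feed each key rpm trusts (the armored key appears in the Description of the corresponding gpg-pubkey package) into a scratch GnuPG home directory and compare the subkeys GnuPG accepts with the subkey packets actually present.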
Solution(s)
huawei-euleros-2_0_sp9-upgrade-python3-rpm
huawei-euleros-2_0_sp9-upgrade-rpm
huawei-euleros-2_0_sp9-upgrade-rpm-libs
huawei-euleros-2_0_sp9-upgrade-rpm-plugin-systemd-inhibit
References
https://attackerkb.com/topics/cve-2021-3521
CVE-2021-3521
EulerOS-SA-2022-1035