CVE-2021-20271 and PostgreSQL YUM/DNF repo

Recently I received a report about a flaw in RPM's signature check functionality when reading a package file.

To fix this issue, I built and released new repository RPMs for the following platforms:
- RHEL/Rocky Linux/CentOS/Oracle Linux 8 - x86_64 (42.0.17)
- RHEL/CentOS/Oracle Linux 7 - x86_64 (42.0.17.1)
- Fedora 34, 33 and 32 (42.0.15)

Basically the repo config files now include the

repo_gpgcheck = 1

parameter, per the information above. I also used this opportunity to update the email address in the GPG key file.

However, this update may require manual changes to the repo config files. If you have edited the config file before, the new config file won’t overwrite the existing one; instead, a new configuration file is created with the .rpmnew extension.




In this case, please merge your changes from the old configuration file into the new one, and then move the new file over the old one:

- For RHEL/Rocky Linux/CentOS/Oracle Linux:

mv /etc/yum.repos.d/pgdg-redhat-all.repo.rpmnew /etc/yum.repos.d/pgdg-redhat-all.repo

- Fedora:

mv /etc/yum.repos.d/pgdg-fedora-all.repo.rpmnew /etc/yum.repos.d/pgdg-fedora-all.repo

You will not need this step if you have not edited the config file.
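
One way to check the result of the steps above, as an added example that is not part of the original post or of the PGDG packages: it reports a leftover .rpmnew file and any repo section that still lacks repo_gpgcheck. The section names and sample files are constructed, and only per-repo settings are inspected, not a global setting in dnf.conf.

```shell
#!/bin/sh
# Added example (not from the original post). Sample files are constructed.

# Print each [section] of a .repo file whose repo_gpgcheck is absent or not
# enabled (1/true/yes). Only per-repo settings are inspected.
sections_without_repo_gpgcheck() {
    awk '
        function emit() {
            if (sec != "" && tolower(val) !~ /^(1|true|yes)$/) print sec
        }
        /^[ \t]*\[/ {
            emit(); sec = $0
            gsub(/^[ \t]*\[|\].*$/, "", sec); val = ""; next
        }
        /^[ \t]*repo_gpgcheck[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        }
        END { emit() }
    ' "$1"
}

# Report unmerged .rpmnew files and unprotected sections; return 1 if any.
audit_pgdg_repos() {
    dir=${1:-/etc/yum.repos.d}
    rc=0
    for f in "$dir"/pgdg-*.repo; do
        [ -e "$f" ] || continue
        if [ -e "$f.rpmnew" ]; then echo "PENDING $f.rpmnew"; rc=1; fi
        for s in $(sections_without_repo_gpgcheck "$f"); do
            echo "NO_REPO_GPGCHECK $f [$s]"; rc=1
        done
    done
    return "$rc"
}

# Constructed sample: an edited old config with the packaged .rpmnew beside it.
make_sample() {
    d=$(mktemp -d)
    printf '[pgdg-common]\ngpgcheck=1\n\n[pgdg13]\ngpgcheck=1\n' \
        > "$d/pgdg-redhat-all.repo"
    printf '[pgdg-common]\ngpgcheck=1\nrepo_gpgcheck = 1\n\n[pgdg13]\ngpgcheck=1\nrepo_gpgcheck = 1\n' \
        > "$d/pgdg-redhat-all.repo.rpmnew"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_pgdg_repos "$sample" || echo "merge your edits into the .rpmnew file, then move it into place"
rm -rf "$sample"
```

Called with no argument, audit_pgdg_repos reads /etc/yum.repos.d; it prints nothing and returns 0 once the new file is in place.
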
When you run dnf/yum without the -y parameter, you’ll be asked to confirm the GPG key for PGDG repos.



If you specify -y, you won’t have to type y at each prompt. This is a one-time operation, and won’t be needed in the future (hopefully)!
If you have any questions, please let us know.
