32.Lock Code Circular

Red Hat has used RPM for software package distribution for decades, but thanks to CloudLinux developer Dmitry Antipov we now know that RPM contained a nasty hidden security bug since Day One. A repair patch for this major security hole has been submitted, but Antipov fears that it may be months before the fix is released.

In 1995, when Linux 1.x was the hot new Linux kernel, early Red Hat founding programmers Marc Ewing and Erik Troan created RPM. This software package management system became the default way to distribute software for Red Hat Linux-based distributions such as Red Hat Enterprise Linux (RHEL)CentOS StreamAlmaLinux OS, and Rocky Linux. Unfortunately, hidden within its heart is a major security hole. 

Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS's parent company, first spotted the problem in March 2021. Antipov found that RPM would work with unauthorized RPM packages. This meant that unsigned packages or packages signed with revoked keys could silently be patched or updated without a word of warning that they might not be kosher.