On the security topic, just figured I would share here, as it does go into the whole, "make sure your code is signed, and end users don't bypass the security checks".
https://www.darkreading.com/attacks-breaches/cisa-zoho-manageengine-rce-bug-under-active-exploit
CISA: Zoho ManageEngine RCE Bug Is Under Active Exploit
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a critical Zoho ManageEngine remote code execution (RCE) flaw, first disclosed in June, is now under active attack.
www.darkreading.com

Nicholas Jahn
IT professional
A.S. Network Specialist (www.madisoncollege.edu)
________________________________
From: Troy Dawson <tdawson@redhat.com>
Sent: Monday, September 26, 2022 12:41 PM
To: EPEL Development List <epel-devel@lists.fedoraproject.org>
Subject: [EPEL-devel] Re: EPEL RHEL 9 mirror error

That is a very good point. I think the following are better steps:

rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

Troy

On Mon, Sep 26, 2022 at 10:28 AM Nick Jahn <nick.jahn@hotmail.com> wrote:
Wouldn't it be a better option to show in the documentation how to download and install the GPG key first, so you don't have to use the nogpgcheck option? Security people like secure options better. 😉

Nicholas Jahn
IT professional
A.S. Network Specialist (www.madisoncollege.edu)
________________________________
From: Troy Dawson <tdawson@redhat.com>
Sent: Monday, September 26, 2022 11:46 AM
To: EPEL Development List <epel-devel@lists.fedoraproject.org>
Subject: [EPEL-devel] Re: EPEL RHEL 9 mirror error
I was able to reproduce the error. If you do a RHEL install, and select a security profile, it will automatically turn on gpg checking for everything.[1] You then get the error you were showing.
To get around this you need to add the --nogpgcheck option
dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
Thank you for letting us know. We'll be sure to update the documentation.
Troy
[1] - https://www.mankier.com/5/dnf.conf#Options_for_Both_%5BMain%5D_and_Repo-localpkg_gpgcheck

On Mon, Sep 26, 2022 at 7:25 AM Nick Jahn <nick.jahn@hotmail.com> wrote:
I will wipe out this VM, and re-install RHEL 9 and see if it happens again. I already know it isn't security based issues, as none of my systems caught anything (I'm a Security Architect), and I was able to download the GPG key using WGET, and install it using RPM --import.
I'm fairly certain the issue was that the GPG key was not getting deployed.
Nicholas Jahn
IT professional
A.S. Network Specialist (www.madisoncollege.edu)
________________________________
From: Stephen Smoogen <ssmoogen@redhat.com>
Sent: Monday, September 26, 2022 8:59 AM
To: EPEL Development List <epel-devel@lists.fedoraproject.org>
Subject: [EPEL-devel] Re: EPEL RHEL 9 mirror error

On Mon, 26 Sept 2022 at 09:31, Nick Jahn <nick.jahn@hotmail.com> wrote:
Tried that, still getting GPG check FAILED. It seems that the security key is not getting deployed correctly.

I manually went to the EPEL repo path https://dl.fedoraproject.org/pub/epel/ and found the EPEL 9 Key, downloaded it and installed the key, and now the connection is working. The reason I reached out in the first place was to let you know that the deployment was not working as designed, as I know the EPEL Key is supposed to download and install when you perform the installation of the REPO (which was not happening). This needs to be fixed or you need to update the documentation to let others know that they need to download and install the RPM GPG KEY for EPEL 9 before using the rest of the guide......
OK I am doing a retest of the instructions with a fresh Alma 9 install. I have installed it with minimal functionality and done a `dnf update` to get it up to the latest packages. Then I have rebooted it and done the following commands:

```
[root@localhost ~]# sudo dnf config-manager --set-enabled crb
[root@localhost ~]# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
AlmaLinux 9 - CRB                                  3.3 MB/s | 2.5 MB     00:00
Last metadata expiration check: 0:00:01 ago on Mon 26 Sep 2022 09:52:47 AM EDT.
epel-release-latest-9.noarch.rpm                   124 kB/s |  18 kB     00:00
Dependencies resolved.
================================================================================
 Package            Architecture     Version         Repository           Size
================================================================================
Installing:
 epel-release       noarch           9-4.el9         @commandline         18 k

Transaction Summary
================================================================================
Install  1 Package

Total size: 18 k
Installed size: 25 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : epel-release-9-4.el9.noarch                            1/1
  Running scriptlet: epel-release-9-4.el9.noarch                            1/1
Many EPEL packages require the CodeReady Builder (CRB) repository.
It is recommended that you run /usr/bin/crb enable to enable the CRB repository.

  Verifying        : epel-release-9-4.el9.noarch                            1/1

Installed:
  epel-release-9-4.el9.noarch

Complete!
[root@localhost ~]# dnf install screen
Last metadata expiration check: 0:00:21 ago on Mon 26 Sep 2022 09:53:52 AM EDT.
Dependencies resolved.
================================================================================
 Package            Architecture     Version         Repository           Size
================================================================================
Installing:
 screen             x86_64           4.8.0-6.el9     epel                649 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 649 k
Installed size: 957 k
Is this ok [y/N]: y
Downloading Packages:
screen-4.8.0-6.el9.x86_64.rpm                      1.8 MB/s | 649 kB     00:00
--------------------------------------------------------------------------------
Total                                              1.2 MB/s | 649 kB     00:00
Extra Packages for Enterprise Linux 9 - x86_64     1.6 MB/s | 1.6 kB     00:00
Importing GPG key 0x3228467C:
 Userid     : "Fedora (epel9) <epel@fedoraproject.org>"
 Fingerprint: FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: screen-4.8.0-6.el9.x86_64                              1/1
  Installing       : screen-4.8.0-6.el9.x86_64                              1/1
  Running scriptlet: screen-4.8.0-6.el9.x86_64                              1/1
  Verifying        : screen-4.8.0-6.el9.x86_64                              1/1

Installed:
  screen-4.8.0-6.el9.x86_64

Complete!
```

So the instructions as printed work, if everything else works fine. However, it is clear that something did not work for your system, but I am not sure how to pinpoint what it is for better documentation. If you can repeat the problem and see what difference in install from what I tried is, we can better do this.
--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
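
Added example, not written by anyone in this thread: the key-first install order suggested above, with a fingerprint check before `rpm --import` so that `--nogpgcheck` is never needed. The expected fingerprint is the one dnf printed in the transcript; the function names, the `--install` switch and the sample `gpg` records are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example: check the EPEL 9 key fingerprint before importing the key,
# so epel-release can be installed with GPG checking left on.

# Fingerprint as dnf printed it in the transcript in this thread.
EPEL9_FPR="FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C"
BASE_URL="https://dl.fedoraproject.org/pub/epel"

# Constructed, abbreviated sample of `gpg --show-keys --with-colons` output.
SAMPLE_COLONS='pub:-:4096:1:8A3872BF3228467C:1631000000:::-:::scSC:
fpr:::::::::FF8AD1344597106ECE813B918A3872BF3228467C:
uid:-::::1631000000::::Fedora (epel9) <epel@fedoraproject.org>:'

# Print the fingerprint of each primary key in colon-format output on stdin:
# the fpr record directly after a pub record (subkey fpr records are skipped).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10 }
             { want = 0 }'
}

# Succeed only if stdin holds exactly one primary key whose fingerprint equals
# $1 (spaces and letter case in $1 are ignored).
key_matches() {
    local expected got
    expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    got=$(primary_fprs)
    [ -n "$expected" ] && [ "$got" = "$expected" ]
}

# Download the key, check it, import it, then install epel-release (as root).
install_epel_release() {
    local keyfile rc=1
    keyfile=$(mktemp) || return 1
    if curl --fail -sS --proto '=https' -o "$keyfile" "$BASE_URL/RPM-GPG-KEY-EPEL-9" &&
       gpg --show-keys --with-colons "$keyfile" | key_matches "$EPEL9_FPR"; then
        rpm --import "$keyfile" &&
            dnf install "$BASE_URL/epel-release-latest-9.noarch.rpm"
        rc=$?
    else
        echo "key download failed or fingerprint mismatch; nothing imported" >&2
    fi
    rm -f "$keyfile"
    return "$rc"
}

# Install only when asked; otherwise the file just defines the functions.
if [ "${1:-}" = "--install" ]; then install_epel_release; fi
```

A key file that carries a second primary key, or none at all, fails the check, so nothing reaches the RPM keyring unless the downloaded file contains only the expected key.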