CVE-2021-3445: 
NixOS vulnerability analysis and mitigation

CVE-2021-3445 is a security vulnerability discovered in libdnf's signature verification functionality affecting versions before 0.60.1. The vulnerability was identified in early 2021 and affects the package management system used in various Linux distributions (NVD, Red Hat).

The vulnerability exists in libdnf's signature verification mechanism where an attacker could bypass signature verification by placing a signature in the main RPM header. This flaw is specifically exploitable when RPM's package verification level is set to 'digest' or 'none'. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability allows an attacker to achieve code execution by altering the header information of an RPM package and tricking a user or system into installing it. The vulnerability poses significant risks to system confidentiality, integrity, and availability (NVD).

A mitigation for this vulnerability is to set %pkgverifylevel to 'all' or '%pkgverifylevel signature' in /etc/rpm/macros. The permanent fix is available in libdnf version 0.60.1 and later. Various Linux distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux through RHSA-2021:4464 (Red Hat Bugzilla, Red Hat Advisory).