Upstream yum recently changed the behaviour when checking signatures
on a package. The commit added a new configuration key which only
affects local packages, but the key was set by default to False.
This meant that an end user could install a local unsigned rpm package
using PackageKit without a GPG trust check, and the user would be told
the untrusted package is itself trusted.
To exploit this low-impact vulnerability, a user would have to
manually download an unsigned package file and would still be required
to authenticate to install the package.
The CVE-ID for this bug is CVE-2011-2515.
See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
Resolves #718127
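As an added illustration (not code from yum, PackageKit or the commit above), the following Python models the trust decision the message describes and audits a yum.conf for the weak setting. It assumes the configuration key in question is yum's `localpkg_gpgcheck` (a real yum.conf option, but the message does not name it), that it defaults to off when absent, and that the global `gpgcheck` governs only repository packages. The sample configuration fragments are constructed for this example.

```python
import configparser
from io import StringIO

# Constructed sample yum.conf fragments (not from the page). The weak one
# mirrors the reported default: local packages skip the GPG check.
WEAK_CONF = """[main]
gpgcheck=1
localpkg_gpgcheck=0
"""

HARDENED_CONF = """[main]
gpgcheck=1
localpkg_gpgcheck=1
"""

# Assumed key name and assumed default (off when absent), as described above.
LOCAL_KEY = "localpkg_gpgcheck"
LOCAL_KEY_DEFAULT = False


def load_main_section(conf_text):
    """Parse a yum.conf-style text and return its [main] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(StringIO(conf_text))
    if not parser.has_section("main"):
        parser.add_section("main")
    return parser["main"]


def gpg_check_required(conf_text, is_local):
    """Return True if a signature check applies to this package.

    Local (manually downloaded) packages are governed by LOCAL_KEY only;
    repository packages by the global gpgcheck setting.
    """
    main = load_main_section(conf_text)
    if is_local:
        return main.getboolean(LOCAL_KEY, fallback=LOCAL_KEY_DEFAULT)
    return main.getboolean("gpgcheck", fallback=False)


def trust_decision(conf_text, is_local, signature_valid):
    """Model the outcome reported to the user.

    'trusted'  - the package is installed and reported as trusted
    'rejected' - the signature check ran and the package failed it
    With the check disabled, an unsigned package is still reported trusted,
    which is the behaviour the advisory describes.
    """
    if gpg_check_required(conf_text, is_local) and not signature_valid:
        return "rejected"
    return "trusted"


def audit_config(conf_text):
    """Return a list of findings for settings that skip signature checks."""
    findings = []
    main = load_main_section(conf_text)
    if not main.getboolean("gpgcheck", fallback=False):
        findings.append("gpgcheck is disabled: repository packages are not verified")
    if not main.getboolean(LOCAL_KEY, fallback=LOCAL_KEY_DEFAULT):
        findings.append(
            f"{LOCAL_KEY} is disabled or absent: unsigned local packages "
            "are installed without a GPG check and reported as trusted"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "unsigned local rpm ->", trust_decision(conf, True, False))
        for finding in audit_config(conf):
            print("  finding:", finding)
```

Running the block prints the decision for an unsigned local package under each configuration and lists the audit findings; on a real host the same audit would be run over the contents of `/etc/yum.conf`.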