The University of Arizona is publishing a study on security problems with
package management systems. The core problem would appear to be that tools like
yum and apt will happily install versions of packages with known vulnerabilities
if they think that's the most recent version available. And feeding such
packages to the package managers is not a big challenge: "To give an example of
how easy it is for a malicious party to obtain a mirror, we ran an experiment
where we created a fake administrator and company name and leased a server from
a hosting provider. We were able to get our mirror listed on every distribution
we tried (Ubuntu, Fedora, OpenSuSE, CentOS, and Debian) and our mirrors were
contacted by thousands of clients, even including military and government
computers!"
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
07-15-2008, 12:54 PM
Christoph Höger
Study: Attacks on package managers
Hi,
obviously that means metadata needs good signatures as packages do,
right? That should be easy to implement. Also metadata should be
versioned and that version should be updated on a regulary (e.g. daily)
base. (I don't know if it already is) Than one could simply diff the
metadata(-hash) of two or more servers with a trusted base server to
figure out if someone holds back updates.
So that should not be _that_ big problem at all, right?
Christoph
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
Study: Attacks on package managers
