07-15-2008, 11:47 AM
Harald Hoyer

Study: Attacks on package managers

http://lwn.net/Articles/289883/

The University of Arizona is publishing a study on security problems with
package management systems. The core problem would appear to be that tools like
yum and apt will happily install versions of packages with known vulnerabilities
if they think that's the most recent version available. And feeding such
packages to the package managers is not a big challenge: "To give an example of
how easy it is for a malicious party to obtain a mirror, we ran an experiment
where we created a fake administrator and company name and leased a server from
a hosting provider. We were able to get our mirror listed on every distribution
we tried (Ubuntu, Fedora, OpenSuSE, CentOS, and Debian) and our mirrors were
contacted by thousands of clients, even including military and government
computers!"


http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
07-15-2008, 12:54 PM
Christoph Höger

Study: Attacks on package managers

Hi,

obviously that means metadata needs good signatures as packages do,
right? That should be easy to implement. Also metadata should be
versioned and that version should be updated on a regular (e.g. daily)
basis. (I don't know if it already is.) Then one could simply diff the
metadata(-hash) of two or more servers with a trusted base server to
figure out if someone holds back updates.

So that should not be _that_ big a problem at all, right?

Christoph
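
The comparison suggested above, as an added Python example that is not part of the original post: each mirror's metadata file is hashed and checked against a trusted base server's copy, and mirrors serving older metadata are flagged as holding back updates. It assumes the trusted copy has already been authenticated (for example by signature), that the `<revision>` value is a Unix timestamp, and it runs on constructed sample documents; `make_repomd`, `summarize` and `classify_mirrors` are hypothetical names.

```python
import hashlib
import re

REVISION_RE = re.compile(rb"<revision>(\d+)</revision>")

def make_repomd(revision: int, primary_sha256: str) -> bytes:
    """Constructed, minimal repomd.xml-style document (sample input only)."""
    return (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        f"<revision>{revision}</revision>"
        f'<data type="primary"><checksum type="sha256">{primary_sha256}'
        "</checksum></data></repomd>"
    ).encode()

def summarize(doc: bytes) -> tuple[int, str]:
    """Return (revision, SHA-256 of the whole file); ValueError if no revision."""
    match = REVISION_RE.search(doc)
    if match is None:
        raise ValueError("no <revision> element")
    return int(match.group(1)), hashlib.sha256(doc).hexdigest()

def classify_mirrors(trusted, mirrors, now, max_age=86400):
    """Compare each mirror's metadata with the trusted base server's copy."""
    base_rev, base_hash = summarize(trusted)
    # Assumption: the revision is a Unix timestamp, so it doubles as an age.
    if now - base_rev > max_age:
        raise ValueError("trusted metadata is older than max_age")
    verdicts = {}
    for name, doc in mirrors.items():
        try:
            rev, digest = summarize(doc)
        except ValueError:
            verdicts[name] = "unparseable"
        else:
            if digest == base_hash:
                verdicts[name] = "current"
            elif rev < base_rev:
                verdicts[name] = "stale"      # older metadata: updates held back
            else:
                verdicts[name] = "mismatch"   # not older, yet content differs
    return verdicts

# Constructed sample data: one trusted copy and four mirror responses.
TRUSTED = make_repomd(1216080000, "aa" * 32)
MIRRORS = {
    "mirror-a": TRUSTED,
    "mirror-b": make_repomd(1215475200, "bb" * 32),
    "mirror-c": make_repomd(1216080000, "cc" * 32),
    "mirror-d": b"<html>404</html>",
}
```

The `max_age` check on the trusted copy covers the "updated daily" part of the proposal: if the base server's own metadata is older than a day, the comparison is refused rather than trusted.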

All times are GMT.