08-22-2008, 05:18 PM
Rahul Sundaram

Infrastructure report, 2008-08-22 UTC 1200

Miles Sabin wrote:
> On Fri, Aug 22, 2008 at 6:08 PM, Rahul Sundaram
> wrote:
>>> The RHEL signing keys have, however, been used by an unauthorized
>>> party to sign unauthorized packages. Some people would say that that
>>> qualified as "compromised" on any reasonable definition.
>>
>> Yes but if it requires physical access, there is no need to generate a new
>> key.
>
> There are bogus packages already signed and quite possibly out in the
> wild ... what do you mean there's no need to generate a new key?

All I would say is that it really depends on the setup, and I gave you a link
earlier with some details. Besides, this is primarily a Fedora
announcement. RHEL details are elsewhere.


Rahul

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
08-22-2008, 05:32 PM
Miles Sabin

Infrastructure report, 2008-08-22 UTC 1200

On Fri, Aug 22, 2008 at 6:18 PM, Rahul Sundaram
<sundaram@fedoraproject.org> wrote:
>> There are bogus packages already signed and quite possibly out in the
>> wild ... what do you mean there's no need to generate a new key?
>
> All I would say it really depends on the setup and I gave you a link earlier
> with some details.

With some details of the system that we've just discovered has been compromised.

Yes, that increases my confidence enormously ... thank you so much.

Cheers,


Miles

 
08-22-2008, 05:35 PM
Mikkel L. Ellertson

Infrastructure report, 2008-08-22 UTC 1200

Alexandre Dulaunoy wrote:
>
> Yep. Just wondering how the attacker retrieved the passphrase for Red Hat.
>
I am not sure they did retrieve the passphrase. It is possible that
the key was already unlocked by another process, and they managed to
sign a couple of packages in that time. (gpg-agent) I do not know
how easy it would be to grab the information to connect to a running
gpg-agent... from a new login.

Mikkel
--

Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

 
08-22-2008, 05:37 PM
Rahul Sundaram

Infrastructure report, 2008-08-22 UTC 1200

Miles Sabin wrote:
> On Fri, Aug 22, 2008 at 6:18 PM, Rahul Sundaram
> <sundaram@fedoraproject.org> wrote:
>>> There are bogus packages already signed and quite possibly out in the
>>> wild ... what do you mean there's no need to generate a new key?
>>
>> All I would say is that it really depends on the setup, and I gave you a link earlier
>> with some details.
>
> With some details of the system that we've just discovered has been compromised.
>
> Yes, that increases my confidence enormously ... thank you so much.

Boosting your confidence level isn't the purpose. Sharing information
is. As long as you understand what is being shared, job done.


Rahul

 
08-22-2008, 06:39 PM
Laszlo BERES

Infrastructure report, 2008-08-22 UTC 1200

Miles Sabin wrote:
> The RHEL signing keys have, however, been used by an unauthorized
> party to sign unauthorized packages. Some people would say that that
> qualified as "compromised" on any reasonable definition.

Signing is one thing; distributing a signed package through the official
ways is another. The latter didn't happen, as we know.


--
BÉRES László RHCE, RHCX senior IT engineer, trainer
Red Hat, Fedora, CentOS, SELinux: http://sys-admin.hu

 
08-22-2008, 07:52 PM
Les Mikesell

Infrastructure report, 2008-08-22 UTC 1200

Laszlo BERES wrote:
> Miles Sabin wrote:
>> The RHEL signing keys have, however, been used by an unauthorized
>> party to sign unauthorized packages. Some people would say that that
>> qualified as "compromised" on any reasonable definition.
>
> Signing is one thing; distributing a signed package through the official
> ways is another. The latter didn't happen, as we know.

But we do know that a large number of DNS servers are still vulnerable
to spoofing. How do you know that what you think was an official mirror
delivering your rpm update wasn't an imposter, spoofed in DNS?


--
Les Mikesell
lesmikesell@gmail.com



 
08-22-2008, 08:04 PM
Laszlo BERES

Infrastructure report, 2008-08-22 UTC 1200

Les Mikesell wrote:
> But we do know that a large number of DNS servers are still vulnerable
> to spoofing. How do you know that what you think was an official mirror
> delivering your rpm update wasn't an imposter, spoofed in DNS?

You're absolutely right, but if I assume we're talking about RHEL
infrastructure, in this case the attacker has to spoof the
up2date's/yum's RHN certificate, too.


--
BÉRES László RHCE, RHCX senior IT engineer, trainer
Red Hat, Fedora, CentOS, SELinux: http://sys-admin.hu

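The exchange above turns on which client-side checks stand between a DNS-spoofed "mirror" and an installed package: signature verification of the packages themselves (gpgcheck) and, where the transport is TLS as with RHN, verification of the server certificate. The following is an added shell example, not code from the thread, from yum or from Red Hat. It audits a yum-style configuration file for those settings and flags the combinations under which a spoofed DNS answer alone is enough. The section names, hostnames and the sample file are constructed; `sslverify` is assumed to be the repo option name as in later yum releases, not necessarily the 2008 clients discussed here.

```shell
#!/bin/sh
# Added example; not code from the thread, from yum or from Red Hat.
# Audits a yum.conf / .repo file for the settings that decide whether a
# DNS-spoofed mirror can deliver packages that get installed:
#   gpgcheck   - package signature verification (inherits from [main])
#   sslverify  - TLS certificate check of the mirror (assumed option name)
#   plain-http - mirror identity then rests on DNS and signatures only
# Assumed: yum-style ini sections; hostnames in the sample are constructed.

audit_repo_config() {
    # $1: path to a yum.conf or .repo file.
    # Prints "<section>: <finding>" per weakness; returns 1 if any, else 0.
    awk '
    BEGIN { bad = 0 }
    function report_section() {
        if (sec == "") return
        if (sec == "main") { main_gpg = gpg; return }   # [main] sets the default
        eff = (gpg != "") ? gpg : main_gpg
        if (eff != "1") {
            print sec ": gpgcheck is not 1; an imposter mirror can deliver unsigned or badly signed packages"
            bad = 1
        }
        if (ssl == "0") {
            print sec ": sslverify=0; the mirror certificate is not checked, so spoofing DNS is enough"
            bad = 1
        }
        if (url ~ /http:\/\//) {
            print sec ": fetches over plain http; mirror identity rests on DNS and package signatures alone"
            bad = 1
        }
    }
    /^[ \t]*\[/ {
        report_section()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        gpg = ""; ssl = ""; url = ""
        next
    }
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    index($0, "=") > 0 {
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpg = val
        else if (key == "sslverify") ssl = val
        else if (key == "baseurl" || key == "mirrorlist" || key == "metalink") url = url " " val
    }
    END { report_section(); exit bad }
    ' "$1"
}

# Constructed sample configuration: one sound section and two weak ones.
SAMPLE_REPO_CONFIG='[main]
gpgcheck=1

[updates-secure]
name=constructed example: signed packages over verified TLS
baseurl=https://mirror.example.invalid/updates
gpgcheck=1
sslverify=1

[updates-weak]
name=constructed example: plain http and no signature check
baseurl=http://mirror.example.invalid/updates
gpgcheck=0

[rhn-like]
name=constructed example: TLS but certificate not verified
baseurl=https://rhn.example.invalid/updates
sslverify=0'

run_sample_audit() {
    # Writes the constructed config to a temp file, audits it, cleans up.
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_REPO_CONFIG" > "$tmp"
    rc=0
    audit_repo_config "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

if run_sample_audit; then
    echo "no weaknesses found"
else
    echo "fix the sections listed above"
fi
```

Point `audit_repo_config` at `/etc/yum.conf` and each file in `/etc/yum.repos.d/` for a real system. Note that `[rhn-like]` inherits `gpgcheck=1` from `[main]` and is flagged only for the missing certificate check, which is exactly the gap the post above describes: with the certificate unverified, spoofing DNS for the update host is enough to impersonate it, and only the package signatures stand in the way.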
 
08-22-2008, 11:36 PM
Joel Rees

Infrastructure report, 2008-08-22 UTC 1200

On Aug 22, 2008, at 9:00 PM, Paul W. Frields wrote:
> [Information on the intrusion, etc.]

This time through has been a little bit rough. Nothing like a first
time ...

Not all the information I want, yet, but definitely much better than
what Microsoft gives out.

Thanks.

Joel Rees

 
08-24-2008, 02:39 PM
Miles Sabin

Infrastructure report, 2008-08-22 UTC 1200

On Fri, Aug 22, 2008 at 7:39 PM, Laszlo BERES <beres.laszlo@sys-admin.hu> wrote:
> Miles Sabin wrote:
>> The RHEL signing keys have, however, been used by an unauthorized
>> party to sign unauthorized packages. Some people would say that that
>> qualified as "compromised" on any reasonable definition.
>
> Signing is a thing, distributing a signed package through the official ways
> is another. The latter didn't happen as we know.

We know nothing of the sort. In fact the RH announcement suggests
exactly the opposite ... why else distribute a script to check for
compromised RHEL packages?

Cheers,


Miles

--
Miles Sabin
tel: +44 (0)1273 720 779
mobile: +44 (0)7813 944 528
skype: milessabin

 
08-24-2008, 02:47 PM
Rui Miguel Silva Seabra

Infrastructure report, 2008-08-22 UTC 1200

On Sun, Aug 24, 2008 at 03:39:05PM +0100, Miles Sabin wrote:
> On Fri, Aug 22, 2008 at 7:39 PM, Laszlo BERES <beres.laszlo@sys-admin.hu> wrote:
> > Miles Sabin wrote:
> >> The RHEL signing keys have, however, been used by an unauthorized
> >> party to sign unauthorized packages. Some people would say that that
> >> qualified as "compromised" on any reasonable definition.
> >
> > Signing is a thing, distributing a signed package through the official ways
> > is another. The latter didn't happen as we know.
>
> We know nothing of the sort. In fact the RH announcement suggests
> exactly the opposite ... why else distribute a script to check for
> compromised RHEL packages?

Because even though they believe it wasn't distributed, they like to
play it safe, assume it was and provide some help detecting the bad
packages?

Oh my bad, they should probably just consider a blue sky scenario...

--
All Hail Discordia!
Today is Sweetmorn, the 17th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

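What a "script to check for compromised packages" has to do follows from the two posts above: ordinary signature verification cannot catch a bogus build that was signed with the legitimate key, so the vendor has to publish the identities of the specific bad builds, while a key-ID check still catches packages signed with some other key or not signed at all. The following is an added shell example, not Red Hat's script and not code from the thread, that runs both checks over a constructed package inventory. Package names, header hashes and key IDs are hypothetical placeholders; the input line format is assumed to be what an rpm query format of the form `%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SHA1HEADER} %{SIGPGP:pgpsig}` would print, namely `<nvra> <header sha1> <signature description ending in "Key ID <hex>", or (none)>`.

```shell
#!/bin/sh
# Added example; not code from the thread or Red Hat's checking script.
# Two checks over an installed-package inventory read from stdin:
#   1. known-bad list: specific builds published as bad. This is the only
#      way to catch a bogus package signed with the legitimate key.
#   2. key-ID check: packages unsigned, or signed by a key outside the
#      trusted set.
# Assumed input line format (one package per line):
#   <nvra> <header sha1> <sig description ending "Key ID <16 hex>", or (none)>

# Hypothetical trusted signing key IDs (lowercase hex); not real distribution keys.
TRUSTED_KEYS="0123456789abcdef fedcba9876543210"

# Constructed known-bad list: "<nvra> <header sha1>" per line. Package a is
# signed with a trusted key yet is on the list: the scenario of the thread.
KNOWN_BAD='examplepkg-a-1.0-1.el5.x86_64 1111111111111111111111111111111111111111'

flag_suspect_packages() {
    # $1: trusted key IDs (space separated); $2: known-bad list; stdin: inventory.
    # Prints "<nvra> <reason>" per suspect package; returns 1 if any, else 0.
    trusted=$1
    knownbad=$2
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        nvra=${line%% *}
        rest=${line#* }
        sha=${rest%% *}
        sig=${rest#* }
        # Check 1: a listed build is bad regardless of who signed it.
        case "$knownbad" in
            *"$nvra $sha"*) echo "$nvra KNOWN_BAD"; bad=1; continue ;;
        esac
        # Check 2: unsigned, or signed by a key we do not trust.
        case "$sig" in
            "(none)"|"$sha")
                echo "$nvra UNSIGNED"; bad=1 ;;
            *"Key ID "*)
                keyid=$(printf '%s' "${sig##*Key ID }" | tr 'A-F' 'a-f')
                case " $trusted " in
                    *" $keyid "*) ;;
                    *) echo "$nvra UNTRUSTED_KEY $keyid"; bad=1 ;;
                esac ;;
            *)
                echo "$nvra UNPARSEABLE_SIG"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed inventory: a is listed as bad, b has a foreign key, c is
# unsigned, d and e are signed with trusted keys (d with uppercase hex).
SAMPLE_INVENTORY='examplepkg-a-1.0-1.el5.x86_64 1111111111111111111111111111111111111111 DSA/SHA1, Mon 18 Aug 2008 10:00:00 AM UTC, Key ID 0123456789abcdef
examplepkg-b-2.3-4.el5.x86_64 2222222222222222222222222222222222222222 DSA/SHA1, Wed 20 Aug 2008 11:30:00 AM UTC, Key ID deadbeefcafef00d
examplepkg-c-0.9-2.el5.noarch 3333333333333333333333333333333333333333 (none)
examplepkg-d-5.1-1.el5.x86_64 4444444444444444444444444444444444444444 RSA/SHA1, Thu 21 Aug 2008 09:15:00 AM UTC, Key ID FEDCBA9876543210
examplepkg-e-1.0-1.el5.x86_64 5555555555555555555555555555555555555555 DSA/SHA1, Fri 22 Aug 2008 08:00:00 AM UTC, Key ID 0123456789abcdef'

run_sample_check() {
    printf '%s\n' "$SAMPLE_INVENTORY" | flag_suspect_packages "$TRUSTED_KEYS" "$KNOWN_BAD"
}

if run_sample_check; then
    echo "no suspect packages"
else
    echo "investigate the packages listed above"
fi
```

For a real system, pipe the rpm query output into `flag_suspect_packages` with the vendor's published key IDs and bad-build list. The ordering of the checks is the point: an attacker who can sign with the real key also controls what the key-ID check passes, so the list of specific builds is what actually covers the case the thread is arguing about, and the key-ID check is there for everything else.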
 
