messed up signatures in fedora updates

gboyce at badbelly.com
Thu Nov 20 08:08:14 EST 2003


On Wed, 19 Nov 2003, eric wrote:

> "For an attacker to make use of this flaw, they would have to make
> unsigned packages appear on the Red Hat Network. Connections to the Red
> Hat Network servers are authenticated and verified by the use of SSL, so
> it is not possible to intercept the connection to Red Hat Network
> servers and give unsigned packages.  To make use of this flaw, an
> attacker would have to compromise the Red Hat Network servers at Red
> Hat. Because of these factors, the risk of exploiting this bug is low."

I'm not entirely certain, but I believe that up2date on Fedora is pulling 
from a yum repository rather than a Red Hat Network up2date server.  
(up2date in Fedora definitely has the ability to use a yum server, or an 
apt repository for that matter).

If this is the case, then the SSL portion of the check here isn't valid, and 
it could be possible for someone with access to your DNS server to point 
you to a new repository with modified packages.

--
Greg
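The concern above, that an unauthenticated transport leaves the package signature check as the only remaining control, as an added example that is not code from this thread: a small Python audit of yum-style .repo definitions. It assumes the baseurl/enabled/gpgcheck/gpgkey keys of the yum repo format and uses constructed placeholder hostnames.

```python
import configparser

# Constructed sample in /etc/yum.repos.d style; hosts are placeholders.
SAMPLE_REPO = """\
[fedora-updates]
baseurl=https://updates.example.invalid/fedora/1/i386/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-placeholder

[local-mirror]
baseurl=http://mirror.example.invalid/fedora/1/i386/
enabled=1
gpgcheck=0

[retired]
baseurl=http://old.example.invalid/
enabled=0
"""


def audit_repos(text):
    """Return {repo_id: [findings]} for each enabled repo in a .repo file.

    Flags a non-HTTPS baseurl (a DNS or on-path attacker can redirect the
    client to another repository) and a missing GPG signature check, the
    one control that still holds once the transport is not authenticated.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repositories are never consulted
        problems = []
        if not sec.get("baseurl", "").lower().startswith("https://"):
            problems.append("unauthenticated transport")
        # A missing gpgcheck is treated as disabled: the safe value is explicit.
        if sec.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck disabled")
        elif not sec.get("gpgkey"):
            problems.append("gpgcheck set but no gpgkey configured")
        findings[repo] = problems
    return findings


def unsafe_repos(text):
    """Repos that would accept a substituted, unsigned package silently."""
    return sorted(r for r, p in audit_repos(text).items()
                  if "unauthenticated transport" in p and "gpgcheck disabled" in p)
```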
