
BLU Discuss list archive



messed up signatures in fedora updates



On Wed, 19 Nov 2003, eric wrote:

> "For an attacker to make use of this flaw, they would have to make
> unsigned packages appear on the Red Hat Network. Connections to the Red
> Hat Network servers are authenticated and verified by the use of SSL, so
> it is not possible to intercept the connection to Red Hat Network
> servers and give unsigned packages.  To make use of this flaw, an
> attacker would have to compromise the Red Hat Network servers at Red
> Hat. Because of these factors, the risk of exploiting this bug is low."

I'm not entirely certain, but I believe that up2date on Fedora is pulling 
from a yum repository rather than a redhat network up2date server.  
(up2date in fedora definitely has the ability to use a yum server, or an 
apt repository for that matter).

If this is the case, then the SSL portion of the check here isn't valid, and 
it could be possible for someone with access to your DNS server to point 
you to a new repository with modified packages.

--
Greg
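A defender's check for the scenario described above, added here as an example and not part of the original post: a POSIX sh/awk audit of yum repository definitions that flags any repo where package GPG checking is off, since the per-package signature check, not the transport, is what rejects a substituted package from a redirected mirror. The repo contents and mirror hostnames are constructed; `gpgcheck` and `gpgkey` are real yum configuration options.

```shell
#!/bin/sh
# Constructed sample yum repository configuration (not taken from any real
# Fedora system): one repo with signature checking disabled, one with it
# enabled and the publisher's key pinned to a local file.
SAMPLE_REPO='[fedora-updates]
name=Fedora Core updates
baseurl=http://mirror.example.invalid/fedora/updates/
gpgcheck=0

[fedora-base]
name=Fedora Core base
baseurl=http://mirror.example.invalid/fedora/base/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
'

# audit_repos CONFIG_TEXT
# Prints, one per line, the ids of repos whose gpgcheck is absent or not "1".
# A repo listed here would install whatever a mirror hands back, so a DNS
# redirection to a hostile mirror is enough to deliver a modified package.
audit_repos() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ {
            # New section: report the previous one if it never enabled checking.
            if (id != "" && !ok) print id
            id = substr($0, 2, length($0) - 2)
            ok = 0
            next
        }
        /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END { if (id != "" && !ok) print id }
    '
}

# Run against the constructed sample; prints "fedora-updates".
audit_repos "$SAMPLE_REPO"
```

On a live system the same function can be fed `cat /etc/yum.conf /etc/yum.repos.d/*.repo` to list every repo that would accept unsigned packages.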





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org