<div dir="ltr">I'll add to this as I read (between the lines) and understand:<br><br>Bad versions of ssh binaries were made available for subscriber use from RedHat servers. This did not involve a compromise of their key system. My "between the lines" part suggests that their internal source repository was compromised and the bad code was then compiled through normal channels which dodged needing to break into their hardware-keyed signing process.<br>
<br>As RedHat does NOT distribute binaries by means other than RHN subscription, this suggests that because the trojaned code was compiled through their normal channels it was released through the RHN process. I have seen one machine in the field running the code that matched their md5sum on the binariy and I know that machine was pulling from a sattelite server (which pulls from RHN).<br>
<br>RedHat does not curently use yum for their repositories. Yum is used by Fedora.<br><br><div class="gmail_quote">On Sun, Aug 31, 2008 at 9:34 PM, Jeff Lightner <span dir="ltr"><<a href="mailto:jlightner@water.com">jlightner@water.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I'd think so.<br>
<br>
Remember however that the "download" issue is only if you're NOT getting<br>
your downloads via RedHat Network (RHN) subscriptions. If you are<br>
getting them via subscriptions then what you got was never compromised.<br>
If you've been getting your "downloads" via yum from official<br>
repositories then they weren't compromised based on my read of the<br>
official alert issued by RedHat.<br>
<div><div></div><div class="Wj3C7c"><br>
-----Original Message-----<br>
From: <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [mailto:<a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a>] On Behalf Of<br>
Scott Castaline<br>
Sent: Sunday, August 31, 2008 5:18 PM<br>
To: Atlanta Linux Enthusiasts<br>
Subject: [ale] Recent events with RH/Fedora servers.<br>
<br>
With the recent events happening with theses servers would a downloaded<br>
image file that was downloaded during the time frame involved and again<br>
on 8/29/08 share the same SHA1 hash could I consider the first one as<br>
safe to use?<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
</div></div>----------------------------------<br>
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.<br>
----------------------------------<br>
<div><div></div><div class="Wj3C7c"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III <br><br>
</div>