<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>The fact you got it via a satellite makes
me wonder if they consider that to be one of the “non-standard”
distribution methods. It would suck if so since they push satellite so hard.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I think I’ll check my machines –
I’d assumed they were OK but if you got it via satellite it’s possible
RedHat was either wrong or just plain lied about who was affected.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
ale-bounces@ale.org [mailto:ale-bounces@ale.org] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Jim Kinney<br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, September 02, 2008
1:48 PM<br>
<b><span style='font-weight:bold'>To:</span></b> ale@ale.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [ale] Recent events
with RH/Fedora servers.</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>2008/9/2 Jeff Lightner &lt;<a href="mailto:jlightner@water.com">jlightner@water.com</a>&gt;<o:p></o:p></span></font></p>
<div link=blue vlink=blue>
<div>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'>Incorrect on several counts:</span></font><o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>yep. Bozohat was firmly attached to my head. Thanks for the
corrections. I did have fun at dragoncon, though! <o:p></o:p></span></font></p>
</div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>
<div link=blue vlink=blue>
<div>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'> </span></font><o:p></o:p></p>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'>RedHat does distribute binaries. It does also
OFFER source RPMs but I'd be willing to bet most Fedora/RedHat folks install
from the standard RPMs.</span></font><o:p></o:p></p>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'> </span></font><o:p></o:p></p>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'>RedHat explicitly states in their notification that users who
get their packages via normal subscription channels are NOT affected and it is
only because some people don't do it that way that they issued notice at
all. My read is that up2date and yum hitting official repositories (the
"normal" way to do it) were not affected. The folks I could
think that might be would be those who go get one-off downloads from their web
site.</span></font><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I do have one machine that was updating through rhn satellite that got
the bad binary. It's been taken care of but I'm unclear on how it got the bad
one since they think the rhn streams are clean. <o:p></o:p></span></font></p>
</div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>
<div link=blue vlink=blue>
<div>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'> </span></font><o:p></o:p></p>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'>RedHat as of RHEL5 does in fact use yum instead of up2date.</span></font><o:p></o:p></p>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'> </span></font><o:p></o:p></p>
<p><font size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:
Arial;color:navy'> </span></font><o:p></o:p></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center>
</span></font></div>
<p><b><font size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
font-weight:bold'>From:</span></font></b><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'> <a
href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>
[mailto:<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>]
<b><span style='font-weight:bold'>On Behalf Of </span></b>Jim Kinney<br>
<b><span style='font-weight:bold'>Sent:</span></b> Monday, September 01, 2008
8:49 PM<br>
<b><span style='font-weight:bold'>To:</span></b> <a href="mailto:ale@ale.org"
target="_blank">ale@ale.org</a><br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [ale] Recent events
with RH/Fedora servers.</span></font><o:p></o:p></p>
</div>
<div>
<div>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'> <o:p></o:p></span></font></p>
<div>
<p style='margin-bottom:12.0pt'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>I'll add to this as I read (between the lines) and
understand:<br>
<br>
Bad versions of ssh binaries were made available for subscriber use from RedHat
servers. This did not involve a compromise of their key system. My
"between the lines" part suggests that their internal source
repository was compromised and the bad code was then compiled through normal
channels which dodged needing to break into their hardware-keyed signing
process.<br>
<br>
As RedHat does NOT distribute binaries by means other than RHN subscription,
this suggests that because the trojaned code was compiled through their normal
channels it was released through the RHN process. I have seen one machine in
the field running the code that matched their md5sum on the binary and I know
that machine was pulling from a satellite server (which pulls from RHN).<br>
<br>
RedHat does not currently use yum for their repositories. Yum is used by Fedora.<o:p></o:p></span></font></p>
<div>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>On Sun,
Aug 31, 2008 at 9:34 PM, Jeff Lightner &lt;<a href="mailto:jlightner@water.com"
target="_blank">jlightner@water.com</a>&gt; wrote:<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>I'd think
so.<br>
<br>
Remember however that the "download" issue is only if you're NOT
getting<br>
your downloads via RedHat Network (RHN) subscriptions. If you are<br>
getting them via subscriptions then what you got was never compromised.<br>
If you've been getting your "downloads" via yum from official<br>
repositories then they weren't compromised based on my read of the<br>
official alert issued by RedHat.<o:p></o:p></span></font></p>
<div>
<div>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'><br>
-----Original Message-----<br>
From: <a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>
[mailto:<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>]
On Behalf Of<br>
Scott Castaline<br>
Sent: Sunday, August 31, 2008 5:18 PM<br>
To: Atlanta Linux Enthusiasts<br>
Subject: [ale] Recent events with RH/Fedora servers.<br>
<br>
With the recent events happening with these servers would a downloaded<br>
image file that was downloaded during the time frame involved and again<br>
on 8/29/08 share the same SHA1 hash could I consider the first one as<br>
safe to use?<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><o:p></o:p></span></font></p>
</div>
</div>
</div>
<p style='margin-bottom:12.0pt'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'><br>
<br clear=all>
<br>
-- <br>
-- <br>
James P. Kinney III <o:p></o:p></span></font></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><br>
<br clear=all>
<br>
-- <br>
-- <br>
James P. Kinney III <o:p></o:p></span></font></p>
</div>
</div>
</body>
</html>