<div dir="ltr"><br><br><div class="gmail_quote">2008/9/2 Jeff Lightner <span dir="ltr"><<a href="mailto:jlightner@water.com">jlightner@water.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="blue" lang="EN-US">
<div>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">Incorrect on several counts:</span></font></p></div></div></blockquote><div>yep. Bozohat was firmly attached to my head. Thanks for the corrections. I did have fun at dragoncon, though! <br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div link="blue" vlink="blue" lang="EN-US"><div><p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;"></span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">RedHat does distribute binaries. It does
also OFFER source RPMs but I'd be willing to bet most Fedora/RedHat folks
install from the standard RPMs.</span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">RedHat explicitly states in their
notification that users who get their packages via normal subscription channels
are NOT affected and it is only because some people don't do it that way
that they issued notice at all. My read is that up2date and yum hitting
official repositories (the "normal" way to do it) were not
affected. The folks I could think that might be would be those who go get one
off downloads from their web site.</span></font></p></div></div></blockquote><div>I do have one machine that was updating through rhn satellite that got the bad binary. it's been taken care of but I'm unclear on how it got the bad one since they think the rhn streams are clean. <br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div link="blue" vlink="blue" lang="EN-US"><div><p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;"></span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">RedHat as of RHEL5 does in fact use yum
instead of up2date.</span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<div>
<div style="text-align: center;" align="center"><font size="3" face="Times New Roman"><span style="font-size: 12pt;">
<hr size="2" width="100%" align="center">
</span></font></div>
<p><b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma;">
<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a> [mailto:<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>] <b><span style="font-weight: bold;">On Behalf Of </span></b>Jim Kinney<br>
<b><span style="font-weight: bold;">Sent:</span></b> Monday, September 01, 2008
8:49 PM<br>
<b><span style="font-weight: bold;">To:</span></b> <a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a><br>
<b><span style="font-weight: bold;">Subject:</span></b> Re: [ale] Recent events
with RH/Fedora servers.</span></font></p>
</div><div><div></div><div class="Wj3C7c">
<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;"> </span></font></p>
<div>
<p style="margin-bottom: 12pt;"><font size="3" face="Times New Roman"><span style="font-size: 12pt;">I'll add to this as I
read (between the lines) and understand:<br>
<br>
Bad versions of ssh binaries were made available for subscriber use from RedHat
servers. This did not involve a compromise of their key system. My
"between the lines" part suggests that their internal source
repository was compromised and the bad code was then compiled through normal
channels which dodged needing to break into their hardware-keyed signing
process.<br>
<br>
As RedHat does NOT distribute binaries by means other than RHN subscription,
this suggests that because the trojaned code was compiled through their normal
channels it was released through the RHN process. I have seen one machine in
the field running the code that matched their md5sum on the binariy and I know
that machine was pulling from a sattelite server (which pulls from RHN).<br>
<br>
RedHat does not curently use yum for their repositories. Yum is used by Fedora.</span></font></p>
<div>
<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">On Sun, Aug 31, 2008 at 9:34 PM, Jeff
Lightner <<a href="mailto:jlightner@water.com" target="_blank">jlightner@water.com</a>>
wrote:</span></font></p>
<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">I'd think so.<br>
<br>
Remember however that the "download" issue is only if you're NOT
getting<br>
your downloads via RedHat Network (RHN) subscriptions. If you are<br>
getting them via subscriptions then what you got was never compromised.<br>
If you've been getting your "downloads" via yum from official<br>
repositories then they weren't compromised based on my read of the<br>
official alert issued by RedHat.</span></font></p>
<div>
<div>
<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;"><br>
-----Original Message-----<br>
From: <a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a> [mailto:<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>] On Behalf Of<br>
Scott Castaline<br>
Sent: Sunday, August 31, 2008 5:18 PM<br>
To: Atlanta Linux Enthusiasts<br>
Subject: [ale] Recent events with RH/Fedora servers.<br>
<br>
With the recent events happening with theses servers would a downloaded<br>
image file that was downloaded during the time frame involved and again<br>
on 8/29/08 share the same SHA1 hash could I consider the first one as<br>
safe to use?<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a></span></font></p>
</div>
</div>
<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">----------------------------------<br>
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential
information and is for the sole use of the intended recipient(s). If you are
not the intended recipient, any disclosure, copying, distribution, or use of
the contents of this information is prohibited and may be unlawful. If you have
received this electronic transmission in error, please reply immediately to the
sender that you have received the message in error, and delete it. Thank you.<br>
----------------------------------</span></font></p>
<div>
<div>
<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a></span></font></p>
</div>
</div>
</div>
<p style="margin-bottom: 12pt;"><font size="3" face="Times New Roman"><span style="font-size: 12pt;"><br>
<br clear="all">
<br>
-- <br>
-- <br>
James P. Kinney III </span></font></p>
</div>
</div></div></div>
</div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III <br><br>
</div>