<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Incorrect on several counts:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>RedHat does distribute binaries. It does
also OFFER source RPMs but I'd be willing to bet most Fedora/RedHat folks
install from the standard RPMs.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>RedHat explicitly states in their
notification that users who get their packages via normal subscription channels
are NOT affected and it is only because some people don't do it that way
that they issued notice at all. My read is that up2date and yum hitting
official repositories (the "normal" way to do it) were not
affected. The folks I could think that might be would be those who go get
one-off downloads from their web site.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>RedHat as of RHEL5 does in fact use yum
instead of up2date.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
ale-bounces@ale.org [mailto:ale-bounces@ale.org] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Jim Kinney<br>
<b><span style='font-weight:bold'>Sent:</span></b> Monday, September 01, 2008
8:49 PM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">ale@ale.org</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [ale] Recent events
with RH/Fedora servers.</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>I'll add to this as I
read (between the lines) and understand:<br>
<br>
Bad versions of ssh binaries were made available for subscriber use from RedHat
servers. This did not involve a compromise of their key system. My
"between the lines" part suggests that their internal source
repository was compromised and the bad code was then compiled through normal
channels which dodged needing to break into their hardware-keyed signing
process.<br>
<br>
As RedHat does NOT distribute binaries by means other than RHN subscription,
this suggests that because the trojaned code was compiled through their normal
channels it was released through the RHN process. I have seen one machine in
the field running the code that matched their md5sum on the binary and I know
that machine was pulling from a satellite server (which pulls from RHN).<br>
<br>
RedHat does not currently use yum for their repositories. Yum is used by Fedora.<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Sun, Aug 31, 2008 at 9:34 PM, <st1:PersonName w:st="on">Jeff
Lightner</st1:PersonName> &lt;<a href="mailto:jlightner@water.com">jlightner@water.com</a>&gt;
wrote:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I'd think so.<br>
<br>
Remember however that the "download" issue is only if you're NOT
getting<br>
your downloads via RedHat Network (RHN) subscriptions. If you are<br>
getting them via subscriptions then what you got was never compromised.<br>
If you've been getting your "downloads" via yum from official<br>
repositories then they weren't compromised based on my read of the<br>
official alert issued by RedHat.<o:p></o:p></span></font></p>
<div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
-----Original Message-----<br>
From: <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [mailto:<a
href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a>] On Behalf Of<br>
Scott Castaline<br>
Sent: Sunday, August 31, 2008 5:18 PM<br>
To: Atlanta Linux Enthusiasts<br>
Subject: [ale] Recent events with RH/Fedora servers.<br>
<br>
With the recent events happening with these servers would a downloaded<br>
image file that was downloaded during the time frame involved and again<br>
on 8/29/08 share the same SHA1 hash could I consider the first one as<br>
safe to use?<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><o:p></o:p></span></font></p>
</div>
</div>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><br>
<br clear=all>
<br>
-- <br>
James P. Kinney III <o:p></o:p></span></font></p>
</div>
</div>
</body>
</html>