[ale] Recent events with RH/Fedora servers.

Jeff Lightner jlightner at water.com
Tue Sep 2 08:55:13 EDT 2008


Incorrect on several counts:
RedHat does distribute binaries.   It does also OFFER source RPMs but
I'd be willing to bet most Fedora/RedHat folks install from the standard
RPMs.
RedHat explicitly states in their notification that users who get their
packages via normal subscription channels are NOT affected and it is
only because some people don't do it that way that they issued notice at
all.  My read is that up2date and yum hitting official repositories (the
"normal" way to do it) were not affected.  The folks I could think of that
might be would be those who go get one-off downloads from their web
site.
RedHat as of RHEL5 does in fact use yum instead of up2date.
________________________________

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim
Kinney
Sent: Monday, September 01, 2008 8:49 PM
To: ale at ale.org
Subject: Re: [ale] Recent events with RH/Fedora servers.
I'll add to this as I read (between the lines) and understand:

Bad versions of ssh binaries were made available for subscriber use from
RedHat servers. This did not involve a compromise of their key system.
My "between the lines" part suggests that their internal source
repository was compromised and the bad code was then compiled through
normal channels which dodged needing to break into their hardware-keyed
signing process.

As RedHat does NOT distribute binaries by means other than RHN
subscription, this suggests that because the trojaned code was compiled
through their normal channels it was released through the RHN process. I
have seen one machine in the field running the code that matched their
md5sum on the binary and I know that machine was pulling from a
satellite server (which pulls from RHN).

RedHat does not currently use yum for their repositories. Yum is used by
Fedora.

On Sun, Aug 31, 2008 at 9:34 PM, Jeff Lightner <jlightner at water.com>
wrote:

I'd think so.

Remember however that the "download" issue is only if you're NOT getting
your downloads via RedHat Network (RHN) subscriptions.  If you are
getting them via subscriptions then what you got was never compromised.
If you've been getting your "downloads" via yum from official
repositories then they weren't compromised based on my read of the
official alert issued by RedHat.


-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
Scott Castaline
Sent: Sunday, August 31, 2008 5:18 PM
To: Atlanta Linux Enthusiasts
Subject: [ale] Recent events with RH/Fedora servers.

With the recent events happening with these servers, if a downloaded
image file that was downloaded during the time frame involved and again
on 8/29/08 shares the same SHA1 hash, could I consider the first one as
safe to use?
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale

-- 
James P. Kinney III 
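The thread turns on two different checks: a binary's md5sum matching the value Red Hat published, and two downloads of the same image sharing a SHA1. The following is an added example, not code from anyone on the list, that performs both checks with Python's hashlib and keeps them apart: whether two local copies agree with each other, and whether a local copy agrees with the digest the vendor published. The file names, file contents and the "published" digest are all constructed inside the script.

```python
"""Verify a downloaded artifact against a published digest.

Added example (not code from the ALE thread). It separates two
questions that are easy to conflate when checking downloads:
  1. do two local copies match each other?          (consistency)
  2. does a local copy match the vendor's digest?   (integrity against a trusted reference)
Two copies pulled from the same compromised source will pass check 1
and fail check 2; only check 2 says anything about the vendor's intent.
All sample contents and the 'published' digest below are constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large images do not load into memory


def file_digest(path, algo="sha256"):
    """Hex digest of a file using any hashlib algorithm (md5, sha1, sha256, ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def copies_match(path_a, path_b, algo="sha1"):
    """Question 1: are two downloads byte-identical (same digest)?"""
    return file_digest(path_a, algo) == file_digest(path_b, algo)


def matches_published(path, published_hex, algo):
    """Question 2: does the local copy match the digest the vendor published?

    compare_digest is not strictly needed for an integrity check, but it is
    cheap and avoids the habit of comparing digests with '=='.
    """
    return hmac.compare_digest(file_digest(path, algo), published_hex.strip().lower())


def demo():
    """Build a genuine and a tampered package (constructed bytes) and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "openssh-genuine.rpm")     # constructed file name
        bad = os.path.join(d, "openssh-tampered.rpm")     # constructed file name
        bad_copy = os.path.join(d, "openssh-tampered-2.rpm")
        with open(good, "wb") as f:
            f.write(b"genuine package bytes\n")           # constructed content
        for p in (bad, bad_copy):
            with open(p, "wb") as f:
                f.write(b"tampered package bytes\n")      # constructed content
        # The digest the vendor would publish for the genuine package (constructed here).
        published_sha1 = hashlib.sha1(b"genuine package bytes\n").hexdigest()
        return {
            # Two downloads of the tampered file agree with each other ...
            "tampered_copies_agree": copies_match(bad, bad_copy),
            # ... yet neither matches the vendor's published digest.
            "tampered_matches_published": matches_published(bad, published_sha1, "sha1"),
            # The genuine package does match the published digest.
            "genuine_matches_published": matches_published(good, published_sha1, "sha1"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

For RPM packages specifically, `rpm -K <file>` (`--checksig`) checks the package's GPG signature against the imported vendor key, which ties the check to the vendor's key rather than to a digest fetched from the same place as the package.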
