From: "e.r." <fastflyer28@yahoo.com>
To: iwar@yahoogroups.com
Reply-To: iwar@yahoogroups.com
Date: Tue, 23 Oct 2001 19:23:20 -0700 (PDT)
Subject: Re: [iwar] [fc:Red.Hat.7.2.GnuPG.signed.RPM.verification.fails.on.distribution.files]
Message-ID: <20011024022320.1038.qmail@web14507.mail.yahoo.com>
In-Reply-To: <5.1.0.14.2.20011023205304.026f8060@mail-dnh.mv.net>

Give "Billy Williams" at Red Hat a call. He is one of the head honchos and also says "no problem."

Have you ever noticed that when someone says "no problem" a major disaster is about to strike, or the person does not understand English? Red Hat does have a problem and so far they are simply saying "no problem." It is nice Linux when it works, albeit Linux trying to give you that homey feel of Windows but not quite getting there.

--- Brian McWilliams <brian@pc-radio.com> wrote:
> Red Hat claims this is not a big deal:
>
> http://www.newsbytes.com/news/01/171431.html
>
> But Seifried has just published a rebuttal that says it could be:
>
> http://www.seifried.org/security/articles/20011023-devil-in-details.html
>
> Brian
>
>
> At 08:21 PM 10/23/01, you wrote:
> >Kurt Seifried Security Advisory 002 (KSSA-002)
> >http://www.seifried.org/security/advisories/kssa-002.html
> >
> >By Kurt Seifried, kurt@seifried.org
> >----------------------------------------------------------------------
> >
> >Title:
> >Red Hat 7.2 GnuPG signed RPM verification fails on distribution files
> >
> >Issue date:
> >Oct 23, 2001
> >
> >History of advisory:
> >Oct 23, 2001 While downloading Red Hat 7.2 Kurt Seifried noticed
> >various packages were not GnuPG signed.
> >
> >Author:
> >Kurt Seifried, kurt@seifried.org
> >
> >Credits:
> >N/A
> >
> >Overview:
> >Red Hat 7.2 distribution files on popular ftp sites such as
> >ftp.ibiblio.org and mirrors.hpcf.upr.edu are not signed. It is
> >unlikely that this is an attack as the number of sites involved makes
> >it likely someone would have noticed and notified the community.
> >Either Red Hat did not sign these packages, or someone subverted the
> >distribution process before the files got to various sites. For Red
> >Hat 7.1 please note that all files were correctly signed with the Red
> >Hat GnuPG security key.
> >
> >Vendor Contact:
> >security@redhat.com
> >
> >Impact:
> >An attacker can create RPMs that will not appear any different from
> >the real ones, as they do not need to be signed. Finding the MD5 sums
> >of the files in trusted locations is very difficult (I cannot find
> >any lists).
> >
> >Details:
> >Red Hat has released Red Hat 7.2, a much anticipated release.
> >Typically all the rpm distribution files are signed, making it very
> >easy to verify their correctness. Since numerous packages are not
> >signed it becomes trivial for an attacker to replace packages on a
> >distribution site with no-one being able to easily verify that they
> >have been subverted. An attacker would not even need to modify or add
> >files to the package, instead they could add a preinstall,
> >postinstall, preuninstall or postuninstall script that would be
> >capable of compromising the system since these scripts run with root
> >privileges. Packages include rpmdb-redhat and redhat-release.
> >
> >Solutions and workarounds:
> >None available. Red Hat needs to sign the packages properly with
> >GnuPG.
> >
> >References:
> >N/A
> >
> >----------------------------------------------------------------------
> >
> >Permission is granted for copying and circulating this Bulletin to
> >the Internet community for the purpose of alerting them to problems,
> >if and only if, the bulletin is not edited or changed in any way, is
> >attributed to Kurt Seifried, and provided such reproduction and/or
> >distribution is performed for non-commercial purposes.
> >
> >Any other use of this information is prohibited. Kurt Seifried is not
> >liable for any misuse of this information by any third party.
> >
> >----------------------------------------------------------------------
> >
> >Last updated 10/23/2001
> >
> >Copyright Kurt Seifried 2001
> >
> >Kurt Seifried, kurt@seifried.org
> >A15B BEE5 B391 B9AD B0EF
> >AEB0 AD63 0B4E AD56 E574
> >http://www.seifried.org/security/
> >
> >------------------
> >http://all.net/
> >
> >Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
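As an added example (not code from the advisory or from anyone in this thread), a small POSIX shell audit that runs `rpm -K` (--checksig) over a directory of packages and flags those that carry no signature at all, which is the case the advisory describes; the output tokens it matches on are assumed from common rpm versions, and the directory path is a placeholder.

```shell
# Added example, not code from the advisory or the thread: audit a directory
# of .rpm files with `rpm -K` and flag packages that carry no signature.
# rpm -K exits 0 for an unsigned package whose digests match, which is the
# gap the advisory describes, so the output line has to be inspected rather
# than the exit status. The token set below is assumed from common rpm
# versions; adjust it for the rpm you run.

# Prints one word for a single rpm -K output line:
#   signed / unsigned / unverified (signature present, signer key not
#   imported) / bad (digest or signature mismatch).
classify_checksig_line() {
    case "$1" in
        *"MISSING KEYS"*)                       echo unverified ;;
        *"NOT OK"*)                             echo bad ;;
        *gpg*|*pgp*|*signatures*|*DSA*|*RSA*)   echo signed ;;
        *)                                      echo unsigned ;;
    esac
}

# Runs rpm -K over every .rpm in a directory and reports anything that is
# not "signed". Returns 1 if such a package was found, 0 otherwise.
audit_rpm_dir() {
    dir="$1"
    rc=0
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || continue
        out=$(rpm -K "$pkg" 2>&1)
        status=$(classify_checksig_line "$out")
        if [ "$status" != signed ]; then
            echo "$status: $out"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit_rpms.sh /path/to/RedHat/RPMS   (placeholder path)
if [ $# -gt 0 ]; then
    audit_rpm_dir "$1"
fi
```

A package reported as "unsigned" is exactly the state the advisory complains about: digests match, so rpm is satisfied, but nothing ties the file to the vendor's key.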
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST