 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
On Wed, 19 Nov 2003, eric wrote: > "For an attacker to make use of this flaw, they would have to make > unsigned packages appear on the Red Hat Network. Connections to the Red > Hat Network servers are authenticated and verified by the use of SSL, so > it is not possible to intercept the connection to Red Hat Network > servers and give unsigned packages. To make use of this flaw, an > attacker would have to compromise the Red Hat Network servers at Red > Hat. Because of these factors, the risk of exploiting this bug is low." I'm not entirely certain, but I believe that up2date on Fedora is pulling from a yum repository rather than a redhat network up2date server. (up2date in fedora definitely has the ability to use a yum server, or an apt repository for that matter). If this is the case, then SSL portion of the check here isn't valid, and it could be possible for someone with access to your DNS server to point you to a new repository with modified packages. -- Greg
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
