[ale] Recent events with RH/Fedora servers.

Jim Kinney jim.kinney at gmail.com
Tue Sep 2 13:48:19 EDT 2008


2008/9/2 Jeff Lightner <jlightner at water.com>

>  Incorrect on several counts:
>
Yep. Bozohat was firmly attached to my head. Thanks for the corrections. I
did have fun at dragoncon, though!

>
>
> RedHat does distribute binaries.   It does also OFFER source RPMs but I'd
> be willing to bet most Fedora/RedHat folks install from the standard RPMs.
>
>
>
> RedHat explicitly states in their notification that users who get their
> packages via normal subscription channels are NOT affected and it is only
> because some people don't do it that way that they issued notice at all.  My
> read is that up2date and yum hitting official repositories (the "normal" way
> to do it) were not affected.  The folks I could think that might be would be
> those who go get one off downloads from their web site.
>
I do have one machine that was updating through RHN Satellite that got the
bad binary. It's been taken care of, but I'm unclear on how it got the bad
one since they think the RHN streams are clean.

>
>
> RedHat as of RHEL5 does in fact use yum instead of up2date.
>
>
>
>
>  ------------------------------
>
> *From:* ale-bounces at ale.org [mailto:ale-bounces at ale.org] *On Behalf Of *Jim
> Kinney
> *Sent:* Monday, September 01, 2008 8:49 PM
> *To:* ale at ale.org
> *Subject:* Re: [ale] Recent events with RH/Fedora servers.
>
>
>
> I'll add to this as I read (between the lines) and understand:
>
> Bad versions of ssh binaries were made available for subscriber use from
> RedHat servers. This did not involve a compromise of their key system. My
> "between the lines" part suggests that their internal source repository was
> compromised and the bad code was then compiled through normal channels which
> dodged needing to break into their hardware-keyed signing process.
>
> As RedHat does NOT distribute binaries by means other than RHN
> subscription, this suggests that because the trojaned code was compiled
> through their normal channels it was released through the RHN process. I
> have seen one machine in the field running the code that matched their
> md5sum on the binary and I know that machine was pulling from a satellite
> server (which pulls from RHN).
>
> RedHat does not currently use yum for their repositories. Yum is used by
> Fedora.
>
> On Sun, Aug 31, 2008 at 9:34 PM, Jeff Lightner <jlightner at water.com>
> wrote:
>
> I'd think so.
>
> Remember however that the "download" issue is only if you're NOT getting
> your downloads via RedHat Network (RHN) subscriptions.  If you are
> getting them via subscriptions then what you got was never compromised.
> If you've been getting your "downloads" via yum from official
> repositories then they weren't compromised based on my read of the
> official alert issued by RedHat.
>
>
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> Scott Castaline
> Sent: Sunday, August 31, 2008 5:18 PM
> To: Atlanta Linux Enthusiasts
> Subject: [ale] Recent events with RH/Fedora servers.
>
> With the recent events happening with these servers would a downloaded
> image file that was downloaded during the time frame involved and again
> on 8/29/08 share the same SHA1 hash could I consider the first one as
> safe to use?
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>
>
>
>
> --
> --
> James P. Kinney III
>
>
>


-- 
-- 
James P. Kinney III