Open Source and information security mailing list archives
 
From: michael at bluesuperman.com (Michael Gale)
Subject: Fw: Red Hat Linux end-of-life update and transition planning

So you think up2date is secure and has no problems, please refer to the 
<snip>
From: bugzilla@...hat.com
To: redhat-watch-list@...hat.com, bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Cc: 
Subject: [Full-Disclosure] [RHSA-2003:255-01] up2date improperly checks GPG signature of packages
Date: Fri, 8 Aug 2003 12:36 -0400
Sender: full-disclosure-admin@...ts.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          up2date improperly checks GPG signature of packages
</snip>

This just proves that Network Admins should NOT rely 100% on up2date to keep their servers healthy -- how about you do some work on them instead of expecting your linux distro developer to keep YOUR system up2date!!!

Like I said before -- "People who started off on RH usually never learned anything"

RH-users: Help Help my rpm is broken 
slackware-users: it is ok, download the source, compile, and install
RH-users: what is this "source" you speak of - and compile - hmmmm I have to check my RH manual on that one. Oh wait I can't compile, because my libs are all over the place.

I will gladly burn you a slackware ISO and ship it over if you like.

Michael

On Tue, 4 Nov 2003 00:47:36 -0500
"Joshua Levitsky" <jlevitsk@...hie.com> wrote:

> ----- Original Message ----- 
> From: "Michael Gale" <michael@...esuperman.com>
> Sent: Monday, November 03, 2003 11:51 PM
> Subject: Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning
> 
> 
> > So you are saying you trust up2date to take care of all your machine
> > updates? That is like saying you trust Microsoft auto update to handle your
> > servers. What happens when they release a bad patch? or one that hoses your
> > machine.
> 
> That's why Red Hat network has an interface where you pick what updates get
> deployed to each machine or to each group of machines. You authorize /
> schedule a patch on up2date and it will grab it. Alternatively you can run
> up2date --update on your boxes if you just want to fetch everything if you
> know all existing patches are good for your environment.
> 
> 
> > This way I can test the packages before they get installed and I KNOW THE
> > SOURCE of the packages. There is no "oops .. RedHat servers have been hacked
> > and I just installed ...".
> 
> 
> up2date uses GPG signatures to ensure the content is signed by Red Hat. Are
> you saying they would hack the up2date servers and compromise the private
> key?
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
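
The quoted exchange turns on whether an updater's GPG check can be trusted, and the RHSA quoted at the top of this message is about exactly that check being wrong. As an added example (not code from this thread, from Red Hat, or from up2date), here is a small Python check that runs `rpm --checksig` independently of the updater and rejects anything other than a verified signature, including the easy-to-miss case where rpm prints OK for a package that merely has good digests and no signature at all. The line format and the sample lines are assumed from rpm 4.x-era `rpm -K` output and are constructed here, not captured from a real system.

```python
import re
import subprocess

# Constructed sample lines in the style of rpm 4.x-era `rpm --checksig` output.
# Package names and the key id are placeholders, not real Red Hat values.
SAMPLE_OUTPUT = """\
foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
bar-2.3-4.i386.rpm: sha1 md5 OK
baz-0.9-2.i686.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)
qux-5.1-1.i386.rpm: (SHA1) DSA sha1 md5 GPG NOT OK
"""

# "<package>: <digest/signature tokens> OK|NOT OK [<detail>]" (assumed format)
LINE_RE = re.compile(r"^(?P<pkg>.+?):\s+(?P<tokens>.*?)\s+(?P<status>OK|NOT OK)(?P<detail>.*)$")

def classify(line):
    """Return (package, verdict) for one rpm --checksig line.

    'signed-ok'     digests and a GPG/PGP signature verified
    'unsigned'      only digests present; rpm still prints OK for this case
    'missing-key'   signature present but the signer's key is not in rpm's keyring
    'bad-signature' signature present but it does not verify
    'unparsed'      line did not match the assumed format (never trusted)
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return (line.strip(), "unparsed")
    pkg, tokens = m.group("pkg"), m.group("tokens").lower()
    status, detail = m.group("status"), m.group("detail")
    # A signature token must be present; a plain digest-only "OK" is not a signature.
    has_sig = any(t in tokens for t in ("gpg", "pgp", "dsa", "rsa"))
    if status == "OK":
        return (pkg, "signed-ok" if has_sig else "unsigned")
    if "MISSING KEYS" in detail:
        return (pkg, "missing-key")
    return (pkg, "bad-signature")

def packages_safe_to_install(output):
    """Fail closed: only packages whose signature actually verified are returned."""
    results = [classify(l) for l in output.splitlines() if l.strip()]
    return [pkg for pkg, verdict in results if verdict == "signed-ok"]

def rejected(output):
    """Everything that did not verify, with the reason, for the audit log."""
    results = [classify(l) for l in output.splitlines() if l.strip()]
    return {pkg: verdict for pkg, verdict in results if verdict != "signed-ok"}

def check_rpms(paths):
    """Run rpm --checksig on the given files and classify its output (requires rpm)."""
    proc = subprocess.run(["rpm", "--checksig", *paths], capture_output=True, text=True)
    return packages_safe_to_install(proc.stdout), rejected(proc.stdout)
```

Importing the vendor's signing key into rpm's keyring beforehand (`rpm --import`) is what turns a "missing-key" result into a real verification; without it every signed package is rejected, which is the intended failure mode.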


