| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTimWEjdRG0wXYtgcuLdDMt+fLrA31R5NwEmpiKXq@mail.gmail.com> Date: Mon, 1 Nov 2010 12:32:19 -0400 From: Jeffrey Walton <noloader@...il.com> To: Jhfjjf Hfdsjj <taser3000@...oo.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Evilgrade 2.0 - the update explotation framework is back On Mon, Nov 1, 2010 at 12:26 PM, Jhfjjf Hfdsjj <taser3000@...oo.com> wrote: > > >>On Sun, Oct 31, 2010 at 10:36 AM, <Valdis.Kletnieks@...edu> wrote: >> >On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said: >>> >>> >Just signing the update packages prevents this attack, so it's not that hard >>>> to fix. >>> >>> Except if a signing key gets compromised, as happened to one Linux vendor >>> recently, causing a lot of kerfluffle... > >>??? Are you ptoposing to throw the baby out with the bath water ??? I >>would not have expected that from *.edu. > > I do not believe anyone is 'ptoposing' anything. All he said was that package > signing should not be taken as a silver bullet, for experience has shown that > the key's themselves are capable of being compromised if a vendor is > successfully attacked. > > Exactly what I would expect from *.edu I read differently, _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists