Study: Attacks on package managers

Harald Hoyer harald at redhat.com
Tue Jul 15 11:47:41 UTC 2008


http://lwn.net/Articles/289883/

The University of Arizona is publishing a study on security problems with 
package management systems. The core problem would appear to be that tools like 
yum and apt will happily install versions of packages with known vulnerabilities 
if they think that's the most recent version available. And feeding such 
packages to the package managers is not a big challenge: "To give an example of 
how easy it is for a malicious party to obtain a mirror, we ran an experiment 
where we created a fake administrator and company name and leased a server from 
a hosting provider. We were able to get our mirror listed on every distribution 
we tried (Ubuntu, Fedora, OpenSuSE, CentOS, and Debian) and our mirrors were 
contacted by thousands of clients, even including military and government 
computers!"

http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
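The stale-mirror problem described above is a freshness (replay) attack on repository metadata: a mirror keeps serving an old, signed snapshot and the client treats it as current. As an added example, not part of this post or of the study, here is a Python freshness check of the kind a client can apply to apt-style Release metadata. The field names (Date, Valid-Until) follow the Release file format, the sample header is constructed, and the code assumes the metadata signature has already been verified (the timestamps are only meaningful when they are covered by that signature).

```python
from datetime import datetime, timezone

# Constructed sample: the header of an apt-style Release file, as a mirror
# might still serve it a week after it was generated.
SAMPLE_RELEASE = """Origin: Example
Label: Example
Suite: stable
Date: Tue, 01 Jul 2008 10:00:00 UTC
Valid-Until: Tue, 08 Jul 2008 10:00:00 UTC
"""

def parse_release_fields(text):
    """Return the single-line 'Key: value' fields of a Release header as a dict."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_release_time(value):
    """Release files write timestamps as 'Day, DD Mon YYYY HH:MM:SS UTC'."""
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def check_metadata_freshness(release_text, now, last_accepted_date=None):
    """Decide whether mirror metadata may be used for package selection.

    Assumes the metadata signature was already verified (otherwise a mirror
    could simply forge these dates). Returns (accepted, reason). Rejects
    metadata with no expiry (it could be replayed indefinitely), expired
    metadata, and metadata older than what this client already accepted
    (a rollback to a snapshot that still lists known-vulnerable versions).
    """
    fields = parse_release_fields(release_text)
    if "Valid-Until" not in fields:
        return False, "no Valid-Until field: metadata could be frozen forever"
    date = parse_release_time(fields["Date"])
    valid_until = parse_release_time(fields["Valid-Until"])
    if now > valid_until:
        return False, "metadata expired on " + valid_until.isoformat()
    if last_accepted_date is not None and date < last_accepted_date:
        return False, "metadata older than previously accepted metadata (rollback)"
    return True, "fresh"

if __name__ == "__main__":
    utc = timezone.utc
    print(check_metadata_freshness(SAMPLE_RELEASE, datetime(2008, 7, 3, tzinfo=utc)))
    print(check_metadata_freshness(SAMPLE_RELEASE, datetime(2008, 7, 15, tzinfo=utc)))
```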
