[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Eternal 'good file hashes' list



On Tue, 2009-10-20 at 10:45 +0200, Ralf Ertzinger wrote: 
> Hi.
> 
> On Tue, 20 Oct 2009 10:20:17 +0200, Tomas Mraz wrote:
> 
> > What would this be good for? Actually for some files it would be a
> > known bad file hashes because these files (binaries or scripts) would
> > contain known vulnerabilities and so knowing that you have a file
> > that was once included in Fedora does not guarantee you almost
> > anything.
> 
> I'm not sure I follow you here. Containing a known vulnerability in a
> binary file has nothing to do with the hash.

I simply meant that if the attacker wanted to compromise your system he
could just revert some binary or script to a vulnerable version which
was previously included in Fedora. So having the files on your system to
match hashes from older package releases does not provide you any
security. For a real security you need to match the hashes against
current package versions.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]