
Re: YUM security issues...



On 25 July 2008, Mike McGrath wrote:
> On Fri, 25 Jul 2008, Mike McGrath wrote:
> 
> > On Fri, 25 Jul 2008, Josh Bressers wrote:
> >
> > > On 21 July 2008, Josh Bressers wrote:
> > > > On 19 July 2008, "Justin Cappos" wrote:
> > > > >
> > > > > By the way, did you remove the ability for mirror admins to select a
> > > > > subnet where they'll serve all of the traffic?   We're particularly
> > > > > concerned about this issue in the short term.   We took our mirror
> > > > > down (mirror1.lockdownhosting.com) quite a while ago so we can't check
> > > > > for ourselves.
> > > > >
> > > >
> 
> AFAIK, this service is still in place and working fine.  Though I am a
> little confused about the question.  It sounds like you'd like to direct
> all subnet traffic to a specific mirror.  But you're also saying you took
> your mirror down.  Are you worried people in your subnet are being
> directed to a down mirror?
> 

No, the problem is what happens when a malicious mirror claims a subnet?
This is currently being viewed as a security issue due to this research:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

-- 
    JB

