[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...



On 25 July 2008, seth vidal wrote:
> 
>  But as you've already mentioned we're stuck with the question of EOL'd
> releases and how to deal with things deeply out of date.
> 
> I can make yum throw out warnings and alerts but at what point does it
> actually STOP doing anything and does that not open us up to a different
> kind of DoS?
> 

This is of course a policy decision that can be dictated via a
configuration file.  There is also the issue of what happens when the
client keeps getting back "old" data?  It need to go find some new data as
in our attack scenario, they are running something that needs updating.  I
would think that the client should try some number of mirrors, if they all
return the same old data, it's probably EOL or something similar.  If an
attacker has enough control over you to prevent you connecting to arbitrary
mirrors, you likely have bigger issues than this.

> 
> We need to make sure that whatever we implement is trivially done so by
> people running a local downstream branch of fedora or centos or
> what-have-you. Or, as you say, we've saved ourselves and screwed
> everyone else.
> 

Yes, I'm starting to think we should be having this discussion with yum
upstream.  Now that I have a grasp of what MirrorManager does, I don't
think there's really anything to fix there.  We need to fix the client.

Seth, which list would you suggest to move this discussion so I can stop
pestering the infrastructure folks?

Thanks.

-- 
    JB


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]