[ale] Recent events with RH/Fedora servers.

Scott Castaline hscast at charter.net
Tue Sep 2 14:24:05 EDT 2008


Jim Kinney wrote:
> 
> 
> 2008/9/2 Jeff Lightner <jlightner at water.com>
> 
>     Incorrect on several counts:
> 
> Yep. Bozohat was firmly attached to my head. Thanks for the corrections.
> I did have fun at dragoncon, though!
> 
>     RedHat does distribute binaries.   It does also OFFER source RPMs
>     but I'd be willing to bet most Fedora/RedHat folks install from the
>     standard RPMs.
> 
>     RedHat explicitly states in their notification that users who get
>     their packages via normal subscription channels are NOT affected and
>     it is only because some people don't do it that way that they issued
>     notice at all.  My read is that up2date and yum hitting official
>     repositories (the "normal" way to do it) were not affected.  The
>     folks I could think that might be would be those who go get one off
>     downloads from their web site.
> 
> I do have one machine that was updating through rhn satellite that got
> the bad binary. It's been taken care of but I'm unclear on how it got
> the bad one since they think the rhn streams are clean.
> 
>     RedHat as of RHEL5 does in fact use yum instead of up2date.
> 
>     ------------------------------------------------------------------------
> 
>     *From:* ale-bounces at ale.org
>     [mailto:ale-bounces at ale.org] *On Behalf Of *Jim Kinney
>     *Sent:* Monday, September 01, 2008 8:49 PM
>     *To:* ale at ale.org
>     *Subject:* Re: [ale] Recent events with RH/Fedora servers.
> 
>     I'll add to this as I read (between the lines) and understand:
> 
>     Bad versions of ssh binaries were made available for subscriber use
>     from RedHat servers. This did not involve a compromise of their key
>     system. My "between the lines" part suggests that their internal
>     source repository was compromised and the bad code was then compiled
>     through normal channels which dodged needing to break into their
>     hardware-keyed signing process.
> 
>     As RedHat does NOT distribute binaries by means other than RHN
>     subscription, this suggests that because the trojaned code was
>     compiled through their normal channels it was released through the
>     RHN process. I have seen one machine in the field running the code
>     that matched their md5sum on the binary and I know that machine was
>     pulling from a satellite server (which pulls from RHN).
> 
>     RedHat does not currently use yum for their repositories. Yum is used
>     by Fedora.
> 
>     On Sun, Aug 31, 2008 at 9:34 PM, Jeff Lightner <jlightner at water.com> wrote:
> 
>     I'd think so.
> 
>     Remember however that the "download" issue is only if you're NOT getting
>     your downloads via RedHat Network (RHN) subscriptions.  If you are
>     getting them via subscriptions then what you got was never compromised.
>     If you've been getting your "downloads" via yum from official
>     repositories then they weren't compromised based on my read of the
>     official alert issued by RedHat.
> 
> 
>     -----Original Message-----
>     From: ale-bounces at ale.org
>     [mailto:ale-bounces at ale.org] On Behalf Of Scott Castaline
>     Sent: Sunday, August 31, 2008 5:18 PM
>     To: Atlanta Linux Enthusiasts
>     Subject: [ale] Recent events with RH/Fedora servers.
> 
>     With the recent events happening with these servers: if an image file
>     that was downloaded during the time frame involved and again on
>     8/29/08 shares the same SHA1 hash, could I consider the first one as
>     safe to use?
>     _______________________________________________
>     Ale mailing list
>     Ale at ale.org
>     http://mail.ale.org/mailman/listinfo/ale
> 
> 
> 
> 
> 
> 
>     -- 
>     -- 
>     James P. Kinney III
> 
> 
> 
> 
> 
> -- 
> -- 
> James P. Kinney III
> 
> 
> ------------------------------------------------------------------------
> 
OK, at the risk of sounding totally ignorant, does that mean any Fedora
9 install images that I downloaded during the time in question should be
considered unsafe and immediately destroyed to oblivion, or can they be
considered safe? Also, for any installs that may have been done with the
original F 9 release images, are the massive amounts of updates
considered hazardous to my health?
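The question that started this thread (two downloads of the same image sharing a SHA1) and Scott's follow-up both turn on what a hash comparison actually proves. The script below is an added example, not code from anyone in this thread or from Red Hat/Fedora. It assumes the vendor publishes a checksum list in `sha1sum` output format ("<hex>  <name>" or "<hex> *<name>"), as Fedora's SHA1SUM files were; the image name and contents are constructed for the demo and are not a real release file.

```shell
#!/bin/sh
# Added example (not from the thread): compare a downloaded image against the
# vendor-published checksum list, and show why two downloads merely agreeing
# with each other is the weaker check.

IMG=Fedora-9-demo.iso   # constructed file name used by the fixtures below

# SHA1 of a file as a bare hex string, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# 0 if both files hash the same. That proves they are byte-identical copies,
# not that either copy is the one the vendor published.
same_hash() {
    [ "$(sha1_of "$1")" = "$(sha1_of "$2")" ]
}

# 0 if the file matches the list entry for its basename, 1 on a mismatch,
# 2 if the list has no entry for that name. Verify the list's own signature
# first (gpg --verify on the clearsigned SHA1SUM); that step is what ties
# the expected hash to the vendor and is not automated here.
verify_against_list() {
    file=$1
    list=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$list")
    [ -n "$expected" ] || return 2
    [ "$(sha1_of "$file")" = "$expected" ]
}

# Build constructed fixtures under $1: two identical downloads, one altered
# copy, and a SHA1SUM list derived from the first download plus an unrelated
# entry so the lookup by name is exercised.
make_fixtures() {
    d=$1
    mkdir -p "$d/first" "$d/second" "$d/tampered"
    printf 'constructed image contents\n' > "$d/first/$IMG"
    cp "$d/first/$IMG" "$d/second/$IMG"
    printf 'constructed image contents (altered)\n' > "$d/tampered/$IMG"
    {
        printf '%s  %s\n' "$(sha1_of "$d/first/$IMG")" "$IMG"
        printf '%s  %s\n' 0000000000000000000000000000000000000000 Other-demo.iso
    } > "$d/SHA1SUM"
}

# Demo: the two downloads agree with each other, and only the published list
# distinguishes a good copy from a tampered one.
demo=$(mktemp -d)
make_fixtures "$demo"
if same_hash "$demo/first/$IMG" "$demo/second/$IMG"; then
    echo "first and second download are identical copies (says nothing about trust)"
fi
if verify_against_list "$demo/second/$IMG" "$demo/SHA1SUM"; then
    echo "second download matches the published list"
fi
verify_against_list "$demo/tampered/$IMG" "$demo/SHA1SUM" || echo "tampered copy rejected, rc=$?"
rm -rf "$demo"
```

Two downloads that share a SHA1 are the same bytes, so if one is bad both are; the check that answers the "is it safe" question is the match against the signed list, and for packages already installed from RHN or yum the analogous check is `rpm -K` (`rpm --checksig`) against the vendor key you imported.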

