[ale] Recent events with RH/Fedora servers.
Jeff Lightner
jlightner at water.com
Tue Sep 2 14:28:46 EDT 2008
The fact you got it via a satellite makes me wonder if they consider
that to be one of the "non-standard" distribution methods. It would
suck if so since they push satellite so hard.
I think I'll check my machines - I'd assumed they were OK but if you got
it via satellite it's possible RedHat was either wrong or just plain lied
about who was affected.
________________________________
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Tuesday, September 02, 2008 1:48 PM
To: ale at ale.org
Subject: Re: [ale] Recent events with RH/Fedora servers.
2008/9/2 Jeff Lightner <jlightner at water.com>
Incorrect on several counts:
Yep. Bozohat was firmly attached to my head. Thanks for the corrections.
I did have fun at DragonCon, though!
RedHat does distribute binaries. It does also OFFER source
RPMs but I'd be willing to bet most Fedora/RedHat folks install from the
standard RPMs.
RedHat explicitly states in their notification that users who
get their packages via normal subscription channels are NOT affected and
it is only because some people don't do it that way that they issued
notice at all. My read is that up2date and yum hitting official
repositories (the "normal" way to do it) were not affected. The folks I
could think of that might be would be those who go get one-off downloads
from their web site.
I do have one machine that was updating through RHN Satellite that got
the bad binary. It's been taken care of but I'm unclear on how it got
the bad one since they think the RHN streams are clean.
RedHat as of RHEL5 does in fact use yum instead of up2date.
________________________________
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Monday, September 01, 2008 8:49 PM
To: ale at ale.org
Subject: Re: [ale] Recent events with RH/Fedora servers.
I'll add to this as I read (between the lines) and understand:
Bad versions of ssh binaries were made available for subscriber
use from RedHat servers. This did not involve a compromise of their key
system. My "between the lines" part suggests that their internal source
repository was compromised and the bad code was then compiled through
normal channels which dodged needing to break into their hardware-keyed
signing process.
As RedHat does NOT distribute binaries by means other than RHN
subscription, this suggests that because the trojaned code was compiled
through their normal channels it was released through the RHN process. I
have seen one machine in the field running the code that matched their
md5sum on the binary and I know that machine was pulling from a
satellite server (which pulls from RHN).
RedHat does not currently use yum for their repositories. Yum is
used by Fedora.
On Sun, Aug 31, 2008 at 9:34 PM, Jeff Lightner <jlightner at water.com> wrote:
I'd think so.
Remember however that the "download" issue is only if you're NOT getting
your downloads via RedHat Network (RHN) subscriptions. If you are
getting them via subscriptions then what you got was never compromised.
If you've been getting your "downloads" via yum from official
repositories then they weren't compromised based on my read of the
official alert issued by RedHat.
-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Scott Castaline
Sent: Sunday, August 31, 2008 5:18 PM
To: Atlanta Linux Enthusiasts
Subject: [ale] Recent events with RH/Fedora servers.
With the recent events happening with these servers, if a downloaded
image file that was downloaded during the time frame involved and again
on 8/29/08 shares the same SHA1 hash, could I consider the first one as
safe to use?
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
--
--
James P. Kinney III
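A check that follows from Scott's question and Jim's md5sum comparison, added here and not part of the thread: two downloads agreeing on a SHA1 only shows they are the same bytes, so the test worth running on a host is whether every installed package carries a signature from the vendor key you actually imported, rather than matching a hash against another copy. The key IDs and the sample rpm query output below are constructed for this example.

```python
#!/usr/bin/env python3
"""Flag installed RPMs that are not signed by an expected vendor key.

Input is one line per package from:
  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'
(SIGGPG holds older DSA signatures, SIGPGP the RSA ones; each prints
"(none)" when absent.) Two downloads sharing a SHA1 only proves they are
identical copies; the header signature is what ties a package to a key
you trust, and rpm -V <pkg> then checks the installed files against it.
"""
import re
import sys

# Constructed key IDs for this example; use the IDs of the keys you have
# actually imported on your hosts (compare against rpm -q gpg-pubkey).
TRUSTED_KEY_IDS = {"0123456789abcdef"}

KEYID_RE = re.compile(r"Key ID ([0-9a-f]{16})", re.IGNORECASE)


def classify(line):
    """Return (package, status): 'ok', 'unsigned', 'unparseable' or 'untrusted:<keyid>'."""
    pkg, _, sig = line.rstrip("\n").partition("|")
    m = KEYID_RE.search(sig)
    if not m:
        # Only "(none)" tokens (or nothing at all) means no signature header.
        return pkg, "unsigned" if set(sig.split()) <= {"(none)"} else "unparseable"
    key_id = m.group(1).lower()
    return pkg, "ok" if key_id in TRUSTED_KEY_IDS else "untrusted:" + key_id


def suspicious(lines):
    """Packages that need a look: anything not signed by a trusted key."""
    return [(pkg, st) for pkg, st in map(classify, lines) if st != "ok"]


# Constructed sample query output; not taken from any real system.
SAMPLE = [
    "openssh-server-4.3p2-26.el5.x86_64|(none) DSA/SHA1, Tue 01 Jan 2008 00:00:00 AM EST, Key ID 0123456789abcdef",
    "openssh-clients-4.3p2-26.el5.x86_64|(none) (none)",
    "openssh-4.3p2-26.el5.x86_64|(none) DSA/SHA1, Tue 01 Jan 2008 00:00:00 AM EST, Key ID fedcba9876543210",
]

if __name__ == "__main__":
    # Pass a file of saved rpm query output as the first argument, or run on the sample.
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE
    for pkg, status in suspicious(lines):
        print(f"{status:28} {pkg}")
```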