Full Disclosure mailing list archives

Re: Fw: Red Hat Linux end-of-life update and transition planning


From: Michael Gale <michael () bluesuperman com>
Date: Tue, 4 Nov 2003 00:00:56 -0700

So you think up2date is secure and has no problems? Please refer to the 
<snip>
From: bugzilla () redhat com
To: redhat-watch-list () redhat com, bugtraq () securityfocus com, full-disclosure () lists netsys com
Cc: 
Subject: [Full-disclosure] [RHSA-2003:255-01] up2date improperly checks GPG signature of packages
Date: Fri, 8 Aug 2003 12:36 -0400
Sender: full-disclosure-admin () lists netsys com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          up2date improperly checks GPG signature of packages
</snip>

This just proves that Network Admins should NOT rely 100% on up2date to keep their servers healthy -- how about you do 
some work on them instead of expecting your linux distro developer to keep YOUR system up2date !!!

Like I said before -- "People who started off on RH usually never learned anything"

RH-users: Help Help my rpm is broken 
slackware-users: it is ok, download the source, compile, and install
RH-users: what is this "source" you speak of - and compile - hmmmm I have to check my RH manual on that one. Oh wait I 
can't compile, because my libs are all over the place.

I will gladly burn you a slackware ISO and ship it over if you like.

Michael

On Tue, 4 Nov 2003 00:47:36 -0500
"Joshua Levitsky" <jlevitsk () joshie com> wrote:

> ----- Original Message ----- 
> From: "Michael Gale" <michael () bluesuperman com>
> Sent: Monday, November 03, 2003 11:51 PM
> Subject: Re: [Full-disclosure] Fw: Red Hat Linux end-of-life update and
> transition planning
> 
> 
> > So you are saying you trust up2date to take care of all your machine
> > updates? That is like saying you trust Microsoft auto update to handle your
> > servers. What happens when they release a bad patch, or one that hoses your
> > machine?
> 
> That's why Red Hat network has an interface where you pick what updates get
> deployed to each machine or to each group of machines. You authorize /
> schedule a patch on up2date and it will grab it. Alternatively you can run
> up2date --update on your boxes if you just want to fetch everything if you
> know all existing patches are good for your environment.
> 
> 
> > This way I can test the packages before they get installed and I KNOW THE
> > SOURCE of the packages. There is no "oops .. RedHat servers have been hacked
> > and I just installed ...".
> 
> 
> up2date uses GPG signatures to ensure the content is signed by Red Hat. Are
> you saying they would hack the up2date servers and compromise the private
> key?
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


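Added example, not code from this thread, from up2date or from Red Hat: the check that Joshua's reply relies on ("the content is signed by Red Hat") and the class of mistake Michael's snipped advisory is about (a client that checks signatures improperly). It models an update client's package verification in Go, with Ed25519 standing in for the GPG/RPM signing the thread discusses, a trust store of vendor keys pinned out of band, and four constructed packages: genuine, signed with a key the vendor never issued, unsigned, and altered after signing. The `LaxVerify` function shows one general way a signature check can be improper (trusting whatever key arrives with the package and treating a missing signature as nothing to check); it is an illustration, not a description of the specific up2date defect, which the advisory excerpt on this page does not detail. All names, keys and payloads are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a downloaded update: its bytes, the signature that shipped with
// it (empty when unsigned) and the public key advertised as the signer.
type Package struct {
	Name    string
	Payload []byte
	Sig     []byte
	Signer  ed25519.PublicKey
}

// TrustStore is the administrator's pinned set of vendor signing keys, indexed
// by the SHA-256 fingerprint of the raw public key. Nothing inside a package
// can add a key to it; that is the whole point of the check.
type TrustStore map[[32]byte]ed25519.PublicKey

func Fingerprint(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

var (
	ErrUnsigned  = errors.New("package carries no signature")
	ErrUntrusted = errors.New("signing key is not in the trust store")
	ErrBadSig    = errors.New("signature does not verify over the payload")
)

// VerifyPackage is the strict check a client must pass before installing:
// the package is signed, the key is already pinned, and the signature
// verifies over the payload digest. Any other outcome is a refusal.
func VerifyPackage(pkg Package, trusted TrustStore) error {
	if len(pkg.Sig) == 0 || len(pkg.Signer) != ed25519.PublicKeySize {
		return ErrUnsigned
	}
	key, ok := trusted[Fingerprint(pkg.Signer)]
	if !ok {
		return ErrUntrusted
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(key, digest[:], pkg.Sig) {
		return ErrBadSig
	}
	return nil
}

// LaxVerify is a deliberately weak check kept here only for contrast (an
// illustration of the weakness class, not the advisory's actual defect): it
// skips unsigned packages and verifies against the key the package itself
// advertises, so a valid signature from any key at all is accepted.
func LaxVerify(pkg Package) bool {
	if len(pkg.Sig) == 0 {
		return true
	}
	digest := sha256.Sum256(pkg.Payload)
	return ed25519.Verify(pkg.Signer, digest[:], pkg.Sig)
}

// SignPackage is the vendor-side step: sign the SHA-256 digest of the payload.
func SignPackage(priv ed25519.PrivateKey, name string, payload []byte) Package {
	digest := sha256.Sum256(payload)
	return Package{Name: name, Payload: payload,
		Sig: ed25519.Sign(priv, digest[:]), Signer: priv.Public().(ed25519.PublicKey)}
}

// Verdict pairs the strict and lax results for one package.
type Verdict struct {
	Name   string
	Strict error
	Lax    bool
}

// Scenario runs the four constructed packages through both checks.
func Scenario() ([]Verdict, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	if err != nil {
		return nil, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // constructed key the vendor never issued
	if err != nil {
		return nil, err
	}
	trusted := TrustStore{Fingerprint(vendorPub): vendorPub} // pinned out of band, never from a package

	payload := []byte("constructed package contents") // stand-in for the RPM bytes
	genuine := SignPackage(vendorPriv, "genuine", payload)
	rogue := SignPackage(roguePriv, "rogue-key", payload)
	unsigned := Package{Name: "unsigned", Payload: payload}
	tampered := SignPackage(vendorPriv, "tampered", payload)
	tampered.Payload = append([]byte{}, payload...) // copy, so genuine is untouched
	tampered.Payload[0] ^= 0x01                     // one bit changed after signing

	var out []Verdict
	for _, p := range []Package{genuine, rogue, unsigned, tampered} {
		out = append(out, Verdict{Name: p.Name, Strict: VerifyPackage(p, trusted), Lax: LaxVerify(p)})
	}
	return out, nil
}

func main() {
	verdicts, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%-10s strict=%v lax=%v\n", v.Name, v.Strict, v.Lax)
	}
}
```

Run with `go run`. The strict check refuses three of the four packages and the lax one refuses only the tampered package: a client that merely asks "does this signature verify?" without asking "with which key?" will happily install anything signed by whoever controls the download path, which is exactly why an administrator's own out-of-band check of the signer (the key fingerprint, compared against a value obtained from somewhere other than the update server) is worth keeping even when the tooling claims to verify signatures.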