YUM security issues...
Josh Bressers
bressers at redhat.com
Fri Jul 25 15:43:40 UTC 2008
On 25 July 2008, Mike McGrath wrote:
> On Fri, 25 Jul 2008, Mike McGrath wrote:
>
> > On Fri, 25 Jul 2008, Josh Bressers wrote:
> >
> > > On 21 July 2008, Josh Bressers wrote:
> > > > On 19 July 2008, "Justin Cappos" wrote:
> > > > >
> > > > > By the way, did you remove the ability for mirror admins to select a
> > > > > subnet where they'll serve all of the traffic? We're particularly
> > > > > concerned about this issue in the short term. We took our mirror
> > > > > down (mirror1.lockdownhosting.com) quite a while ago so we can't check
> > > > > for ourselves.
> > > > >
> > > >
>
> AFAIK, this service is still in place and working fine. Though I am a
> little confused about the question. It sounds like you'd like to direct
> all subnet traffic to a specific mirror. But you're also saying you took
> your mirror down. Are you worried people in your subnet are being
> directed to a down mirror?
>
No, the problem is what happens when a malicious mirror claims a subnet?
This is currently being viewed as a security issue due to this research:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
--
JB
More information about the Fedora-infrastructure-list mailing list