YUM security issues...
Josh Bressers
bressers at redhat.com
Sat Jul 26 17:06:08 UTC 2008
On 25 July 2008, seth vidal wrote:
>
> But as you've already mentioned we're stuck with the question of EOL'd
> releases and how to deal with things deeply out of date.
>
> I can make yum throw out warnings and alerts but at what point does it
> actually STOP doing anything and does that not open us up to a different
> kind of DoS?
>
This is of course a policy decision that can be dictated via a
configuration file. There is also the issue of what happens when the
client keeps getting back "old" data? It need to go find some new data as
in our attack scenario, they are running something that needs updating. I
would think that the client should try some number of mirrors, if they all
return the same old data, it's probably EOL or something similar. If an
attacker has enough control over you to prevent you connecting to arbitrary
mirrors, you likely have bigger issues than this.
>
> We need to make sure that whatever we implement is trivially done so by
> people running a local downstream branch of fedora or centos or
> what-have-you. Or, as you say, we've saved ourselves and screwed
> everyone else.
>
Yes, I'm starting to think we should be having this discussion with yum
upstream. Now that I have a grasp of what MirrorManager does, I don't
think there's really anything to fix there. We need to fix the client.
Seth, which list would you suggest to move this discussion so I can stop
pestering the infrastructure folks?
Thanks.
--
JB
More information about the Fedora-infrastructure-list
mailing list