
Study: Attacks on package managers

Study: Attacks on package managers

Posted Jul 14, 2008 23:54 UTC (Mon) by arjan (subscriber, #36785)
In reply to: Study: Attacks on package managers by mdomsch
Parent article: Study: Attacks on package managers

would be nice if yum would get a digest of the package list from the master (together with the
mirror list etc) which it then can use to reject anything other than the real package list...
if a mirror doesn't have the right one the client could then report back to MM (triggering a
rescan prematurely possibly) and get another mirror...



Study: Attacks on package managers

Posted Jul 15, 2008 0:35 UTC (Tue) by mdomsch (subscriber, #5920) [Link]

Yes, Seth Vidal, James Antill and I discussed this today and we will see what can be added in
yum & mirrormanager to reduce the problem surface.  Seems adding a digest of the repomd.xml
file to be returned in the mirrorlist query is one part.  Returning mirrorlist over https
(assuming the python urlgrabber code does cert checking) is another.  Dealing with slightly
stale (e.g. all except the masters for a period while the content syncs out) mirrors will be
more of a challenge, so need to find a way to mitigate problems from the user's perspective
(content that was valid 5 minutes ago might not be anymore, but to the user it's still OK...)
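
The check discussed in the two comments above, sketched as an added example (it is not part of the thread and is not yum or MirrorManager code): the client receives a digest of repomd.xml from the master along with the mirror list, refuses any mirror whose copy does not match, and keeps a list of rejected mirrors to report back. SHA-256, the function names, the `example.org` mirrors and the sample metadata are assumptions made for the illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pick_mirror(mirrors, expected_digest, fetch):
    """Return (mirror, repomd_bytes, rejected) for the first mirror whose
    repomd.xml hashes to expected_digest (hex SHA-256 from the master).
    rejected is a list of (mirror, reason) to report back to the master."""
    rejected = []
    for base in mirrors:
        url = base.rstrip("/") + "/repodata/repomd.xml"
        try:
            body = fetch(url)
        except OSError as exc:
            rejected.append((base, f"fetch failed: {exc}"))
            continue
        got = sha256_hex(body)
        if got != expected_digest.lower():
            # Stale or tampered: the client cannot tell which, so it
            # refuses the metadata either way and tries the next mirror.
            rejected.append((base, f"digest mismatch: {got}"))
            continue
        return base, body, rejected
    return None, None, rejected

# Constructed sample data: one stale mirror, one unreachable, one current.
CURRENT = b"<repomd><revision>200807142300</revision></repomd>\n"
STALE = b"<repomd><revision>200807130000</revision></repomd>\n"
MIRRORS = [
    "http://mirror-a.example.org/fedora",
    "http://mirror-b.example.org/fedora",
    "http://mirror-c.example.org/fedora/",
]
SAMPLE_FILES = {
    MIRRORS[0] + "/repodata/repomd.xml": STALE,
    MIRRORS[2].rstrip("/") + "/repodata/repomd.xml": CURRENT,
}

def sample_fetch(url: str) -> bytes:
    """Offline stand-in for an HTTP GET; a missing entry acts as a dead mirror."""
    if url not in SAMPLE_FILES:
        raise OSError("unreachable")
    return SAMPLE_FILES[url]

if __name__ == "__main__":
    chosen, _, rejected = pick_mirror(MIRRORS, sha256_hex(CURRENT), sample_fetch)
    print("using", chosen)
    for mirror, reason in rejected:
        print("report to master:", mirror, reason)
```

The digest only helps if it reaches the client over a channel the mirrors cannot alter, which is why the thread pairs it with fetching the mirror list over https.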

Study: Attacks on package managers

Posted Jul 15, 2008 2:20 UTC (Tue) by jmorris42 (subscriber, #2203) [Link]

Is there anything going to be done about the information disclosure problem?  Is there
anything that CAN be done about the information disclosure?

HTTPS connects can stop random points from noticing a host asking for an update but that won't
stop a mirror site itself from realizing that by asking for a package it means the requester
is running a previous version and is vulnerable.  Even a mirror on a 'reputable' network can
itself be compromised.  In the end the whole concept of mirrors depends on trusting unknown
machines.  Crypto can mitigate some of the more gross dangers but leaves a false sense of
security regarding more subtle risks.

Study: Attacks on package managers

Posted Jul 15, 2008 11:01 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

This seems to be a high level of paranoia.

apt-tor, anybody?

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds