So the ssh packages are/were vulnerable?
What happened with Fedora - and Red Hat too
Posted Aug 22, 2008 13:20 UTC (Fri) by motk (subscriber, #51120)
Read for content, and Don't Panic.
SSH Packages Vulnerable?
Posted Aug 22, 2008 13:21 UTC (Fri) by Felix_the_Mac (guest, #32242)
The Red Hat statements say that the packages are being replaced as a precaution.
They do not state that the package contents have been altered in any fashion.
Posted Aug 22, 2008 13:38 UTC (Fri) by AlexHudson (subscriber, #41828)
I think they're saying that someone built some bad ssh packages and managed to get the system
to sign them before they got shut out. I don't think they're saying those packages got
distributed via Red Hat.
So, unless you're getting your RPMs from some dodgy place, it's not a problem. I guess the
main worry would be people cracking a system and installing those RPMs - they'd be difficult
to tell apart from the real thing without those check scripts Red Hat put up.
It sounds like the Fedora systems stood up to the attack pretty well, though.
Posted Aug 22, 2008 13:46 UTC (Fri) by AlexHudson (subscriber, #41828)
Heh, scratch that - they didn't actually say that the ssh rpms were bad, just that the
attacker had (re?)signed them.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.