[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning
- To: "Joshua Levitsky" <jlevitsk@joshie.com>
- Subject: Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning
- From: Michael Gale <michael@bluesuperman.com>
- Date: Tue, 4 Nov 2003 00:00:56 -0700
So you think up2date is secure and has no problems, please refer to the
<snip>
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com, bugtraq@securityfocus.com,
full-disclosure@lists.netsys.com
Cc:
Subject: [Full-Disclosure] [RHSA-2003:255-01] up2date improperly checks GPG
signature of packages
Date: Fri, 8 Aug 2003 12:36 -0400
Sender: full-disclosure-admin@lists.netsys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: up2date improperly checks GPG signature of packages
</snip>
This just proves that Network Admins should NOT reply %100 on up2date to keep
there servers healthy -- how about you do some work on them instead of
expecting your linux distro developer to keep YOUR system up2date !!!
Like I said before -- "People who started off on RH usually never learned
anything"
RH-users: Help Help my rpm is broken
slackware-users: it is ok, download the source, compile, and install
RH-users: what is this "source" you speak off - and compile - hmmmm I have to
check my RH manual on that one. Oh wait I can't compile, because my lib's are
all of the place.
I will gladly burn you a slackware ISO and ship it over if you like.
Michael
On Tue, 4 Nov 2003 00:47:36 -0500
"Joshua Levitsky" <jlevitsk@joshie.com> wrote:
> ----- Original Message -----
> From: "Michael Gale" <michael@bluesuperman.com>
> Sent: Monday, November 03, 2003 11:51 PM
> Subject: Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and
> transition planning
>
>
> > So you are saying you trust up2date to take care of all your machine
> updates ? That is like saying you trust Microsoft auto update to handle your
> servers. What happens when they release a bad patch ? or one that hoses your
> machine.
>
> That's why Red Hat network has an interface where you pick what updates get
> deployed to each machine or to each group of machines. You authorize /
> schedule a patch on up2date and it will grab it. Alternatively you can run
> up2date --update on your boxes if you just want to fetch everything if you
> know all existing patches are good for your environment.
>
>
> > This way I can test and packages before they get installed and I KNOW THE
> SOURCE of the packages. There is no "ops .. RedHat servers have been hacked
> and I just installed ...".
>
>
> up2date uses GPG signatures to ensure the content is signed by Red Hat. Are
> you saying they would hack the up2date servers and compromise the private
> key?
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html