Robert Hensing's Blog

Software Security . . . and stuff.

RedHat Package Signing Server - Pwnd


EDIT: Holy crap: http://rhn.redhat.com/errata/RHSA-2008-0855.html
"In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only). As a precautionary measure, we are releasing an
updated version of these packages, and have published a list of the
tampered packages and how to detect them at
http://www.redhat.com/security/data/openssh-blacklist.html"

Original blurb, which sort of contradicts the above blurb . . . wow . . . just . . . wow:
Oh . . . My . . . God: https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

Will anyone pay attention to this?  Does anyone care?  Probably not . . . I can't imagine what the fallout would be if our WU / MU / AU servers got pwnd like this.  It's like . . . the package signing server and stuff.  At least they seem to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones.  Wow.

Been a busy two weeks - been on the road - working till 2am - thus the lack of blog material.  I heard from someone very clueful that I should give Microsoft a FOGA for the .NET stuff Dowd and Sotirov found and demo'd at Blackhat . . . still haven't read that paper . . . I swear I will on the plane home. :(
