RedHat Package Signing Server - Pwnd

EDIT: Holy crap: http://rhn.redhat.com/errata/RHSA-2008-0855.html
"In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only). As a precautionary measure, we are releasing an
updated version of these packages, and have published a list of the
tampered packages and how to detect them at
http://www.redhat.com/security/data/openssh-blacklist.html"

Original blurb which sort of contradicts the above blurb . . . wow . . . just . . . wow:
Oh . . . My . . . God: https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

Will anyone pay attention to this?  Does anyone care?  Probably not . . . I can't imagine what the fallout would be if our WU / MU / AU servers got pwnd like this.  It's like . . . the package signing server and stuff.  At least they seem to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones.  Wow.
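The detection the advisory points at has to work by package digest rather than by signature, because the tampered packages carry a genuine Red Hat signature. Here is an added illustration of that check (not Red Hat's published blacklist script; the blacklist entry, package names and package bytes are constructed placeholders, not the real values):

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample: bytes standing in for one tampered and one clean RPM.
# The real blacklist listed SHA-256 digests of the actual tampered OpenSSH RPMs;
# the digest below is derived from placeholder bytes and is NOT a real value.
TAMPERED_BYTES = b"placeholder: tampered openssh rpm contents"
CLEAN_BYTES = b"placeholder: clean openssh rpm contents"
BLACKLIST_TEXT = "# placeholder entries, not Red Hat's list\n" + \
    hashlib.sha256(TAMPERED_BYTES).hexdigest() + "  openssh-PLACEHOLDER.x86_64.rpm\n"


def parse_blacklist(text: str) -> dict[str, str]:
    """Parse sha256sum-style 'digest  name' lines into {digest: name}."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[digest.lower()] = name.strip()
    return entries


def sha256_file(path: Path) -> str:
    """Stream the file so large RPMs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_tampered(rpm_dir: Path, blacklist: dict[str, str]) -> list[tuple[str, str]]:
    """Return (local file, blacklisted name) for each .rpm whose digest is listed.
    rpm -K would pass on these packages, since the intruder used the genuine
    signing key; only the digest comparison tells them apart."""
    return [
        (rpm.name, blacklist[d])
        for rpm in sorted(rpm_dir.glob("*.rpm"))
        if (d := sha256_file(rpm)) in blacklist
    ]


def demo() -> list[tuple[str, str]]:
    """Write the constructed packages to a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "openssh-clean.rpm").write_bytes(CLEAN_BYTES)
        (root / "openssh-suspect.rpm").write_bytes(TAMPERED_BYTES)
        return find_tampered(root, parse_blacklist(BLACKLIST_TEXT))
```

Against a real system you would point `find_tampered` at the directory holding downloaded RPMs (or the files reconstructed from the RPM database) and feed it the digest list Red Hat published.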

Been a busy two weeks - been on the road - working till 2am - thus the lack of blog material.  I heard from someone very clueful that I should give Microsoft a FOGA for the .NET stuff Dowd and Sotirov found and demo'd at Blackhat . . . still haven't read that paper . . . I swear I will on the plane home. :(

Published 22 August 08 12:05 by Robert_Hensing

Comments

# RedHat, che fine hai fatto? « kazzim! said on August 25, 2008 3:07 PM:

PingBack from http://kazzim.wordpress.com/2008/08/25/redhat-che-fine-hai-fatto/
