Björn Persson wrote: > Mikkel L. Ellertson wrote: >> Marcelo M. Garcia wrote: >>> http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss >> Two things bother me about this. First of all, most users are not >> using the same mirror all the time, so there would only be a brief >> window that the system would be vulnerable. The second thing is that >> yum is not going to install an older package, and the package >> version is not dependent on the file name. It is part of the >> information in the RPM. So they could delay the installation of an >> update on some systems. By default, yum picks a mirror at random >> from the mirror list to help spread the load on the mirrors. > > I found this in their FAQ: > > | Q: I use a service that distributes my requests to different mirrors for my > | distribution (like MirrorManager). That means I'm not vulnerable, right? > > | A: The good aspect of these systems is that it may spread your requests > | across multiple mirrors in the normal case. However, when testing some of > | these systems, we were able to target the clients that used our mirror and > | exclude them from using other mirrors. This means that if an attacker wants > | to target your organization, these services may help the attacker do so. > > It's not clear whether Yum is vulnerable to getting locked to the malicious > mirror, or how they did it. > > Björn Persson > By default, the mirrir list is fetched from http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch and a mirror is picked at random from the list. You can override the mirror used with the fast-mirror plugin, or by editing the repo configuration file. So yum is probably not one of the clients they could do that to. Now, if you used a DNS bug to hijack mirrors.fedoraproject.org, then you could lock in the mirror used by suppling a list that only contained pointers to the malicious mirror. Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
