Mikkel L. Ellertson wrote: > Marcelo M. Garcia wrote: > > http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss > > Two things bother me about this. First of all, most users are not > using the same mirror all the time, so there would only be a brief > window that the system would be vulnerable. The second thing is that > yum is not going to install an older package, and the package > version is not dependent on the file name. It is part of the > information in the RPM. So they could delay the installation of an > update on some systems. By default, yum picks a mirror at random > from the mirror list to help spread the load on the mirrors. I found this in their FAQ: | Q: I use a service that distributes my requests to different mirrors for my | distribution (like MirrorManager). That means I'm not vulnerable, right? | A: The good aspect of these systems is that it may spread your requests | across multiple mirrors in the normal case. However, when testing some of | these systems, we were able to target the clients that used our mirror and | exclude them from using other mirrors. This means that if an attacker wants | to target your organization, these services may help the attacker do so. It's not clear whether Yum is vulnerable to getting locked to the malicious mirror, or how they did it. Björn Persson
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list