Re: Is YUM really a secure package manager ?

 Hi,
 
 Lately I did some research on security issues related to
 different package managers including YUM and found out that
 there can be some vulnerabilities in YUM. So far YUM checks
 the signature which is on each individual package. In this
 model, the package manager has no signatures to check until
 it gets to the point where it downloads the actual packages
 it intends to install.
 Keeping this in mind, the vulnerabilities that are possible
 are as follows:
 
 ---->Metadata Manipulation Attack: The attack in
 this case involves a malicious party responding to a package
 manager's request by making their own metadata. There are
 two main things attackers can do. First, they can
 mix-and-match the versions of packages that are listed.
 Second, they can trick clients into thinking that packages
 have different dependencies and provide different
 functionality than they really do.
 In mixing-and-matching vulnerable package versions by
 listing them in the same metadata given to a client,
 attackers make it more likely that, whatever new package a
 client installs, it is installing a version with a known
 vulnerability.
 
 ---->Freeze Attack: In this attack, an attacker keeps giving
 the client a single version of the metadata starting at one
 point in time (that is, "freezing" the metadata). By doing so,
 the attacker can prevent the client from knowing about new
 metadata and thus new packages that are available that fix
 known vulnerabilities.
 
 ---->Endless Data Attack: It involves a malicious party
 responding to a client request, be it for metadata or for a
 package, with an endless stream of data. The possible
 effects include filling up the partition where the package
 manager saves downloaded files or exhausting memory.
 
 
 These are a few "possible" vulnerabilities which can be found
 in YUM.
 
 Thanks 
 
 



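A client-side illustration of the defences against the three attacks described in the post above, written as an added example (not code from the post, nor from yum itself, which offers signed repository metadata through its repo_gpgcheck option): an HMAC stands in for the signature on the metadata, the last-seen-timestamp bookkeeping is a hypothetical client state, and every response fed through it is constructed.

```python
import hashlib
import hmac
import io
import json

MAX_METADATA_BYTES = 512 * 1024   # cap on one metadata response (endless-data defence)
MAX_METADATA_AGE = 7 * 24 * 3600  # reject metadata older than a week (freeze defence)

class EndlessStream:               # constructed hostile server: read() never hits EOF
    def read(self, n):
        return b"A" * n

def read_capped(stream, limit=MAX_METADATA_BYTES):
    """Read at most `limit` bytes; None if the source keeps sending past the cap."""
    data = stream.read(limit + 1)
    return data if len(data) <= limit else None

def check_metadata(raw, tag, key, last_seen_ts, now):
    """Return (status, metadata); status is "ok" or the reason for rejection.
    key/tag stand in for the repo signing key and detached signature (HMAC here;
    yum checks a GPG signature on repomd.xml when repo_gpgcheck=1).
    last_seen_ts is the timestamp of the metadata this client accepted last time."""
    if not hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).digest(), tag):
        return "bad-signature", None   # listing altered: metadata manipulation
    meta = json.loads(raw)
    if meta["timestamp"] < last_seen_ts:
        return "rollback", None        # older than a snapshot already trusted
    if now - meta["timestamp"] > MAX_METADATA_AGE:
        return "stale", None           # same old snapshot served past its useful life
    return "ok", meta

def fetch(stream, tag, key, last_seen_ts, now):
    raw = read_capped(stream)
    return ("too-large", None) if raw is None else check_metadata(raw, tag, key, last_seen_ts, now)

KEY, NOW = b"constructed-demo-repo-key", 1_700_000_000   # constructed sample values
def signed(doc):
    raw = json.dumps(doc).encode()
    return raw, hmac.new(KEY, raw, hashlib.sha256).digest()

FRESH_RAW, FRESH_TAG = signed({"timestamp": NOW - 3600, "packages": {"openssl": "1.0.1g"}})
OLD_RAW, OLD_TAG = signed({"timestamp": NOW - 30 * 86400, "packages": {"openssl": "1.0.1f"}})

def run_demo():
    """Feed constructed responses through fetch() and return each one's status."""
    last_seen = NOW - 30 * 86400   # client last accepted the month-old snapshot
    tampered = FRESH_RAW.replace(b"1.0.1g", b"1.0.1f")   # attacker edits the listing
    return {"genuine": fetch(io.BytesIO(FRESH_RAW), FRESH_TAG, KEY, last_seen, NOW)[0],
            "tampered": fetch(io.BytesIO(tampered), FRESH_TAG, KEY, last_seen, NOW)[0],
            "frozen": fetch(io.BytesIO(OLD_RAW), OLD_TAG, KEY, last_seen, NOW)[0],
            "endless": fetch(EndlessStream(), FRESH_TAG, KEY, last_seen, NOW)[0]}
```

The "rollback" branch covers the related case of a signed snapshot older than one the client already trusts, which the freshness window alone would not catch.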

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
