The Red Hat-supported Fedora Project has started issuing updates to its Linux distribution again, after a hiatus of several weeks caused by a hacker break-in. Late yesterday, Fedora emailed its users to let them know that it would soon issue updates for its most recent Fedora 8 and 9 operating systems.
Fedora emailing its users? Sounds simple, but how do they get hold of the email addresses of the Fedora users? Trojan? (j/k)
Pretty simple actually, they sent an email to [email protected].
The announcement is here:
https://www.redhat.com/archives/fedora-announce-list/2008-September/…
From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.
Isn’t that a golden opportunity for whoever stole the key to inflict further damage?
Plus, all Malory needs to do is intercept the new key and replace it with his own and use it to sign malicious updates with it.
If I’m missing some key detail that makes all of the above mute please let me know.
That compromised key is useless given the fact Fedora infrastructure already generated a new version. That cracker would have to pretend to be fedora-announce-list but that will put him/her on criminal action.
https://www.redhat.com/archives/fedora-announce-list/2008-September/…
I’m not familiar with the update process in fedora, but if its not done over ssl, they could man in the middle and replace the good packages signed with the old key with bad packages signed with the old key.
Pretending to be someone else by email isn’t really all that complicated. Actually it is really easy.
The project does not believe that the keys are compromised. Neverthless, it is being changed as a precautionary measure. The couple of transitionary packages are still signed with the old key since Fedora does not allow unsigned packages by default and then everything from then onwards will use the new key.
If I’m missing some key detail that makes all of the above mute please let me know.
I think you meant to say moot. For a second there I was confused and thought you were telling your details to quiet down.
I am keeping Slackware.
-2501