[Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning
michael at bluesuperman.com
Tue Nov 4 07:00:56 GMT 2003
So you think up2date is secure and has no problems, please refer to the
From: bugzilla at redhat.com
To: redhat-watch-list at redhat.com, bugtraq at securityfocus.com, full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] [RHSA-2003:255-01] up2date improperly checks GPG signature of packages
Date: Fri, 8 Aug 2003 12:36 -0400
Sender: full-disclosure-admin at lists.netsys.com
-----BEGIN PGP SIGNED MESSAGE-----
Red Hat Security Advisory
Synopsis: up2date improperly checks GPG signature of packages
This just proves that Network Admins should NOT reply %100 on up2date to keep there servers healthy -- how about you do some work on them instead of expecting your linux distro developer to keep YOUR system up2date !!!
Like I said before -- "People who started off on RH usually never learned anything"
RH-users: Help Help my rpm is broken
slackware-users: it is ok, download the source, compile, and install
RH-users: what is this "source" you speak off - and compile - hmmmm I have to check my RH manual on that one. Oh wait I can't compile, because my lib's are all of the place.
I will gladly burn you a slackware ISO and ship it over if you like.
On Tue, 4 Nov 2003 00:47:36 -0500
"Joshua Levitsky" <jlevitsk at joshie.com> wrote:
> ----- Original Message -----
> From: "Michael Gale" <michael at bluesuperman.com>
> Sent: Monday, November 03, 2003 11:51 PM
> Subject: Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and
> transition planning
> > So you are saying you trust up2date to take care of all your machine
> updates ? That is like saying you trust Microsoft auto update to handle your
> servers. What happens when they release a bad patch ? or one that hoses your
> That's why Red Hat network has an interface where you pick what updates get
> deployed to each machine or to each group of machines. You authorize /
> schedule a patch on up2date and it will grab it. Alternatively you can run
> up2date --update on your boxes if you just want to fetch everything if you
> know all existing patches are good for your environment.
> > This way I can test and packages before they get installed and I KNOW THE
> SOURCE of the packages. There is no "ops .. RedHat servers have been hacked
> and I just installed ...".
> up2date uses GPG signatures to ensure the content is signed by Red Hat. Are
> you saying they would hack the up2date servers and compromise the private
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure is hosted and sponsored by Secunia.