From: Ludwig Nussel (ludwig.nussel@suse.de)
Date: Tue Jul 15 2008 - 10:10:52 CDT
Dear openSUSE and SUSE Linux Enterprise users,
Several news sites recently published articles citing a report about
attacks on package managers [1]. Some unfortunately chose a wording
that could be misunderstood as if a rogue mirror server could trick
YaST into installing malicious software when applying regular
(security-)updates.
This is not the case. All official update repositories for SUSE
Linux based products use cryptographically signed packages and meta
data. YaST verifies the cryptographic signatures and rejects any
file whose signature doesn't match. Therefore it's not possible for
a rogue mirror to introduce malicious software.
Another problem outlined in the report was that mirror servers could
intentionally serve an old version of the update repository.
Therefore clients using that mirror would not get the latest
security updates and potentially stay vulnerable to known and
presumably already fixed problems.
SUSE already addresses this issue too.
- Firstly, YaST will not automatically downgrade installed packages.
Therefore an outdated repository can not undo an already applied
security fix.
- Secondly, starting with version 10.3 openSUSE uses a central
download redirector that directly serves the meta data. Stale
mirrors are therefore detected immediately. To avoid sending
clients to mirrors that do not have certain files (yet), the
download redirector also continuously monitors its mirrors. It
only redirects to servers that are known to have the file in
question.
For SUSE Linux enterprise products only servers owned by Novell
are used via secure https connections.
cu
Ludwig
[1] http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQEVAwUBSHy9/Hey5gA9JdPZAQI9BQgAlKXZGWmMEQjvl/ImOPwrz/wnAN166En0
gaxBAlEjTVnd/Yv9QXigZGevdMTObsSm2rJFXFKtMBovE3oavMLcyEx48PM4pvTA
6cTgQNskK0XSd0ofOO64uU2uJMFq2g3DvIYZeN1vUuS874/nKR7/myzVxFlAJ3S8
/YSGTFYydIo6U77i06eRir+IjipGoDqCJShwMarm6KjOpjmB89MpcMC+fg/JbLIP
VClvPHyG+pPzyLASTivaXERdiNYVG6s8wEGJQjmMEqrmuS+8O1YcDKvOsKZdbz1t
vTttZDNX0ej/1bSh7qnjggj6tU3crDfffzRbp6cyDGNj452BPRtROg==
=iBNm
-----END PGP SIGNATURE-----
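The client-side defences the mail describes, as an added example that is not SUSE's or YaST's code: a small update client that rejects metadata whose signature does not verify (the rogue-mirror case), rejects metadata older than what it has already accepted (the rollback a stale mirror could attempt), and never downgrades an installed package, so an outdated repository cannot undo an applied fix. An HMAC tag stands in for the GPG signature on the repository metadata, the JSON metadata and package versions are constructed for the demo, and rpm_vercmp is a simplified re-implementation of rpm's version comparison; none of these are the real YaST/zypper interfaces.

```python
"""Added example: signature, freshness and no-downgrade checks for repository metadata."""
import hashlib
import hmac
import json
import re

# Hypothetical shared key standing in for the repository's GPG signing key (constructed).
REPO_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_metadata(metadata: bytes, key: bytes = REPO_KEY) -> str:
    """Stand-in for the signature the build host puts on the metadata file."""
    return hmac.new(key, metadata, hashlib.sha256).hexdigest()


def verify_metadata(metadata: bytes, tag: str, key: bytes = REPO_KEY) -> bool:
    """Constant-time check of the stand-in signature."""
    return hmac.compare_digest(sign_metadata(metadata, key), tag)


_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split on non-alphanumerics into numeric and alphabetic
    segments; numeric segments compare as integers, alphabetic ones lexically, a
    numeric segment beats an alphabetic one at the same position, and the string
    with more segments is newer when all shared segments are equal. Returns -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


class UpdateClient:
    """Models the parts of an update client relevant to the two mirror attacks."""

    def __init__(self, installed: dict):
        self.installed = dict(installed)  # package name -> version on disk
        self.last_timestamp = 0           # newest metadata timestamp accepted so far

    def apply(self, metadata: bytes, tag: str) -> dict:
        """Apply one fetched metadata file. Returns what was upgraded, which
        offers were ignored, or why the whole repository was rejected."""
        if not verify_metadata(metadata, tag):
            return {"rejected": "bad signature"}          # modified or unsigned metadata
        repo = json.loads(metadata)
        if repo["timestamp"] < self.last_timestamp:
            return {"rejected": "stale metadata (older than last accepted)"}
        self.last_timestamp = repo["timestamp"]
        upgraded, ignored = {}, {}
        for name, version in repo["packages"].items():
            have = self.installed.get(name)
            if have is None:
                continue                                   # updates only, no new installs
            if rpm_vercmp(version, have) <= 0:
                ignored[name] = version                    # never downgrade or reinstall
                continue
            self.installed[name] = version
            upgraded[name] = version
        return {"upgraded": upgraded, "ignored": ignored}


def demo() -> list:
    """Run the three attack scenarios against constructed metadata."""
    fresh = json.dumps({"timestamp": 1216130000,
                        "packages": {"openssl": "0.9.8b-17.4", "bash": "3.2-82"}}).encode()
    old = json.dumps({"timestamp": 1216000000,
                      "packages": {"openssl": "0.9.8b-17.2", "bash": "3.2-82"}}).encode()
    client = UpdateClient({"openssl": "0.9.8b-17.2", "bash": "3.2-82"})
    results = [client.apply(fresh, sign_metadata(fresh))]        # genuine update applied
    results.append(client.apply(old, sign_metadata(old)))        # stale mirror replays old metadata
    tampered = fresh.replace(b"17.4", b"17.5")
    results.append(client.apply(tampered, sign_metadata(fresh)))  # rogue mirror edits metadata
    # A client that never saw the fresh metadata still will not downgrade what it has.
    patched = UpdateClient({"openssl": "0.9.8b-17.4"})
    results.append(patched.apply(old, sign_metadata(old)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The freshness check here is purely local (a timestamp the client remembers), which is weaker than the central redirector the mail describes for openSUSE 10.3: a client that has never seen fresh metadata cannot tell an old mirror from a current one, which is exactly why the no-downgrade rule matters in the last scenario.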