What's the point of this for us, CentOS users?

http://www.redhat.com/security/data/openssh-blacklist.html

Regards,
kfx
On Fri, Aug 22, 2008 at 05:43:08PM +0200, kfx wrote:
> What's the point of this for us, CentOS users?
>
> http://www.redhat.com/security/data/openssh-blacklist.html

That will only test for compiled RPMs of certain OpenSSH packages. Those RPMs have been signed by the PGP key, so either the key server or the build server was compromised (possibly they are the same, I don't know). I'd do a detailed review of the SRPMs and patches during this period...

Rui

--
Kallisti! Today is Prickle-Prickle, the 15th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi
+ So let's do it...?
> What's the point of this for us, CentOS users?

I'd like to know if CentOS has been affected by RH's compromise. Can someone please comment?

AFAIK, CentOS builds from RHEL SRPMs, right? So, as Rui mentioned, the script that RH provided is useless. They do give the version info of the compromised packages:

# The signed tampered packages were:
#
# openssh-3.9p1-8.RHEL4.24 for i386, x86_64 architecture
# openssh-3.9p1-9.el4 for i386, x86_64 architecture
# openssh-4.3p2-26 for x86_64 architecture
# openssh-4.3p2-26.el5 for x86_64 architecture

Of course I have all of these on my local CentOS mirror right now. It would be nice to know if I'm serving compromised packages. RH doesn't mention whether the SRPMs were compromised. If they were, I suspect CentOS is affected also.

Thanks in advance,
Scott
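The practical question in Scott's post is whether a local mirror carries any of the four version-release strings Red Hat listed. The script below is an added example, not part of the thread or of Red Hat's published checker: it parses the standard name-version-release.arch.rpm filename layout and flags any openssh package whose version-release matches the quoted list. Two things in it are my assumptions, not statements from the page: that binary subpackages built from the same source (openssh-clients, openssh-server, and so on) share the flagged version-release and therefore deserve the same scrutiny, and that a src.rpm with a flagged version-release should be reported separately, since the thread notes Red Hat said nothing about SRPMs. A filename match only identifies candidates; the page's own point is that CentOS rebuilds from SRPMs, so a matching CentOS binary is not necessarily the tampered Red Hat build, and confirmation needs Red Hat's published hash data or signature check rather than the name alone. The sample listing is constructed for the example.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Version-release strings quoted from Red Hat's list in the thread above,
# with the architectures Red Hat named for each.
TAMPERED: Dict[str, Tuple[str, ...]] = {
    "openssh-3.9p1-8.RHEL4.24": ("i386", "x86_64"),
    "openssh-3.9p1-9.el4": ("i386", "x86_64"),
    "openssh-4.3p2-26": ("x86_64",),
    "openssh-4.3p2-26.el5": ("x86_64",),
}

# name-version-release.arch.rpm: version and release never contain '-',
# so the last two dashes delimit them; name may itself contain dashes.
RPM_RE = re.compile(
    r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)\.rpm$"
)


def parse_rpm_filename(path: str) -> Optional[Tuple[str, str, str, str]]:
    """Split an RPM filename into (name, version, release, arch), or None."""
    m = RPM_RE.match(os.path.basename(path))
    if not m:
        return None
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")


def classify(path: str) -> Optional[str]:
    """Return a status for openssh packages sharing a flagged version-release.

    TAMPERED_BUILD      - name/version-release/arch all match the list
    SRPM_SAME_NVR       - a src.rpm of a flagged build (status unknown per RH)
    OTHER_ARCH_SAME_NVR - flagged version-release, but an arch RH did not list
    None                - not an openssh package, or not a flagged build
    """
    parsed = parse_rpm_filename(path)
    if parsed is None:
        return None
    name, ver, rel, arch = parsed
    # Assumption: subpackages (openssh-clients, openssh-server, ...) come
    # from the same source build and carry the same version-release.
    if name != "openssh" and not name.startswith("openssh-"):
        return None
    arches = TAMPERED.get(f"openssh-{ver}-{rel}")
    if arches is None:
        return None
    if arch in arches:
        return "TAMPERED_BUILD"
    if arch == "src":
        return "SRPM_SAME_NVR"
    return "OTHER_ARCH_SAME_NVR"


def scan_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Group every flagged path in a mirror listing by its status."""
    report: Dict[str, List[str]] = {}
    for p in paths:
        status = classify(p)
        if status is not None:
            report.setdefault(status, []).append(p)
    return report


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a mirror tree on disk and apply scan_listing to every file."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return scan_listing(found)


# Constructed mirror listing for the example (not a real mirror dump).
SAMPLE_LISTING = [
    "centos/4/os/i386/CentOS/RPMS/openssh-3.9p1-8.RHEL4.24.i386.rpm",
    "centos/4/os/i386/CentOS/RPMS/openssh-server-3.9p1-8.RHEL4.24.i386.rpm",
    "centos/4/os/i386/CentOS/RPMS/openssh-3.9p1-8.RHEL4.20.i386.rpm",
    "centos/5/os/i386/CentOS/openssh-4.3p2-26.el5.i386.rpm",
    "centos/5/os/x86_64/CentOS/openssh-4.3p2-26.el5.x86_64.rpm",
    "centos/5/os/SRPMS/openssh-4.3p2-26.el5.src.rpm",
    "centos/5/os/x86_64/CentOS/openssl-0.9.8b-10.el5.x86_64.rpm",
    "centos/5/os/x86_64/repodata/primary.xml.gz",
]

if __name__ == "__main__":
    for status, paths in sorted(scan_listing(SAMPLE_LISTING).items()):
        print(status)
        for p in paths:
            print("  ", p)
```

Run it against a real tree with scan_directory("/var/www/mirror/centos"); anything under TAMPERED_BUILD is a candidate to pull and verify against Red Hat's published data, and SRPM_SAME_NVR entries are the ones the thread asks about but Red Hat's notice does not answer.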