Vulnerabilities Found in All Package Managers 2008-07-10 17:54 justin samuel
justin samuel writes "CERT has posted to their blog about vulnerabilities found in all popular package managers (apt, yum, YaST, etc.) by University of Arizona researchers. The researchers have released a study that discusses the many security problems they discovered. Among these vulnerabilities, exploitable by malicious mirrors or man-in-the-middle attackers, are some which take advantage of poor usage of cryptographic signatures, leaving the package managers vulnerable to replay attacks. An attacker could use the discovered vulnerabilities to crash a user's system or potentially obtain root access. The researchers showed how easy it is to gain control of an official mirror. Using a fictitious identity, they got their own server listed as an official mirror for all of the distributions they tried (Ubuntu, Debian, Fedora, CentOS, and openSUSE). — Disclaimer: I'm one of the researchers."
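The replay problem the submission mentions comes down to what the client checks besides the signature. If the client only asks "does this metadata file carry a valid repository signature?", a malicious mirror can serve an old, genuinely signed copy of the metadata and the client will happily install the package versions it lists, including ones already replaced by security updates. The following is an added illustration, not code from the paper, CERT, or any of the named distributions: a signature-only client next to one that also enforces an expiry timestamp and refuses to step back to a lower metadata version. The signing key, the HMAC-SHA256 stand-in for the OpenPGP signature, the `libexample` package, and all timestamps are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the distribution's signing key. A real repository uses an
# asymmetric (OpenPGP) key; HMAC-SHA256 is used here only so the example runs offline
# while keeping the property the attack relies on: the replayed file still verifies.
REPO_KEY = b"constructed-repository-signing-key"

ONE_DAY = 86_400


def sign_metadata(metadata: dict) -> dict:
    """Serialise repository metadata canonically and attach a signature over it."""
    body = json.dumps(metadata, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(REPO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def signature_valid(signed: dict) -> bool:
    """Constant-time check that the signature matches the body as served."""
    expected = hmac.new(REPO_KEY, signed["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def naive_verify(signed: dict) -> dict:
    """Signature-only client: any correctly signed metadata is accepted, however old."""
    if not signature_valid(signed):
        raise ValueError("bad signature")
    return json.loads(signed["body"])


class FreshClient:
    """Client that also enforces expiry and forbids going back to an older release."""

    def __init__(self, now: int, last_version: int = 0):
        self.now = now                    # client's notion of current time (seconds)
        self.last_version = last_version  # highest metadata version already accepted

    def verify(self, signed: dict) -> dict:
        if not signature_valid(signed):
            raise ValueError("bad signature")
        meta = json.loads(signed["body"])
        if meta["expires"] <= self.now:
            raise ValueError("metadata expired: stale copy or replay")
        if meta["version"] < self.last_version:
            raise ValueError("rollback: older metadata than already accepted")
        self.last_version = meta["version"]
        return meta


# Constructed repository history: release 1 ships a build that release 2 replaces
# three days later; each metadata file is valid for seven days after signing.
SIGNED_AT_V1 = 1_000_000
RELEASE_V1 = sign_metadata({
    "version": 1,
    "expires": SIGNED_AT_V1 + 7 * ONE_DAY,
    "packages": {"libexample": {"version": "1.0.0", "sha256": "aaaa"}},  # constructed old build
})
SIGNED_AT_V2 = SIGNED_AT_V1 + 3 * ONE_DAY
RELEASE_V2 = sign_metadata({
    "version": 2,
    "expires": SIGNED_AT_V2 + 7 * ONE_DAY,
    "packages": {"libexample": {"version": "1.0.1", "sha256": "bbbb"}},  # constructed fixed build
})


def replay_outcome(now: int) -> dict:
    """A mirror serves RELEASE_V1 at time `now`, after RELEASE_V2 exists and V1 has expired.
    Returns the libexample version each client would install (None = refused)."""
    naive = naive_verify(RELEASE_V1)["packages"]["libexample"]["version"]

    fresh = FreshClient(now=now, last_version=0)
    try:
        hardened = fresh.verify(RELEASE_V1)["packages"]["libexample"]["version"]
    except ValueError:
        hardened = None
    return {"naive": naive, "fresh": hardened}


def rollback_outcome(now: int) -> bool:
    """Client has already accepted RELEASE_V2; the mirror then serves RELEASE_V1 while it is
    still inside its expiry window. Returns True if the hardened client refuses it."""
    client = FreshClient(now=now)
    client.verify(RELEASE_V2)
    try:
        client.verify(RELEASE_V1)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(replay_outcome(SIGNED_AT_V1 + 8 * ONE_DAY))   # naive client installs 1.0.0
    print(rollback_outcome(SIGNED_AT_V1 + 4 * ONE_DAY))  # hardened client refuses the rollback
```

Two caveats a practitioner should keep in mind. The expiry check only bounds how long a mirror can keep serving a stale snapshot; within the validity window a first-time client has no way to tell a replay from the current release, so the window length is a direct security parameter. The version (rollback) check closes the gap for clients that have already seen newer metadata, but it assumes the client's clock is roughly right and that the metadata version is covered by the signature, which is exactly the kind of detail the submission describes as "poor usage of cryptographic signatures".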

