Attacks on Linux Package Managers?

Discussion in 'other security issues & news' started by tlu, Jul 16, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

    The recommendation to use only trustworthy official repositories is definitely correct. I don't know how other distros handle the mirror-server problem. But as far as Ubuntu is concerned, there are centralized security updates via security.ubuntu.com (and not via mirror servers). Thus, an attacker would have to perform a man-in-the-middle attack between s.u.c. and my computer - very unlikely ;). For non-security updates the first sentence applies (i.e. to stick with the default servers or - if you're paranoid - with archive.ubuntu.com).

    But again - other distros might be more affected. Any users of these distros who can deliver some insight?
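The distinction drawn in the post above (security updates from security.ubuntu.com, everything else from the default servers or archive.ubuntu.com) can be checked against a machine's APT source list. The following is an added example, not part of the original thread: the sample entries are constructed, and treating country mirrors under `*.archive.ubuntu.com` as "default servers" is an assumption.

```python
from urllib.parse import urlparse

SECURITY_HOST = "security.ubuntu.com"  # host named in the post
ARCHIVE_HOST = "archive.ubuntu.com"    # host named in the post

# Constructed sample in one-line sources.list format (not from the thread).
SAMPLE = """\
# main archive via a country mirror
deb http://us.archive.ubuntu.com/ubuntu hardy main restricted
deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb [arch=amd64] http://mirror.example.org/ubuntu hardy-security universe
deb-src http://mirror.example.org/ubuntu hardy-updates main
deb https://security.ubuntu.com.example.net/ubuntu hardy-security main
"""

def parse_line(line):
    """Return (host, suite) for a deb/deb-src entry, or None for anything else."""
    fields = line.split("#", 1)[0].split()
    if not fields or fields[0] not in ("deb", "deb-src"):
        return None
    rest = fields[1:]
    if rest and rest[0].startswith("["):  # optional "[ key=value ... ]" group
        while rest and not rest[0].endswith("]"):
            rest = rest[1:]
        rest = rest[1:]
    if len(rest) < 2:
        return None
    return (urlparse(rest[0]).hostname or "").lower(), rest[1]

def audit(text):
    """Return (lineno, host, suite, verdict) for every repository entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        host, suite = parsed
        if suite.endswith("-security"):  # exact match rejects lookalike hosts
            verdict = "ok" if host == SECURITY_HOST else "security-via-mirror"
        elif host == ARCHIVE_HOST or host.endswith("." + ARCHIVE_HOST):
            verdict = "ok"  # assumption: *.archive.ubuntu.com counts as default
        else:
            verdict = "non-default-host"
        findings.append((lineno, host, suite, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

To audit a real system, pass the contents of `/etc/apt/sources.list` to `audit()` instead of `SAMPLE`.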
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hey Tomas, yesterday YaST, the package manager for openSUSE, told me there was a security issue with the package manager itself and then updated it along with various other updates.
     
  3. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    So far I can't see anything taking place in either of our Mandriva or Kubuntu boxes related to the package manager...
     
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Sorry about the double post... Using XP Pro... Since SP3, we get nothing but glitches across the board... I can't wait until I'm 100% Linux on the entire infrastructure...
     
  5. tlu

    tlu Guest

    Yes, definitely a good choice. :thumb:
     