The University of Arizona is publishing a study on security problems with package management systems. The core problem would appear to be that tools like yum and apt will happily install versions of packages with known vulnerabilities if they think that's the most recent version available. And feeding such packages to the package managers is not a bit challenge: "To give an example of how easy it is for a malicious party to obtain a mirror, we ran an experiment where we created a fake administrator and company name and leased a server from a hosting provider. We were able to get our mirror listed on every distribution we tried (Ubuntu, Fedora, OpenSuSE, CentOS, and Debian) and our mirrors were contacted by thousands of clients, even including military and government computers!"
News stories are provided by third parties, used with permission,
and copyright of their various respective owners.
Answers 2000 Limited has not necessarily reviewed,
and does not necessarily endorse or
agree with any content of, or views expressed in, all such items.
Answers 2000 Limited has not
necessarily reviewed,
and does not necessarily endorse or
agree with any content of, or views expressed in, comments posted by users.
