FreeBSD Ports and Packages: Installation and upgrading of ports and packages on FreeBSD.
http://www.cs.arizona.edu/people/jus...-managers.html
It doesn't actually say FreeBSD, just "We examined ten popular package managers (APT, YUM, YaST, etc.) for Linux and BSD systems and found vulnerabilities in all of them."

I think it's referring to dated packages in mirrors being insecure.
__________________
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity." MacBook Pro (Darwin 9), iMac (Darwin 9), iPod Touch (Darwin 9), Dell Optiplex GX620 (FreeBSD 7.1-STABLE)

No, it's saying a malicious mirror can deliver old packages with known security flaws when you update and then use the known flaws to attack your machine or network.

my personal opinion
It's all a crock full of buffalo pucky, the link posted by hunteronline is the same one I saw on slashdot when following my RSS feeds.

The replay problem is a valid concern because if you do get an attacker with enough access to your system, they can tamper with your system files -- never mind mucking with package management enough to send you outdated files. If any software used to decide what is up to date and what is not is up to date can't tell the difference. There best be a carefully made 'tainted' package that appears to be new, a bug in the code, or some really stupid people IMHO.

Mirror control? Well if the people can't be bothered to make sure that the mirrors they are promoting are as valid as the checksums and other security methods YOU should be publishing to ensure validity of packages and metadata. Then you deserve to have all of your users file your distribution under /dev/null and find one that doesn't do it half assed.

FreeBSD ports uses md5 and sha256 checksums and if memory serves it also does size check on the distfile as part of validating it. To sidestep that an attacker needs to compromise the local system and adjust the distinfo or compromise the data being received during a portsnap/csup/cvs of the ports tree, the source of the distinfo, go man in the middle, or trick a moron with proper access into doing or allowing it to be done manually. This is one reason I like portsnap, updates are signed -- I don't know if csup/cvsup supports that.

The first rule of security, use your freaking brain cells. Like the lump of gray matter roughly three feet above your buttocks. A brain is _such_ a terrible thing to waste!

Code:
Things You Can Do Today:

Code:
* Use repositories you trust. Use only mirrors that belong to reputable organizations. Don't randomly choose mirrors, even from official lists. The official lists of public repositories often contain many superficially verified mirrors.

Code:
* Manually update your systems (and local mirror caches). Know when package updates become available and what the versions should be. Manually verify and install the updated packages (or add them to your local mirror cache that your systems update from) rather than relying on automated updates. We have observed mirrors many months out of date for some distributions, so you should check periodically that your mirror is being updated.

If the mirror is out of date, someone should bloody well notice it huh?

Code:
* Use signed repository metadata. If your package manager or distribution does not yet support signed metadata but only signed packages, at least require signed packages until signed metadata is supported.

Code:
* Use HTTPS for mirror communication. Unfortunately, this is generally only available with paid support services (and only protects you against man-in-the-middle attacks, not malicious mirrors). However, by running a distribution with HTTPS support on their mirrors, a man-in-the-middle attacker cannot easily launch an attack as though it were a mirror.

Code:
In the future:
* Use package managers that sign repository metadata. Unsigned repository metadata gives malicious parties more leverage in their attacks.

the package management *system* is responsible for this, not the package manager program necessarily but it must be done within the system somewhere !

Code:
* Use package managers that implement metadata expiration. If there is no way in a package manager for metadata to ever expire, replay attacks will be able to go unnoticed.

Code:
* Use distributions that properly make use of the package manager's security features. If a distribution doesn't sign repository metadata or expire these signed files even though the package manager supports doing so, it doesn't help you stay secure.

If the distribution doesn't do jack crap, find another that does and shout loudly.

*disclaimer* I can be a very picky son of a biscuit eater when it comes to *trying* for a correct implementation instead of living with a forever half assed approach. I apologize if I have offended anyone.
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
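The signed-metadata and metadata-expiration advice quoted in the post above, as an added example that is not part of the thread, the linked paper, or any package manager's code: a client check that rejects a replayed repository index even though its signature is still valid. The function names, the JSON layout and the key are hypothetical, and HMAC stands in for a real public-key signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json

REPO_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a public-key signature
DAY = 86400

def sign_metadata(version, expires, packages, key=REPO_KEY):
    """Repository side: sign the package index together with its version and expiry."""
    body = json.dumps({"version": version, "expires": expires,
                       "packages": packages}, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def signature_ok(signed, key=REPO_KEY):
    expected = hmac.new(key, signed["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def check_metadata(signed, last_seen_version, now, key=REPO_KEY):
    """Client side: verify the signature first, then freshness. Returns (ok, reason)."""
    if not signature_ok(signed, key):
        return False, "bad signature"
    meta = json.loads(signed["body"])
    if meta["expires"] <= now:
        return False, "metadata expired"
    if meta["version"] < last_seen_version:
        return False, "rollback: older than metadata already seen"
    return True, "ok"

def demo(now=1_700_000_000):
    # Constructed sample data: index 41 lists a release with a known flaw,
    # index 42 lists the fixed release.
    stale = sign_metadata(41, now - 23 * DAY, {"foo": "1.0"})
    unexpired_old = sign_metadata(41, now + DAY, {"foo": "1.0"})
    current = sign_metadata(42, now + 7 * DAY, {"foo": "1.1"})
    tampered = dict(current, body=current["body"].replace(b'"1.1"', b'"1.0"'))
    return {
        "current": check_metadata(current, 41, now),
        "replayed_old": check_metadata(stale, 42, now),
        "rollback": check_metadata(unexpired_old, 42, now),
        "tampered": check_metadata(tampered, 42, now),
        # A signature-only client would accept the replayed index:
        "old_sig_valid": signature_ok(stale),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A client with no previously seen version can still be handed the unexpired old index, so the expiry period bounds how long a replay stays usable.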