Re: Is YUM really a secure package manager?
by Akshay Wattal
Hi,
Lately I did some research on security issues related to
different package managers including YUM and found out that
there can be some vulnerabilities in YUM. So far YUM checks
the signature which is on each individual package. In this
model, the package manager has no signatures to check until
it gets to the point where it downloads the actual packages
it intends to install.
Keeping this in mind the vulnerabilities that are possible
are as follows:
---->Metadata Manipulation Attack: The attack in
this case involves a malicious party responding to a package
manager’s request by making their own metadata. There are
two main things attackers can do. First, they can
mix-and-match the versions of packages that are listed.
Second, they can trick clients into thinking that packages
have different dependencies and provide different
functionality than they really do.
In mixing-and-matching vulnerable package versions by
listing them in the same metadata given to a client,
attackers make it more likely that, whatever new package a
client installs, it is installing a version with a known
vulnerability.
---->Freeze Attack: In this an attacker can keep giving
the client a single version of the metadata starting at one
point in time (that is, “freezing” the metadata), the
attacker can prevent the client from knowing about new
metadata and thus new packages that are available that fix
known vulnerabilities.
---->Endless data Attack: It involves a malicious party
responding to a client request, be it for metadata or for a
package, with an endless stream of data. The possible
effects include filling up the partition where the package
manager saves downloaded files or exhausting memory.
These are a few "possible" vulnerabilities which can be found
in YUM.
Thanks
14 years, 8 months
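An added example, not part of the original post and not YUM's own code: two client-side checks that address the freeze and endless data attacks described above, a size-capped read of a repository response and a freshness check on the metadata timestamp. The limits, function names and the `EndlessStream` test input are assumptions made for illustration, and the timestamp check is only meaningful when the metadata itself is authenticated, since unsigned metadata can carry any timestamp.

```python
import time

MAX_METADATA_BYTES = 1 << 20      # assumed cap; set per repository
MAX_METADATA_AGE = 7 * 24 * 3600  # assumed policy: older than 7 days is stale


class MetadataError(Exception):
    """Raised when a repository response fails a client-side check."""


def read_bounded(stream, limit=MAX_METADATA_BYTES, chunk=8192):
    """Read a response body, aborting once it exceeds `limit` bytes."""
    buf = bytearray()
    while True:
        data = stream.read(chunk)
        if not data:
            return bytes(buf)
        buf += data
        if len(buf) > limit:
            raise MetadataError("response exceeds %d bytes" % limit)


def check_freshness(timestamp, last_seen, now=None, max_age=MAX_METADATA_AGE):
    """Accept metadata only if it is not older than the copy already seen
    and not older than the staleness policy allows."""
    now = time.time() if now is None else now
    if timestamp < last_seen:
        raise MetadataError("metadata older than previously seen copy")
    if now - timestamp > max_age:
        raise MetadataError("metadata is stale; possible freeze")
    return timestamp  # caller stores this as the new last_seen


class EndlessStream:
    """Constructed test input: a response body that never ends."""
    def read(self, n):
        return b"A" * n


if __name__ == "__main__":
    try:
        read_bounded(EndlessStream(), limit=4096)
    except MetadataError as exc:
        print("rejected:", exc)
```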
F11: Updating: caching problem with sqlite
by lanas
Hello,
I've just installed F11 x86_64. First thing I want to do after
install is to say 'yes' to apply all the updates I was notified about.
573 updates. I'm looking forward to having an updated system, so I've
chosen 'yes' when KPackageKit popped up automatically.
Alas, problem.
'There was a (possibly temporary) problem ...'
Details
'Caching enabled but no local cache of /var/cache/yum/fedora/(lots of
digits)/filelists.sqlite.bz2'
If that package is causing trouble, I'd like to remove it from the
update process. I don't use sqlite. Thing is, KPackageKit does not
show the packages in alphabetical order and there's no search method.
I will not scroll 573 items to find sqlite.
So how can the update be done and, what is this problem anyways ?
Thanks for all suggestions and help. F11 looks nice as far as the
artwork is concerned. Looks promising.
Cheers.
14 years, 8 months
kde 4.3 pager
by George Avrunin
I'm sure this is pilot error of some sort, but I can't figure it out.
I'm running F11, x86_64, fully updated. I use 12 desktops. Until I did
the update that brought in KDE 4.3, I had a nice pager widget (not on the
panel) with 4 rows and 3 columns, the small images of the desktops
filled the widget, and I could adjust the size. With 4.3, KDE seems to
insist on a particular shape for the pager--the 12 desktops in this 4x3
configuration take up about half of it and it is not in the same aspect
ratio as my display. Also, there's a minimum size it won't let me go
below. I created a new user and tried to make a pager with 12 desktops
this way and got the same thing, so I *think* it's not something else in
my configuration. (If I put a pager on the panel, it doesn't seem to use
any extra space, but it's too small for me to use.)
How do I get rid of the extra space the pager widget is insisting on
using? And why can't I make it smaller?
George
14 years, 8 months