hey all...
not sure if this is the appropriate spot to share or not, but it was the closest I could find to "security @ fedora"....
while working on a project, I searched for "Fedora" AMI images in the new-ish AWS region us-east-2 ("Ohio"), and was pleasantly surprised to find the easily discoverable and recognizable AMI "Fedora release 26 (ami-f3a18096)" (as well as a "Fedora release 25".....)
upon booting, I was concerned to find an extra ssh authorized key in ~fedora/.ssh/authorized_keys, and soon realized this was _not_ a sanctioned Fedora release (as confirmed from https://alt.fedoraproject.org/cloud/).
While yes, this is my fault for not starting from a trusted reference to find a reliable AMI, I found this a pretty easy pit to fall into.
Don't know if there's a remedy, other than getting real Fedora images into the frontier AWS regions, but thought that I should share...
--b
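Added example, not code from the thread or from Fedora: a small POSIX shell audit that performs the check described above on a freshly booted instance, comparing every key in ~fedora/.ssh/authorized_keys against an allowlist of the keys you actually passed to EC2 at launch. It normalises each line to key type plus base64 blob, so an options prefix (command="...", no-pty) or a different trailing comment can neither hide an extra key nor make an expected one look foreign, and it flags any line it cannot parse instead of skipping it. The file contents and key blobs are constructed placeholders, not real keys; the allowlist file name and the audit functions are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread or from Fedora): audit the SSH keys
# on a freshly booted instance against the keys you expect to be there.
# All key blobs below are constructed placeholders, not real keys.
# Usage: sh audit_keys.sh [authorized_keys] [expected_keys]
set -u
export LC_ALL=C

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed allowlist: the single key you passed to EC2 at launch.
SAMPLE_ALLOW="$WORK/expected_keys"
cat > "$SAMPLE_ALLOW" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExpectedKeyPlaceholder0000000000000000 me@laptop
EOF

# Constructed authorized_keys as found on the instance: the expected key
# (with the comment cloud-init gave it) plus an extra key hidden behind an
# options prefix that itself contains a space.
SAMPLE_AUTH="$WORK/authorized_keys"
cat > "$SAMPLE_AUTH" <<'EOF'
# keys installed by cloud-init
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExpectedKeyPlaceholder0000000000000000 fedora@cloud-init

command="echo hi",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnexpectedKeyPlaceholder00 deploy
EOF

AUTH=${1:-$SAMPLE_AUTH}
ALLOWLIST=${2:-$SAMPLE_ALLOW}

# Print every key in FILE as "<type> <base64-blob>": options prefixes,
# trailing comments, blank lines and #-comments are dropped so that two
# copies of one key compare equal. A line with no recognisable key type is
# printed with an UNPARSEABLE marker instead of being silently skipped.
extract_keys() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
        for (i = 1; i < NF; i++) {
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                print $i, $(i + 1)
                next
            }
        }
        print "UNPARSEABLE", $0
    }' "$1"
}

# Print the keys in AUTHORIZED_KEYS ($1) that are not in ALLOWLIST ($2).
# Returns 0 when there are none and 1 when at least one was found.
unexpected_keys() {
    extract_keys "$2" | sort -u > "$WORK/allow.norm"
    extract_keys "$1" | sort -u > "$WORK/auth.norm"
    comm -23 "$WORK/auth.norm" "$WORK/allow.norm" > "$WORK/unexpected"
    cat "$WORK/unexpected"
    ! [ -s "$WORK/unexpected" ]
}

if unexpected_keys "$AUTH" "$ALLOWLIST"; then
    echo "OK: only expected keys in $AUTH"
else
    echo "WARNING: the keys above are in $AUTH but not in $ALLOWLIST; treat the image as untrusted" >&2
fi
```

Run it with no arguments to see the constructed case (the ssh-rsa key is reported, the ssh-ed25519 key is not, despite its different comment), or pass the instance's authorized_keys and your own public key file as the two arguments. The audit only catches what has already been booted; the other half of the point above is to check the image before launch, for example by reading the AMI's OwnerId with `aws ec2 describe-images --image-ids <ami-id> --query 'Images[].OwnerId'` and comparing it with the account Fedora publishes for its official cloud images rather than trusting the AMI's name.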
I guess it isn't really a "security" thing in a Fedora context; Fedora doesn't ship whatever this is, so there's no fix that Fedora can apply to anything within Fedora to make it go away.
However, Fedora could potentially leverage its trademark. I've opened https://pagure.io/Fedora-Council/tickets/issue/139 to let the Council know; it would be up to them to decide whether there is an actionable issue here. If not, I guess some kind of information campaign would be reasonable, which I guess might also be something the Council would pursue.
- J<
All this sounds like reasonable responses... Thanks! --b
On Fri, Sep 8, 2017 at 6:16 PM, Jason L Tibbitts III tibbs@math.uh.edu wrote:
> I guess it isn't really a "security" thing in a Fedora context; Fedora doesn't ship whatever this is, so there's no fix that Fedora can apply to anything within Fedora to make it go away.
>
> However, Fedora could potentially leverage its trademark. I've opened https://pagure.io/Fedora-Council/tickets/issue/139 to let the Council know; it would be up to them to decide whether there is an actionable issue here. If not, I guess some kind of information campaign would be reasonable, which I guess might also be something the Council would pursue.
>
> - J<
Interestingly, here's an attack along the same lines.....
https://lwn.net/Articles/733853/
On Fri, Sep 8, 2017 at 6:33 PM, Bowe Strickland bowe@redhat.com wrote:
> All this sounds like reasonable responses... Thanks! --b
security@lists.fedoraproject.org