|Main Archive Page > Month Archives > full-disclosure-uk archives|
RedHat's package signing key was used to sign trojaned OpenSSH packages. RedHat does not think these were distributed via the Red Hat Network auto-update service.
On Fri, Aug 22, 2008 at 10:37 AM, coderman <firstname.lastname@example.org> wrote:
> On Fri, Aug 22, 2008 at 7:41 AM, Juha-Matti Laurio
> <email@example.com> wrote:
> > ...
> > "One of the compromised Fedora servers was a system used for signing
> Fedora packages."
> deploying all new signing keys to every fedora install. this is akin
> to verisign deploying a new root.
> thanks for such a prompt update guys!
> (aug14 discovery to aug22 announce...)
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/