Hmm....... RedHat's package signing key was used to sign trojaned OpenSSH packages. RedHat does not think these were distributed via the Red Hat Network auto-update service.
On Fri, Aug 22, 2008 at 10:37 AM, coderman <[EMAIL PROTECTED]> wrote: > On Fri, Aug 22, 2008 at 7:41 AM, Juha-Matti Laurio > <[EMAIL PROTECTED]> wrote: > > ... > > "One of the compromised Fedora servers was a system used for signing > Fedora packages." > > deploying all new signing keys to every fedora install. this is akin > to verisign deploying a new root. > > thanks for such a prompt update guys! > > (aug14 discovery to aug22 announce...) > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://www.goldwatches.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
