On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <[EMAIL PROTECTED]> said:
> > 3. Could it be considered as a security risk to let a newly installed server, > > request information from an arbitrary server that I have no control over ? > security in the way that your server might end up getting exploited because > of it? > no, i dont think so.. > security in a way that you might get caught using an illegal copy of a > win2003 server? > yup. You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right? http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2 You *do* realize that Apple's 'Software Update' had issues with failing to use PKI to identify the download server, resulting in a possible MITM attack, right? http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2 You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had trojan'ed distributions put on their *official* download site? http://www.cert.org/advisories/CA-2002-30.html http://www.cert.org/advisories/CA-2002-28.html http://www.cert.org/advisories/CA-2002-24.html http://www.cert.org/advisories/CA-1999-01.html Still don't think there's a security risk in downloading an unverified patch from a server not under your control? Closing down *most* of these exposures is why the 'rpm' package manager supports using PGP to sign the packages...
pgp00000.pgp
Description: PGP signature
