
Red Hat's security issue

Filed under: Linux, Security

Last month, Red Hat issued a security bulletin. Not all that went on is clear, but it seems that the servers used to develop and distribute Fedora and Red Hat were accessed by a person with criminal intent. The perpetrator created trap-door versions of the SSH (remote login program) packages that would compromise the security of Red Hat's customers, and signed them with Fedora's cryptographic key. These packages were made available via the Fedora archive and they may (I've no proof) have reached some number of Fedora customers. Obviously they were intended to be widely distributed and to compromise the security of all Red Hat and Fedora systems. Red Hat issued a script that users can run to detect the compromised packages.

But there are continuing problems with Red Hat's handling of the situation.

Best practice of computer security professionals is to fully disclose what went wrong and how you're preventing it from happening again. This tells customer security officers what they need to audit the security practices of their vendor, and to secure their own facilities. The worst practice, for which Microsoft is the prototype, is to stay mum and not admit any problems.

Red Hat's being mum. Fedora's being forced to be mum, because their own board has not been given full details and of course they are mostly controlled by Red Hat.

Also:

Security breaches bring out the proprietary attitude in all of us. When security is breached we instinctively hide the details, and build a metaphorical police line around it, telling onlookers to move along.

The security attitude runs counter to the open source attitude. Open source demands that bugs be seen and lessons shared. The security attitude fears this release of information because the evildoers might get it.

With that in mind let’s move to the umbrage of Bruce Byfield during what Slashdot termed last month’s Fedora-Red Hat crisis.

Fedora and our security attitude
More in Tux Machines

Is your company an open source parasite?

Getting involved in the open source projects that matter to a company, in other words, gives them more ability to influence their future today, even as dependence on a vendor results in putting one's future in the hands of that vendor to resolve on their timetable. It's simply not smart business, not if an open source alternative exists and your company already depends upon it. In sum, the GitHub contributor counts should be much higher, and not merely for those in the business of selling software (or tech, generally). Any company defined by software—and that's your company, too—needs to get more involved in both using and contributing open source software.

LibreELEC Embedded Linux OS Now Compatible with Windows 10 Fall Creators Update

The LibreELEC 8.2.1 update is based on the latest Kodi 17.6 "Krypton" open-source and cross-platform media center software and it mostly patches some Samba (SMB) "file exists" share errors on Windows 10 Fall Creators Update by updating the protocol to Samba 4.6.10, implementing SMB client options for minimum SMB protocol and an SMB legacy security option with NTLMv1, and disabling SPNEGO. "LibreELEC 8.2.x includes changes that allow the Kodi SMB client and our embedded Samba server to support SMB2/3 connections; deprecating SMB1 to improve security and performance. This is necessary to cope with changes Microsoft introduced in the Windows 10 ‘Fall Creators Update’ to resolve SMB1 security issues," explained the developers.

Canonical Releases Major Kernel Update for Ubuntu 16.04 to Fix 13 Security Flaws

The update is a major one patching a total of 13 security flaws, including race conditions in the Linux kernel's ALSA subsystem, the packet fanout implementation, and the key management subsystem, as well as use-after-free vulnerabilities in both the USB serial console driver and the ALSA subsystem. Various other issues were also patched for the Linux kernel's key management subsystem, the Ultra Wide Band driver, the ALSA subsystem, the USB unattached storage driver, and the USB subsystem, which received the most attention in this update as several security flaws were recently disclosed.

Graphics: NVIDIA and AMD