|
Message-ID: <ff65c54d-e709-4721-93a8-ebb36fa51f54@email.android.com> Date: Mon, 19 Aug 2013 21:04:07 -0400 From: Landon Hurley <ljrhurley@...il.com> To: oss-security@...ts.openwall.com Subject: Re: PostgreSQL insecure install via yum (multiple problems) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Kurt Seifried <kseifried@...hat.com> wrote: >Problem: > >So I wanted to install PostgreSQL 9.2 to test something. So I google >"postgresql 9.2 rpm" and get sent to: > >http://yum.postgresql.org/repopackages.php > >which is not available by HTTPS at all. Not ideal but ok, I download >it over HTTP because I can check the signature on the file right? > >Wrong, I can't find the key anywhere. I try pgp.mit.edu, I even google >site:postgresql.org 442df0f8 and all you get are archived emails with >the warning that the signature can't be checked. No copy of the key. Kurt, pgp.mit.edu is deprecated. I recommend searching 0x442df0f8 on pool.sks-keyservers.net which does return a key. landon >Solution: > >Can PostgreSQL please setup HTTPS immediately for this site, and also >publish the GPG key used to sign their RPMs in a secure manner (e.g. >on the HTTPS site)? > >To replicate: > >$ wget >https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm > >Fails. > >$ wget >https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm > >Gets the file but: > >$ rpm -K pgdg-centos92-9.2-6.noarch.rpm >pgdg-centos92-9.2-6.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK >(MISSING KEYS: GPG#442df0f8) > >Signing RPM's isn't very useful if you never make the signing key >available! > > >-- >Kurt Seifried Red Hat Security Response Team (SRT) >PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 - -- Violence is the last refuge of the incompetent. -----BEGIN PGP SIGNATURE----- Version: APG v1.0.8 iQJBBAEBCgArBQJSEsCHJBxMYW5kb24gSHVybGV5IDxsanJodXJsZXlAZ21haWwu Y29tPgAKCRA3qYf9H1SVrNiiEACZzVMdYrf6LoDKOTaKENvHtJOXYIHzG5QLH+C0 /uwyC/TES3RdbW5zMyvMT1Nh+zz9w2jSgYIu/BSgFzXt3+GXhySi/s/rftf1+fr5 K/38OyteKkgbvKJBbvmljTaEoL8rpflXrlR8nL9ozUcv7hLO6If9sQFD+3f5Klfd 6jx3k0F5g2SLmQLO00o6tC4ro9PhJlU7g05ji75bHQA9S3hwYx8fM75OZN/4hC4U fRXHOLLbPfDOOIdM0McHRiMhayMYskoVU7UhV229zZlCf+rD3odcr/eu46wGE/cF RmMScyEV3IFuPJAUl4F+ph/j2eKPJ92t73ZtqTbXeIaYL/5AGbbAb8q6BQSoO7oL BNftzSdEoisjy9xCCUdrnnih2roNUxVwCzpCyrSRbxbnaagA8+UPOGyvk96jA+Ky jAYfgefmIHZ374iaMLhE6KdzqzIcxtZkA3xbjiCgzwJioHbSB0aImsZjaf60G5KX TOPwUWc8qFfShhBl0UanTispdMZtdgxEvs+FRluDypQevU0DnFFnu4ZCD7kXEuCO cWkORMQt3Av5Nyc7QWi5nhpG6P1d1a9CUGsag9xIGQjbsCaqg4k2X26Uy2M5DPb4 xfm2jwTvkSd/3fw4eB4hBiqnkWVtKUKUNqIgSa+9uG5fjRy0vdjNLMH2OdHuT5p3 DgyjGQ== =K8qK -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.