Slashdot Mirror


Package Managers As Achilles Heel

An anonymous reader writes "Researchers from the University of Arizona have released a study that takes a look at the security of ten popular package managers. They were able to show all ten were vulnerable to attacks from a mirror or man-in-the-middle that allow an attacker to (along with other things) crash the system or obtain root access. Furthermore, the researchers created a fictitious administrator and company name and were able to lease a server and get it listed as an official mirror for all the distributions they tried (Ubuntu, Debian, Fedora, CentOS, and OpenSUSE). This raised the question: What keeps you up at night, the thought of attacks on your package manager or the previously discussed and patched vulnerability in DNS?" Justin Samuel (one of the Arizona researchers) also points out a synopsis on CERT's blog.

26 of 263 comments

  1. Answer by Anonymous Coward · · Score: 5, Funny

    What keeps you up at night, the thought of attacks on your package?

    Yes.

    1. Re:Answer by adminstring · · Score: 5, Funny

      You must have kittens...

      --
      My truck is like a series of tubes.
    2. Re:Answer by jd · · Score: 5, Funny

      The correct modern spelling is kitteh, and you apparently solve that problem by supplying them with elebenty cheezburgers.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:Answer by mrbluze · · Score: 4, Funny

      Iran's missile keeps me up at night more than my Ubuntu's package manager.

      That depends on whether you live next door to one launchpad or the other.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    4. Re:Answer by jank1887 · · Score: 1, Funny

      Iran's package manager keeps my missile up at night...

    5. Re:Answer by robert899 · · Score: 2, Funny

      You must have kittens...

      No, he's an acquaintance of Jesse Jackson.

  2. I better update now by Krneki · · Score: 5, Funny

    ... oh wait!

    --
    Love many, trust a few, do harm to none.
  3. I don't know about you but... by angusthefuzz · · Score: 1, Funny

    I can't sleep because of the "thought of attacks on my package"...

  4. "project" managers by heroine · · Score: 2, Funny

    The headline should be project managers as achilles heal.

  5. Re:Compile from source yourself! by Anonymous Coward · · Score: 2, Funny

    It doesn't help at all. The grandparent is a twelve year old that discovered Gentoo yesterday. Gentoo is '1337' yo.

  6. Re:So, Linux is not more secure? by Anonymous Coward · · Score: 2, Funny

    Yes. Yes you must.

  7. Re:Compile from source yourself! by 77Punker · · Score: 5, Funny

    You've got him all wrong. He's a twelve year old with a PhD that reads and understands every line of code before he allows it to execute on his own hardware.

  8. Re:Neither by HappySmileMan · · Score: 4, Funny

    I bet your girlfriend doesn't keep you up at night either... It's ok, someday you'll find someone who loves you

  9. Re:Neither by HappySmileMan · · Score: 2, Funny

    I'm almost certain I posted that as AC...

  10. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  11. Re:Neither by neokushan · · Score: 4, Funny

    I'm almost certain you didn't.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  12. Re:Neither by pipatron · · Score: 2, Funny

    I'm fairly certain you didn't.

    --
    c++; /* this makes c bigger but returns the old value */
  13. Slackware by FPCat · · Score: 5, Funny

    Good thing I'm running Slackware!

  14. Re:Compile from source yourself! by Anonymous Coward · · Score: 5, Funny

    Noob, he doesn't need source. I'm a 13 year old PhD and I assure you even I can read binaries.

  15. Re:Neither by __NR_kill · · Score: 2, Funny

    Neither keeps me up at night, I have a girlfriend and things to get done.

    Perhaps you should consider changing your girlfriend, mine can always keep me up.

    (for those without a sense of humour, up is used as erected)

  16. Re:Neither by MisterSchmoo · · Score: 4, Funny

    Neither keeps me up at night, I have a girlfriend and things to get done.

    Perhaps you should consider changing your girlfriend, mine can always keep me up.

    (for those without a sense of humour, up is used as erected)

    Do you often find yourself having to explain your erections?

  17. Re:Compile from source yourself! by shadwstalkr · · Score: 5, Funny

    Also, you have to trust your compiler, which you *had* to get from someone else.

    Nah, I wrote my own compiler directly in machine code. I didn't trust my keyboard manufacturer either, so I tapped out Morse code on a homemade key. I made the BIOS out of coconuts, but that was just because that douchebag Gilligan said it couldn't be done.

    -Roy Hinkley

  18. Re:Neither by mrbluze · · Score: 3, Funny

    I'm moderately certain you didn't.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  19. Re:Neither by gustolove · · Score: 2, Funny

    I'm somewhat certain you didn't.

  20. Kittens? Ha! by GameboyRMH · · Score: 2, Funny

    Let me know when you have a 14lb. cat with bigass claws who likes to sit in your lap and use you as a scratching post.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  21. Re:Neither by Lobster+Quadrille · · Score: 2, Funny

    I don't think you did.

    --
    "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497