Enterprise Linux Log

Jul 28 2008   4:34PM GMT

Package managers: Downloaders beware

Suzanne Wheeler

Package management—the process of determining which update packages should be installed on a host and then downloading and installing those packages—invites a dilemma: OSes need to be updated, but the process of updating them can itself invite security breaches.

A recent study at the University of Arizona explored nine feasible attacks on the popular package managers APT and YUM. As part of their research, the study’s authors posed as a group of administrators from a nonexistent company and leased a server from a hosting provider. Thousands of clients, including government agencies, downloaded upgrades, which prompted their operating systems to endlessly replicate data, misidentify dependencies, and install unnecessary software. It also left these clients vulnerable to other attacks on their systems, including hackers gaining root access to OSes, system crashes and erased files. Researchers concluded that many public mirrors, the software repositories that serve upgrade downloads, are in fact maliciously established and have become sources of attack. You can prevent most of these issues by downloading only from repositories with signed metadata, the study counseled. A signature lets the client verify that the repository metadata came from the distributor rather than from whoever operates the mirror.
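As an added illustration (not code from the post or from the study it cites), here is a toy Python client that trusts only distributor-signed metadata when downloading from an untrusted mirror. It assumes a constructed HMAC key standing in for the distribution's GPG signing key, and it goes slightly beyond the paragraph by also bounding each download to the signed size and rejecting expired metadata, which covers the endless-download and stale-mirror problems the post describes.

```python
import hashlib
import hmac
import json

# Constructed distributor key: it stands in for the distribution's GPG signing
# key, and HMAC-SHA256 stands in for the signature so the block runs offline.
DISTRIBUTOR_KEY = b"constructed-distributor-signing-key"
def sign_metadata(metadata, key=DISTRIBUTOR_KEY):
    # Sign the canonical (sorted-key) JSON form so the signed bytes are unambiguous.
    canonical = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()

def verify_metadata(metadata, signature, now, key=DISTRIBUTOR_KEY):
    # Reject metadata the mirror altered (bad signature) or replayed (expired).
    if not hmac.compare_digest(sign_metadata(metadata, key), signature):
        raise ValueError("metadata signature invalid")
    if now > metadata["valid_until"]:
        raise ValueError("metadata expired")

def fetch_package(mirror, metadata, signature, name, now):
    # The mirror is untrusted; only the signed metadata decides what is accepted.
    verify_metadata(metadata, signature, now)
    entry = metadata["packages"][name]
    # Read at most one byte past the signed size so an endless stream is caught.
    data = mirror[name][: entry["size"] + 1]
    if len(data) != entry["size"]:
        raise ValueError(f"{name}: size mismatch")
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        raise ValueError(f"{name}: hash mismatch")
    return data

def try_fetch(mirror, metadata, signature, name, now):
    # Return "ok" or the reason the download was rejected.
    try:
        fetch_package(mirror, metadata, signature, name, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
# Constructed sample repository and mirrors (honest, altered file, endless stream).
PKG = b"#!/bin/sh\necho hello\n"
NOW = 1_700_000_000
METADATA = {"valid_until": NOW + 86_400, "packages": {"hello": {
    "size": len(PKG), "sha256": hashlib.sha256(PKG).hexdigest()}}}
SIGNATURE = sign_metadata(METADATA)
HONEST = {"hello": PKG}
TAMPERED = {"hello": b"#!/bin/sh\necho HELLO\n"}
ENDLESS = {"hello": PKG * 1000}
# A mirror that rewrites the metadata cannot produce a valid signature for it.
ALTERED_META = {**METADATA, "valid_until": NOW + 10 * 86_400}
```

Calling `try_fetch` against each constructed mirror shows the honest one succeed and the altered file, the endless stream, the rewritten metadata and a replay after `valid_until` each rejected with its own reason.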

Protecting against mirror threats
In response, readers suggested a number of additional ways to protect a package manager from such threats.

  • An OpenSUSE page suggested its internally developed tool, download redirector.
  • One blogger wrote that the risks posed by infected repositories are not great enough to merit changes to package manager security.
  • Another acknowledged the risk but argued that simply letting the number of open source package managers grow will maintain or improve their security.
  • A Gentoo administrator promoted rotating mirrors to ensure security.

Package manager security, as pointed out by this report, is crucial to the success of your operating system. With the present drive for continuous upgrades for your data center, you may feel pressure to download from the most accessible source available. Don’t: the risk of downloading insecure software is greater than the time it will take to check out the above links.

For more on package managers, check out these links:

  • How to manage software on Ubuntu Server with “aptitude” and “apt-get”
  • Managing Software on Ubuntu Server Edition
