oss-sec mailing list archives

Re: CVE for Kali Linux

From: Justin Steven <justin () justinsteven com>
Date: Sun, 22 Mar 2015 12:04:54 +1000

Kali, like its upstream (Debian), signs packages using gpg.

https://wiki.debian.org/SecureApt

Kali provides sha1sums over https at their site to verify the .iso
download, as well as providing gpg signatures for .iso files

--
Justin

On 22 March 2015 at 11:59, Kurt Seifried <kseifried () redhat com> wrote:

From RISKS, looks like it needs a CVE

Date: Tue, 17 Mar 2015 07:37:50 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Kali Linux security is a joke!

FYI -- Your best chance to hack the hackers...

  "Downloading Kali Linux"

  "Alert!  Always make certain you are downloading Kali Linux from official
  sources, as well as verifying md5sums against official values.  It would
  be easy for a malicious entity to modify a Kali install to contain
  malicious code, and host it unofficially."
  http://docs.kali.org/category/introduction

---

No kidding!

So how come whenever you do apt-get install in Kali Linux, it accesses
http://security.kali.org and http://http.kali.org ??

Hasn't Kali heard about MITM attacks against http ??

What's the point of verifying md5 sums against "official values", if Kali
can't even get the "official values" securely ??

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Current thread:

CVE for Kali Linux Kurt Seifried (Mar 21)
- Re: CVE for Kali Linux Justin Steven (Mar 21)
  - Re: CVE for Kali Linux Kurt Seifried (Mar 21)
    - Re: CVE for Kali Linux Daniel Micay (Mar 21)
    - Re: CVE for Kali Linux Russ Allbery (Mar 21)
    - Re: CVE for Kali Linux Daniel Micay (Mar 21)
    - Re: CVE for Kali Linux Daniel Micay (Mar 21)
    - Re: CVE for Kali Linux Florian Weimer (Mar 22)
    - Re: CVE for Kali Linux Daniel Micay (Mar 22)
    - Re: CVE for Kali Linux Amos Jeffries (Mar 22)
    - Re: CVE for Kali Linux Daniel Micay (Mar 22)
    - Re: CVE for Kali Linux Michael Samuel (Mar 21)

(Thread continues...)