Re: CVE for Kali Linux

[Marcus Meissner <meissner () suse de>]

On Tue, Mar 24, 2015 at 12:13:06AM +0300, Alexander Cherepanov wrote:
> On 2015-03-23 13:38, Marcus Meissner wrote:
> > > There are some attacks even if you verify signatures, e.g. serving
> > > old, known-vulnerable versions. HTTPS can help here (until
> > > signatures start to be widely accompanied by expiring timestamps or
> > > something).
> >
> > SUSE has added an expiry tag in the YUM metadata for such cases.
>
> It's nice to see progress in this area. Does SUSE guard against
> other attacks from [1] too?
>
> [1] https://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf

Our statements from 2008 (7 years ago) still stand and our package
manager does the full repository signing since 2006 already.

https://lizards.opensuse.org/2008/07/16/package-management-security-on-opensuse/

"Endless Data Attack" is open, as it is hard to solve for openSUSE with
its public mirror system.

The expiry was something added a bit later after the paper to address
the downgrade and replay attacks.

Ciao, Marcus