Date: Mon, 19 Aug 2013 18:58:22 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>,
        security@...tgresql.org
Subject: PostgreSQL insecure install via yum (multiple problems)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Problem:

So I wanted to install PostgreSQL 9.2 to test something. So I google
"postgresql 9.2 rpm" and get sent to:

http://yum.postgresql.org/repopackages.php

which is not available by HTTPS at all. Not ideal but ok, I download
it over HTTP because I can check the signature on the file right?

Wrong, I can't find the key anywhere. I try pgp.mit.edu, I even google
site:postgresql.org 442df0f8 and all you get are archived emails with
the warning that the signature can't be checked. No copy of the key.

Solution:

Can PostgreSQL please setup HTTPS immediately for this site, and also
publish the GPG key used to sign their RPMs in a secure manner (e.g.
on the HTTPS site)?

To replicate:

$ wget https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm

Fails.

$ wget https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm

Gets the file but:

$ rpm -K pgdg-centos92-9.2-6.noarch.rpm
pgdg-centos92-9.2-6.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
(MISSING KEYS: GPG#442df0f8)

Signing RPMs isn't very useful if you never make the signing key
available!


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSEr8uAAoJEBYNRVNeJnmTzLQP/228FfA/y66CgrCrvrvp6xba
wTcp7bNC/cS/if5Lbgq+tyg93T/MSDE+KmTjV2M+2O68Ui2QsXem7E6w400E1jJN
S25o5lQK5cvE8wHAVk9xtTTdZIOdvRAStcnGOLEV0/FZ7vVevTnfvySj8gA21mcR
BQVeZ7qJ2rY41fOOCa29cE9v3g/lrGqV5NoIMDX749IlEz0OQihGGvmxtD+aOwds
YhCq8HrJYdnjKuNOQoAvuuTLGwbgGl4Ay6S1i/UAMmMCan57bf1SA6phLxet4BMr
arraVYO+n30kVbCyU3sHmSz+nJsOKN3bdy/lhk+0FtbF0yO/1UEi4wqCeb1JQSXA
fq0lBXBbe3zGr69yZbh/TwDxKggsJ/FMWX0HmfKuk99vHXFRa2lmhqSA3DJRgvVe
ypAyc3I4CovcWNwFmINQFafN8sK/1mjpq7PtsHa6kg2JWQ9M69yEEzFTrVQD7ssx
xhaj9IKKLwtnEZSUkf2YnV1lSUrMMzlAMQwcV91hWPp/Ybj/UmJvCMV0Q54g6KVk
uyvEEvkKhiEj2ChljXPhCReU2XYbKPD/1wF9CjmD01aR3LBi6SwzSJ1o402H5sTK
SXZk9WmOAw2yOA937mjpm1Hy+nwRST3YuGoerQ86h1aYJ2zwOkv86figZ1r9Cldy
rl0O7qoGTY3wOAG8csxX
=8Hvl
-----END PGP SIGNATURE-----

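The post turns on two things a defender has to check by hand: what `rpm -K` actually reports (and the trap that it prints `OK` for an unsigned package, because only the digests were checked), and whether the repo definition that pulled the package in is configured to verify signatures at all. The script below is an added example, not code from the post or from the PostgreSQL project. It parses constructed `rpm -K` output (only the `NOT OK` / `MISSING KEYS` line mirrors the post) into a verdict per package, and audits a constructed yum `.repo` file for settings that defeat package authentication; the `RPM-GPG-KEY-EXAMPLE` key path is a placeholder, not the project's real key file.

```python
"""Classify `rpm -K` (rpm --checksig) output and audit yum repo definitions.

Added example, not part of the oss-security post. The sample output and the
repo file are constructed; only the NOT OK line reproduces what the post shows.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, List

_MISSING_RE = re.compile(r"MISSING KEYS:\s*([^)]*)\)")
_KEYID_RE = re.compile(r"(?:GPG|PGP)#([0-9A-Fa-f]{8,16})")


@dataclass
class SigCheck:
    filename: str
    verdict: str  # "verified", "unsigned", "missing-key" or "bad"
    missing_keys: List[str] = field(default_factory=list)


def _join_wrapped(output: str) -> List[str]:
    """Older rpm wraps '(MISSING KEYS: ...)' onto its own line; glue it back."""
    lines: List[str] = []
    for raw in output.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith("(") and lines:
            lines[-1] += " " + s
        else:
            lines.append(s)
    return lines


def parse_checksig(output: str) -> List[SigCheck]:
    """One SigCheck per 'file: tokens OK|NOT OK [...]' line.

    rpm prints OK for an unsigned package (digests matched, nothing else), so
    a signature token (gpg/pgp on EL6, 'signatures' on newer rpm) must be
    present before OK means "authenticated".
    """
    results: List[SigCheck] = []
    for line in _join_wrapped(output):
        if ": " not in line:
            continue
        filename, rest = line.split(": ", 1)
        tokens = rest.lower()
        signed = any(t in tokens for t in ("gpg", "pgp", "signatures"))
        if "NOT OK" in rest:
            m = _MISSING_RE.search(rest)
            keys = [k.lower() for k in _KEYID_RE.findall(m.group(1))] if m else []
            results.append(SigCheck(filename, "missing-key" if keys else "bad", keys))
        elif re.search(r"\bOK\b", rest):
            results.append(SigCheck(filename, "verified" if signed else "unsigned"))
    return results


def audit_repo(repo_text: str) -> Dict[str, List[str]]:
    """Return, per repo section, the settings that leave packages unauthenticated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        sec = cp[section]
        issues: List[str] = []
        gpgcheck = sec.get("gpgcheck", "0").strip() == "1"
        if not gpgcheck:
            issues.append("gpgcheck is not 1: package signatures are never verified")
        key = sec.get("gpgkey", "").strip()
        if not key:
            issues.append("no gpgkey: nothing to verify signatures against")
        elif not key.startswith(("https://", "file://")):
            issues.append("gpgkey fetched over an unauthenticated channel: " + key)
        url = sec.get("baseurl", sec.get("mirrorlist", "")).strip()
        if url.startswith("http://") and not gpgcheck:
            issues.append("packages over plain HTTP with no signature check")
        if issues:
            findings[section] = issues
    return findings


# Constructed sample: the first line mirrors the post, the rest are made up.
SAMPLE_CHECKSIG = """\
pgdg-centos92-9.2-6.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
(MISSING KEYS: GPG#442df0f8)
local-build-1.0-1.noarch.rpm: sha1 md5 OK
vendor-tool-2.3-1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) OK
"""

# Constructed sample: weak definition beside a hardened one (placeholder key path).
SAMPLE_REPO = """\
[pgdg92]
name=PostgreSQL 9.2 (constructed sample)
baseurl=http://yum.postgresql.org/9.2/redhat/rhel-6-x86_64
enabled=1
gpgcheck=0

[pgdg92-fixed]
name=PostgreSQL 9.2 (constructed sample, hardened)
baseurl=https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
"""

if __name__ == "__main__":
    for r in parse_checksig(SAMPLE_CHECKSIG):
        print(f"{r.filename}: {r.verdict} {r.missing_keys or ''}")
    for repo, issues in audit_repo(SAMPLE_REPO).items():
        print(repo, "->", "; ".join(issues))
```

Run against real output with `rpm -K *.rpm | python3 this_script.py` style plumbing once `parse_checksig` is fed from stdin; the point of the "unsigned" verdict is that a plain `OK` from `rpm -K` is not evidence that a package came from the vendor. The repo audit flags the same gap from the other side: `gpgcheck=0`, a missing `gpgkey`, or a key URL over plain HTTP means the signing key problem described in the post never even surfaces at install time.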