Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 19 Aug 2013 21:04:07 -0400
From: Landon Hurley <ljrhurley@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: PostgreSQL insecure install via yum (multiple problems)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Kurt Seifried <kseifried@...hat.com> wrote:
>Problem:
>
>So I wanted to install PostgreSQL 9.2 to test something. So I google
>"postgresql 9.2 rpm" and get sent to:
>
>http://yum.postgresql.org/repopackages.php
>
>which is not available by HTTPS at all. Not ideal but ok, I download
>it over HTTP because I can check the signature on the file right?
>
>Wrong, I can't find the key anywhere. I try pgp.mit.edu, I even google
>site:postgresql.org 442df0f8 and all you get are archived emails with
>the warning that the signature can't be checked. No copy of the key.

Kurt,
pgp.mit.edu is deprecated. I recommend searching 0x442df0f8 on
 pool.sks-keyservers.net which does return a key.

landon



>Solution:
>
>Can PostgreSQL please setup HTTPS immediately for this site, and also
>publish the GPG key used to sign their RPMs in a secure manner (e.g.
>on the HTTPS site)?
>
>To replicate:
>
>$ wget
>https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm
>
>Fails.
>
>$ wget
>https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm
>
>Gets the file but:
>
>$ rpm -K pgdg-centos92-9.2-6.noarch.rpm
>pgdg-centos92-9.2-6.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
>(MISSING KEYS: GPG#442df0f8)
>
>Signing RPM's isn't very useful if you never make the signing key
>available!
>
>
>--
>Kurt Seifried Red Hat Security Response Team (SRT)
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


- --
Violence is the last refuge of the incompetent.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iQJBBAEBCgArBQJSEsCHJBxMYW5kb24gSHVybGV5IDxsanJodXJsZXlAZ21haWwu
Y29tPgAKCRA3qYf9H1SVrNiiEACZzVMdYrf6LoDKOTaKENvHtJOXYIHzG5QLH+C0
/uwyC/TES3RdbW5zMyvMT1Nh+zz9w2jSgYIu/BSgFzXt3+GXhySi/s/rftf1+fr5
K/38OyteKkgbvKJBbvmljTaEoL8rpflXrlR8nL9ozUcv7hLO6If9sQFD+3f5Klfd
6jx3k0F5g2SLmQLO00o6tC4ro9PhJlU7g05ji75bHQA9S3hwYx8fM75OZN/4hC4U
fRXHOLLbPfDOOIdM0McHRiMhayMYskoVU7UhV229zZlCf+rD3odcr/eu46wGE/cF
RmMScyEV3IFuPJAUl4F+ph/j2eKPJ92t73ZtqTbXeIaYL/5AGbbAb8q6BQSoO7oL
BNftzSdEoisjy9xCCUdrnnih2roNUxVwCzpCyrSRbxbnaagA8+UPOGyvk96jA+Ky
jAYfgefmIHZ374iaMLhE6KdzqzIcxtZkA3xbjiCgzwJioHbSB0aImsZjaf60G5KX
TOPwUWc8qFfShhBl0UanTispdMZtdgxEvs+FRluDypQevU0DnFFnu4ZCD7kXEuCO
cWkORMQt3Av5Nyc7QWi5nhpG6P1d1a9CUGsag9xIGQjbsCaqg4k2X26Uy2M5DPb4
xfm2jwTvkSd/3fw4eB4hBiqnkWVtKUKUNqIgSa+9uG5fjRy0vdjNLMH2OdHuT5p3
DgyjGQ==
=K8qK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.