Date: Sun, 22 Mar 2015 12:04:54 +1000
From: Justin Steven <justin@...tinsteven.com>
To: oss-security@...ts.openwall.com
Cc: Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE for Kali Linux

Kali, like its upstream (Debian), signs packages using gpg.
https://wiki.debian.org/SecureApt

Kali provides sha1sums over https at their site to verify the .iso download, as well as providing gpg signatures for .iso files.

-- Justin

On 22 March 2015 at 11:59, Kurt Seifried <kseifried@...hat.com> wrote:
> From RISKS, looks like it needs a CVE
>
> Date: Tue, 17 Mar 2015 07:37:50 -0700
> From: Henry Baker <hbaker1@...eline.com>
> Subject: Kali Linux security is a joke!
>
> FYI -- Your best chance to hack the hackers...
>
> "Downloading Kali Linux"
>
> "Alert! Always make certain you are downloading Kali Linux from official
> sources, as well as verifying md5sums against official values. It would
> be easy for a malicious entity to modify a Kali install to contain
> malicious code, and host it unofficially."
> http://docs.kali.org/category/introduction
>
> ---
>
> No kidding!
>
> So how come whenever you do apt-get install in Kali Linux, it accesses
> http://security.kali.org and http://http.kali.org ??
>
> Hasn't Kali heard about MITM attacks against http ??
>
> What's the point of verifying md5 sums against "official values", if Kali
> can't even get the "official values" securely ??
>
>
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
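The reply above rests on how SecureApt works: apt fetches a gpg-signed Release file, which lists hashes of the Packages indexes, which in turn list hashes of every .deb, so downloads over plain http are pinned by a hash all the way down once the Release signature checks out. The following is an added example, not code from Kali, Debian or apt, that models that hash chain with the standard library; the Release text, Packages stanza and .deb bytes are constructed inline, and the gpg signature check over Release (`gpg --verify`) is assumed to have been done separately, which the last function shows is exactly the step an http MITM cannot be allowed to skip.

```python
"""Hash-chain check behind SecureApt (added example, not Kali/Debian/apt code).

Release (signed via InRelease or Release.gpg) -> Packages index -> .deb.
Each link carries the SHA256 and size of the next, so after the Release
signature is verified, a .deb swapped on the wire by a MITM no longer
matches the hash apt already holds.  The gpg verification of Release
itself is assumed done before verify_chain() is called.
"""
import hashlib
import re


def parse_release(text):
    """Return {filename: (size, sha256hex)} from the 'SHA256:' section of a Release file."""
    entries = {}
    in_sha256 = False
    for line in text.splitlines():
        if not line.startswith(" "):          # a new header; continuation lines are indented
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:
            digest, size, name = line.split()
            entries[name] = (int(size), digest)
    return entries


def parse_packages(text):
    """Return {Filename: (Size, SHA256)} from a Packages index (blank-line separated stanzas)."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        pkgs[fields["Filename"]] = (int(fields["Size"]), fields["SHA256"])
    return pkgs


def matches(expected, data):
    """Check both size and SHA256 so a length-preserving swap is also caught."""
    size, digest = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_chain(release_text, index_name, index_bytes, deb_name, deb_bytes):
    """True iff index_bytes is what Release promises and deb_bytes is what the index promises."""
    release = parse_release(release_text)
    if index_name not in release or not matches(release[index_name], index_bytes):
        return False
    pkgs = parse_packages(index_bytes.decode())
    return deb_name in pkgs and matches(pkgs[deb_name], deb_bytes)


# --- constructed sample repository (not real Kali/Debian metadata) ---------
DEB_NAME = "pool/main/e/example/example_1.0_all.deb"
INDEX_NAME = "main/binary-all/Packages"


def build_repo(deb_bytes):
    """Produce a consistent (Release text, Packages bytes) for the given .deb bytes."""
    packages = (
        "Package: example\nVersion: 1.0\nArchitecture: all\n"
        f"Filename: {DEB_NAME}\nSize: {len(deb_bytes)}\n"
        f"SHA256: {hashlib.sha256(deb_bytes).hexdigest()}\n"
    ).encode()
    release = (
        "Origin: Example\nSuite: stable\nSHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} {INDEX_NAME}\n"
    )
    return release, packages


GENUINE_DEB = b"!<arch>\ngenuine-package-contents\n"        # constructed stand-in for a .deb
TROJANED_DEB = b"!<arch>\ngenuine-package-contents\nX\n"    # same prefix plus one extra line
RELEASE, PACKAGES = build_repo(GENUINE_DEB)


def genuine_download_passes():
    return verify_chain(RELEASE, INDEX_NAME, PACKAGES, DEB_NAME, GENUINE_DEB)


def swapped_deb_fails():
    """MITM on http replaces only the .deb: the index hash no longer matches."""
    return not verify_chain(RELEASE, INDEX_NAME, PACKAGES, DEB_NAME, TROJANED_DEB)


def swapped_index_fails():
    """MITM rewrites Packages to match the trojan: Release's hash of the index breaks."""
    _, forged_packages = build_repo(TROJANED_DEB)
    return not verify_chain(RELEASE, INDEX_NAME, forged_packages, DEB_NAME, TROJANED_DEB)


def unsigned_release_is_forgeable():
    """If Release itself is accepted without its gpg signature, the whole chain can be forged."""
    forged_release, forged_packages = build_repo(TROJANED_DEB)
    return verify_chain(forged_release, INDEX_NAME, forged_packages, DEB_NAME, TROJANED_DEB)


if __name__ == "__main__":
    print("genuine:", genuine_download_passes())
    print("swapped deb detected:", swapped_deb_fails())
    print("swapped index detected:", swapped_index_fails())
    print("forged chain accepted without signature check:", unsigned_release_is_forgeable())
```

The last function is the point of the thread: every hash in the chain is only as trustworthy as the Release file it hangs from, so the transport (http vs https) is irrelevant exactly as long as apt verifies the gpg signature on Release against a key it already holds; the same structure applies to an ISO checked with a signed SHA1SUMS file.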