[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] owning ubuntu apt-key net-update (maybe apt-get update related)
- To: GloW - XD <doomxd@xxxxxxxxx>
- Subject: Re: [Full-disclosure] owning ubuntu apt-key net-update (maybe apt-get update related)
- From: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Date: Sun, 25 Sep 2011 12:29:59 +0300
On Sat, Sep 24, 2011 at 07:49:19AM +1000, GloW - XD wrote:
> Aha, sounds like typical (unfortunately), the case of the 'sads' on Ubuntus
> behalf.
> This is what unfortunately stops somany people from reporting, just that
> BIT of acknowledgemnt, even just a thanks on theyre webpage, but instead
> they people think "oh well, this guy has probably raped 5000 boxes then
> given us this" , it must be the approach of some companies, or they have
> very pathetic secteams, (in ubuntus cause, -no comment rofl).
> anyhow thx for clearing that up.
> cheers,
> xd
>
>
10x.
btw, there is strange behaviour with colliding gpg key IDs.
the first one totally shadows the second one, which might potentially be
exploitable.
a possible scenario might be to trick the user to import the forged key ID
first.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/