Re: Insecure instructions for installing YUM repo

From: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>
To: Michael Gauthier <mike(at)silverorange(dot)com>, pgsql-pkg-yum(at)postgresql(dot)org
Subject: Re: Insecure instructions for installing YUM repo
Date: 2016-02-19 09:48:56
Message-ID: 1455875336.9107.60.camel@gunduz.org
Lists: pgsql-pkg-yum


Hi,

On Fri, 2016-02-19 at 02:03 -0400, Michael Gauthier wrote:
> The instructions on http://yum.postgresql.org/howtoyum.php for 
> installing the PostgreSQL YUM repository are insecure.
>
> You are asking people to download and install the repo RPM package over 
> HTTP. A MITM attack could serve an arbitrary RPM and trick users into 
> installing arbitrary software.

Thanks for the heads up. I updated the links on that page, so that they point
to https://download.postgresql.org . Does it work for you?

Please let us know if you see more issues with this.

Regards,
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR
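The problem raised in this thread, a repo RPM fetched over plain HTTP, is easy to audit for. The script below is an added example, not code from the PostgreSQL YUM project or from either poster: it flags `.repo` files that fetch anything over `http://` or that turn GPG checking off, and it downloads a repo RPM over HTTPS only and refuses it unless `rpm --checksig` verifies its signature. The function names, the `example.invalid` host and the sample `.repo` contents are this example's own constructions. HTTPS closes the in-transit MITM; `gpgcheck=1` and a verified package signature are what still protect you if the download server or a mirror itself is compromised, and both require the PGDG signing key to have been imported with `rpm --import` first.

```shell
#!/bin/sh
# Added example, not part of the pgsql-pkg-yum thread or the PostgreSQL YUM
# project. Two checks against the MITM scenario described in the thread:
#   1. audit_repo_file: flag a .repo file that fetches anything over plain
#      http:// or that turns GPG checking off;
#   2. fetch_and_verify_rpm: download a repo RPM over HTTPS only and refuse it
#      unless rpm can verify its signature against an already-imported key.
# Function names, the example.invalid host and the sample .repo contents below
# are constructions of this example.

# Print each insecure setting in the .repo file $1; return 1 if any were
# found, 0 if the file is clean.
audit_repo_file() {
    _bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|'') continue ;;                 # comments and blank lines
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}"  | tr -d ' \t')
        case "$key" in
            baseurl|mirrorlist|metalink|gpgkey)
                case "$val" in
                    http://*) printf 'INSECURE (plain HTTP): %s\n' "$line"; _bad=1 ;;
                esac ;;
            gpgcheck|repo_gpgcheck)
                if [ "$val" = 0 ]; then
                    printf 'INSECURE (signature check off): %s\n' "$line"; _bad=1
                fi ;;
        esac
    done < "$1"
    return "$_bad"
}

# Download $1 to $2 over HTTPS only, then require a valid package signature.
# Needs curl and rpm with the signing key already imported; the demo below
# never reaches the network because it only passes a non-HTTPS URL.
fetch_and_verify_rpm() {
    url=$1; out=$2
    case "$url" in
        https://*) ;;
        *) printf 'refusing non-HTTPS URL: %s\n' "$url" >&2; return 1 ;;
    esac
    curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url" || return 1
    rpm --checksig "$out" || return 1       # non-zero exit if the signature does not verify
}

# Constructed sample repo definitions: an insecure one and its hardened form.
write_sample_repos() {
    cat > "$1" <<'EOF'
[pgdg96]
name=PostgreSQL 9.6 (constructed sample, insecure)
baseurl=http://example.invalid/pgdg96/
enabled=1
gpgcheck=0
EOF
    cat > "$2" <<'EOF'
[pgdg96]
name=PostgreSQL 9.6 (constructed sample, hardened)
baseurl=https://example.invalid/pgdg96/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-96
EOF
}

main() {
    d=$(mktemp -d)
    write_sample_repos "$d/insecure.repo" "$d/hardened.repo"
    for f in "$d/insecure.repo" "$d/hardened.repo"; do
        printf '== %s\n' "$f"
        if audit_repo_file "$f"; then echo "clean"; else echo "needs fixing"; fi
    done
    rm -rf "$d"
}

main "$@"
```

Running it prints the two offending lines of the insecure sample and reports the hardened one as clean; pointed at `/etc/yum.repos.d/*.repo` it is a quick check that nothing on a host still fetches packages, metadata or keys over plain HTTP.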
