Thread: Insecure instructions for installing YUM repo

Insecure instructions for installing YUM repo

From
Michael Gauthier
Date:
Hi!

The instructions on http://yum.postgresql.org/howtoyum.php for
installing the PostgreSQL YUM repository are insecure.

You are asking people to download and install the repo RPM package over
HTTP. A MITM attack could serve an arbitrary RPM and trick users into
installing arbitrary software.

The first option to fix this is to continue to use HTTP, but tell people
to get the signing key and verify the key and package *before*
installation. For this to work, you should publish your public key and
fingerprint prominently on the site. If possible, provide the key over
HTTPS so the key verification step can be skipped. Step-by-step
instructions should be included like:

  1. download our public key with fingerprint FOO
  2. verify our public key at https://pgp.mit.edu/ or some other source
     you trust
  3. import our key into the RPM DB:
     rpm --import keyfile.key
  4. download the RPM package for your distribution
  5. verify the RPM package:
     rpm -K postgres.rpm
  6. install the RPM package

The second way to fix the issue is to provide the repo RPM package over
HTTPS. This option would be much easier for most users and will require
less documentation.

Please see
https://securityblog.redhat.com/2015/08/19/secure-distribution-of-rpm-packages/
for more details about why the current instructions are inadequate.

Thanks,
Mike
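The six verify-before-install steps in the list above, written out as a POSIX shell script. This is an added example, not something posted in the thread or published by the PostgreSQL project: it assumes `gpg` and `rpm` are on PATH, the fingerprint in it is a constructed placeholder (the real one must come from the project's site or another source you trust, never from the same unauthenticated download), and the function names are mine. The point it makes beyond the list is that the comparison must be against the full 40-hex-digit fingerprint, not a short key ID, and that `rpm -K` passing is not enough on its own, since an unsigned package also passes the digest check; the package's Signature line must name the expected key.

```shell
#!/bin/sh
# Added example (not from the thread): verify the signing key's fingerprint
# before importing it, then verify the repo RPM is signed by that key before
# installing. gpg and rpm are assumed to be on PATH.
set -eu

# Constructed placeholder; replace with the fingerprint published by the project.
EXPECTED_FPR="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Normalise a fingerprint for comparison: drop spaces, uppercase hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 only if both values are the same full 40-hex-digit v4 fingerprint.
# A short key ID is rejected on purpose: it is not unique enough to trust.
fingerprint_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# rpm prints the signing key as a 16-hex key ID, which is the tail of the
# full fingerprint (lowercase in rpm's output).
keyid_from_fpr() {
    normalize_fpr "$1" | tail -c 16 | tr 'A-F' 'a-f'
}

# Check the "Signature" line from `rpm -qpi`: reject unsigned packages
# ("(none)") and packages signed by any key other than the expected one.
signature_line_matches() {
    line=$1
    fpr=$2
    case "$line" in
        *"(none)"*) return 1 ;;
        *"Key ID $(keyid_from_fpr "$fpr")"*) return 0 ;;
    esac
    return 1
}

# Read the primary fingerprint out of a downloaded key file without importing it.
key_file_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 1-5 of the list: check the key, import it, check the package.
# Exits non-zero before anything is installed if any check fails.
verify_repo_rpm() {
    keyfile=$1
    rpmfile=$2
    expected=$3

    actual=$(key_file_fingerprint "$keyfile")
    fingerprint_matches "$expected" "$actual" \
        || { echo "key fingerprint mismatch: got '$actual'" >&2; return 1; }

    rpm --import "$keyfile"

    # rpm -K exits non-zero on NOT OK; an unsigned package still passes here.
    rpm -K "$rpmfile" >/dev/null \
        || { echo "rpm -K failed for $rpmfile" >&2; return 1; }

    sig=$(rpm -qpi "$rpmfile" | grep '^Signature' || true)
    signature_line_matches "$sig" "$expected" \
        || { echo "unexpected signature on $rpmfile: '$sig'" >&2; return 1; }

    echo "OK: $rpmfile is signed by $expected; step 6 (install) may proceed"
}

# Usage: ./verify_repo_rpm.sh keyfile.key postgres.rpm "$EXPECTED_FPR"
if [ "$#" -eq 3 ]; then
    verify_repo_rpm "$1" "$2" "$3"
fi
```

Only after `verify_repo_rpm` returns 0 should step 6 run (`rpm -i postgres.rpm` or the yum equivalent). The fingerprint and key-ID helpers are pure string functions so they can be exercised without rpm or gpg installed.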


Re: Insecure instructions for installing YUM repo

From
Devrim GÜNDÜZ
Date:
Hi,

On Fri, 2016-02-19 at 02:03 -0400, Michael Gauthier wrote:
> The instructions on http://yum.postgresql.org/howtoyum.php for 
> installing the PostgreSQL YUM repository are insecure.
>
> You are asking people to download and install the repo RPM package over 
> HTTP. A MITM attack could serve an arbitrary RPM and trick users into 
> installing arbitrary software.

Thanks for the heads up. I updated the links on that page, so that they point
to https://download.postgresql.org . Does it work for you?

Please let us know if you see more issues with this.

Regards,
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR




Re: Insecure instructions for installing YUM repo

From
Michael Gauthier
Date:
On 2/19/2016 5:48 AM, Devrim GÜNDÜZ wrote:
>
> Hi,
>
> On Fri, 2016-02-19 at 02:03 -0400, Michael Gauthier wrote:
>> The instructions on http://yum.postgresql.org/howtoyum.php for
>> installing the PostgreSQL YUM repository are insecure.
>>
>> You are asking people to download and install the repo RPM package over
>> HTTP. A MITM attack could serve an arbitrary RPM and trick users into
>> installing arbitrary software.
>
> Thanks for the heads up. I updated the links on that page, so that they point
> to https://download.postgresql.org . Does it work for you?
>
> Please let us know if you see more issues with this.
>
> Regards,
>
Hi Devrim,

Thanks for the quick update to use HTTPS! This is indeed much better
than before and works for me.

Cheers,
Mike