Questions tagged [package-manager]

A package manager is a tool that automates the installation, updating and removal of software.

47 questions

Safety of packages through yum (1 vote, 1 answer)

Recently, a yum update installed an update to R1Soft's server backup management software on a Redhat 7 server I am dealing with, and rkhunter is giving me a warning about a suspicious file. I've asked about the legitimacy of that warning in this…
SCruz

What is "Linux Cert Store Sync" when installing the "mono" package on my Linux? (1 vote, 1 answer)

While installing some package in my Arch Linux system, I noticed certificates import operation that added 157 new CAs, that is strange for me: Synchronize local certs with certs from local Linux trust store. What are these certificates and why do…
DLAccident

Is the Linux kernel supported by Linux Mint 17 LTS vulnerable? (1 vote, 3 answers)

During a local security check performed by nessus on a Linux Mint Qiana 17 LTS system, even if the host is perfectly updated, I have found 34 vulnerabilities about the kernel. For example: USN-2946-1 ( CVE-2015-8812, CVE-2016-2085, CVE-2016-2550,…
Sibwara

Cryptography behind RedHat subscription system (DRM)? (1 vote, 1 answer)

I have to do a project like a subscription manager. Ideally this should work like RedHat subscriptions. I'm having a hard time figuring out how it was implemented. How do they manage to avoid a customer modifying the subscription components in a…
Thilina

How to check if a certain vulnerability has been fixed with a backport? (0 votes, 0 answers)

I have a server that runs Ubuntu Server 20.04 LTS. This version of nginx provided by the official repository is 1.18.0, which in turn is vulnerable to CVE-2021-23017. However, the changelog says that the version provided by the Ubuntu repository…

How do you lock down PyPI access? (0 votes, 0 answers)

Another question (Is it possible to block non-PyPI requests during pip install?) asked about locking down non-PyPI pip installs for security reasons. This doesn't deal with the problem of malicious packages within PyPI itself. So, I would like to…
Compholio

What are the risks associated with installing flatpaks at user level? (0 votes, 0 answers)

flatkill has been floating around for a while, and honestly it was the reason I was personally resistant to using flatpak packages for a while. I'm wondering though, most of the article is written from the perspective that you are installing flatpak…

Loop device added at package installation - is it a security threat? (0 votes, 1 answer)

I just noticed a strange loop device that was added to my machine today. It is mounted under /run/media//CENA_X86FREE_EN-US_DV9 and seems to contain Windows files, probably a Windows installer with a bit more than 4.1GB used space (directories…
kaiya

Cross signing practice for PGP package signing keys? (0 votes, 0 answers)

I consider Web of Trust as a failed initiative (search for SKS key poisoning mass occurred in 2019). PGP is used to sign software in source (commits / tags in Git/Mercurial) & binary (compiled artifacts) forms. Currently when I download software…
gavenkoa

Possibility of Man-in-the-middle Attack on Homebrew (0 votes, 0 answers)

It has been brought up in the past that package managers such as pip are vulnerable to man in the middle attacks (see https://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/). This is due to all packages being…
Harrison G

Does pacman enforce cryptographic authentication and integrity validation by default for all packages? (Arch Linux) (0 votes, 1 answer)

Does the built-in pacman package manager in Arch-based systems require successful cryptographic authentication and integrity validation for all packages? I know that software downloaded with apt-get packages must be cryptographically verified…
Michael Altfield

Does yarn (Node.js package manager) provide cryptographic authentication and integrity validation? (0 votes, 0 answers)

Does the yarn package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? I see a lot of guides providing installation instructions with steps asking the…

Security implications of homebrew (0 votes, 0 answers)

I want to install homebrew in the safest possible way (single user system). It is often criticized that homebrew takes precedence over /usr/bin and /bin (in /etc/path) and therefore any malware can simply put binaries or libraries there. For…

Looking for computer-readable lists of CVE-to-package-name sources (0 votes, 0 answers)

Redhat has a very nice xml containing all known CVEs and the package version they are fixed in (https://www.redhat.com/security/data/metrics/rpm-to-cve.xml). I would like to know if any other Linux distro (or even Windows) has something equivalent…
drdrek

Does `npm install` retrieve binaries or sources? (0 votes, 0 answers)

I am starting to use npm install a lot for development, but I fear about its security consequences. Does npm install retrieve binaries or sources? If it's binaries, it's already a deal breaker for me. If it's sources, what level of scrutiny is the…
knocte