Article Title: Most Linux package managers have security risks. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Software bugs often lead to security vulnerabilities, and the package manager can be used to automatically upgrade and install software and fix previous vulnerabilities. However, if the package manager is no longer secure, the entire system may be more threatened.
Researchers at the University of Arizona recently conducted a study to check the security of multiple Linux and BSD package managers, including APT, YUM, and YaST, the problem was found in the package manager of all tests.
While most package managers use a signature mechanism to ensure security, it is said that using CVE-2008-0166 vulnerabilities allows attackers to successfully sign software packages containing malicious content, especially when users use a third-party image source, the security of the upgrade package is not guaranteed. In addition, most Linux distributions do not have enough efforts to check personal or organizational image update sites. Therefore, attackers can easily become officially authenticated image sites.
To illustrate the severity of the problem, the researchers used a fake administrator and company name using the rented server, however, all the released versions (including Ubuntu, Fedora, OpenSuSE, CentOS, and Debian) that have been tried have been listed in the official image list.