6

The Heartbleed exploit (CVE-2014-0160) makes SSL connections using OpenSSL vulnerable to private key leakage.

Does it mean that official update channels in RHEL/CentOS/etc. and Debian/Ubuntu shall be considered compromised?

Deer Hunter
  • 1,866

1 Answer

6

Packages and lists in the Debian / Ubuntu repositories are signed by GPG keys. The transport is not secured with SSL (packages are transferred over just plain ftp or http). I am not that familiar with RHEL / CentOS, but if RPMs are signed too, then the same should apply.

Lekensteyn
  • 20,830