RE: [CentOS] RH's servers breached
On Tue, 2008-08-26 at 13:54 +1200, Tony Wicks wrote:
> >> >So there are new packages anyway in spite of the other bits.
> >>
> >> Hi all, have I missed something or is there a CentOS update for 5x but none
> >> for 4x ? I've made sure my mirror is synced and looked around at a few
> >> others but can't seem to see an update ?
> >
> >I just fired up my 4.6 and did yum update. No ssh packages, so the
> >problem is not yours.
>
> Do any of the maintainers have a comment on the 4x SSH update availability ?
> I have a couple of SSH bastion servers that I have shut down until the
> update is out just in case so was wondering as to when it would turn up.

I wouldn't worry about it too much unless there are unrelated security fixes.
The SSH updates are against 4.7, so it would most likely be the case that your
current 4.6-based sshd package is still pretty solid... The issue was against
the then-current sshd packages... which would have been issued after the ones
you're currently using...

-I

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] RH's servers breached
>> >So there are new packages anyway in spite of the other bits.
>>
>> Hi all, have I missed something or is there a CentOS update for 5x but none
>> for 4x ? I've made sure my mirror is synced and looked around at a few
>> others but can't seem to see an update ?
>
>I just fired up my 4.6 and did yum update. No ssh packages, so the
>problem is not yours.

Do any of the maintainers have a comment on the 4x SSH update availability ?
I have a couple of SSH bastion servers that I have shut down until the
update is out just in case so was wondering as to when it would turn up.

thanks
RE: [CentOS] RH's servers breached
On Mon, 2008-08-25 at 08:32 +1200, Tony Wicks wrote:
> >So there are new packages anyway in spite of the other bits.
>
> Hi all, have I missed something or is there a CentOS update for 5x but none
> for 4x ? I've made sure my mirror is synced and looked around at a few
> others but can't seem to see an update ?

I just fired up my 4.6 and did yum update. No ssh packages, so the
problem is not yours.

I *suspect* that a decision was made to release them with 4.7 (s/b close
since they have been working towards this for awhile IIUC). Seems
reasonable if it's very close and *if* they made that decision.

--
Bill
RE: [CentOS] RH's servers breached
>> I see an announcement for the packages on the announce list, but no more
>> information anywhere from the CentOS team (Planet or ML). Are these
>> packages "just to be safe" or was there something actually found?
>
>There's a CVE associated with a different (unrelated) bug in how ssh
>handled forwarded x11 sessions. The upstream announcement is here ->
>http://rhn.redhat.com/errata/RHSA-2008-0855.html.
>
>So there are new packages anyway in spite of the other bits.

Hi all, have I missed something or is there a CentOS update for 5x but none
for 4x ? I've made sure my mirror is synced and looked around at a few
others but can't seem to see an update ?

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
Re: [CentOS] RH's servers breached
On Fri, Aug 22, 2008 at 5:15 PM, Paul Norton <[EMAIL PROTECTED]> wrote:
> I see an announcement for the packages on the announce list, but no more
> information anywhere from the CentOS team (Planet or ML). Are these
> packages "just to be safe" or was there something actually found?

There's a CVE associated with a different (unrelated) bug in how ssh
handled forwarded x11 sessions. The upstream announcement is here ->
http://rhn.redhat.com/errata/RHSA-2008-0855.html.

So there are new packages anyway in spite of the other bits.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
Re: [CentOS] RH's servers breached
On Fri, 22 Aug 2008, Paul Norton wrote:
> On Aug 22, 2008, at 12:25 PM, Jim Perrin wrote:
>> Russ has posted some information about this to planet.centos.org, but
>> basically at this point it does not appear to affect the CentOS
>> population. Karanbir has been crawling through the build system to
>> verify this, and we may release an announcement about this later.
>
> I see an announcement for the packages on the announce list, but no more
> information anywhere from the CentOS team (Planet or ML). Are these
> packages "just to be safe" or was there something actually found?

We have released updated packages because updated packages have been
released upstream. We have no reason to believe that any CentOS servers,
packages or keys have been compromised. We have been completing a full
audit of our build systems that has so far not shown any evidence of any
issues.

Regards
Lance

--
uklinux.net - The ISP of choice for the discerning Linux user.
Re: [CentOS] RH's servers breached
On Aug 22, 2008, at 12:25 PM, Jim Perrin wrote:
> Russ has posted some information about this to planet.centos.org, but
> basically at this point it does not appear to affect the CentOS
> population. Karanbir has been crawling through the build system to
> verify this, and we may release an announcement about this later.

I see an announcement for the packages on the announce list, but no more
information anywhere from the CentOS team (Planet or ML). Are these
packages "just to be safe" or was there something actually found?

--
Paul Norton
Systems Administrator
Neoverve - www.neoverve.com
Neoverve Blog - http://blog.neoverve.com/
Re: [CentOS] RH's servers breached
On Fri, Aug 22, 2008 at 1:59 PM, Scott Beardsley <[EMAIL PROTECTED]> wrote:
>> What's the point on this for us, CentOS users ?
>
> I'd like to know if CentOS has been affected by RH's compromise. Can someone
> please comment? AFAIK, CentOS builds from RHEL SRPMs right? So as Rui
> mentioned the script that RH provided is useless. They do give the version
> info of the compromised packages:

Russ has posted some information about this to planet.centos.org, but
basically at this point it does not appear to affect the CentOS
population. Karanbir has been crawling through the build system to
verify this, and we may release an announcement about this later.

If you want to check this out on your own, see ->
http://www.securiteam.com/exploits/5MP0E20CAM.html for details, or for
the short version run 'strings /usr/sbin/sshd | grep bella'

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
Re: [CentOS] RH's servers breached
> What's the point on this for us, CentOS users ?

I'd like to know if CentOS has been affected by RH's compromise. Can someone
please comment? AFAIK, CentOS builds from RHEL SRPMs right? So as Rui
mentioned the script that RH provided is useless. They do give the version
info of the compromised packages:

# The signed tampered packages were:
#
# openssh-3.9p1-8.RHEL4.24 for i386, x86_64 architecture
# openssh-3.9p1-9.el4 for i386, x86_64 architecture
# openssh-4.3p2-26 for x86_64 architecture
# openssh-4.3p2-26.el5 for x86_64 architecture

Of course I have all of these on my local CentOS mirror right now. It would
be nice to know if I'm serving compromised packages. RH doesn't mention
whether the SRPMs were compromised. If they were I suspect CentOS is
affected also.

Thanks in advance,
Scott
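As an added example, not a script from the thread and not Red Hat's or the CentOS team's own check: a POSIX shell script that compares an installed-package listing against the four tampered OpenSSH builds quoted in Scott's message above and also wraps the `strings /usr/sbin/sshd | grep bella` check Jim gives in his reply. It assumes `rpm -q --qf` is available for the live query and GNU binutils `strings` for the marker check; the package lines fed to it in the usage below are constructed, and the match is by name-version-release plus architecture only (the tampered list says nothing about checksums, so a name match is a reason to investigate, not proof of tampering on its own).

```shell
#!/bin/sh
# Added example: check installed OpenSSH builds against the tampered list
# quoted in the thread. Not Red Hat's openssh-blacklist script.

# Name-version-release and architectures, copied from the list above
# (one build per line, architectures separated by spaces).
TAMPERED_BUILDS="
openssh-3.9p1-8.RHEL4.24 i386 x86_64
openssh-3.9p1-9.el4 i386 x86_64
openssh-4.3p2-26 x86_64
openssh-4.3p2-26.el5 x86_64
"

# is_tampered_build NEVR ARCH: returns 0 when that build/arch pair is on
# the list, 1 otherwise. Pure string matching, so it runs without rpm.
is_tampered_build() {
    nevr="$1"; arch="$2"
    while read -r build archs; do
        [ -n "$build" ] || continue
        [ "$build" = "$nevr" ] || continue
        for a in $archs; do
            [ "$a" = "$arch" ] && return 0
        done
    done <<EOF
$TAMPERED_BUILDS
EOF
    return 1
}

# count_tampered: reads "NEVR ARCH" lines on stdin (the format produced by
# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{ARCH}\n'), reports each match
# on stderr, prints the number of matches on stdout and returns non-zero
# when at least one build matched.
count_tampered() {
    n=0
    while read -r nevr arch; do
        [ -n "$nevr" ] || continue
        if is_tampered_build "$nevr" "$arch"; then
            echo "TAMPERED: $nevr.$arch" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
    [ "$n" -eq 0 ]
}

# check_installed_openssh: query the live rpm database. Only the base
# "openssh" package is queried; openssh-server/-clients are built from the
# same source RPM and carry the same version-release.
check_installed_openssh() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{ARCH}\n' openssh 2>/dev/null \
        | count_tampered
}

# has_backdoor_marker FILE: the quick check from Jim's reply in the thread,
# a grep for the string "bella" in the sshd binary. Needs binutils strings.
has_backdoor_marker() {
    command -v strings >/dev/null 2>&1 || return 2
    strings "$1" 2>/dev/null | grep -q bella
}

# Run the live checks only when invoked as "sh thisfile.sh --installed",
# so that sourcing the file merely defines the functions.
if [ "${1:-}" = "--installed" ]; then
    check_installed_openssh
    if has_backdoor_marker /usr/sbin/sshd; then
        echo "marker string found in /usr/sbin/sshd" >&2
    fi
fi
```

On a mirror rather than a host, the same `count_tampered` function can be fed the output of `rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} %{ARCH}\n'` over the openssh RPMs in the repository directory.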
Re: [CentOS] RH's servers breached
On Fri, Aug 22, 2008 at 05:43:08PM +0200, kfx wrote:
> What's the point on this for us, CentOS users ?
>
> http://www.redhat.com/security/data/openssh-blacklist.html

That will only test for compiled RPMS of certain OpenSSH packages. Those
RPMS have been signed by the PGP key, so either the key server or the
build server were compromised (possibly they are the same, I don't know).

I'd do a detailed review of the SRPMS and patches during this period...

Rui

--
Kallisti! Today is Prickle-Prickle, the 15th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi
+ So let's do it...?