Re: ftp.gnu.org cracked

2003-08-20 Thread Josip Rodin
On Tue, Aug 19, 2003 at 11:27:26PM -0400, Matt Zimmerman wrote:
 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
 the March-July period, and most of GNU packages have their corresponding
 packages in the Debian archive.

The current evidence suggests that this has not happened.
  
  FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror.
  There appears to have been no change to it between then and now:
  
  -rw-r--r--    1 1001 3000  1892091 Jun 11 03:19 texinfo-4.6.tar.gz
  -rw-r--r--    1 joy  joy   1892091 2003-07-11 15:31 texinfo_4.6.orig.tar.gz
  
  The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64
 
 There is a cryptographically signed README on ftp.gnu.org which lists
 checksums for the files that GNU have been able to verify.  You can check
 against that.

Ah, got it, it wasn't in the mirror hierarchy so I missed it initially.
Thanks.

5730c8c0c7484494cca7a7e2d7459c64 gnu/texinfo/texinfo-4.6.tar.gz [Signed on Wed Aug 13 14:27:46 2003 EDT using DSA key ID D679F6CF]

That's from the upstream maintainer, Karl Berry. Doesn't seem to be in a
web of trust but it should be fine nevertheless.

-- 
 2. That which causes joy or happiness.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
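A checker for the signed README format quoted above, added here as an example; it is not code from the thread, from Debian or from GNU. It assumes the README's signature has already been verified out of band (for instance with gpg against the maintainer's DSA key) and only then compares local md5sums against the entries; the file names and hashes in demo() are constructed.

```python
import hashlib
import os
import re
import tempfile

LINE_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)\s*(\[.*\])?$")  # "<md5> <path> [Signed on ...]"

def parse_checksum_list(text):
    """Map archive path -> md5 for each well-formed entry; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1)
    return entries

def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_files(checksum_text, local_files):
    """local_files: {archive path: local path}. Status: 'ok' (matches the signed list),
    'MISMATCH' (local copy is untrusted), 'unverified' (GNU could not vouch for it)."""
    expected = parse_checksum_list(checksum_text)
    status = {}
    for archive_path, local_path in local_files.items():
        if archive_path not in expected:
            status[archive_path] = "unverified"
        elif md5_of_file(local_path) == expected[archive_path]:
            status[archive_path] = "ok"
        else:
            status[archive_path] = "MISMATCH"
    return status

def demo():
    """Constructed run: a matching file, a locally altered file (the list records
    the pristine foo, not the altered copy) and a file the list never mentions."""
    with tempfile.TemporaryDirectory() as d:
        files = {"texinfo-4.6.tar.gz": b"pristine texinfo", "foo-1.0.tar.gz": b"altered foo"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        signed_list = (
            f"{hashlib.md5(b'pristine texinfo').hexdigest()} gnu/texinfo/texinfo-4.6.tar.gz "
            "[Signed on Wed Aug 13 14:27:46 2003 EDT using DSA key ID D679F6CF]\n"
            f"{hashlib.md5(b'pristine foo').hexdigest()} gnu/foo/foo-1.0.tar.gz\n")
        return verify_files(signed_list, {
            "gnu/texinfo/texinfo-4.6.tar.gz": os.path.join(d, "texinfo-4.6.tar.gz"),
            "gnu/foo/foo-1.0.tar.gz": os.path.join(d, "foo-1.0.tar.gz"),
            "gnu/bar/bar-2.0.tar.gz": os.path.join(d, "bar-2.0.tar.gz")})
```

Comparing a copy fetched in July against today's copy, as done earlier in the thread, shows nothing if the compromise predates the download; only the entries GNU has signed carry evidence.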




Re: ftp.gnu.org cracked

2003-08-19 Thread Robert Millan
On 18/08/03 13:58:16, Matt Zimmerman wrote:
If we're going to make a statement about it, we should have some facts to
release.  For example, if someone would like to verify the validity of the
GNU source tarballs that we ship against the checksums published by GNU,
that would be great.
I think this is a task for the respective maintainers of GNU software 
in Debian, but if someone pops up that'd really help.

My suggestion otherwise is that someone sends an alert message to -devel-announce
explaining that:
 - maintainers of GNU software in Debian should verify the correctness 
of their packages in the Debian archive.
 - Debian members who accessed a Debian machine from gnuftp are 
encouraged to change their password.

--
Robert Millan
[..] but the delight and pride of Aule is in the deed of making, and 
in the thing made, and neither in possession nor in his own mastery; 
wherefore he gives and hoards not, and is free from care, passing ever 
on to some new work.

 -- J.R.R.T, Ainulindale (Silmarillion)



Re: ftp.gnu.org cracked

2003-08-19 Thread Matt Zimmerman
On Tue, Aug 19, 2003 at 03:10:36AM +0200, Josip Rodin wrote:

 On Mon, Aug 18, 2003 at 05:29:14AM +, Robert Millan wrote:
2) Any unsigned sources in ftp.gnu.org could have been trojaned during
the March-July period, and most of GNU packages have their corresponding
packages in the Debian archive.
   
   The current evidence suggests that this has not happened.
 
 FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror.
 There appears to have been no change to it between then and now:
 
 -rw-r--r--    1 1001 3000  1892091 Jun 11 03:19 texinfo-4.6.tar.gz
 -rw-r--r--    1 joy  joy   1892091 2003-07-11 15:31 texinfo_4.6.orig.tar.gz
 
 The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64
 
 Now, it's possible that it was tampered with before the mirror even got to
 it... I suppose I could ask the upstream maintainer to confirm the md5sum
 from their local copy?
 
 (Please Cc: any replies, I'm not subscribed.)

There is a cryptographically signed README on ftp.gnu.org which lists
checksums for the files that GNU have been able to verify.  You can check
against that.

-- 
 - mdz





Re: ftp.gnu.org cracked

2003-08-19 Thread Alf B Lervåg
Josip Rodin wrote:
 FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror.
 There appears to have been no change to it between then and now:

As far as I could tell from the bugtraq posting, ftp.gnu.org has been
cracked since March.  In effect your copy is not safe.

So, you'll need to verify it with the developers somehow.
-- 
Alf




Re: ftp.gnu.org cracked

2003-08-18 Thread Michael Stone
On Mon, Aug 18, 2003 at 05:29:14AM +, Robert Millan wrote:
Then the question is, how are we going to cope with that risk?
If it worries you, look at the GNU packages with new .orig's uploaded in
the last couple of months and check their md5's. It's not rocket
science, and we've made the tools available for some time.
Mike Stone



Re: ftp.gnu.org cracked

2003-08-18 Thread Josip Rodin
On Mon, Aug 18, 2003 at 05:29:14AM +, Robert Millan wrote:
   2) Any unsigned sources in ftp.gnu.org could have been trojaned during
   the March-July period, and most of GNU packages have their corresponding
   packages in the Debian archive.
  
  The current evidence suggests that this has not happened.

FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror.
There appears to have been no change to it between then and now:

-rw-r--r--    1 1001 3000  1892091 Jun 11 03:19 texinfo-4.6.tar.gz
-rw-r--r--    1 joy  joy   1892091 2003-07-11 15:31 texinfo_4.6.orig.tar.gz

The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64

Now, it's possible that it was tampered with before the mirror even got to
it... I suppose I could ask the upstream maintainer to confirm the md5sum
from their local copy?

(Please Cc: any replies, I'm not subscribed.)

-- 
 2. That which causes joy or happiness.






Fwd: ftp.gnu.org cracked

2003-08-17 Thread Robert Millan

from debian-private:

On Mon, Aug 18, 2003 at 02:51:55AM +, Robert Millan wrote:
 
 Hi there,
 
 As you might have already heard, a root compromise, which presumably has been
 there for two months, was recently detected in {ftp,alpha}.gnu.org
 (read http://ftp.gnu.org/MISSING-FILES.README for details)
 
 The following paragraph should draw attention for Debian:
 
   The modus operandi of the cracker shows that (s)he was interested primarily
   in using gnuftp to collect passwords and as a launching point to attack other
   machines.
 
 1) Some Debian developers do also have GNU accounts, in case any of them
 had the (bad, bad) idea of accessing a Debian machine from ftp.gnu.org
 this could compromise the Debian machine park.
 
 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
 the March-July period, and most of GNU packages have their corresponding
 packages in the Debian archive. It is clear there's a risk that the Debian
 archive could have been compromised.
 
 What do you suggest to do? First, can this discussion be disclosed? (e.g:
 into debian-security). Then how can we deal with these two problems? Would
 an alert message to -devel-announce suffice?

-- 
Robert Millan

[..] but the delight and pride of Aule is in the deed of making, and in the
thing made, and neither in possession nor in his own mastery; wherefore he
gives and hoards not, and is free from care, passing ever on to some new work.

 -- J.R.R.T, Ainulindale (Silmarillion)






Re: ftp.gnu.org cracked

2003-08-17 Thread Robert Millan

[ Moving to debian-security ]

On Mon, Aug 18, 2003 at 12:35:44PM +1000, Russell Coker wrote:
 On Mon, 18 Aug 2003 12:51, Robert Millan wrote:
  2) Any unsigned sources in ftp.gnu.org could have been trojaned during
  the March-July period, and most of GNU packages have their corresponding
  packages in the Debian archive. It is clear there's a risk that the Debian
  archive could have been compromised.
 
 The current evidence suggests that this has not happened.  However there is a 
 risk of a trojan having been put in an application that has new versions 
 released often which resulted in the trojaned version being over-written in 
 the normal course of operations.  Also there is the possibility that a 
 trojaned version was put online and then the original was restored by the 
 attacker, I think that this is unlikely as restoring the original version 
 would probably be more likely to get them caught.

Then the question is, how are we going to cope with that risk? The minimal
action that comes to my mind is an alert in -devel-announce, any other
ideas around?

  What do you suggest to do? First, can this discussion be disclosed? (e.g:
  into debian-security). Then how can we deal with these two problems? Would
  an alert message to -devel-announce suffice?
 
 The hack of the GNU server is no secret, and neither is our reliance on GNU 
 software.  I think that anyone who knows anything about Debian can work out 
 the issues for themselves.  Therefore trying to keep this secret gains us 
 nothing and only gives a risk of more concern.  I suggest publicising 
 everything.

ok. moved this thread to debian-security.

-- 
Robert Millan

[..] but the delight and pride of Aule is in the deed of making, and in the
thing made, and neither in possession nor in his own mastery; wherefore he
gives and hoards not, and is free from care, passing ever on to some new work.

 -- J.R.R.T, Ainulindale (Silmarillion)




