You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
82 lines
3.2 KiB
82 lines
3.2 KiB
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
|
|
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
|
|
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
|
|
|
|
<glsa id="200312-01">
|
|
<title>rsync.gentoo.org: rotation server compromised</title>
|
|
<synopsis>
|
|
A server in the rsync.gentoo.org rotation was compromised.
|
|
</synopsis>
|
|
<product type="infrastructure">rsync mirror</product>
|
|
<announced>2003-12-02</announced>
|
|
<revised>2003-12-02: 01</revised>
|
|
<affected>
|
|
<service type="rsync" fixed="yes"/>
|
|
</affected>
|
|
<background>
|
|
<p>
|
|
The rsync.gentoo.org rotation of servers provides an up to date Portage
|
|
tree using the rsync file transfer protocol.
|
|
</p>
|
|
</background>
|
|
<description>
|
|
<p>
|
|
On December 2nd at approximately 03:45 UTC, one of the servers that makes up
|
|
the rsync.gentoo.org rotation was compromised via a remote exploit. At this
|
|
point, we are still performing forensic analysis. However, the compromised
|
|
system had both an IDS and a file integrity checker installed and we have a
|
|
very detailed forensic trail of what happened once the box was breached, so
|
|
we are reasonably confident that the portage tree stored on that box was
|
|
unaffected.
|
|
</p>
|
|
<p>
|
|
The attacker appears to have installed a rootkit and modified/deleted some
|
|
files to cover their tracks, but left the server otherwise untouched. The
|
|
box was in a compromised state for approximately one hour before it was
|
|
discovered and shut down. During this time, approximately 20 users
|
|
synchronized against the portage mirror stored on this box. The method used
|
|
to gain access to the box remotely is still under investigation. We will
|
|
release more details once we have ascertained the cause of the remote
|
|
exploit.
|
|
</p>
|
|
<p>
|
|
This box is not an official Gentoo infrastructure box and is instead donated
|
|
by a sponsor. The box provides other services as well and the sponsor has
|
|
requested that we not publicly identify the box at this time. Because the
|
|
Gentoo part of this box appears to be unaffected by this exploit, we are
|
|
currently honoring the sponsor's request. That said, if at any point, we
|
|
determine that any file in the portage tree was modified in any way, we will
|
|
release full details about the compromised server.
|
|
</p>
|
|
</description>
|
|
<impact type="low">
|
|
<p>
|
|
There is no known impact at this time.
|
|
</p>
|
|
</impact>
|
|
<workaround>
|
|
<p>
|
|
There is no known workaround at this time.
|
|
</p>
|
|
</workaround>
|
|
<resolution>
|
|
<p>
|
|
Again, based on the forensic analysis done so far, we are reasonably
|
|
confident that no files within the Portage tree on the box were affected.
|
|
However, the server has been removed from all rsync.*.gentoo.org rotations
|
|
and will remain so until the forensic analysis has been completed and the
|
|
box has been wiped and rebuilt. Thus, users preferring an extra level of
|
|
security may ensure that they have a correct and accurate portage tree by
|
|
running:
|
|
</p>
|
|
<code>
|
|
# emerge sync</code>
|
|
<p>
|
|
Which will perform a sync against another server and ensure that all files
|
|
are up to date.
|
|
</p>
|
|
</resolution>
|
|
<references/>
|
|
</glsa>
|