From: Marcus Karlsson
To: richard bader
Cc: freebsd-security@freebsd.org
Date: Tue, 20 Nov 2012 15:47:37 +0100
Subject: Re: Clarrification on whether portsnap was affected by the 2012 compromise

On Tue, Nov 20, 2012 at 02:50:35PM +0100, richard bader wrote:
> On 20.11.2012 13:47, John Bayly wrote:
> >On 20/11/12 12:15, Gary Palmer wrote:
> >>On Tue, Nov 20, 2012 at 10:49:13AM +0000, John Bayly wrote:
> >>>Regarding the 2012 compromise, I'm a little confused as to what was and
> >>>wasn't affected:
> >>>
> >>>>From the release:
> >>>>or of any ports compiled from trees obtained via any means other than
> >>>>through svn.freebsd.org or one of its mirrors
> >>>Does that mean that any ports updated using the standard "portsnap
> >>>fetch" may have been affected, I'm guessing yes.
> >>>
> >>"We have also verified that the most recently-available portsnap(8)
> >>snapshot matches the ports Subversion repository, and so can be fully
> >>trusted."
> >I suppose that implies that the previous portsnap snapshots couldn't be
> >[completely] trusted. Basically I wanted to know whether I had to go
> >through all the ports I've updated from the snapshots within the given
> >time frame and do a portupgrade --force on them. In the end I decided
> >yes (luckily it's only on a single box)
> So what is the way to get a 'secure' ports collection?
> first update with 'portsnap -f /etc/portsnap.conf fetch update'
> and then 'portupgrade -caDf'

If we assume that ports have been compromised then just rebuilding them
won't fix anything that they might have done to your system while they
were installed. So in that case you would have to completely reinstall
the system from known good install media, build everything again and
restore as much as possible from backup.

Marcus
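
An added example, not part of the message above and not FreeBSD project tooling: the release quoted in the thread says the portsnap(8) snapshot was checked against the ports Subversion repository, and the code below shows one way to run that kind of comparison between a local ports tree and a separately obtained reference checkout. The function names, the `.svn` pruning and the sample trees are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def manifest(root, ignored_dirs=(".svn",)):
    """Map every file path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into VCS metadata.
        dirnames[:] = [d for d in dirnames if d not in ignored_dirs]
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                # Record where a symlink points instead of following it.
                data = b"symlink:" + os.fsencode(os.readlink(path))
            else:
                with open(path, "rb") as f:
                    data = f.read()
            digests[os.path.relpath(path, root)] = hashlib.sha256(data).hexdigest()
    return digests


def compare_trees(reference, local):
    """Report how the local tree differs from the trusted reference tree."""
    ref, loc = manifest(reference), manifest(local)
    return {
        "modified": sorted(p for p in ref.keys() & loc.keys() if ref[p] != loc[p]),
        "missing": sorted(ref.keys() - loc.keys()),
        "extra": sorted(loc.keys() - ref.keys()),
    }


def demo():
    """Constructed sample: tiny trees standing in for an svn export and /usr/ports."""
    files = {
        "ref/shells/bash/Makefile": "PORTNAME=bash\n",
        "ref/shells/bash/distinfo": "constructed\n",
        "ref/.svn/entries": "12\n",
        "loc/shells/bash/Makefile": "PORTNAME=bash\n# constructed change\n",
        "loc/shells/bash/pkg-install": "#!/bin/sh\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        return compare_trees(os.path.join(tmp, "ref"), os.path.join(tmp, "loc"))
```

An empty result covers only the files on disk now; it says nothing about ports already built and installed from an earlier snapshot, which is the case the reply above addresses.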