From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 10:04:27 2012
From: FreeBSD Security Officer
Date: Sat, 17 Nov 2012 10:04:26 GMT
Subject: Security Incident on FreeBSD Infrastructure

On Sunday 11th of November, an intrusion was detected on two machines within the FreeBSD.org cluster. The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution. We have found no evidence of any modifications that would put any end user at risk.
However, we do urge all users to read the report available at http://www.freebsd.org/news/2012-compromise.html and decide on any required actions themselves. We will continue to update that page as further information becomes known. We do not currently believe users have been affected given current forensic analysis, but we will provide updated information if this changes.

As a result of this event, a number of operational security changes are being made at the FreeBSD Project, in order to further improve our resilience to potential attacks. We plan, therefore, to more rapidly deprecate a number of legacy services, such as cvsup distribution of FreeBSD source, in favour of our more robust Subversion, freebsd-update, and portsnap models.

More information is available at http://www.freebsd.org/news/2012-compromise.html

From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 15:06:02 2012
From: Gary Palmer
Date: Sat, 17 Nov 2012 10:05:57 -0500
Subject: Recent security announcement and csup/cvsup?
Hi,

Can someone explain why the cvsup/csup infrastructure is considered insecure if the person had access to the *package* building cluster? Is it because the leaked key also had access to something in the chain that goes to cvsup, or is it because the project is not auditing the cvsup system and so the default assumption is that it cannot be trusted to not be compromised?

If it is the latter, someone from the community could check rather than encourage everyone who has been using csup/cvsup to wipe and reinstall their boxes.
Unfortunately the wipe option is not possible for me right now and my backups do go back to before the 19th of September.

Thanks,

Gary

From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 15:14:02 2012
Date: Sat, 17 Nov 2012 15:14:00 +0000
Subject: Re: Recent security announcement and csup/cvsup?
From: Chris Rees
To: Gary Palmer
Cc: freebsd-security@freebsd.org

On 17 Nov 2012 15:06, "Gary Palmer" wrote:
>
> Hi,
>
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
>
> If it is the latter, someone from the community could check rather than
> encourage everyone who has been using csup/cvsup to wipe and reinstall
> their boxes. Unfortunately the wipe option is not possible for me right
> now and my backups do go back to before the 19th of September

Checks are being made, but CVS makes it slow work. It's incredibly unlikely that there will be a problem, but the Project has to be cautious in recommendations.
Chris

From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 15:43:50 2012
From: "M. Schulte"
Date: Sat, 17 Nov 2012 17:07:16 +0100 (CET)
Subject: Re: Recent security announcement and csup/cvsup?

Hi,

> Can someone explain why the cvsup/csup infrastructure is considered
> insecure [...]

Speaking of cvsup security -- correct me if I'm wrong, but as far as I know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence I'd be very happy about more and more people moving over to the portsnap camp.
Best,
mel

[0] http://en.wikipedia.org/wiki/Portsnap
    http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html

From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 23:05:55 2012
From: Trevor Johnson
Date: Sat, 17 Nov 2012 18:05:48 -0500 (EST)
Subject: Re: Recent security announcement and csup/cvsup?
Chris Rees wrote:
> On 17 Nov 2012 15:06, "Gary Palmer" wrote:
>>
>> Hi,
>>
>> Can someone explain why the cvsup/csup infrastructure is considered insecure
>> if the person had access to the *package* building cluster? Is it because
>> the leaked key also had access to something in the chain that goes to cvsup,
>> or is it because the project is not auditing the cvsup system and so the
>> default assumption is that it cannot be trusted to not be compromised?
>>
>> If it is the latter, someone from the community could check rather than
>> encourage everyone who has been using csup/cvsup to wipe and reinstall
>> their boxes. Unfortunately the wipe option is not possible for me right
>> now and my backups do go back to before the 19th of September
>
> Checks are being made, but CVS makes it slow work.

It sounds as though someone is reading all the RCS files. Is that what's happening? As I understand it, the doc, ports and src CVS repositories are now being generated from Subversion. According to the Web page about the breach, the Subversion repos are known to be intact. If known-good CVS trees from the time of the switchover to Subversion are available, couldn't updated CVS repos be made by running svn_cvsinject as described at http://sam.zoy.org/writings/programming/svn2cvs.html ?
It says:

> If your CVS repository ever gets corrupted, you can reinject every SVN commit by restoring your backuped CVS tree and calling svn_cvsinject again for every revision since you used cvs2svn.

It seems that this would be far less error-prone, and far less labor-intensive, than eyeballing everything.

Is the plan to eventually shut down the anoncvs and CVSup services entirely? If so, shall the Gnats database be made available to the public through other means besides the query-pr CGI? I ask this after looking at http://www.freebsd.org/doc/en/articles/committers-guide/article.html#gnats .

--
Trevor Johnson

From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 23:53:40 2012
From: David Thiel
Date: Sat, 17 Nov 2012 15:43:13 -0759
Subject: Re: Recent security announcement and csup/cvsup?
On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?

Regardless of the circumstances of the incident, use of cvsup/csup has always been horrendously dangerous. People should regard any code retrieved over this channel to have been potentially compromised by a network attacker.

Portsnap. Srsly.

-David
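As an added illustration of the point Mel and David make above (this is not code from any message in the thread, nor FreeBSD's own portsnap implementation), the Go program below models the trust chain that lets a portsnap-style client detect in-transit tampering, which a cvsup-style fetch cannot: a key fingerprint pinned locally, a snapshot tag signed by the project key, and a content hash checked against that tag. It is loosely modelled on portsnap's KEYPRINT/pub.ssl/latest.ssl design but substitutes Ed25519 for RSA and uses constructed keys and data; the names Snapshot, Publish, VerifySnapshot, Keyprint and SeedKey are mine, not portsnap's.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Snapshot is what a mirror serves: archive, tag naming its SHA-256, signature over the tag, signing key.
type Snapshot struct {
	Data, Tag, Sig []byte
	PubKey         ed25519.PublicKey
}
func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// Keyprint is the key hash the client pins locally (as KEYPRINT in portsnap.conf does).
func Keyprint(pub ed25519.PublicKey) string { return hexSHA256(pub) }
// SeedKey derives a constructed demo key from one repeated seed byte; never do this for real keys.
func SeedKey(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }
// Publish builds a snapshot and signs its tag with the project key.
func Publish(priv ed25519.PrivateKey, data []byte) Snapshot {
	tag := []byte(hexSHA256(data))
	return Snapshot{data, tag, ed25519.Sign(priv, tag), priv.Public().(ed25519.PublicKey)}
}

// VerifySnapshot walks the chain pinned keyprint -> key -> signed tag -> content; a change to any link fails.
func VerifySnapshot(s Snapshot, pinned string) error {
	switch {
	case Keyprint(s.PubKey) != pinned:
		return errors.New("served public key does not match pinned keyprint")
	case !ed25519.Verify(s.PubKey, s.Tag, s.Sig):
		return errors.New("tag signature does not verify")
	case hexSHA256(s.Data) != string(s.Tag):
		return errors.New("snapshot contents do not match signed tag")
	}
	return nil
}

func main() {
	project, other := SeedKey(1), SeedKey(2)
	pinned := Keyprint(project.Public().(ed25519.PublicKey))
	good := Publish(project, []byte("ports snapshot (constructed)"))
	altered := Snapshot{[]byte("snapshot changed in transit (constructed)"), good.Tag, good.Sig, good.PubKey}
	fmt.Println("intact:", VerifySnapshot(good, pinned))                             // <nil>
	fmt.Println("altered:", VerifySnapshot(altered, pinned))                         // contents mismatch
	fmt.Println("re-signed:", VerifySnapshot(Publish(other, altered.Data), pinned)) // keyprint mismatch
}
```

A cvsup-style transfer has none of these three links, so a tree modified on the wire is indistinguishable from the genuine one; the pinned keyprint is what stops a mirror from simply shipping a key of its own alongside a re-signed tag.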