From owner-freebsd-security@FreeBSD.ORG Tue Nov 20 12:15:37 2012 Return-Path: Delivered-To: FreeBSD-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5FF44BAA for ; Tue, 20 Nov 2012 12:15:37 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from noop.in-addr.com (mail.in-addr.com [IPv6:2001:470:8:162::1]) by mx1.freebsd.org (Postfix) with ESMTP id 2D80B8FC0C for ; Tue, 20 Nov 2012 12:15:37 +0000 (UTC) Received: from gjp by noop.in-addr.com with local (Exim 4.80.1 (FreeBSD)) (envelope-from ) id 1Tamjj-00018f-1f; Tue, 20 Nov 2012 07:15:31 -0500 Date: Tue, 20 Nov 2012 07:15:30 -0500 From: Gary Palmer To: John Bayly Subject: Re: Clarrification on whether portsnap was affected by the 2012 compromise Message-ID: <20121120121530.GC88593@in-addr.com> References: <50AB6029.4090608@tipstrade.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <50AB6029.4090608@tipstrade.net> X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: gpalmer@freebsd.org X-SA-Exim-Scanned: No (on noop.in-addr.com); SAEximRunCond expanded to false Cc: FreeBSD-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 12:15:37 -0000 On Tue, Nov 20, 2012 at 10:49:13AM +0000, John Bayly wrote: > Regarding the 2012 compromise, I'm a little confused as to what was and > wasn't affected: > > >From the release: > > or of any ports compiled from trees obtained via any means other than > > through svn.freebsd.org or one of its mirrors > Does that mean that any ports updated using the standard "portsnap > fetch" may have been affected, I'm guessing yes. > " We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted. "