From owner-freebsd-security@FreeBSD.ORG Tue Nov 20 12:48:08 2012 Return-Path: Delivered-To: FreeBSD-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 60D7B1DB; Tue, 20 Nov 2012 12:48:08 +0000 (UTC) (envelope-from john.bayly@tipstrade.net) Received: from intra.tipstrade.net (unknown [IPv6:2a01:348:2c2:100::3]) by mx1.freebsd.org (Postfix) with ESMTP id 1AB7F8FC15; Tue, 20 Nov 2012 12:48:08 +0000 (UTC) Received: from intra.tipstrade.net (localhost [127.0.0.1]) by intra.tipstrade.net (Postfix) with ESMTP id 013C6DB9FD3; Tue, 20 Nov 2012 12:47:58 +0000 (GMT) Received: from [192.168.0.30] (unknown [192.168.0.30]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: john.bayly@tipstrade.net) by intra.tipstrade.net (Postfix) with ESMTPSA id CDD9DDB9DF2; Tue, 20 Nov 2012 12:47:57 +0000 (GMT) Message-ID: <50AB7BFC.7040506@tipstrade.net> Date: Tue, 20 Nov 2012 12:47:56 +0000 From: John Bayly User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121028 Thunderbird/16.0.2 MIME-Version: 1.0 To: Gary Palmer Subject: Re: Clarrification on whether portsnap was affected by the 2012 compromise References: <50AB6029.4090608@tipstrade.net> <20121120121530.GC88593@in-addr.com> In-Reply-To: <20121120121530.GC88593@in-addr.com> X-Enigmail-Version: 1.4.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP X-Mailman-Approved-At: Tue, 20 Nov 2012 13:01:06 +0000 Cc: FreeBSD-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 12:48:08 -0000 On 20/11/12 12:15, Gary Palmer wrote: > On Tue, Nov 20, 2012 at 10:49:13AM +0000, John Bayly wrote: >> Regarding the 2012 compromise, I'm a little confused as to what was and >> wasn't affected: >> >> >From the release: >>> or of any ports compiled from trees obtained via any means other than >>> through svn.freebsd.org or one of its mirrors >> Does that mean that any ports updated using the standard "portsnap >> fetch" may have been affected, I'm guessing yes. >> > " We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted. " I suppose that implies that the previous portsnap snapshots couldn't be [completely] trusted. Basically I wanted to know whether I had to go through all the ports I've updated from the snapshots within the given time frame and to a portupgrade --force on them. In the end I decided yes (luckily it's only on a single box)