From owner-freebsd-security@FreeBSD.ORG Tue Nov 20 13:50:17 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 67860873 for ; Tue, 20 Nov 2012 13:50:17 +0000 (UTC) (envelope-from richard@bader-muenchen.de) Received: from gate1.bader-muenchen.de (host-213-179-151-243.customer.m-online.net [213.179.151.243]) by mx1.freebsd.org (Postfix) with ESMTP id E1CDC8FC12 for ; Tue, 20 Nov 2012 13:50:15 +0000 (UTC) Received: from [127.0.0.1] (border.bader.loc [192.168.16.98]) by gate1.bader-muenchen.de (8.14.5/8.14.5) with ESMTP id qAKDo83S041237; Tue, 20 Nov 2012 14:50:09 +0100 (CET) (envelope-from richard@bader-muenchen.de) Message-ID: <50AB8AAB.7050102@bader-muenchen.de> Date: Tue, 20 Nov 2012 14:50:35 +0100 From: richard bader User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20121026 Thunderbird/16.0.2 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Clarrification on whether portsnap was affected by the 2012 compromise References: <50AB6029.4090608@tipstrade.net> <20121120121530.GC88593@in-addr.com> <50AB7BFC.7040506@tipstrade.net> In-Reply-To: <50AB7BFC.7040506@tipstrade.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 20 Nov 2012 14:12:05 +0000 Cc: richard@bader-muenchen.de X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2012 13:50:17 -0000 Am 20.11.2012 13:47, schrieb John Bayly: > On 20/11/12 12:15, Gary Palmer wrote: >> On Tue, Nov 20, 2012 at 10:49:13AM +0000, John Bayly wrote: >>> Regarding the 2012 compromise, I'm a little confused as to what was and >>> wasn't affected: >>> >>> >From the release: >>>> or of any ports compiled from trees obtained via any means other than >>>> through svn.freebsd.org or one of its mirrors >>> Does that mean that any ports updated using the standard "portsnap >>> fetch" may have been affected, I'm guessing yes. >>> >> " We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted." > I suppose that implies that the previous portsnap snapshots couldn't be > [completely] trusted. Basically I wanted to know whether I had to go > through all the ports I've updated from the snapshots within the given > time frame and to a portupgrade --force on them. In the end I decided > yes (luckily it's only on a single box)-unsubscribe@freebsd.org" So what ist the way to get a 'secure' portscollection? first update with 'portsnap -f /etc/portsnap.conf fetch update ' and then 'portupgrade -caDf' -- Dipl.Ing.Bader Richard GmbH, Helferichstrasse 32, 80999 Muenchen Tel.: +49 89 892205 31 Fax.: +49 89 892205 33 http://www.bader-muenchen.de