Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 20 Nov 2012 15:47:37 +0100
From:      Marcus Karlsson <mk@acc.umu.se>
To:        richard bader <richard@bader-muenchen.de>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Clarrification on whether portsnap was affected by the 2012 compromise
Message-ID:  <20121120144736.GI24300@acc.umu.se>
In-Reply-To: <50AB8AAB.7050102@bader-muenchen.de>
References:  <50AB6029.4090608@tipstrade.net> <20121120121530.GC88593@in-addr.com> <50AB7BFC.7040506@tipstrade.net> <50AB8AAB.7050102@bader-muenchen.de>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Nov 20, 2012 at 02:50:35PM +0100, richard bader wrote:
> Am 20.11.2012 13:47, schrieb John Bayly:
> >On 20/11/12 12:15, Gary Palmer wrote:
> >>On Tue, Nov 20, 2012 at 10:49:13AM +0000, John Bayly wrote:
> >>>Regarding the 2012 compromise, I'm a little confused as to what was and
> >>>wasn't affected:
> >>>
> >>>>From the release:
> >>>>or of any ports compiled from trees obtained via any means other than
> >>>>through svn.freebsd.org or one of its mirrors
> >>>Does that mean that any ports updated using the standard "portsnap
> >>>fetch" may have been affected, I'm guessing yes.
> >>>
> >>" We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted."
> >I suppose that implies that the previous portsnap snapshots couldn't be
> >[completely] trusted. Basically I wanted to know whether I had to go
> >through all the ports I've updated from the snapshots within the given
> >time frame and to a portupgrade --force on them. In the end I decided
> >yes (luckily it's only on a single box)-unsubscribe@freebsd.org"
> So what ist the way to get a 'secure' portscollection?
> first update with  'portsnap -f /etc/portsnap.conf  fetch update '
> and then 'portupgrade -caDf'

If we assume that ports have been compromised then just rebuilding them
won't fix anything that they might have done to your system while they
were installed. So in that case you would have to completely reinstall
the system from known good install media, build everything again and
restore as much as possible from backup.

Marcus



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121120144736.GI24300>