From: Chris Rees
Date: Sun, 18 Nov 2012 18:26:14 +0000
In-Reply-To: <20121118181711.GG24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com> <20121118181711.GG24320@in-addr.com>
Subject: Re: Recent security announcement and csup/cvsup?
To: Gary Palmer
Cc: freebsd-security@freebsd.org

On 18 November 2012 18:17, Gary Palmer wrote:
> On Sat, Nov 17, 2012 at 03:14:00PM +0000, Chris Rees wrote:
>> On 17 Nov 2012 15:06, "Gary Palmer" wrote:
>> >
>> > Hi,
>> >
>> > Can someone explain why the cvsup/csup infrastructure is considered insecure
>> > if the person had access to the *package* building cluster? Is it because
>> > the leaked key also had access to something in the chain that goes to cvsup,
>> > or is it because the project is not auditing the cvsup system and so the
>> > default assumption is that it cannot be trusted to not be compromised?
>> >
>> > If it is the latter, someone from the community could check rather than
>> > encourage everyone who has been using csup/cvsup to wipe and reinstall
>> > their boxes. Unfortunately the wipe option is not possible for me right
>> > now and my backups do go back to before the 19th of September
>>
>> Checks are being made, but CVS makes it slow work.
>>
>> It's incredibly unlikely that there will be a problem, but the Project has
>> to be cautious in recommendations.
>
> Thanks Chris for the update. May I politely suggest that the web page
> as I read it yesterday was more along the lines of "assume your machine is
> rooted, reinstall it". The reality is the message should have been "we
> cannot prove cvs/cvsup was not affected yet, but we are continuing to
> investigate. If you want to be really sure you weren't affected, reinstall
> from known clean media. Else wait for further updates".
>
> While I understand some people, especially the more security minded people,
> want to deprecate all access that isn't signed and secured, it's no reason
> to cause people unnecessary work/panic. Plus signing is only as good as
> the security of the systems doing the builds and signing the content.
> It's just been proven that they may not be as secure as expected.

I'm afraid that you have to do your own risk assessment-- for the
Project to recommend anything else would be irresponsible, and a major
disaster should anything turn out to be compromised several months
down the line...

Having said that, on a personal note I don't think I'll be
reinstalling in a hurry, but I'm also not handling banking details
etc. As I said, you have to assess your own risk :)

Chris