Hi folks,
robbat2 is finishing up analysis (robbat2 can you please ping me with your
status) of the recent compromise and we should release a news update fairly
soon, the press is starting to cover the story as "OMG critical servers of
Gentoo are pwn3d" which is really not the case.
So can I ask you to prepare a news update and send it to me, robbat2 and the
infra/security team for review? (still waiting for robbat2 final analysis
results).
Anyway, here are the facts:
a) there's no evidence of anything other than local account privileges being accessed
b) those privileges apparently have not been used at all, it seems that only
some script kiddies tried and failed
c) the server is not critical to gentoo and it provided only informational
services, it's in no way connected to active development, package creation or
portage mirrors
d) because of c) we have the luxury of *treating* this as a full compromise
and taking proper mitigation steps which consisted in revoking the few
credentials that were on it (not sufficient anyway to gain access to other
boxes even if cracked).
So yes, there was a vuln, it was embarrassing (and it will prompt better code
review), but no damage has been (apparently) perpetrated...and if so it's
anyway not affecting critical operations and well within containment.
Now I have no hope that the press will pick the update but the least we can
do is publish a follow up on the site.
PR, can you draft something and send it for review?
Robbat2, can you confirm my analysis?
Thanks to all
--
Andrea Barisani <lcars@gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-security@gentoo.org mailing list