It seems the debian server infrastructure has been compromised. Do not apt-get anything from the official security servers right now. And take a very close look at anything that you installed from there during the last 2 days. Here's the official announcement:
http://cert.uni-stuttgart.de/files/f...y-20031121.txt
Relevant mailing list threads:
http://news.gmane.org/onethread.php?...0wanadoo.fr%3E
http://news.gmane.org/onethread.php?...ecurity.net%3E
Aren't archives GPG signed? It would be a terrible security flaw if they weren't, and I can't see a system as robust as Debian overlooking something like this.
There are md5sums for all security packages. But afaik there's no automated md5sum check during updates. I run an apt-get server at work that I download all relevant security updates to, make an md5sum check and only then have the other servers grab the updates from this host.
Hmm, even my lowly distro has md5sum checking during upgrade (it was just introduced recently after being in development for some time).
pacman>apt
Even with MD5SUM, it can be compromised. What MD5 does is just count the number of bits and match it with the original numbers. A cracker can modify the source, put in useless fill-ins to match the number of bits that MD5 will check and make it look official.
[quote author=Compunuts link=board=5;threadid=8171;start=0#msg74613 date=1070263087]
Even with MD5SUM, it can be compromised. What MD5 does is just count the number of bits and match it with the original numbers. A cracker can modify the source, put in useless fill-ins to match the number of bits that MD5 will check and make it look official.
[/quote]
I doubt it's as simple as that. Correct me if I'm wrong, but afaik nobody has found a way to do a "(md5sum)^(-1)" (I mean when you have the hash and want to draw conclusions on the file (the bit pattern) that led to this hash). This leaves a trial and error approach, which seems a ridiculous attempt given that only two bit patterns in 2^(128)+1 lead to the same hash.
Anyways, there is apt-secure and debsig-verify. Both verify the package integrity by means of md5sum checks or a gpg key signature check prior to installation. I'm not sure how far advanced the development of these packages is, but I doubt there are official versions for woody.
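The check described in the two posts above (download the updates, verify md5sums against the index, only then let other hosts install them), as an added example that is not from the thread and not Debian's own tooling: a Python verifier that reads the Filename, Size and MD5sum fields of a Packages-style index and checks each file in a local mirror directory, reporting a missing file, a size mismatch or a digest mismatch. The index stanza, package name and pool path are constructed for the example; the only real value in it is the digest of the five-byte string "hello".

```python
"""Verify packages in a local mirror against the Size/MD5sum fields of a
Packages-style index before any client is allowed to install them.
Added example; the index below is constructed, not a real Debian index."""
import hashlib
import os
import tempfile

# Constructed sample in the layout of a Debian "Packages" index. The
# package name, version and path are made up; the digest is md5(b"hello").
SAMPLE_INDEX = """\
Package: example-foo
Version: 1.0-1
Architecture: i386
Filename: pool/main/e/example-foo/example-foo_1.0-1_i386.deb
Size: 5
MD5sum: 5d41402abc4b2a76b9719d911017c592
"""


def parse_index(text):
    """Split an RFC-822-style index into stanzas and keep only the fields
    needed for verification. Returns a list of dicts."""
    entries = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if all(k in fields for k in ("Filename", "Size", "MD5sum")):
            entries.append({
                "filename": fields["Filename"],
                "size": int(fields["Size"]),
                "md5": fields["MD5sum"].lower(),
            })
    return entries


def md5_of_file(path):
    """Stream the file through MD5 so large .debs do not have to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_size, expected_md5):
    """Return 'ok', 'missing', 'size mismatch' or 'md5 mismatch'.
    The size check is cheap and catches truncated downloads; only the
    digest comparison catches content altered without changing the length."""
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) != expected_size:
        return "size mismatch"
    if md5_of_file(path) != expected_md5:
        return "md5 mismatch"
    return "ok"


def verify_mirror(index_text, root):
    """Check every index entry against the files under root.
    Returns {filename: status}; publish the mirror only if all are 'ok'."""
    return {
        e["filename"]: verify_file(os.path.join(root, e["filename"]),
                                   e["size"], e["md5"])
        for e in parse_index(index_text)
    }


def demo():
    """Run verify_file over constructed files: the genuine content, a
    same-length modification, a length change, and an absent file."""
    entry = parse_index(SAMPLE_INDEX)[0]
    cases = {
        "genuine": b"hello",
        "same-size tamper": b"jello",
        "size change": b"hello world",
        "absent": None,
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, content in cases.items():
            path = os.path.join(root, name.replace(" ", "_") + ".deb")
            if content is not None:
                with open(path, "wb") as f:
                    f.write(content)
            results[name] = verify_file(path, entry["size"], entry["md5"])
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-18s %s" % (name, status))
```

Running demo() shows the four outcomes side by side: the file modified without changing its length passes the size check and is rejected only by the digest comparison. The script keys on the MD5sum field because that is what the indexes of the period carried; an index that also lists stronger digests would be parsed the same way, and a signature over the index itself is what ties these digests to the archive's keys.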
The Security Team set up a page with information on the compromise and the clean-up status. The thing that really worries me is this passage: "a sniffed password was used to access an (unprivileged) account on klecker.debian.org. Somehow they got root on klecker and installed suckit."
Somehow?? -- maybe there's a local root exploit in the wild...
So everybody, watch out.
So it turns out it was a kernel exploit... and one that Andrew Morton found and fixed in 2.4.23! Upgrade those boxes, all... local root exploit on anything but the latest and greatest.
Now Debian is finally free again. I tell you it's been a pretty crappy week to be using Debian with the entire project frozen like a deer in the headlights. No debian websites being updated, people.debian.org down, apt-repositories not being updated. Hopefully things will get back to 100% soon.
[quote author=Tyr_7BE link=board=5;threadid=8171;start=0#msg74644 date=1070344014]
So it turns out it was a kernel exploit...and one that Andrew Morton found and fixed in 2.4.23![/quote]
Yeah, it was first classified as low-level risk. Now it's become high alert.
The exploit only works on 2.4 kernels lower than 23. My gateway box is 2.2.20 so I'm good ...... ( now you know why Debian stable is STABLE ). ;D
I know what you mean ....
[quote author=Tyr_7BE]Now Debian is finally free again. I tell you it's been a pretty crappy week to be using Debian with the entire project frozen like a deer in the headlights.[/quote]
Now I feel better but not knowing what was wrong was the worst of all.