Diffstat (limited to 'metadata/glsa/glsa-200312-01.xml')
-rw-r--r-- metadata/glsa/glsa-200312-01.xml 78
1 files changed, 78 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200312-01.xml b/metadata/glsa/glsa-200312-01.xml
new file mode 100644
index 000000000000..ae25b6df6eb4
--- /dev/null
+++ b/metadata/glsa/glsa-200312-01.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="200312-01">
+ <title>rsync.gentoo.org: rotation server compromised</title>
+ <synopsis>
+ A server in the rsync.gentoo.org rotation was compromised.
+ </synopsis>
+ <product type="infrastructure">rsync mirror</product>
+ <announced>2003-12-02</announced>
+ <revised count="01">2003-12-02</revised>
+ <affected>
+ <service type="rsync" fixed="yes"/>
+ </affected>
+ <background>
+ <p>
+ The rsync.gentoo.org rotation of servers provides an up to date Portage
+ tree using the rsync file transfer protocol.
+ </p>
+ </background>
+ <description>
+ <p>
+ On December 2nd at approximately 03:45 UTC, one of the servers that makes up
+ the rsync.gentoo.org rotation was compromised via a remote exploit. At this
+ point, we are still performing forensic analysis. However, the compromised
+ system had both an IDS and a file integrity checker installed and we have a
+ very detailed forensic trail of what happened once the box was breached, so
+ we are reasonably confident that the portage tree stored on that box was
+ unaffected.
+ </p>
+ <p>
+ The attacker appears to have installed a rootkit and modified/deleted some
+ files to cover their tracks, but left the server otherwise untouched. The
+ box was in a compromised state for approximately one hour before it was
+ discovered and shut down. During this time, approximately 20 users
+ synchronized against the portage mirror stored on this box. The method used
+ to gain access to the box remotely is still under investigation. We will
+ release more details once we have ascertained the cause of the remote
+ exploit.
+ </p>
+ <p>
+ This box is not an official Gentoo infrastructure box and is instead donated
+ by a sponsor. The box provides other services as well and the sponsor has
+ requested that we not publicly identify the box at this time. Because the
+ Gentoo part of this box appears to be unaffected by this exploit, we are
+ currently honoring the sponsor's request. That said, if at any point, we
+ determine that any file in the portage tree was modified in any way, we will
+ release full details about the compromised server.
+ </p>
+ </description>
+ <impact type="low">
+ <p>
+ There is no known impact at this time.
+ </p>
+ </impact>
+ <workaround>
+ <p>
+ There is no known workaround at this time.
+ </p>
+ </workaround>
+ <resolution>
+ <p>
+ Again, based on the forensic analysis done so far, we are reasonably
+ confident that no files within the Portage tree on the box were affected.
+ However, the server has been removed from all rsync.*.gentoo.org rotations
+ and will remain so until the forensic analysis has been completed and the
+ box has been wiped and rebuilt. Thus, users preferring an extra level of
+ security may ensure that they have a correct and accurate portage tree by
+ running:
+ </p>
+ <code>
+ # emerge sync</code>
+ <p>
+ Which will perform a sync against another server and ensure that all files
+ are up to date.
+ </p>
+ </resolution>
+ <references/>
+</glsa>
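Review bot: in <impact type="low">, "There is no known impact at this time" does not account for the approximately 20 users the description says synchronized against the box while it was compromised. State in the impact or resolution text that the re-sync advice applies to anyone who synced in the roughly one-hour window starting around 03:45 UTC on 2003-12-02, so readers can tell whether it concerns them. Separately, <service type="rsync" fixed="yes"/> reads as fully resolved, while the resolution says forensic analysis is ongoing and the box is still to be wiped and rebuilt; the wording should make clear that "fixed" here means the server was removed from the rotation. Minor: "Which will perform a sync..." after the <code> element is a sentence fragment, and "Portage" / "portage" is capitalized inconsistently across the background, description and resolution paragraphs.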