diff options
Diffstat (limited to 'metadata/glsa/glsa-200312-01.xml')
-rw-r--r-- | metadata/glsa/glsa-200312-01.xml | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200312-01.xml b/metadata/glsa/glsa-200312-01.xml new file mode 100644 index 000000000000..ae25b6df6eb4 --- /dev/null +++ b/metadata/glsa/glsa-200312-01.xml @@ -0,0 +1,78 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="200312-01"> + <title>rsync.gentoo.org: rotation server compromised</title> + <synopsis> + A server in the rsync.gentoo.org rotation was compromised. + </synopsis> + <product type="infrastructure">rsync mirror</product> + <announced>2003-12-02</announced> + <revised count="01">2003-12-02</revised> + <affected> + <service type="rsync" fixed="yes"/> + </affected> + <background> + <p> + The rsync.gentoo.org rotation of servers provides an up to date Portage + tree using the rsync file transfer protocol. + </p> + </background> + <description> + <p> + On December 2nd at approximately 03:45 UTC, one of the servers that makes up + the rsync.gentoo.org rotation was compromised via a remote exploit. At this + point, we are still performing forensic analysis. However, the compromised + system had both an IDS and a file integrity checker installed and we have a + very detailed forensic trail of what happened once the box was breached, so + we are reasonably confident that the portage tree stored on that box was + unaffected. + </p> + <p> + The attacker appears to have installed a rootkit and modified/deleted some + files to cover their tracks, but left the server otherwise untouched. The + box was in a compromised state for approximately one hour before it was + discovered and shut down. During this time, approximately 20 users + synchronized against the portage mirror stored on this box. The method used + to gain access to the box remotely is still under investigation. We will + release more details once we have ascertained the cause of the remote + exploit. + </p> + <p> + This box is not an official Gentoo infrastructure box and is instead donated + by a sponsor. The box provides other services as well and the sponsor has + requested that we not publicly identify the box at this time. Because the + Gentoo part of this box appears to be unaffected by this exploit, we are + currently honoring the sponsor's request. That said, if at any point, we + determine that any file in the portage tree was modified in any way, we will + release full details about the compromised server. + </p> + </description> + <impact type="low"> + <p> + There is no known impact at this time. + </p> + </impact> + <workaround> + <p> + There is no known workaround at this time. + </p> + </workaround> + <resolution> + <p> + Again, based on the forensic analysis done so far, we are reasonably + confident that no files within the Portage tree on the box were affected. + However, the server has been removed from all rsync.*.gentoo.org rotations + and will remain so until the forensic analysis has been completed and the + box has been wiped and rebuilt. Thus, users preferring an extra level of + security may ensure that they have a correct and accurate portage tree by + running: + </p> + <code> + # emerge sync</code> + <p> + Which will perform a sync against another server and ensure that all files + are up to date. + </p> + </resolution> + <references/> +</glsa> |