Subject: Re: Recent security announcement and csup/cvsup?
Date: Sat, 17 Nov 2012 15:14:00 +0000
In-Reply-To: <20121117150556.GE24320@in-addr.com>
From: Chris Rees
To: Gary Palmer
Cc: freebsd-security@freebsd.org

On 17 Nov 2012 15:06, "Gary Palmer" wrote:
>
> Hi,
>
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
>
> If it is the latter, someone from the community could check rather than
> encourage everyone who has been using csup/cvsup to wipe and reinstall
> their boxes. Unfortunately the wipe option is not possible for me right
> now and my backups do go back to before the 19th of September.

Checks are being made, but CVS makes it slow work.

It's incredibly unlikely that there will be a problem, but the Project has to be cautious in recommendations.

Chris