Thread: news update about the compromise

news update about the compromise
2007-08-20 15:22:02
Hi folks,

robbat2 is finishing up analysis (robbat2, can you please ping me with your
status) of the recent compromise and we should release a news update fairly
soon; the press is starting to cover the story as "OMG critical servers of
Gentoo are pwn3d", which is really not the case.

So can I ask you to prepare a news update and send it to me, robbat2 and the
infra/security team for review? (still waiting for robbat2's final analysis
results).

Anyway, here are the facts:

a) there's no evidence of anything other than local account privileges being
accessed

b) those privileges apparently have not been used at all; it seems that only
some script kiddies tried and failed

c) the server is not critical to Gentoo and it provided only informational
services; it's in no way connected to active development, package creation or
portage mirrors

d) because of c) we have the luxury of *treating* this as a full compromise
and taking proper mitigation steps, which consisted in revoking the few
credentials that were on it (not sufficient anyway to gain access to other
boxes even if cracked).


So yes, there was a vuln, it was embarrassing (and it will prompt better code
review), but no damage has been (apparently) perpetrated... and if so it's
anyway not affecting critical operations and well within containment.

Now I have no hope that the press will pick up the update but the least we can
do is publish a follow-up on the site.

PR, can you draft something and send it for review?

Robbat2, can you confirm my analysis?

Thanks to all

-- 
Andrea Barisani <lcars@gentoo.org>
Gentoo Linux Infrastructure Developer
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
      "Pluralitas non est ponenda sine necessitate"
-- 
gentoo-security@gentoo.org mailing list


news update about the compromise
2007-08-22 13:34:01
On Mon, Aug 20, 2007 at 08:22:02PM +0000, Andrea Barisani wrote:

Folks, I have not had a single reply about this. I cannot help but stress that
the more we wait the worse it gets image-wise.

Robbat2, can you provide a status update?

Bye and thanks to all

> 
> Hi folks,
> 
> robbat2 is finishing up analysis (robbat2, can you please ping me with your
> status) of the recent compromise and we should release a news update fairly
> soon; the press is starting to cover the story as "OMG critical servers of
> Gentoo are pwn3d", which is really not the case.
> 
> So can I ask you to prepare a news update and send it to me, robbat2 and the
> infra/security team for review? (still waiting for robbat2's final analysis
> results).
> 
> Anyway, here are the facts:
> 
> a) there's no evidence of anything other than local account privileges being
> accessed
> 
> b) those privileges apparently have not been used at all; it seems that only
> some script kiddies tried and failed
> 
> c) the server is not critical to Gentoo and it provided only informational
> services; it's in no way connected to active development, package creation or
> portage mirrors
> 
> d) because of c) we have the luxury of *treating* this as a full compromise
> and taking proper mitigation steps, which consisted in revoking the few
> credentials that were on it (not sufficient anyway to gain access to other
> boxes even if cracked).
> 
> 
> So yes, there was a vuln, it was embarrassing (and it will prompt better code
> review), but no damage has been (apparently) perpetrated... and if so it's
> anyway not affecting critical operations and well within containment.
> 
> Now I have no hope that the press will pick up the update but the least we can
> do is publish a follow-up on the site.
> 
> PR, can you draft something and send it for review?
> 
> Robbat2, can you confirm my analysis?
> 
> Thanks to all
> 
> -- 
> Andrea Barisani <lcars@gentoo.org>
> Gentoo Linux Infrastructure Developer
> PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc
>     0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
>       "Pluralitas non est ponenda sine necessitate"
> -- 
> gentoo-infrastructure@gentoo.org mailing list
> 
