Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - Mailing list pgsql-advocacy
| From | Bruce Momjian |
|---|---|
| Subject | Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 |
| Date | |
| Msg-id | 200308142131.h7ELVHR10240@candle.pha.pa.us Whole thread Raw |
| In response to | Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 (Justin Clift <justin@postgresql.org>) |
| List | pgsql-advocacy |
Agreed on Wu-FTP problems. BSD/OS switched to away from it long ago. Glad Red Hat has done the same. --------------------------------------------------------------------------- Justin Clift wrote: > Ouch. > > Wu-FTPd has probably the worst track record on the planet for FTP vulnerabilities. > > :( > > There are quite a few others out there. From memory, Red Hat 9 has changed to one called "VSFTPd" by default. > > Personally, in regards to knowing which FTP server is the best, I'm better to leave it to others to figure that one out. > > :) > > Regards and best wishes, > > Justin Clift > > > The Hermit Hacker wrote: > > any idea what version of ftp they are/were running? I may be blind, but I > > dont' see it in the announce, and its not showing up when you ftp into > > them :( We're running a fairly recent wu-ftpd, but just want to make > > sure: > > > > Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003 > > > > On Thu, 14 Aug 2003, Justin Clift wrote: > > > > > >>Hi guys, > >> > >>Not sure if people have or haven't seen this already. > >> > >>The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently. > >> > >>:-( > >> > >>Regards and best wishes, > >> > >>Justin Clift > >> > >> > >> > >>>-----Original Message----- > >>>From: auscert@auscert.org.au > >>>Sent: Thursday, 14 August 2003 1:59 pm > >>>To: auscert-subscriber@auscert.org.au > >>>Subject: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise > >>> > >>>-----BEGIN PGP SIGNED MESSAGE----- > >>> > >>>=========================================================================== > >>> AUSCERT External Security Bulletin Redistribution > >>> > >>> ESB-2003.0563 -- CERT Advisory CA-2003-21 > >>> GNU Project FTP Server Compromise > >>> 14 August 2003 > >>> > >>>=========================================================================== > >>> > >>> AusCERT Security Bulletin Summary > >>> --------------------------------- > >>> > >>>Product: GNU Software > >>>Publisher: CERT/CC > >>>Impact: Root Compromise > >>> Execute Arbitrary Code/Commands > >>>Access Required: Remote > >>> > >>>- --------------------------BEGIN INCLUDED TEXT-------------------- > >>> > >>>- -----BEGIN PGP SIGNED MESSAGE----- > >>> > >>>CERT Advisory CA-2003-21 GNU Project FTP Server Compromise > >>> > >>> Original issue date: August 13, 2003 > >>> Last revised: -- > >>> Source: CERT/CC > >>> > >>> A complete revision history is at the end of this file. > >>> > >>>Overview > >>> > >>> The CERT/CC has received a report that the system housing the primary > >>> FTP servers for the GNU software project was compromised. > >>> > >>>I. Description > >>> > >>> The GNU Project, principally sponsored by the Free Software Foundation > >>> (FSF), produces a variety of freely available software. The CERT/CC > >>> has learned that the system housing the primary FTP servers for the > >>> GNU software project, gnuftp.gnu.org, was root compromised by an > >>> intruder. The more common host names of ftp.gnu.org and alpha.gnu.org > >>> are aliases for the same compromised system. The compromise is > >>> reported to have occurred in March of 2003. > >>> > >>> The FSF has released an announcement describing the incident. > >>> > >>> Because this system serves as a centralized archive of popular > >>> software, the insertion of malicious code into the distributed > >>> software is a serious threat. As the above announcement indicates, > >>> however, no source code distributions are believed to have been> > >>> maliciously modified at this time. > >>> > >>>II. Impact > >>> > >>> The potential exists for an intruder to have inserted back doors, > >>> Trojan horses, or other malicious code into the source code > >>> distributions of software housed on the compromised system. > >>> > >>>III. Solution > >>> > >>> We encourage sites using the GNU software obtained from the > >>> compromised system to verify the integrity of their distribution. > >>> > >>> Sites that mirror the source code are encouraged to verify the > >>> integrity of their sources. We also encourage users to inspect any and > >>> all other software that may have been downloaded from the compromised > >>> site. Note that it is not always sufficient to rely on the timestamps > >>> or file sizes when trying to determine whether or not a copy of the > >>> file has been modified. > >>> > >>>Verifying checksums > >>> > >>> The FSF has produced PGP-signed lists of known-good MD5 hashes of the > >>> software packages housed on the compromised server. These lists can be > >>> found at > >>> > >>> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc > >>> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc > >>> > >>> Note that both of these files and the announcement above are signed by > >>> Bradley Kuhn, Executive Director of the FSF, with the following PGP > >>> key: > >>> > >>>pub 1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn@fsf.org> > >>> Key fingerprint = 4F40 645E 46BE 0131 48F9 92F6 E775 E324 DB41 B387 > >>>uid Bradley M. Kuhn (bkuhn99) <bkuhn@ebb.org> > >>>uid Bradley M. Kuhn <bkuhn@gnu.org> > >>>sub 2048g/75CA9CB3 1999-12-09 > >>> > >>> The CERT/CC believes this key to be valid. > >>> > >>> As a matter of good security practice, the CERT/CC encourages users to > >>> verify, whenever possible, the integrity of downloaded software. For > >>> more information, see IN-2001-06. > >>> > >>>Appendix A. - Vendor Information > >>> > >>> This appendix contains information provided by vendors for this > >>> advisory. As vendors report new information to the CERT/CC, we will > >>> update this section and note the changes in our revision history. If a > >>> particular vendor is not listed below, we have not received their > >>> comments. > >>> > >>>Free Software Foundation > >>> > >>> > >>> The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have > >>> all been verified, and their md5sums and the reasons we believe the > >>> md5sums can be trusted are in: > >>> > >>> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc > >>> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc > >>> > >>> We are updating that file and the site as we confirm good md5sums of > >>> additional files. It is theoretically possible that downloads between > >>> March 2003 and July 2003 might have been source-compromised, so we > >>> encourage everyone to re-download sources and compare with the current > >>> copies for files on the site. > >>> > >>>Appendix B. References > >>> > >>> * FSF announcement regarding the incident - > >>> ftp://ftp.gnu.org/MISSING-FILES.README > >>> * CERT Incident Note IN-2001-06 - > >>> http://www.cert.org/incident_notes/IN-2001-06.html > >>> _________________________________________________________________ > >>> > >>> The CERT/CC thanks Bradley Kuhn and Brett Smith of the Free Software > >>> Foundation for their timely assistance in this matter. > >>> _________________________________________________________________ > >>> > >>> Feedback can be directed to the author: Chad Dougherty. > >>> ______________________________________________________________________ > >>> > >>> This document is available from: > >>> http://www.cert.org/advisories/CA-2003-21.html > >>> ______________________________________________________________________ > >>> > >>>CERT/CC Contact Information > >>> > >>> Email: cert@cert.org > >>> Phone: +1 412-268-7090 (24-hour hotline) > >>> Fax: +1 412-268-6989> > >>> Postal address: > >>> CERT Coordination Center > >>> Software Engineering Institute > >>> Carnegie Mellon University > >>> Pittsburgh PA 15213-3890 > >>> U.S.A. > >>> > >>> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / > >>> EDT(GMT-4) Monday through Friday; they are on call for emergencies > >>> during other hours, on U.S. holidays, and on weekends. > >>> > >>>Using encryption > >>> > >>> We strongly urge you to encrypt sensitive information sent by email. > >>> Our public PGP key is available from > >>> http://www.cert.org/CERT_PGP.key > >>> > >>> If you prefer to use DES, please call the CERT hotline for more > >>> information. > >>> > >>>Getting security information > >>> > >>> CERT publications and other security information are available from > >>> our web site > >>> http://www.cert.org/ > >>> > >>> To subscribe to the CERT mailing list for advisories and bulletins, > >>> send email to majordomo@cert.org. Please include in the body of your > >>> message > >>> > >>> subscribe cert-advisory > >>> > >>> * "CERT" and "CERT Coordination Center" are registered in the U.S. > >>> Patent and Trademark Office. > >>> ______________________________________________________________________ > >>> > >>> NO WARRANTY > >>> Any material furnished by Carnegie Mellon University and the Software > >>> Engineering Institute is furnished on an "as is" basis. Carnegie > >>> Mellon University makes no warranties of any kind, either expressed or > >>> implied as to any matter including, but not limited to, warranty of > >>> fitness for a particular purpose or merchantability, exclusivity or > >>> results obtained from use of the material. Carnegie Mellon University > >>> does not make any warranty of any kind with respect to freedom from > >>> patent, trademark, or copyright infringement. > >>> ______________________________________________________________________ > >>> > >>> Conditions for use, disclaimers, and sponsorship information > >>> > >>> Copyright 2002 Carnegie Mellon University. > >>> > >>> Revision History > >>>August 13, 2003: Initial release > >>> > >>>- -----BEGIN PGP SIGNATURE----- > >>>Version: PGP 6.5.8 > >>> > >>>iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt > >>>QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r > >>>S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ > >>>OeyQrFbsq54= > >>>=/72G > >>>- -----END PGP SIGNATURE----- > >>> > >>>- --------------------------END INCLUDED TEXT-------------------- > >>> > >>>You have received this e-mail bulletin as a result of your organisation's > >>>registration with AusCERT. The mailing list you are subscribed to is > >>>maintained within your organisation, so if you do not wish to continue > >>>receiving these bulletins you should contact your local IT manager. If > >>>you do not know who that is, please send an email to auscert@auscert.org.au > >>>and we will forward your request to the appropriate person. > >>> > >>>This security bulletin is provided as a service to AusCERT's members. As > >>>AusCERT did not write the document quoted above, AusCERT has had no control > >>>over its content. The decision to follow or act on information or advice > >>>contained in this security bulletin is the responsibility of each user or > >>>organisation, and should be considered in accordance with your organisation's > >>>site policies and procedures. AusCERT takes no responsibility for consequences > >>>which may arise from following or acting on information or advice contained in > >>>this security bulletin. > >>> > >>>NOTE: This is only the original release of the security bulletin. It may > >>>not be updated when updates to the original are made. If downloading at > >>>a later date, it is recommended that the bulletin is retrieved directly > >>>from the author's website to ensure that the information is still current. > >>> > >>>Contact information for the authors of the original document is included > >>>in the Security Bulletin above. If you have any questions or need further> > >>>information, please contact them directly. > >>> > >>>Previous advisories and external security bulletins can be retrieved from: > >>> > >>> http://www.auscert.org.au/render.html?cid=1980 > >>> > >>>If you believe that your computer system has been compromised or attacked in > >>>any way, we encourage you to let us know by completing the secure National IT > >>>Incident Reporting Form at: > >>> > >>> http://www.auscert.org.au/render.html?it=3192 > >>> > >>>Internet Email: auscert@auscert.org.au > >>>Facsimile: (07) 3365 7031 > >>>Telephone: (07) 3365 4417 (International: +61 7 3365 4417) > >>> AusCERT personnel answer during Queensland business > >>> hours which are GMT+10:00 (AEST). On call after hours > >>> for member emergencies only. > >>>-----BEGIN PGP SIGNATURE----- > >>>Comment: http://www.auscert.org.au/render.html?it=1967 > >>> > >>>iQCVAwUBPzsIeCh9+71yA2DNAQG3TAP/fUzjaxOLp4sxMfEehxKQygWK3EmEMnd8 > >>>P0PK/qOrNaGdLM6TjwgxzGm0q2NLX1cJV7BnlRu74LeVLUt0bvSXC7xN7axL0jKx > >>>q7uBCJEop5BCyzqin8vGeyc75wf2UJqp+tMLnB3T+qZa6Wd6gbbDEgO37Mct5wxw > >>>1iSJeKfo/Mg= > >>>=pn8Y > >>>-----END PGP SIGNATURE----- > >> > >> > >>---------------------------(end of broadcast)--------------------------- > >>TIP 2: you can get off all lists at once with the unregister command > >> (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) > >> > > > > > > Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy > > Systems Administrator @ hub.org > > primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org > > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faqs/FAQ.html > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
pgsql-advocacy by date: