[gull] Fwd: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
Gregor Bruhin
gb at swisszone.ch
Thu Aug 14 09:34:01 CEST 2003
Mieux vaut être prévenu !
> From: CERT Advisory <cert-advisory at cert.org>
> Date: Wed Aug 13, 2003 11:49:14 PM Europe/Zurich
> To: cert-advisory at cert.org
> Subject: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
>
> Original issue date: August 13, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Overview
>
> The CERT/CC has received a report that the system housing the
> primary
> FTP servers for the GNU software project was compromised.
>
> I. Description
>
> The GNU Project, principally sponsored by the Free Software
> Foundation
> (FSF), produces a variety of freely available software. The
> CERT/CC
> has learned that the system housing the primary FTP servers for
> the
> GNU software project, gnuftp.gnu.org, was root compromised by
> an
> intruder. The more common host names of ftp.gnu.org and
> alpha.gnu.org
> are aliases for the same compromised system. The compromise
> is
> reported to have occurred in March of 2003.
>
> The FSF has released an announcement describing the incident.
>
> Because this system serves as a centralized archive of
> popular
> software, the insertion of malicious code into the
> distributed
> software is a serious threat. As the above announcement
> indicates,
> however, no source code distributions are believed to have
> been
> maliciously modified at this time.
>
> II. Impact
>
> The potential exists for an intruder to have inserted back
> doors,
> Trojan horses, or other malicious code into the source
> code
> distributions of software housed on the compromised system.
>
> III. Solution
>
> We encourage sites using the GNU software obtained from
> the
> compromised system to verify the integrity of their distribution.
>
> Sites that mirror the source code are encouraged to verify
> the
> integrity of their sources. We also encourage users to inspect any
> and
> all other software that may have been downloaded from the
> compromised
> site. Note that it is not always sufficient to rely on the
> timestamps
> or file sizes when trying to determine whether or not a copy of
> the
> file has been modified.
>
> Verifying checksums
>
> The FSF has produced PGP-signed lists of known-good MD5 hashes of
> the
> software packages housed on the compromised server. These lists can
> be
> found at
>
> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>
> Note that both of these files and the announcement above are signed
> by
> Bradley Kuhn, Executive Director of the FSF, with the following
> PGP
> key:
>
> pub 1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn at fsf.org>
> Key fingerprint = 4F40 645E 46BE 0131 48F9 92F6 E775 E324 DB41
> B387
> uid Bradley M. Kuhn (bkuhn99)
> <bkuhn at ebb.org>
> uid Bradley M. Kuhn <bkuhn at gnu.org>
> sub 2048g/75CA9CB3 1999-12-09
>
> The CERT/CC believes this key to be valid.
>
> As a matter of good security practice, the CERT/CC encourages users
> to
> verify, whenever possible, the integrity of downloaded software.
> For
> more information, see IN-2001-06.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for
> this
> advisory. As vendors report new information to the CERT/CC, we
> will
> update this section and note the changes in our revision history.
> If a
> particular vendor is not listed below, we have not received
> their
> comments.
>
> Free Software Foundation
>
>
> The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02
> have
> all been verified, and their md5sums and the reasons we believe the
> md5sums can be trusted are in:
>
> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>
> We are updating that file and the site as we confirm good md5sums of
> additional files. It is theoretically possible that downloads
> between
> March 2003 and July 2003 might have been source-compromised, so we
> encourage everyone to re-download sources and compare with the
> current
> copies for files on the site.
>
> Appendix B. References
>
> * FSF announcement regarding the incident
> -
> ftp://ftp.gnu.org/MISSING-FILES.README
> * CERT Incident Note IN-2001-06 -
> http://www.cert.org/incident_notes/IN-2001-06.html
> _________________________________________________________________
>
> The CERT/CC thanks Bradley Kuhn and Brett Smith of the Free
> Software
> Foundation for their timely assistance in this matter.
> _________________________________________________________________
>
> Feedback can be directed to the author: Chad Dougherty.
>
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-21.html
>
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert at cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5)
> /
> EDT(GMT-4) Monday through Friday; they are on call for
> emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by
> email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for
> more
> information.
>
> Getting security information
>
> CERT publications and other security information are available
> from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and
> bulletins,
> send email to majordomo at cert.org. Please include in the body of
> your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the
> U.S.
> Patent and Trademark Office.
>
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the
> Software
> Engineering Institute is furnished on an "as is" basis.
> Carnegie
> Mellon University makes no warranties of any kind, either expressed
> or
> implied as to any matter including, but not limited to, warranty
> of
> fitness for a particular purpose or merchantability, exclusivity
> or
> results obtained from use of the material. Carnegie Mellon
> University
> does not make any warranty of any kind with respect to freedom
> from
> patent, trademark, or copyright infringement.
>
> ______________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2002 Carnegie Mellon University.
>
> Revision History
> August 13, 2003: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
> QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
> S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
> OeyQrFbsq54=
> =/72G
> -----END PGP SIGNATURE-----
>
More information about the gull
mailing list