Recent security announcement and csup/cvsup?
Chris Rees
utisoft at gmail.com
Sun Nov 18 18:26:46 UTC 2012
On 18 November 2012 18:17, Gary Palmer <gpalmer at freebsd.org> wrote:
> On Sat, Nov 17, 2012 at 03:14:00PM +0000, Chris Rees wrote:
>> On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer at freebsd.org> wrote:
>> >
>> > Hi,
>> >
>> > Can someone explain why the cvsup/csup infrastructure is considered
>> insecure
>> > if the person had access to the *package* building cluster? Is it because
>> > the leaked key also had access to something in the chain that goes to
>> cvsup,
>> > or is it because the project is not auditing the cvsup system and so the
>> > default assumption is that it cannot be trusted to not be compromised?
>> >
>> > If it is the latter, someone from the community could check rather than
>> > encourage everyone who has been using csup/cvsup to wipe and reinstall
>> > their boxes. Unfortunately the wipe option is not possible for me right
>> > now and my backups do go back to before the 19th of September
>>
>> Checks are being made, but CVS makes it slow work.
>>
>> It's incredibly unlikely that there will be a problem, but the Project has
>> to be cautious in recommendations.
>
> Thanks Chris for the update. May I politely suggest that the web page
> as I read it yesterday was more along the lines of "assume your machine is
> rooted, reinstall it". The reality is the message should have been "we
> cannot prove cvs/cvsup was not affected yet, but we are continuing to
> investigate. If you want to be really sure you weren't affected, reinstall
> from known clean media. Else wait for further updates".
>
> While I understand some people, especially the more security minded people,
> want to deprecate all access that isn't signed and secured, its no reason
> to cause people unnecessary work/panic. Plus signing is only as good as
> the security of the systems doing the builds and signing the content.
> Its just been proven that they may not be as secure as expected.
I'm afraid that you have to do your own risk assessment-- for the
Project to recommend anything else would be irresponsible, and a major
disaster should anything turn out to be compromised several months
down the line...
Having said that, on a personal note I don't think I'll be
reinstalling in a hurry, but I'm also not handling banking details
etc. As I said, you have to assess your own risk :)
Chris
More information about the freebsd-security
mailing list