What's the point of this for us, CentOS users?
I'd like to know if CentOS has been affected by RH's compromise. Can someone please comment? AFAIK, CentOS builds from RHEL SRPMs right? So as Rui mentioned the script that RH provided is useless. They do give the version info of the compromised packages:
# The signed tampered packages were:
#
# openssh-3.9p1-8.RHEL4.24 for i386, x86_64 architecture
# openssh-3.9p1-9.el4 for i386, x86_64 architecture
# openssh-4.3p2-26 for x86_64 architecture
# openssh-4.3p2-26.el5 for x86_64 architecture
Of course I have all of these on my local CentOS mirror right now. It would be nice to know if I'm serving compromised packages. RH doesn't mention whether the SRPMs were compromised. If they were I suspect CentOS is affected also.
Thanks in advance, Scott
On Fri, Aug 22, 2008 at 1:59 PM, Scott Beardsley scott@cse.ucdavis.edu wrote:
What's the point of this for us, CentOS users?
I'd like to know if CentOS has been affected by RH's compromise. Can someone please comment? AFAIK, CentOS builds from RHEL SRPMs right? So as Rui mentioned the script that RH provided is useless. They do give the version info of the compromised packages:
Russ has posted some information about this to planet.centos.org, but basically at this point it does not appear to affect the CentOS population. Karanbir has been crawling through the build system to verify this, and we may release an announcement about this later.
If you want to check this out on your own, see -> http://www.securiteam.com/exploits/5MP0E20CAM.html for details, or for the short version run 'strings /usr/sbin/sshd | grep bella'
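As an added example (it is not the CentOS team's audit script nor the Red Hat detection script discussed above), the following POSIX shell script turns the two checks mentioned in this thread into something a host or mirror admin can run: it compares installed and mirrored openssh package NEVRAs against the version-release/arch pairs from the advisory text quoted earlier, and applies the 'strings sshd | grep bella' test. Assumptions made here: the advisory's version-release values apply to every openssh subpackage (openssh-server, openssh-clients, ...) built from those sources; rpm or binutils may be missing, in which case that check is skipped or approximated with grep -a; and a version match only means "same build version as one named in the advisory", which on a CentOS rebuild is a reason to verify origin and signing key, not proof of compromise, since the maintainers in this thread say the CentOS builds were not affected. Note that the tampered packages were validly signed, so rpm -K alone would not have caught them.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or the CentOS project.
# Usage: sh check-openssh.sh [MIRROR_DIR]

# Version-release + arch of the signed tampered builds, copied from the
# advisory text quoted in this thread. Assumption: subpackages share the
# source package's version-release.
TAMPERED='3.9p1-8.RHEL4.24 i386
3.9p1-8.RHEL4.24 x86_64
3.9p1-9.el4 i386
3.9p1-9.el4 x86_64
4.3p2-26 x86_64
4.3p2-26.el5 x86_64'

# is_tampered_nevra NAME-VERSION-RELEASE.ARCH
# Returns 0 if the package is an openssh* build whose version-release and
# arch match one of the advisory entries, 1 otherwise.
is_tampered_nevra() {
    arch=${1##*.}            # text after the last dot
    nvr=${1%.*}              # name-version-release
    release=${nvr##*-}       # last hyphen-separated field
    nv=${nvr%-*}
    version=${nv##*-}
    name=${nv%-*}            # may itself contain hyphens (openssh-server)
    case $name in
        openssh|openssh-*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$TAMPERED" | grep -qxF -- "$version-$release $arch"
}

# binary_contains_string FILE NEEDLE
# The list's 'strings FILE | grep NEEDLE', with a grep -a fallback for
# hosts without binutils. Returns 2 if FILE is unreadable.
binary_contains_string() {
    [ -r "$1" ] || return 2
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1" | grep -q -- "$2"
    else
        grep -a -q -- "$2" "$1"
    fi
}

# check_installed: compare every installed openssh* package against the list.
check_installed() {
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not available; skipping installed-package check"; return 0; }
    bad=0
    for p in $(rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' 'openssh*'); do
        if is_tampered_nevra "$p"; then
            echo "MATCHES advisory version (verify origin/signing key): $p"; bad=1
        else
            echo "ok: $p"
        fi
    done
    return $bad
}

# check_mirror DIR: inspect openssh*.rpm files on a local mirror. rpm -K only
# catches files altered after signing; the tampered builds were validly
# signed, so the version comparison is the check that matters for them.
check_mirror() {
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not available; skipping mirror check"; return 0; }
    bad=0
    for f in "$1"/openssh*.rpm; do
        [ -e "$f" ] || continue
        p=$(rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' "$f")
        if is_tampered_nevra "$p"; then
            echo "MATCHES advisory version (verify origin/signing key): $f ($p)"; bad=1
        fi
        rpm -K "$f" >/dev/null 2>&1 || { echo "signature/digest check FAILED: $f"; bad=1; }
    done
    return $bad
}

main() {
    rc=0
    check_installed || rc=1
    if [ -r /usr/sbin/sshd ]; then
        if binary_contains_string /usr/sbin/sshd bella; then
            echo "WARNING: 'bella' string found in /usr/sbin/sshd"; rc=1
        else
            echo "ok: no 'bella' string in /usr/sbin/sshd"
        fi
    fi
    [ $# -ge 1 ] && { check_mirror "$1" || rc=1; }
    return $rc
}

main "$@"
```

The version comparison is deliberately split out as a function so it can be fed output from rpm -qa on a host, rpm -qp on mirror files, or a plain list of filenames; on a non-RPM system only the strings check runs.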
On Aug 22, 2008, at 12:25 PM, Jim Perrin wrote:
Russ has posted some information about this to planet.centos.org, but basically at this point it does not appear to affect the CentOS population. Karanbir has been crawling through the build system to verify this, and we may release an announcement about this later.
I see an announcement for the packages on the announce list, but no more information anywhere from the CentOS team (Planet or ML). Are these packages "just to be safe" or was there something actually found?
On Fri, 22 Aug 2008, Paul Norton wrote:
On Aug 22, 2008, at 12:25 PM, Jim Perrin wrote:
Russ has posted some information about this to planet.centos.org, but basically at this point it does not appear to affect the CentOS population. Karanbir has been crawling through the build system to verify this, and we may release an announcement about this later.
I see an announcement for the packages on the announce list, but no more information anywhere from the CentOS team (Planet or ML). Are these packages "just to be safe" or was there something actually found?
We have released updated packages because updated packages have been released upstream.
We have no reason to believe that any CentOS servers, packages or keys have been compromised.
We have been completing a full audit of our build systems that has so far not shown any evidence of any issues.
Regards Lance
On Fri, Aug 22, 2008 at 5:15 PM, Paul Norton paul@neoverve.com wrote:
I see an announcement for the packages on the announce list, but no more information anywhere from the CentOS team (Planet or ML). Are these packages "just to be safe" or was there something actually found?
There's a CVE associated with a different (unrelated) bug in how ssh handled forwarded x11 sessions. The upstream announcement is here -> http://rhn.redhat.com/errata/RHSA-2008-0855.html.
So there are new packages anyway in spite of the other bits.
I see an announcement for the packages on the announce list, but no more information anywhere from the CentOS team (Planet or ML). Are these packages "just to be safe" or was there something actually found?
There's a CVE associated with a different (unrelated) bug in how ssh handled forwarded x11 sessions. The upstream announcement is here -> http://rhn.redhat.com/errata/RHSA-2008-0855.html.
So there are new packages anyway in spite of the other bits.
Hi all, have I missed something or is there a CentOS update for 5x but none for 4x? I've made sure my mirror is synced and looked around at a few others but can't seem to see an update?
On Mon, 2008-08-25 at 08:32 +1200, Tony Wicks wrote:
<snip>
So there are new packages anyway in spite of the other bits.
Hi all, have I missed something or is there a CentOS update for 5x but none for 4x? I've made sure my mirror is synced and looked around at a few others but can't seem to see an update?
I just fired up my 4.6 and did yum update. No ssh packages, so the problem is not yours.
I *suspect* that a decision was made to release them with 4.7 (s/b close since they have been working towards this for awhile IIUC). Seems reasonable if it's very close and *if* they made that decision.
<snip>
So there are new packages anyway in spite of the other bits.
Hi all, have I missed something or is there a CentOS update for 5x but none for 4x? I've made sure my mirror is synced and looked around at a few others but can't seem to see an update?
I just fired up my 4.6 and did yum update. No ssh packages, so the problem is not yours.
Do any of the maintainers have a comment on the 4x SSH update availability? I have a couple of SSH bastion servers that I have shut down until the update is out just in case, so I was wondering when it would turn up.
thanks
On Tue, 2008-08-26 at 13:54 +1200, Tony Wicks wrote:
So there are new packages anyway in spite of the other bits.
Hi all, have I missed something or is there a CentOS update for 5x but none for 4x? I've made sure my mirror is synced and looked around at a few others but can't seem to see an update?
I just fired up my 4.6 and did yum update. No ssh packages, so the problem is not yours.
Do any of the maintainers have a comment on the 4x SSH update availability? I have a couple of SSH bastion servers that I have shut down until the update is out just in case, so I was wondering when it would turn up.
I wouldn't worry about it too much unless there are unrelated security fixes. The SSH updates are against 4.7, so it would most likely be the case that your current 4.6-based sshd package is still pretty solid... The issue was against the then-current sshd packages... which would have been issued after the ones you're currently using...
-I