[CentOS] CentOS-announce Digest, Vol 42, Issue 6

Sat Aug 23 12:00:57 UTC 2008
centos-announce-request at centos.org <centos-announce-request at centos.org>

Send CentOS-announce mailing list submissions to
	centos-announce at centos.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.centos.org/mailman/listinfo/centos-announce
or, via email, send a message with subject or body 'help' to
	centos-announce-request at centos.org

You can reach the person managing the list at
	centos-announce-owner at centos.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS-announce digest..."


Today's Topics:

   1. CESA-2008:0855 Critical CentOS 5 x86_64 openssh	Update
      (Karanbir Singh)
   2. CESA-2008:0855 Critical CentOS 5 i386 openssh	Update
      (Karanbir Singh)
   3. CentOS position on systems intrusion at Red Hat (Karanbir Singh)


----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Aug 2008 21:45:22 +0100
From: Karanbir Singh <kbsingh at centos.org>
Subject: [CentOS-announce] CESA-2008:0855 Critical CentOS 5 x86_64
	openssh	Update
To: centos-announce at centos.org
Message-ID: <20080822204522.GA21052 at base.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2008:0855 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0855.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

x86_64:
161c953e8c1c47c09542020837e9920b  openssh-4.3p2-26.el5_2.1.x86_64.rpm
12b02fb6e6d1e8354539cd4cba304803  openssh-askpass-4.3p2-26.el5_2.1.x86_64.rpm
c281a62dc3c21f1225ea309757b755d1  openssh-clients-4.3p2-26.el5_2.1.x86_64.rpm
01b3486f17ecb4adc7c59074525b7fd9  openssh-server-4.3p2-26.el5_2.1.x86_64.rpm

Source:
278cfb304350f3604fb64ebaee3f1b77  openssh-4.3p2-26.el5_2.1.src.rpm


-- 
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net



------------------------------

Message: 2
Date: Fri, 22 Aug 2008 21:45:22 +0100
From: Karanbir Singh <kbsingh at centos.org>
Subject: [CentOS-announce] CESA-2008:0855 Critical CentOS 5 i386
	openssh	Update
To: centos-announce at centos.org
Message-ID: <20080822204522.GA21035 at base.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2008:0855 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0855.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

i386:
d45c32890088d835ce8bc4a569173775  openssh-4.3p2-26.el5_2.1.i386.rpm
7f8194567e7797d834c22090d9c55b69  openssh-askpass-4.3p2-26.el5_2.1.i386.rpm
c145d732591711659b5fe756a4e9a085  openssh-clients-4.3p2-26.el5_2.1.i386.rpm
2b1fdc9b245f2c8cd873ea7f8e3b900c  openssh-server-4.3p2-26.el5_2.1.i386.rpm

Source:
278cfb304350f3604fb64ebaee3f1b77  openssh-4.3p2-26.el5_2.1.src.rpm


-- 
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net



------------------------------

Message: 3
Date: Fri, 22 Aug 2008 23:15:29 +0100
From: Karanbir Singh <kbsingh at centos.org>
Subject: [CentOS-announce] CentOS position on systems intrusion at Red
	Hat
To: CentOS-Announce <centos-announce at centos.org>,	CentOS mailing list
	<centos at centos.org>
Message-ID: <48AF3A81.3090903 at centos.org>
Content-Type: text/plain; charset=ISO-8859-1

Earlier in the day today Red Hat made an announcement [1] that there had been an
intrusion into some of their computer systems last week. In the same
announcement they mention that some of the packages for OpenSSH on RHEL-4 ( i386
and x86_64 ) as well as RHEL-5 ( x86_64 ) were signed by the intruder. In their
announcement they also clarified that they were confident that none of these,
potentially compromised, packages made their way into or through RHN to client
and customer machines. As a security measure a script [3] was made available
along with a semi-detailed description of the issue [2].

We take security issues very seriously, and as soon as we were made aware of the
situation I undertook a complete audit of the entire CentOS4/5 Build and Signing
infrastructure. We can now assure everyone that no compromise has taken place
anywhere within the CentOS Infrastructure. Our entire setup is located behind
multiple firewalls, and only accessible from a very small number of
places, by only a few people. Also included in this audit were all entry points
to the build services, signing machines, primary release machines and
connectivity between all these hosts.

Since OpenSSH is a critical component of any Linux machine, we considered it
essential to audit the last two released package sets (
openssh-4.3p2-26.el5.src.rpm, openssh-4.3p2-26.el5_2.1.src.rpm ). I have just
finished this code audit, and can assure everyone that there is no compromised
code included in either of these packages. A similar check is also being done
for the CentOS-4 sources.

Packages released today, by upstream, ( based on :
openssh-4.3p2-26.el5_2.1.src.rpm, openssh-3.9p1-11.el4_7.src.rpm ) address two
issues. Firstly they contain a fix for
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752 . And secondly, in
the remote event that someone had indeed got compromised packages via RHN, their
packages would get updated to a known good state. We wanted to get these
packages out right away to address the first issue, and also to cover users
converting non updated RHEL installs to CentOS in the next few weeks/months.
Release of these packages into the mirror.centos.org network does *not* imply
that CentOS users are affected by the intrusion at Red Hat.

Finally, while we feel confident that there is no possibility of this compromise
having been passed onto the CentOS userbase, we still encourage users to verify
their packages independently using whatever resources they might have available.

--

[1]: https://rhn.redhat.com/errata/RHSA-2008-0855.html

[2]: http://www.redhat.com/security/data/openssh-blacklist.html

[3]: https://www.redhat.com/security/data/openssh-blacklist-1.0.sh :Its
important to note that this script *only* checks for packages built within
Red Hat, and will *not* be a reliable source of verification on CentOS since we
rebuild from sources, using no Red Hat binary.

-- 
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net



------------------------------

_______________________________________________
CentOS-announce mailing list
CentOS-announce at centos.org
http://lists.centos.org/mailman/listinfo/centos-announce


End of CentOS-announce Digest, Vol 42, Issue 6
**********************************************