[CentOS] Question on security issue alert from recent centos-announce

Sat Jul 4 23:55:11 UTC 2009
Ralph Angenendt <ra+centos at br-online.de>

Scott Ehrlich wrote:
> What exactly does the announcement mean to the CentOS community?

This is not an easy answer.

> From what point in the past to what point present/future should the
> user community be concerned?

This happened currently. And as far as we can say now it only concerned
our CMS (xoops in this case). And even there we are fairly sure that
nothing has happened - resetting all passwords was a measure to make
sure that *if* we had a compromised account, the attacker wouldn't be
able to use the same password.

> Once you find the final culprit, how sure will you be whether any
> issue is/was malicious vs benign?

I do not understand that question.

> Do you perform regular server checksums to compare what _might_ have
> changed (i.e. tripwire, etc)?

There are measures in place to provide at least a certain level of
security - which is hard in case of a CMS where other people have
logins.

> What is the level and mitigation of damage control - current and
> future?

What are you trying to get at? This issue *only* concerned our web
server. None of the machines actually "doing" the distribution are even
reachable by that machine.

> What additional specifics can we learn from you - from safe/tainted
> media checksum files to ISO media itself?  From keeping machines up
> and running to needing a fresh install?

As said before: None of the machines which are used for composing the
distribution are touched by this issue. These machines are not reachable
by the outside - and you always have signed packages.

> Could the same thing happen, or did it, with the upstream provider, or
> is it limited to the CentOS community?

We don't know. But as upstream does not use xoops, they probably did not
have that issue. Both sites being down was a coincidence.

The only machine which had a problem was the web server. And even there
we are fairly sure by now that the machine was not misused.

Ralph