Hi all,
I just took net/pear-Net_SMTP as an example and compared it with "make
makesum" SHA256 and SIZE.
The values are the same. So the packages are not compromised.
But today I will start testing all PEAR ports for different values. This
can unfortunately take time.
If a port has different values, it would be good to mark it as BROKEN
and if the project is on GitHub, to switch.
Greetings
Jochen
On 21.01.19 21:23, Remko Lodder wrote:
Hi Stefan,
On 21 Jan 2019, at 21:18, Stefan Bethke <[email protected]> wrote:
I’ve just learned that the repository for the PHP PEAR set of extensions had
their distribution server compromised.
https://twitter.com/pear/status/1086634503731404800
I don’t really work with PHP much apart from installing packages of popular PHP
web apps on my servers, so I can’t tell whether this code made it onto machines
building from PEAR sources, or even into FreeBSD binary packages of PEAR
extensions. Given the large user base for these packages, some advice to
FreeBSD users might be well received.
Thank you for sending the heads-up to the FreeBSD users.
I have CC’ed ports-secteam, they will handle with due care when more
information is available and they can act upon something.
I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure
whether he maintains all the pear ports as well.
Again, thank you.
Best regards,
Remko
Hat: Security Team
Thanks,
Stefan
--
Stefan Bethke <[email protected]> Fon +49 151 14070811
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
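The comparison described in the first message (a port's recorded SHA256 and SIZE against the distfile actually fetched) can be scripted across many ports. This is an added example, not code from anyone in this thread or from the FreeBSD ports tools; the file name `PEAR/Example_Pkg-0.0.0.tgz` and its contents are constructed, and the `distinfo` line format is the one used in the ports tree.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# distinfo lines: "SHA256 (PEAR/Foo-1.0.tgz) = <hex>" and "SIZE (PEAR/Foo-1.0.tgz) = <bytes>"
ENTRY = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {relative_path: {"SHA256": hex, "SIZE": int}}; TIMESTAMP lines are skipped."""
    wanted = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            kind, name, value = m.groups()
            wanted.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return wanted

def check_distfiles(distinfo_text, distdir):
    """Compare every file named in distinfo with the copy under distdir.
    Returns a list of (name, problem) tuples; an empty list means all match."""
    problems = []
    for name, want in parse_distinfo(distinfo_text).items():
        path = Path(distdir) / name
        if not path.is_file():
            problems.append((name, "missing"))
            continue
        if "SHA256" not in want or "SIZE" not in want:
            problems.append((name, "incomplete distinfo entry"))
            continue
        data = path.read_bytes()
        if len(data) != want["SIZE"]:
            problems.append((name, "SIZE mismatch"))
        if hashlib.sha256(data).hexdigest() != want["SHA256"]:
            problems.append((name, "SHA256 mismatch"))
    return problems

def demo():
    """Constructed sample: record distinfo for a file, then change one byte of the file."""
    name, original = "PEAR/Example_Pkg-0.0.0.tgz", b"constructed distfile contents\n"
    distinfo = (f"TIMESTAMP = 0\nSHA256 ({name}) = {hashlib.sha256(original).hexdigest()}\n"
                f"SIZE ({name}) = {len(original)}\n")
    with tempfile.TemporaryDirectory() as distdir:
        target = Path(distdir) / name
        target.parent.mkdir(parents=True)
        target.write_bytes(original)
        clean = check_distfiles(distinfo, distdir)
        target.write_bytes(original.replace(b"file", b"fiLe"))  # same size, different content
        return clean, check_distfiles(distinfo, distdir)

if __name__ == "__main__":
    print(demo())
```

A match only shows that the fetched file is identical to the one present when the `distinfo` was recorded; it says nothing about whether that recorded file was itself clean.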