Better to be forewarned!
From: CERT Advisory <[EMAIL PROTECTED]>
Date: Wed Aug 13, 2003 11:49:14 PM Europe/Zurich
To: [EMAIL PROTECTED]
Subject: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
Original issue date: August 13, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Overview
The CERT/CC has received a report that the system housing the primary FTP servers for the GNU software project was compromised.
I. Description
The GNU Project, principally sponsored by the Free Software Foundation (FSF), produces a variety of freely available software. The CERT/CC has learned that the system housing the primary FTP servers for the GNU software project, gnuftp.gnu.org, was root compromised by an intruder. The more common host names of ftp.gnu.org and alpha.gnu.org are aliases for the same compromised system. The compromise is reported to have occurred in March of 2003.
The FSF has released an announcement describing the incident.
Because this system serves as a centralized archive of popular software, the insertion of malicious code into the distributed software is a serious threat. As the above announcement indicates, however, no source code distributions are believed to have been maliciously modified at this time.
II. Impact
The potential exists for an intruder to have inserted back doors, Trojan horses, or other malicious code into the source code distributions of software housed on the compromised system.
III. Solution
We encourage sites using the GNU software obtained from the compromised system to verify the integrity of their distribution. Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not always sufficient to rely on the timestamps or file sizes when trying to determine whether or not a copy of the file has been modified.
Verifying checksums
The FSF has produced PGP-signed lists of known-good MD5 hashes of the software packages housed on the compromised server. These lists can be found at
ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
Note that both of these files and the announcement above are signed by Bradley Kuhn, Executive Director of the FSF, with the following PGP key:
pub 1024D/DB41B387 1999-12-09 Bradley M. Kuhn <[EMAIL PROTECTED]>
Key fingerprint = 4F40 645E 46BE 0131 48F9 92F6 E775 E324 DB41 B387
uid Bradley M. Kuhn (bkuhn99) <[EMAIL PROTECTED]>
uid Bradley M. Kuhn <[EMAIL PROTECTED]>
sub 2048g/75CA9CB3 1999-12-09
The CERT/CC believes this key to be valid.
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see IN-2001-06.
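A worked illustration of the check the advisory recommends, added here and not part of the CERT advisory or of any FSF tooling: it parses a PGP-clearsigned md5sum list in the `md5sum` utility's "hex  path" line format (assumed to be the layout of the before-2003-08-01.md5sums.asc files), hashes a mirrored tree against it, and shows that a file overwritten in place with same-size content and a restored timestamp still fails the checksum comparison, while a size/mtime comparison would have passed it. The package paths, file contents and the placeholder digest are constructed sample data; the PGP signature on the list is assumed to have been checked beforehand with `gpg --verify` against the key above (the code does not do that, so it runs offline).

```python
"""Check a mirrored tree against a PGP-clearsigned md5sum list.

Added example, not from the CERT advisory or the FSF. Assumes the list
uses the md5sum utility's "<32 hex>  <path>" lines inside a clearsign
block; the signature itself must already have been verified with
`gpg --verify` (not done here). All paths and contents below are
constructed sample data, not real GNU packages.
"""
import hashlib
import os
import re
import tempfile

MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})  (\S.*)$")


def parse_md5sum_list(text):
    """Return {path: md5hex} from a clearsigned md5sum list.

    Armor lines (BEGIN/END markers, the Hash: header, the signature
    block) are skipped; clearsign dash-escaping ("- " prefix) is undone.
    """
    sums = {}
    in_signature = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
            continue
        if in_signature:
            if line.startswith("-----END PGP SIGNATURE-----"):
                in_signature = False
            continue
        if line.startswith("- "):
            line = line[2:]
        m = MD5_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def md5_of_file(path):
    """Stream the file through MD5 so large tarballs are not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, expected):
    """Compare each listed path under root with its known-good MD5.

    Returns {path: "OK" | "FAILED" | "MISSING"}, like `md5sum -c`.
    """
    report = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "MISSING"
        elif md5_of_file(full) == digest:
            report[rel] = "OK"
        else:
            report[rel] = "FAILED"
    return report


def demo():
    """Constructed scenario: a pristine tree, its known-good list, then one
    tarball overwritten in place with same-length content and restored mtime."""
    root = tempfile.mkdtemp(prefix="gnu-mirror-")
    files = {
        "gnu/hello/hello-2.1.1.tar.gz": b"pristine hello tarball bytes\n",
        "gnu/tar/tar-1.13.tar.gz": b"pristine tar tarball bytes\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # The known-good list, as it would have been generated from the clean tree.
    body = "".join(f"{md5_of_file(os.path.join(root, r))}  {r}\n" for r in files)
    # A package listed but absent from this mirror (placeholder digest).
    body += "0" * 32 + "  gnu/emacs/emacs-21.3.tar.gz\n"
    signed_list = (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
        + body
        + "-----BEGIN PGP SIGNATURE-----\n\n"
        "(signature bytes omitted in this constructed sample)\n"
        "-----END PGP SIGNATURE-----\n"
    )
    # Tamper with one file, keeping its length, then put the old mtime back.
    target = os.path.join(root, "gnu/hello/hello-2.1.1.tar.gz")
    before = os.stat(target)
    with open(target, "wb") as f:
        f.write(b"TROJANED hello tarball bytes\n")  # same length as the original
    os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
    after = os.stat(target)
    size_and_mtime_unchanged = (
        before.st_size == after.st_size and before.st_mtime_ns == after.st_mtime_ns
    )
    report = verify_tree(root, parse_md5sum_list(signed_list))
    return report, size_and_mtime_unchanged


if __name__ == "__main__":
    report, unchanged = demo()
    print("size/mtime comparison would have passed:", unchanged)
    for path, status in sorted(report.items()):
        print(f"{status:8} {path}")
```

Running the script reports FAILED for the altered tarball, OK for the untouched one and MISSING for the listed-but-absent package, with the size/mtime comparison still reporting the altered file as unchanged, which is the point the advisory makes about timestamps and file sizes.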
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Free Software Foundation
The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have all been verified, and their md5sums and the reasons we believe the md5sums can be trusted are in:
ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
We are updating that file and the site as we confirm good md5sums of additional files. It is theoretically possible that downloads between March 2003 and July 2003 might have been source-compromised, so we encourage everyone to re-download sources and compare with the current copies for files on the site.
Appendix B. References
* FSF announcement regarding the incident - ftp://ftp.gnu.org/MISSING-FILES.README
* CERT Incident Note IN-2001-06 - http://www.cert.org/incident_notes/IN-2001-06.html
_________________________________________________________________
The CERT/CC thanks Bradley Kuhn and Brett Smith of the Free Software Foundation for their timely assistance in this matter.
_________________________________________________________________
Feedback can be directed to the author: Chad Dougherty.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-21.html
______________________________________________________________________
CERT/CC Contact Information
Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send email to [EMAIL PROTECTED] Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
August 13, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
OeyQrFbsq54=
=/72G
-----END PGP SIGNATURE-----
_______________________________________________
gull mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull