On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
> >> Actually, some php.net machines have been compromised and prevent us
> >> from releasing 5.6.1.
[...]
> All the source and binary releases along with git is safe.

To be more precise: The machine used to package up the releases shows
some traces of an infection. Recent releases are being reviewed and show
no traces of anything being injected there; still, we are not comfortable
with using the box to build new tarballs ;)

Short FAQ:

Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed nature along with our automatic mirroring
to github serve as further mitigation for potential issues.

Q: Are downloads from php.net/downloads affected?
A: The attack would happen during creating the release tarballs. Recent
releases are being reviewed and show no traces of modifications.

Q: Are downloads from windows.php.net affected?
A: Windows builds are created from release tarballs. If those were
infected this might affect Windows, too. But no such infection could be
found.

Q: Why are releases actually built on some server instead of RM's
machines?
A: The git repository is not directly usable by end users as it contains
only the individual config.m4 files etc. and no complete configure
script and only some parsers in raw form and not the generated C file.
As we want to ensure reliable behavior we use a machine with specific
versions of bison, autoconf and other tools. See the make_dist script in
php-src for details of what's being made.

Q: Are snaps or RC releases affected?
A: I do not know, but know of no traces.

Q: Are other boxes affected, could the attacker steal credentials?
A: Login to the box happens via ssh keypairs, so no secret credentials
reach the box on login. If a user provided a password (i.e. for running
sudo) while the box was infected, this might be compromised. This won't
affect other php.net systems, though, as those are only reachable via
specific servers using two-factor authentication (or actually
three-factor: ssh key, ssh key passphrase and one-time passcode
(RFC6238)).

johannes



-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
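
The kind of review the message describes, checking a release tarball against the git repository, sketched as an added example (not part of the original e-mail and not PHP's own tooling). It assumes the release tarball and an export of the tagged git tree are both tar archives with a single top-level directory; the helper names, file names and contents are constructed for illustration.

```python
import hashlib
import io
import tarfile


def digests(tar_bytes):
    """Map each regular file's path (top-level directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                out[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def audit_release(release_tar, git_tar):
    """Compare a release tarball with an export of the tagged git tree."""
    rel, git = digests(release_tar), digests(git_tar)
    return {
        # Tracked files whose content differs from git: never expected.
        "modified": sorted(p for p in rel if p in git and rel[p] != git[p]),
        # Files only in the tarball: generated output (configure, parsers)
        # that has to be regenerated and reviewed separately.
        "tarball_only": sorted(p for p in rel if p not in git),
        # Tracked files that did not make it into the tarball.
        "missing": sorted(p for p in git if p not in rel),
    }


def make_tar(prefix, files):
    """Build an in-memory tarball from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: names and contents are illustrative only.
GIT_TREE = {"main/main.c": b"int main(void){return 0;}\n",
            "ext/foo/config.m4": b"PHP_ARG_ENABLE(foo)\n", "README": b"readme\n"}
RELEASE = {"main/main.c": b"int main(void){return 1;}\n",
           "ext/foo/config.m4": b"PHP_ARG_ENABLE(foo)\n", "configure": b"#!/bin/sh\n"}

if __name__ == "__main__":
    print(audit_release(make_tar("php-x.y.z", RELEASE), make_tar("php-src", GIT_TREE)))
```

Files reported as `tarball_only` are where generated artifacts such as the configure script land, so they cannot be cleared by comparison with git alone.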