Re: Question on security issue alert from recent centos-announce




Scott Ehrlich wrote:
> What exactly does the announcement mean to the CentOS community?

This is not an easy answer.

> From what point in the past to what point present/future should the
> user community be concerned?

This happened currently. And as far as we can say now it only concerned
our CMS (xoops in this case). And even there we are fairly sure that
nothing has happened - resetting all passwords was a measure to make
sure that *if* we had a compromised account, the attacker wouldn't be
able to use the same password.

> Once you find the final culprit, how sure will you be whether any
> issue is/was malicious vs benign?

I do not understand that question.

> Do you perform regular server checksums to compare what _might_ have
> changed (i.e. tripwire, etc)?

There are measures in place to provide at least a certain level of
security - which is hard in case of a CMS where other people have
logins.

> What is the level and mitigation of damage control - current and
> future?

What are you trying to get at? This issue *only* concerned our web
server. None of the machines actually "doing" the distribution are even
reachable by that machine.

> What additional specifics can we learn from you - from safe/tainted
> media checksum files to ISO media itself? From keeping machines up
> and running to needing a fresh install?

As said before: None of the machines which are used for composing the
distribution are touched by this issue. These machines are not reachable
by the outside - and you always have signed packages.

> Could the same thing happen, or did it, with the upstream provider, or
> is it limited to the CentOS community?

We don't know. But as upstream does not use xoops, they probably did not
have that issue. Both sites being down was a coincidence.

The only machine which had a problem was the web server. And even there
we are fairly sure by now that the machine was not misused.

Ralph

Attachment: pgpFEZJNEnqeF.pgp
Description: PGP signature
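The thread mentions tripwire-style server checksums as a way to tell what might have changed on a compromised web host. The following is an added example, not code from the thread or from the CentOS project: a minimal file-integrity check that records a SHA-256 baseline of a web root, takes a second snapshot later, and reports added, removed and modified files. The directory layout and file contents (an `index.php`, a `modules/` directory, a `config.php`) are constructed for the demo and stand in for a CMS install; the "changes" are also constructed to show each report category.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_posix_path: sha256} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot smuggle
    in a hash of a file the check is not responsible for.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Diff two snapshots; each list is sorted so output is stable across runs."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: snapshot a fake web root, alter it, re-snapshot, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "html"
        (web / "modules").mkdir(parents=True)
        (web / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (web / "modules" / "news.php").write_text("<?php // news module ?>\n")
        (web / "config.php").write_text("<?php $db = 'placeholder'; ?>\n")

        baseline = build_baseline(web)  # in practice: store this off-host

        # Constructed changes, one per report category.
        (web / "index.php").write_text("<?php echo 'edited'; ?>\n")   # modified
        (web / "modules" / "extra.php").write_text("<?php ?>\n")       # added
        (web / "config.php").unlink()                                  # removed

        return compare(baseline, build_baseline(web))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats a practitioner would add. First, the baseline is only useful if an intruder cannot rewrite it, so it belongs on read-only media or another host, which is what tools like tripwire and AIDE arrange for. Second, on a CentOS box `rpm -Va` already verifies files that came from packages against the RPM database, and `rpm --checksig` verifies package signatures, which is the "signed packages" guarantee Ralph refers to; neither covers content that was never packaged, such as a CMS tree under the web root, which is exactly where a check like the one above is needed.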

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
