On 21-09-15 15:05, SCHAER Frederic wrote:
> Hi,
>
> Forgive the question if the answer is obvious... It's been more than "an hour or so" and eu.ceph.com apparently still hasn't been re-signed or at least what I checked wasn't :
>
> # rpm -qp --qf '%{RSAHEADER:pgpsig}' http://eu.ceph.com/rpm-hammer/el7/x86_64/ceph-0.94.3-0.el7.centos.x86_64.rpm
> RSA/SHA1, Wed 26 Aug 2015 09:57:17 PM CEST, Key ID 7ebfdd5d17ed316d
>
> Should this repository/mirror be discarded and should we (in EU) switch to download.ceph.com ?
I fixed eu.ceph.com by putting a Varnish HTTP cache in between which now
links to ceph.com
You can still use eu.ceph.com and should be able to do so.
eu.ceph.com caches all traffic so that should be much snappier then
downloading everything from download.ceph.com directly.
Wido
>
> Thanks && regards
>
>
> -----Message d'origine-----
> De : ceph-users [mailto:ceph-users-bounces@xxxxxxxxxxxxxx] De la part de Sage Weil
> Envoyé : jeudi 17 septembre 2015 18:30
> À : ceph-announce@xxxxxxxx; ceph-devel@xxxxxxxxxxxxxxx; ceph-users@xxxxxxxx; ceph-maintainers@xxxxxxxx
> Objet : Important security noticed regarding release signing key
>
> Last week, Red Hat investigated an intrusion on the sites of both the Ceph
> community project (ceph.com) and Inktank (download.inktank.com), which
> were hosted on a computer system outside of Red Hat infrastructure.
>
> Ceph.com provided Ceph community versions downloads signed with a Ceph
> signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases
> of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed
> with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation
> into the intrusion is ongoing, our initial focus was on the integrity of
> the software and distribution channel for both sites.
>
> To date, our investigation has not discovered any compromised code or
> binaries available for download on these sites. However, we cannot fully
> rule out the possibility that some compromised code or binaries were
> available for download at some point in the past. Further, we can no
> longer trust the integrity of the Ceph signing key, and therefore have
> created a new signing key (id E84AC2C0460F3994) for verifying downloads.
> This new key is committed to the ceph.git repository and is
> also available from
>
> https://git.ceph.com/release.asc
>
> The new key should look like:
>
> pub 4096R/460F3994 2015-09-15
> uid Ceph.com (release key) <security@xxxxxxxx>
>
> All future release git tags will be signed with this new key.
>
> This intrusion did not affect other Ceph sites such as download.ceph.com
> (which contained some older Ceph downloads) or git.ceph.com (which mirrors
> various source repositories), and is not known to have affected any other
> Ceph community infrastructure. There is no evidence that build system or
> the Ceph github source repository were compromised.
>
> New hosts for ceph.com and download.ceph.com have been created and the
> sites have been rebuilt. All content available on download.ceph.com as
> been verified, and all ceph.com URLs for package locations now redirect
> there. There is still some content missing from download.ceph.com that
> will appear later today: source tarballs will be regenerated from git, and
> older release packages are being resigned with the new release key DNS
> changes are still propogating so you may not see the new versions of the
> ceph.com and download.ceph.com sites for another hour or so.
>
> The download.inktank.com host has been retired and affected Red Hat
> customers have been notified, further information is available at
> https://securityblog.redhat.com/2015/09/17/.
>
> Users of Ceph packages should take action as a precautionary measure to
> download the newly-signed versions. Please see the instructions below.
>
> The Ceph community would like to thank Kai Fabian for initially alerting
> us to this issue.
>
> Any questions can be directed to the email discussion lists or the #ceph
> IRC channel on irc.oftc.net.
>
> Thank you!
> sage
>
> -----
>
> The following steps should be performed on all nodes with Ceph software
> installed.
>
> Replace APT keys (Debian, Ubuntu)
>
> sudo apt-key del 17ED316D
> curl https://git.ceph.com/release.asc | sudo apt-key add -
>
> Replace RPM keys (Fedora, CentOS, SUSE, etc.)
>
> sudo rpm -e --allmatches gpg-pubkey-17ed316d-4fb96ee8
> sudo rpm --import 'https://git.ceph.com/release.asc'
>
> Reinstalling packages (Fedora, CentOS, SUSE, etc.)
>
> sudo yum clean metadata
> sudo yum reinstall -y $(repoquery --disablerepo= --enablerepo=ceph \
> --queryformat='%{NAME}' list '*')
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
