CentOS - Jul 2009 - Question on security issue alert from recent centos-announce

What exactly does the announcement mean to the CentOS community?
>From what point in the past to what point present/future should the
user community be concerned?

Once you find the final culprit, how sure will you be whether any
issue is/was malicious vs benign?

Do you perform regular server checksums to compare what _might_ have
changed (i.e. tripwire, etc)?

What is the level and mitigation of damage control - current and future?

What additional specifics can we learn from you - from safe/tainted
media checksum files to ISO media itself?  From keeping machines up
and running to needing a fresh install?

Could the same thing happen, or did it, with the upstream provider, or
is it limited to the CentOS community?

Thank you.

Scott

Scott Ehrlich wrote:
> What exactly does the announcement mean to the CentOS community?
This is not an easy answer.
> From what point in the past to what point present/future should the
> user community be concerned?
This happened currently. And as far as we can say now it only concerned
our CMS (xoops in this case). And even there we are fairly sure that
nothing has happened - resetting all passwords was a measure to make
sure that *if* we had a compromised account, the attacker wouldn't be
able to use the same password.
> Once you find the final culprit, how sure will you be whether any
> issue is/was malicious vs benign?
I do not understand that question.
> Do you perform regular server checksums to compare what _might_ have
> changed (i.e. tripwire, etc)?
There are measures in place to provide at least a certain level of
security - which is hard in case of a CMS where other people have
logins.
> What is the level and mitigation of damage control - current and
> future?
What are you trying to get at? This issue *only* concerned our web
server. None of the machines actually "doing" the distribution are
even
reachable by that machine.
> What additional specifics can we learn from you - from safe/tainted
> media checksum files to ISO media itself?  From keeping machines up
> and running to needing a fresh install?
As said before: None of the machines which are used for composing the
distribution are touched by this issue. These machines are not reachable
by the outside - and you always have signed packages. 
> Could the same thing happen, or did it, with the upstream provider, or
> is it limited to the CentOS community?
We don't know. But as upstream does not use xoops, they probably did not
have that issue. Both sites being down was a coincidence.

The only machine which had a problem was the web server. And even there
we are fairly sure by now that the machine was not misused.

Ralph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL:
<http://lists.centos.org/pipermail/centos/attachments/20090705/bc148a8e/attachment-0003.sig>

On Sat, Jul 4, 2009 at 7:55 PM, Ralph Angenendt<ra+centos at br-online.de>
wrote:
> Scott Ehrlich wrote:
>
>> What is the level and mitigation of damage control - current and
>> future?
>
> What are you trying to get at? This issue *only* concerned our web
> server. None of the machines actually "doing" the distribution
are even
> reachable by that machine.
That is what I needed to know.

I re-read the announcement, and the extent of reported damage wasn't
convincingly clear to me that all was well.

Your response above has validated and confirmed the data of concern
(the distro files) are ok (unless we learn otherwise).

All is well.

Thank you.

Scott