[CentOS-announce] CentOS position on systems intrusion at Red Hat


Earlier in the day today Red Hat made an announcement [1] that there had been an intrusion into some of their computer systems last week. In the same announcement they mention that some of the packages for OpenSSH on RHEL-4 (i386 and x86_64) as well as RHEL-5 (x86_64) were signed by the intruder. In their announcement they also clarified that they were confident that none of these potentially compromised packages made their way into or through RHN to client and customer machines. As a security measure a script [3] was made available along with a semi-detailed description of the issue [2].

We take security issues very seriously, and as soon as we were made aware of the situation I undertook a complete audit of the entire CentOS4/5 Build and Signing infrastructure. We can now assure everyone that no compromise has taken place anywhere within the CentOS Infrastructure. Our entire setup is located behind multiple firewalls, and is only accessible from a very small number of places, by only a few people. Also included in this audit were all entry points to the build services, signing machines, primary release machines and connectivity between all these hosts.

Since OpenSSH is a critical component of any Linux machine, we considered it essential to audit the last two released package sets (openssh-4.3p2-26.el5.src.rpm, openssh-4.3p2-26.el5_2.1.src.rpm). I have just finished this code audit, and can assure everyone that there is no compromised code included in either of these packages. A similar check is also being done for the CentOS-4 sources.

Packages released today by upstream (based on openssh-4.3p2-26.el5_2.1.src.rpm and openssh-3.9p1-11.el4_7.src.rpm) address two issues. Firstly, they contain a fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752 . Secondly, in the remote event that someone had indeed got compromised packages via RHN, their packages would get updated to a known good state. We wanted to get these packages out right away to address the first issue, and also to cover users converting non-updated RHEL installs to CentOS in the next few weeks/months. Release of these packages into the mirror.centos.org network does *not* imply that CentOS users are affected by the intrusion at Red Hat.

Finally, while we feel confident that there is no possibility of this compromise having been passed on to the CentOS userbase, we still encourage users to verify their packages independently using whatever resources they might have available.

--

 

[1]: https://rhn.redhat.com/errata/RHSA-2008-0855.html

[2]: http://www.redhat.com/security/data/openssh-blacklist.html

[3]: https://www.redhat.com/security/data/openssh-blacklist-1.0.sh : It's important to note that this script *only* checks for packages built within Red Hat, and will *not* be a reliable source of verification on CentOS since we rebuild from sources, using no Red Hat binary.

--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos ( -at -) irc.freenode.net
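An added example of the kind of independent check the announcement encourages; it is not part of the original post or of any CentOS or Red Hat tooling. It lists installed packages with the key ID recorded in each RPM signature header and flags any package that is unsigned or signed by a key outside a locally maintained allowlist; the allowlist value and the sample lines are constructed placeholders, while the `rpm` query tags used are standard.

```shell
#!/bin/sh
# Added example: report installed RPMs whose signature is missing or whose
# signing key is not one you have verified out of band. The default key ID
# below is a constructed placeholder; replace it with key IDs you trust.
TRUSTED_KEY_IDS="${TRUSTED_KEY_IDS:-0123456789abcdef}"

# Emit one "<nevra>|<signature summary>" line per installed package.
# rpm prints the summary as "<algo>, <date>, Key ID <16 hex digits>",
# or "(none)" when the package carries no signature.
query_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{SIGPGP:pgpsig}\n' "$@"
}

# Classify one "<nevra>|<sig>" line. Prints OK / UNSIGNED / UNTRUSTED and
# returns 0 only for packages signed by a key in TRUSTED_KEY_IDS.
classify_line() {
    line=$1
    nevra=${line%%|*}
    sig=${line#*|}
    case $sig in
        "(none)"|"")
            printf 'UNSIGNED %s\n' "$nevra"; return 1 ;;
    esac
    # The key ID is the last whitespace-separated field; normalise its case.
    keyid=$(printf '%s\n' "$sig" | awk '{print tolower($NF)}')
    for t in $TRUSTED_KEY_IDS; do
        if [ "$t" = "$keyid" ]; then
            printf 'OK %s %s\n' "$nevra" "$keyid"; return 0
        fi
    done
    printf 'UNTRUSTED %s %s\n' "$nevra" "$keyid"; return 1
}

# Classify every line on stdin; exit status is non-zero if anything is not OK.
audit_lines() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        classify_line "$l" || rc=1
    done
    return $rc
}

# On a real host:  query_installed 'openssh*' | audit_lines
# The header key ID is only a claim; follow up with "rpm -K" on the package
# files to verify the signatures cryptographically against your keyring.
```

The key ID check is cheap triage only: a package whose header names a trusted key still needs `rpm -K` (or `rpm --checksig`) run against the actual file before it counts as verified.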
