Slashdot Mirror


Debian Server Compromised

Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it." gluck is a core development machine."

3 of 349 comments

  1. Re:Once is ok, but twice is too much... by Josh Triplett · Score: 5, Informative
    First we had the hack into the repository servers, and we didn't know whether or not we were running exploited code when we used apt-get to update our programs.

    No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.
  2. Re:Question by Nutria · · Score: 5, Informative
    I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

    http://www.debian.org/security/

    Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.

    --
    "I don't know, therefore Aliens" Wafflebox1
  3. Re:Once is ok, but twice is too much... by YU Nicks NE Way · Score: 5, Informative

    You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right? In order to actually subvert the downloads, an attacker would not only need to take over the system, but would also need to sign the modified download with a Microsoft key. That's hard: the private keys for signing code are kept on a machine inside a SCIF. Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.
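The property the comment above relies on (and the worry in comment 1 about pulling exploited code from a compromised repository) is that a download server only ever holds packages plus signatures, while the signing key lives elsewhere; a client that pins the publisher's public key rejects anything the server operator, or whoever has taken the server over, changes after signing. The following added example is not code from Slashdot, Debian or Microsoft; it is an illustration of that check in Go with a stand-in Ed25519 key (Windows Update uses Authenticode/RSA, and Debian's archive signing is GPG-based, so the key type, the `Manifest` layout and the package names are all assumptions made here).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the (network-facing) update server publishes next to a
// package: the package's SHA-256 and a signature over name || digest.
// Layout is hypothetical; it is just enough for the check below.
type Manifest struct {
	Name   string
	SHA256 [32]byte
	Sig    []byte
}

// signedMessage binds the digest to the package name so that a valid
// signature for one package cannot be re-used under another name.
func signedMessage(name string, digest [32]byte) []byte {
	return append([]byte(name+"\x00"), digest[:]...)
}

// SignPackage is what runs on the offline signing host. Only pkg bytes are
// carried over to it; the private key never touches the download server.
func SignPackage(priv ed25519.PrivateKey, name string, pkg []byte) Manifest {
	digest := sha256.Sum256(pkg)
	return Manifest{Name: name, SHA256: digest, Sig: ed25519.Sign(priv, signedMessage(name, digest))}
}

// VerifyPackage is what the client runs with the pinned publisher key before
// installing anything. A compromised server can rewrite pkg and Manifest at
// will, but cannot produce a Sig that verifies under pub without priv.
func VerifyPackage(pub ed25519.PublicKey, m Manifest, pkg []byte) error {
	digest := sha256.Sum256(pkg)
	if digest != m.SHA256 {
		return errors.New("package bytes do not match manifest digest")
	}
	if !ed25519.Verify(pub, signedMessage(m.Name, digest), m.Sig) {
		return errors.New("manifest signature invalid under pinned publisher key")
	}
	return nil
}

func main() {
	// Publisher key pair: pub is pinned in the client, priv stays offline.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample package bytes (not a real .deb).
	pkg := []byte("constructed package contents: foo 1.0")
	m := SignPackage(priv, "foo_1.0.deb", pkg)
	fmt.Println("digest:", hex.EncodeToString(m.SHA256[:]))
	fmt.Println("genuine package:", VerifyPackage(pub, m, pkg))

	// Server-side tampering after signing: the digest check catches it.
	backdoored := append([]byte{}, pkg...)
	backdoored = append(backdoored, []byte(" + backdoor")...)
	fmt.Println("modified package, old manifest:", VerifyPackage(pub, m, backdoored))

	// Attacker also rewrites the manifest digest: now the signature fails.
	m2 := m
	m2.SHA256 = sha256.Sum256(backdoored)
	fmt.Println("modified package, re-digested manifest:", VerifyPackage(pub, m2, backdoored))

	// Attacker signs with a key of their own: wrong key, still rejected.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	m3 := SignPackage(attackerPriv, "foo_1.0.deb", backdoored)
	fmt.Println("modified package, attacker-signed manifest:", VerifyPackage(pub, m3, backdoored))
}
```

The three failure cases in `main` are the moves available to someone who owns only the download server: change the bytes, change the bytes and the advertised digest, or re-sign with a key they control. None verifies under the pinned key, which is why the comment's "would also need to sign the modified download with a Microsoft key" is the whole game, and why the signing key belongs on an air-gapped host rather than on the server that was compromised.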