Slashdot Mirror


Debian Server Compromised

Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."

8 of 349 comments

  1. Question by Frogbert · Score: 4, Interesting

    I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

  2. Re:Once is ok, but twice is too much... by sqlrob · Score: 3, Interesting

    Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

    Are you sure about that? Remember, the MS network was compromised a while ago as well. Do you trust their auditing?

  3. What was exploited..? by paulmer2003 · Score: 3, Interesting

    Does anyone know what in particular was exploited? TFA doesn't give a flying fuck of information.

  4. Re:Once is ok, but twice is too much... by Waffle+Iron · Score: 3, Interesting

    If you remember, the incident in question involved someone loose for weeks or months on Microsoft's internal networks before they were discovered. It wouldn't have been impossible for them to modify the code before it got signed. Microsoft had to spend a great deal of effort to try to verify that such a thing didn't actually happen.

  5. Dear Hackers by SnowZero · Score: 3, Interesting

    Dear Hackers,

    If you manage to hack into the main repository, please fix this bug. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.

    If you hack, do it for the right reasons.

  6. Re:Once is ok, but twice is too much... by mverwijs · Score: 2, Interesting

    ...only attempted to run x86 code.

    So they hacked in, and only ran x86 code? Sounds like a script kiddie to me.

    /me ponders on the enormity of that thought.

  7. Re:"...with your high UID"... by monsted · Score: 2, Interesting

    He was lying!

    I wonder if I could sell a 4-digit /. UID on eBay just like they did with ICQ numbers years ago (where 5-digit IDs sold for small fortunes).

  8. Re:This has been said before... by vadim_t · Score: 2, Interesting

    Gentoo, IMO, is nice for many reasons that have nothing to do with speed:

    First, USE flags allow precise control of what you want to be installed. If a package supports gnome, and I don't want gnome stuff, I just add "-gnome" in the USE flags. Debian would either force me to install Gnome libraries, or have to provide several versions.

    Second, compiling from source means I can get a benefit from things like stack protection in GCC instead of having to wait for Debian to rebuild every package, which may never happen.

    Third, since Gentoo builds everything from source, if you want to build something yourself, especially things like KDE, you already have all the tools in place. In comparison, in Debian it requires hunting for -dev packages and running ./configure 20 times until it works. There's apt-run, but it's not perfect, and tends to install completely unnecessary compatibility packages and such.

    Also, you can often get versions not in the official repository by simply bumping the ebuild's version number manually.