from debian-private:

On Mon, Aug 18, 2003 at 02:51:55AM +0000, Robert Millan wrote:
>
> Hi there,
>
> As you might have already heard, a root compromise, which presumably has been
> there for two months, was recently detected in {ftp,alpha}.gnu.org
> (read http://ftp.gnu.org/MISSING-FILES.README for details)
>
> The following paragraph should draw attention for Debian:
>
> "The modus operandi of the cracker shows that (s)he was interested primarily
> in using gnuftp to collect passwords and as a launching point to attack other
> machines."
>
> 1) Some Debian developers do also have GNU accounts, in case any of them
> had the (bad, bad) idea of accessing a Debian machine from ftp.gnu.org
> this could compromise the Debian machine park.
>
> 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
> the March-July period, and most of GNU packages have their corresponding
> packages in the Debian archive. It is clear there's a risk that the Debian
> archive could have been compromised.
>
> What do you suggest to do? First, can this discussion be disclosed? (e.g.
> into debian-security). Then how can we deal with these two problems? Would
> an alert message to -devel-announce suffice?
--
Robert Millan

"[..] but the delight and pride of Aule is in the deed of making, and in
the thing made, and neither in possession nor in his own mastery; wherefore
he gives and hoards not, and is free from care, passing ever on to some
new work."
-- J.R.R.T, Ainulindale (Silmarillion)
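The first risk the post raises, a Debian host reached over ssh from the compromised gnuftp during the compromise window, is something a host admin would go looking for in sshd logs. The script below is an added example, not code from the post or from Debian's own tooling; the auth.log lines, the host name, the source address 192.0.2.10 and the exact window boundaries are constructed placeholders, since the post does not give the compromised hosts' addresses.

```python
import re
from datetime import datetime

# Constructed sample sshd lines (not from the post). Syslog omits the year,
# so the year is supplied separately when parsing.
SAMPLE_AUTH_LOG = """\
Apr  2 11:04:17 debhost sshd[1234]: Accepted password for alice from 192.0.2.10 port 40122 ssh2
May 19 23:51:02 debhost sshd[2345]: Accepted publickey for bob from 198.51.100.7 port 51234 ssh2
Jun  7 03:12:44 debhost sshd[3456]: Accepted password for carol from 192.0.2.10 port 42001 ssh2
Aug 20 09:30:00 debhost sshd[4567]: Accepted publickey for alice from 192.0.2.10 port 44444 ssh2
Jun  9 14:00:01 debhost sshd[5678]: Failed password for dave from 203.0.113.5 port 39000 ssh2
"""
# Placeholder: the investigator supplies the compromised host's real address(es);
# 192.0.2.10 is a documentation address used only for this constructed sample.
SUSPECT_SOURCES = {"192.0.2.10"}
# The post says "the March-July period"; the window is assumed to be [1 Mar, 1 Aug).
WINDOW_START = datetime(2003, 3, 1)
WINDOW_END = datetime(2003, 8, 1)

LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_login(line, year):
    """Return (timestamp, host, user, method, src) for an 'Accepted' sshd line, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["method"], m["src"]

def suspect_logins(log_text, year=2003, sources=SUSPECT_SOURCES,
                   start=WINDOW_START, end=WINDOW_END):
    """Successful logins from a suspect source whose timestamp falls in [start, end)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_login(line, year)
        if rec is None:          # failed attempts and unrelated lines are skipped
            continue
        ts, host, user, method, src = rec
        if src in sources and start <= ts < end:
            hits.append({"when": ts, "host": host, "user": user, "method": method, "src": src})
    return hits
```

Running `suspect_logins(SAMPLE_AUTH_LOG)` on the sample flags the April and June logins from the placeholder address; the August one falls outside the window, and each flagged account is a candidate for credential rotation and a closer look at what that session did.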