Open Source and information security mailing list archives
 
Date:	Sat, 1 Oct 2011 07:28:48 -0700
From:	Greg KH <greg@...ah.com>
To:	akwatts@...il.com
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for
 intrusion

On Sat, Oct 01, 2011 at 09:17:51AM -0500, akwatts@...il.com wrote:
> Greg, many thanks for providing these helpful hints for assessing 
> system integrity.
> 
> On Fri, Sep 30, 2011 at 04:59:24PM -0700, Greg KH wrote:
> > The compromise of kernel.org and related machines has made it clear that
> > some developers, at least, have had their systems penetrated.  As we
> > seek to secure our infrastructure, it is imperative that nobody falls
> > victim to the belief that it cannot happen to them.  We all need to
> > check our systems for intrusions.  Here are some helpful hints as
> > proposed by a number of developers on how to check to see if your Linux
> > machine might be infected with something:
> 
> I understand that git repos are protected from ex-post tampering by a
> rolling sha-1 hash. However, is it possible that code submissions were
> faked during the intrusion window and pulled by legitimate subsystem
> or system managers?
> 
> The intrusion on kernel.org has been dated as potentially weeks
> before 8/28 which means many tarballs (that common users rely on more
> than git) were posted after that.
> 
> Can we confirm a few things?

At this time, we are unable to discuss the events that took place due
to an ongoing investigation into the matter.  After that is complete, I
will be working to provide a report of what happened, but that will take
some time.

When www.kernel.org and git.kernel.org come back up, the kernels on them
will have been checked to be verified to be correct.  Everyone involved
is working as hard as they can to make that happen as soon as is
possible.

> c) can someone with verifiably clean code (i.e. not just downloads from
>    kernel.org) post checksums (md5,sha1,rmd160) for official tarball
>    releases since say 3/2011 (both full kernel and patches)?

You can do this today yourself from Linus's git tree if you want to,
it's very easy to script.  Just watch out for the fact that gzip puts
dates into the header, so you need to check the .tar file, not the
compressed ones.

thanks for your patience,

greg k-h
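
The gzip caveat in the reply above, as an added example that is not part of the original message: the same .tar compressed at two different times yields different compressed digests, because gzip stores a timestamp in its header, while the digest of the decompressed .tar is stable. The file names, contents and timestamps are constructed sample values, and SHA-256 is used here as the digest.

```python
import gzip
import hashlib
import io
import struct
import tarfile


def make_tar(files):
    """Build a deterministic in-memory .tar from {name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed so the tar bytes are reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_with_mtime(data, mtime):
    """Compress data, writing the given timestamp into the gzip header."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        gz.write(data)
    return buf.getvalue()


def gzip_header_mtime(blob):
    """Return the MTIME field: 4 little-endian bytes at offset 4 (RFC 1952)."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack_from("<I", blob, 4)[0]


def digest(data):
    return hashlib.sha256(data).hexdigest()


def tar_digest(gz_blob):
    """Digest of the decompressed .tar, which is the value to compare."""
    return digest(gzip.decompress(gz_blob))


# Constructed sample: the same tree compressed at two different times.
TAR = make_tar({"linux/Makefile": b"VERSION = 3\n", "linux/README": b"sample\n"})
GZ_A = gzip_with_mtime(TAR, 1314489600)
GZ_B = gzip_with_mtime(TAR, 1317452928)

if __name__ == "__main__":
    print("compressed digests equal:", digest(GZ_A) == digest(GZ_B))
    print("tar digests equal:       ", tar_digest(GZ_A) == tar_digest(GZ_B))
```
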