A complete revision history is at the end of this file.
The CERT/CC has received a report that the system housing the primary FTP servers for the GNU software project was compromised.
The GNU Project, principally sponsored by the Free Software Foundation (FSF), produces a variety of freely available software. The CERT/CC has learned that the system housing the primary FTP servers for the GNU software project, gnuftp.gnu.org, was root compromised by an intruder. The more common host names of ftp.gnu.org and alpha.gnu.org are aliases for the same compromised system. The compromise is reported to have occurred in March of 2003.
The FSF has released an announcement describing the incident.
Because this system serves as a centralized archive of popular software, the insertion of malicious code into the distributed software is a serious threat. As the above announcement indicates, however, no source code distributions are believed to have been maliciously modified at this time.
The potential exists for an intruder to have inserted back doors, Trojan horses, or other malicious code into the source code distributions of software housed on the compromised system.
We encourage sites using the GNU software obtained from the compromised system to verify the integrity of their distribution.
Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not always sufficient to rely on the timestamps or file sizes when trying to determine whether or not a copy of the file has been modified.
The FSF has produced PGP-signed lists of known-good MD5 hashes of the software packages housed on the compromised server. These lists can be found at
Note that both of these files and the announcement above are signed by Bradley Kuhn, Executive Director of the FSF, with the following PGP key:
pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn@fsf.org>
     Key fingerprint = 4F40 645E 46BE 0131 48F9 92F6 E775 E324 DB41 B387
uid                            Bradley M. Kuhn (bkuhn99) <bkuhn@ebb.org>
uid                            Bradley M. Kuhn <bkuhn@gnu.org>
sub  2048g/75CA9CB3 1999-12-09
The CERT/CC believes this key to be valid.
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see IN-2001-06.
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
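One way to carry out the verification described above, as an added example that is not part of this advisory or of the FSF's tooling: it parses a checksum list in the format produced by `md5sum` (assumed here to be the format of the FSF's .md5sums files; the PGP signature on the .asc file must be checked with gpg before the list is trusted), recomputes the MD5 of each listed file in a local mirror tree, and shows why the advice above about timestamps and sizes matters, since two files of identical size and mtime can still differ. All file names, contents and timestamps are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

NAMES = ("foo-1.0.tar.gz", "bar-2.0.tar.gz")  # constructed file names

def parse_md5sums(text):
    """Parse the `md5sum` list format ('<32 hex>  <path>'). Other lines, e.g. the
    PGP clearsign armour of a .asc file, are skipped; check that signature with gpg first."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32 and all(c in "0123456789abcdef" for c in parts[0].lower()):
            expected[parts[1].strip().lstrip("*")] = parts[0].lower()
    return expected

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, expected):
    """Map each listed path to 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for rel, digest in expected.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "MISSING"
        else:
            results[rel] = "OK" if md5_of_file(p) == digest else "MISMATCH"
    return results

def demo():
    """Constructed scenario: two mirrored files with identical size and mtime, one of
    them altered after the signed list was produced, plus a listed file that is absent."""
    root = Path(tempfile.mkdtemp())
    (root / "gnu").mkdir()
    good = b"#!/bin/sh\necho configure\n"
    bad = good.replace(b"configure", b"configurf")  # same length, one byte changed
    listing = "\n".join("%s  gnu/%s" % (hashlib.md5(good).hexdigest(), n)
                        for n in NAMES + ("baz-3.0.tar.gz",))
    for name, data in zip(NAMES, (good, bad)):
        (root / "gnu" / name).write_bytes(data)
        os.utime(root / "gnu" / name, (1046000000, 1046000000))  # identical timestamps
    st = [(root / "gnu" / n).stat() for n in NAMES]
    same_meta = st[0].st_size == st[1].st_size and st[0].st_mtime == st[1].st_mtime
    return verify_tree(root, parse_md5sums(listing)), same_meta
```

`demo()` returns the per-file verdicts together with a flag confirming that the good and altered files are indistinguishable by size and mtime alone.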
The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have all been verified, and their md5sums and the reasons we believe the md5sums can be trusted are in:
ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
We are updating that file and the site as we confirm good md5sums of additional files. It is theoretically possible that downloads between March 2003 and July 2003 might have been source-compromised, so we encourage everyone to re-download sources and compare with the current copies for files on the site.
The CERT/CC thanks Bradley Kuhn and Brett Smith of the Free Software Foundation for their timely assistance in this matter.
Feedback can be directed to the author: Chad Dougherty.
Copyright 2002 Carnegie Mellon University.
Revision History
August 13, 2003: Initial release