[PLUG] [aafugit] Re: [QCLUG] Debian Compromised (fwd)

David Fleck david.fleck at mchsi.com
Fri Nov 21 18:06:02 UTC 2003


fyi-

just saw this on another LUG mailing list.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

--
David Fleck
david.fleck at mchsi.com


---------- Forwarded message ----------
Date: Fri, 21 Nov 2003 09:36:32 -0600
Reply-To: aafugit at aafugit.org
To: qclug at qclug.org
Cc: aafugit at aafugit.org
Subject: [aafugit] Re: [QCLUG] Debian Compromised

On Fri, Nov 21, 2003 at 08:03:46AM -0600, Nick Welch wrote:
> I first saw this on debian-user, and it was at one point labeled a hoax,
> and never really officially confirmed/denied as far as I saw.  But
> there's this:

> http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

> And now I find out that Martin Schulz is a high up debian person (and I
> asked on irc so of course I was met with "if you don't know who he is,
> you don't deserve to be alive" type of response), and the message is
> signed.

Martin Schulze is the press officer and the stable release manager for
Debian.

This is real.

At this time, only master, murphy, gluck, and klecker are known to be
affected; notably, the master ftp server (auric) is not on this list, so
there is as yet no evidence to suggest the main archive has been
compromised.  Of course, given the timing, care has been taken to ensure
that the 3.0r2 release was completely clean as noted in Martin's email.

> So, hold off on any package updates until further notice, I guess.

Yes, it's quite frustrating to not be able to push any updated packages
into unstable right now... ;)

-- 
Steve Langasek
postmodern programmer



