Clarrification on whether portsnap was affected by the 2012 compromise
John Bayly
john.bayly at tipstrade.net
Tue Nov 20 12:48:08 UTC 2012
On 20/11/12 12:15, Gary Palmer wrote:
> On Tue, Nov 20, 2012 at 10:49:13AM +0000, John Bayly wrote:
>> Regarding the 2012 compromise, I'm a little confused as to what was and
>> wasn't affected:
>>
>> >From the release:
>>> or of any ports compiled from trees obtained via any means other than
>>> through svn.freebsd.org or one of its mirrors
>> Does that mean that any ports updated using the standard "portsnap
>> fetch" may have been affected, I'm guessing yes.
>>
> " We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted. "
I suppose that implies that the previous portsnap snapshots couldn't be
[completely] trusted. Basically I wanted to know whether I had to go
through all the ports I've updated from the snapshots within the given
time frame and to a portupgrade --force on them. In the end I decided
yes (luckily it's only on a single box)
More information about the freebsd-security
mailing list