Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
From: Johannes Schlüter <johannes@schlueters.de>
To: Rasmus Lerdorf
Cc: Jan Ehrhardt, internals@lists.php.net
Date: Mon, 29 Sep 2014 17:04:12 +0200
Message-ID: <1412003052.13103.30.camel@kuechenschabe>
In-Reply-To: <46ABAB22-F304-4BC3-A3AE-02DE462565D2@lerdorf.com>

On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
> >> Actually, some php.net machines have been compromised and prevent us
> >> from releasing 5.6.1. [...]
> All the source and binary releases along with git is safe.

To be more precise: The machine used to package up the releases shows some traces of an infection. Recent releases are being reviewed and show no traces of anything being injected there; still, we are not comfortable with using the box to build new tarballs ;)

Short FAQ:

Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit identifiers and distributed nature along with our automatic mirroring to github serve as further mitigation for potential issues.

Q: Are downloads from php.net/downloads affected?
A: The attack would happen during creating the release tarballs. Recent releases are being reviewed and show no traces of modifications.

Q: Are downloads from windows.php.net affected?
A: Windows builds are created from release tarballs. If those were infected this might affect Windows, too. But no such infection could be found.

Q: Why are releases actually built on some server instead of RM's machines?
A: The git repository is not directly usable by end users as it contains only the individual config.m4 files etc. and no complete configure script, and only some parsers in raw form and not the generated C file. As we want to ensure reliable behavior we use a machine with specific versions of bison, autoconf and other tools. See the make_dist script in php-src for details of what's being made.

Q: Are snaps or RC releases affected?
A: I do not know, but know of no traces.

Q: Are other boxes affected, could the attacker steal credentials?
A: Login to the box happens via ssh keypairs so no secret credentials reach the box on login; if a user provided a password (i.e. for running sudo) while the box was infected this might be compromised. This won't affect other php.net systems, though, as those are only reachable via specific servers using two-factor authentication (or actually three-factor: ssh key, ssh key passphrase and one time passcode (RFC6238)).

johannes
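The tarball review the FAQ describes, as an added example that is not the PHP project's own code nor its make_dist script: it compares a release tarball against the git tree at its tag, separating the files make_dist is expected to generate on the build box (configure, the bison-generated parser; a constructed allowlist here) from files that were modified or that nobody can explain. The tarball and the git tree are constructed in memory so the check runs offline.

```python
import hashlib
import io
import tarfile

# Files make_dist generates on the build box, so they are legitimately absent from git.
# Constructed allowlist for this example; derive the real one from make_dist.
EXPECTED_GENERATED = {"configure", "Zend/zend_language_parser.c"}

def tarball_digests(tar_bytes):
    """Map member path (top-level directory stripped) to sha256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name.split("/", 1)[-1]] = hashlib.sha256(data).hexdigest()
    return digests

def audit_release(tar_digests, git_digests, generated=EXPECTED_GENERATED):
    """Report how a tarball differs from the git tree it claims to package."""
    extra = sorted(p for p in tar_digests if p not in git_digests)
    return {
        "modified": sorted(p for p in tar_digests if p in git_digests and tar_digests[p] != git_digests[p]),
        "missing": sorted(p for p in git_digests if p not in tar_digests),
        "generated": [p for p in extra if p in generated],             # expected build output
        "unexpected_extra": [p for p in extra if p not in generated],  # needs an explanation
    }

def make_tarball(files, prefix="php-5.6.1"):
    """Build a gzip tarball in memory (constructed sample input, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + "/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the tree at the git tag, and what the build box shipped.
GIT_TREE = {"configure.in": b"AC_INIT\n", "main/main.c": b"/* main */\n",
            "ext/standard/file.c": b"/* file */\n"}
DIST_FILES = dict(GIT_TREE)
DIST_FILES["configure"] = b"#!/bin/sh\n"                             # expected, generated
DIST_FILES["Zend/zend_language_parser.c"] = b"/* bison output */\n"  # expected, generated
DIST_FILES["ext/standard/file.c"] = b"/* file */\n/* changed */\n"   # altered on the box
DIST_FILES["main/extra.c"] = b"/* not in git */\n"                   # unexplained extra

def demo():
    git_digests = {p: hashlib.sha256(d).hexdigest() for p, d in GIT_TREE.items()}
    return audit_release(tarball_digests(make_tarball(DIST_FILES)), git_digests)
```

For a real release, `git_digests` would come from hashing `git archive <tag>` output from a trusted clone or the github mirror, which is exactly the independent copy the FAQ relies on.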