Atomic Secure Linux
Post subject: Non-ASL Proftpd Source code compromised
Posted: Thu Dec 02, 2010 10:35 am
Atomicorp Staff - Site Admin

NOTE: This does not affect either the builds distributed by Atomicorp or Parallels.

Before building any third party applications, we always verify the source code GPG signature for every vendor that signs their code (proftpd is one of them) using keys we know we can trust. Furthermore in many cases we also manually review source code passing through the atomic and asl repos before building - and we always check diffs to know if any changes are worth pushing updates. So even if they had managed to compromise the code, and the keys - the diffs in this case would have been reviewed and we are (as our ASL users know) very very paranoid people.

Finally, all of our binary packages are signed with our GPG key from systems that are not part of the proftpd mirror network. This compromise only affected the official proftpd source code for a few days, and did not affect either the builds distributed by Atomicorp or Parallels.

If you have manually downloaded the source code between November 28 and December 2 from any official proftpd mirror, this advisory affects you.

If you are using any Atomicorp build you are NOT affected by this.

Official note from the proftpd team:

ftp.proftpd.org compromised

The ProFTPD Project team is sorry to announce that the Project's main FTP server, as well as all of the mirror servers, have carried compromised versions of the ProFTPD 1.3.3c source code, from the November 28 2010 to December 2 2010. All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD.


Further information is available here:
http://www.proftpd.org/
http://www.net-security.org/secworld.php?id=10243
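
Added example, not part of the original post and not Atomicorp's or the ProFTPD project's own tooling: a pre-build check of the kind the post describes, accepting a source tarball only if its detached signature was made by a key pinned in advance. The fingerprint argument, the `.asc` file naming and the function names are assumptions; the trusted key file must come from somewhere other than the mirror that served the tarball.

```shell
#!/usr/bin/env bash
# Added example: gate a build on a signature from a pinned key.
# Function names, arguments and the <tarball>.asc naming are assumptions.

# Read gpg --status-fd output on stdin; succeed only if the signature is
# valid AND was made under the pinned primary key fingerprint ($1).
status_is_trusted() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Any of these status codes means the signature must be rejected.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_source <trusted-keyfile> <pinned-fingerprint> <tarball>
verify_source() {
    local keyfile=$1 pinned=$2 tarball=$3 home rc
    home=$(mktemp -d) || return 2
    # Throwaway keyring holding only the key obtained out-of-band, so a key
    # swapped in on a compromised mirror cannot satisfy the check.
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 \
        --verify "$tarball.asc" "$tarball" 2>/dev/null |
        status_is_trusted "$pinned"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Command-line use: script.sh <trusted-keyfile> <fingerprint> <tarball>
if [ "$#" -eq 3 ]; then
    if verify_source "$@"; then
        echo "OK: signature made by pinned key, build may proceed"
    else
        echo "REFUSE: signature missing, invalid, or from another key" >&2
        exit 1
    fi
fi
```

Matching on the `VALIDSIG` fingerprint rather than on gpg's exit code is what rejects a tarball that is correctly signed by a key other than the pinned one.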

