Gentoo pulls vulnerable server offline

Summary: The Gentoo Project has removed a server hosting several sites and services after the discovery of a potentially serious command injection vulnerability.


The open-source group, which produces a popular Linux distribution, said the security hole was verified within http://packages.gentoo.org.

"The Infrastructure team verified the vulnerability and the server was immediately taken down to prevent further exploitation and to allow for forensic analysis," Gentoo said in a brief note on its Web site.

The server hosted the following sites and services:

  • archives.gentoo.org
  • packagestest.gentoo.org
  • scripts.gentoo.org
  • archivestest.gentoo.org
  • kiss.gentoo.org
  • packages.gentoo.org
  • stats.gentoo.org
  • survey.gentoo.org

The group said the affected server will be rebuilt while the http://packages.gentoo.org service's source undergoes a full security audit prior to being restored. The tree and all other services were unaffected.

The Gentoo site vulnerability comes on the heels of this week's security breach at Ubuntu that forced the removal of 5 of 8 production servers from the Internet.

The Ubuntu servers were found to be missing security patches, to be accessed over insecure protocols (FTP without SSL), and to have gone without upgrades past breezy because of problems with the network cards and later kernels.


Talkback

35 comments
  • How can this be? Isn't UNIX da bomb when it comes to security?

    Two exploited Linux systems within a week's time? I thought UNIX was impervious to exploits. Surely you must be spreading FUD :-)
    ye
    • How many MS servers hacked this week?

      Maybe when you remove your lips from the MS teat, you'll have some time to actually produce a quote from someone influential in the *nix community who actually said that UNIX/Linux was "impervious" to exploits.

      Then when you're done with that, don't forget to update your anti-virus definitions, your anti-spyware definitions, and then reboot your Redmond OS because it's been running for a full hour and has become unacceptably slow. Hey, watch out for that BSOD!

      (PS - you did ACTIVATE your copy of Redmond OS, didn't you?!?!)
      shoktai@...
      • Zero, but that has nothing to do with Linux

        Nice try at changing the topic though.
        No_Ax_to_Grind
      • Irrelevant.

        "Maybe when you remove your lips from the MS teat, you'll have some time to actually produce a quote from someone influential in the *nix community who actually said that UNIX/Linux was "impervious" to exploits."

        There is no direct quote. It's more a matter of attitude displayed by the Linux crowd whenever Windows is exploited. A prime example is your post.
        ye
    • Wrong as usual

      "Two exploited Linux systems within a week's time?"

      RTFA - This server was not hacked. Gentoo noted it had a vulnerability and then they took it down.
      bportlock
      • Article said "to prevent further exploitation"

        Key word here being "further" which implies it was already exploited. Now it may be
        this server was not exploited. But with the information given one has to conclude it
        was.

        Either way with Linux being impervious, as the Linux fanbois have led us all to
        believe, I fail to see where this is an issue. Why bother taking it down and wasting
        time on a forensic analysis when Linux cannot be exploited? Seems a whole lot of
        wasted effort over nothing.
        ye
        • Try reading the bugzilla report

          There was no compromise or exploitation. It was reported to Gentoo directly as a vulnerability discovered by a user called "bannedit".
          bportlock
          • May very well be. That doesn't change my point.

            If Linux is impervious to exploits, as the Linux fanbois have led us to believe, why are they even bothering? Seems like a lot of work for no reason. Don't you agree?
            ye
          • Don't be absurd!

            The whole point of a vulnerability is that it leaves you vulnerable. That is what it means.
            bportlock
          • Not according to the Linux fanbois they don't.

            "The whole point of a vulnerability is that it leaves you vulnerable."

            According to them the security model built into Linux prevents vulnerabilities from being a concern. So I ask again: Why all the fuss?
            ye
          • I don't know ye, why are you making a fuss about it?

            calm down and go deny your own problems like ani
            exploits and Vista forced shutdowns, eh?
            Kid Icarus-21097050858087920245213802267493
          • I am pointing out the hypocrisy.

            And I must be doing a great job at it given the amount of ad hominems being levied against me. When you've got a constructive argument get back to me. Until then I recommend you leave the ad hominems out.
            ye
        • Quit being retarded

          This is standard CIA procedure. (Confidentiality, Integrity, Availability)

          Even if they were able to execute code via the web app it runs as apache which has less rights than a normal user and certainly less rights than The network service that IIS on Windows runs as.

          The security team is merely following procedures, that most Windows admins have never read in the first place.
          Suicida|
          • I'm not the one who claimed Linux was impervious to exploits.

            That would be the Linux fanbois. Now I am asking them to explain, based on the
            reasons they've provided to switch from Windows to Linux, why this would be an
            issue. And thus far I have not received one. I don't expect I will either. Because they
            were full of it then and it's just now coming back to bite them in the behind.
            ye
          • What a limited vocabulary

            "Linux fanbois"? Are you kidding me? In every post? Can't come up with anything else?
            "impervious to exploits"? who said that? don't tell me "Linux fanbois" - point to the actual post... And if someone actually did say that - they have even less brains than you do...
            vgrig
          • Linux fanbois implied it.

            "Linux fanbois"? Are you kidding me? In every post? Can't come up with anything else?"

            Why would I want to soil the good name of Linux users for the actions of the fanbois?

            "impervious to exploits"? who said that? don't tell me "Linux fanbois" - point to the actual post... And if someone actually did say that - they have even less brains than you do..."

            As I said the Linux fanbois implied it every time they suggested someone switch to Linux due to security reasons. Sorry if you don't like the reasoning but it most certainly is NOT mine.
            ye
  • Does this disprove the "many eyes" theory?

    and if not, does this show a severe lack of attention to less popular code?
    Scrat
    • Proves it doesn't work (nt)

      .
      No_Ax_to_Grind
    • It demonstrates what many of us already knew.

      That Linux (UNIX) and open source software is no more/less secure than Windows and closed source software. That both are dependent on patches and good administration in order to remain as secure as possible. And without either both can be exploited.

      For some reason the ABM crowd just doesn't like recognizing this.
      ye
      • The reason the open source crowd says it is...

        They have no other claim to make. Linux is NOT better than Windows/Solaris/OS X and open source apps are a joke compared to proprietary. All that's left is for them to try and play the "security card" but that is quickly going up in a puff of smoke.
        No_Ax_to_Grind