From: pavel@ucw.cz (Pavel Machek)
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] Reproducible Builds in August 2019
Date: Tue, 10 Sep 2019 14:51:15 +0200
Message-ID: <20190910125115.GA16598@amd>
In-Reply-To: <5b563474-b5ff-4de2-b370-6a25752c6c26@www.fastmail.com>

Hi!

> Media coverage & events
> =======================
> 
> A backdoor was found in Webmin [2] a popular web-based application used
> by sysadmins to remotely manage Unix-based systems. Whilst more details
> can be found on upstream's dedicated exploit page [3], it appears that
> the build toolchain was compromised. Especially of note is that the
> exploit "did not show up in any Git diffs" and thus would not have
> been

Page says:

# At some time in April 2018, the Webmin development build server was
# exploited and a vulnerability added to the password_change.cgi
# script. Because the timestamp on the file was set back, it did not
# show up in any Git diffs. This was included in the Webmin 1.890
# release.

That sounds to me like source code was modified locally on the build
server, not any sort of advanced toolchain compromise.

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
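
Added example, not part of the message above and not Webmin's or the Reproducible Builds project's code: a release tree is compared with a reference checkout by SHA-256 content digest, so a file whose timestamp was set back is still reported, while a timestamp-only comparison misses it. The directory names, file contents and the helper names are constructed for the demonstration; only the file name password_change.cgi comes from the quoted advisory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

BASE = 1_500_000_000  # constructed fixed mtime for the sample files

def tree_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def changed_by_mtime(reference, release):
    """Timestamp-only check: files in release newer than the reference copy."""
    ref, rel = Path(reference), Path(release)
    return sorted(n for n in tree_manifest(rel) if (ref / n).is_file()
                  and (rel / n).stat().st_mtime > (ref / n).stat().st_mtime)

def changed_by_content(reference, release):
    """Files added, removed or altered between the trees, ignoring timestamps."""
    ref, rel = tree_manifest(reference), tree_manifest(release)
    return sorted(n for n in ref.keys() | rel.keys() if ref.get(n) != rel.get(n))

def demo():
    """Constructed scenario: one release file differs and its mtime is set back."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, rel = Path(tmp, "checkout"), Path(tmp, "release")
        for tree in (ref, rel):
            tree.mkdir()
            for name in ("password_change.cgi", "index.cgi"):
                (tree / name).write_text("# constructed placeholder content\n")
                os.utime(tree / name, (BASE, BASE))
        target = rel / "password_change.cgi"
        target.write_text("# constructed placeholder content\n# extra line\n")
        os.utime(target, (BASE - 3600, BASE - 3600))  # older than the reference
        return changed_by_mtime(ref, rel), changed_by_content(ref, rel)

if __name__ == "__main__":
    by_mtime, by_content = demo()
    print("timestamp check flags:", by_mtime)
    print("content check flags:  ", by_content)
```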