Important security noticed regarding release signing key

Important security noticed regarding release signing key

[Sage Weil]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Last week, Red Hat investigated an intrusion on the sites of both the Ceph 
community project (ceph.com) and Inktank (download.inktank.com), which 
were hosted on a computer system outside of Red Hat infrastructure.

Ceph.com provided Ceph community versions downloads signed with a Ceph 
signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases 
of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed 
with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation 
into the intrusion is ongoing, our initial focus was on the integrity of 
the software and distribution channel for both sites.

To date, our investigation has not discovered any compromised code or 
binaries available for download on these sites. However, we cannot fully 
rule out the possibility that some compromised code or binaries were 
available for download at some point in the past. Further, we can no 
longer trust the integrity of the Ceph signing key, and therefore have 
created a new signing key (id E84AC2C0460F3994) for verifying downloads. 
This new key is committed to the ceph.git repository and is 
also available from

	https://git.ceph.com/release.asc

The new key should look like:

pub   4096R/460F3994 2015-09-15
uid                  Ceph.com (release key) <security-Qp0mS5GaXlQ@public.gmane.org>

All future release git tags will be signed with this new key.

This intrusion did not affect other Ceph sites such as download.ceph.com 
(which contained some older Ceph downloads) or git.ceph.com (which mirrors 
various source repositories), and is not known to have affected any other 
Ceph community infrastructure.  There is no evidence that build system or 
the Ceph github source repository were compromised.

New hosts for ceph.com and download.ceph.com have been created and the 
sites have been rebuilt.  All content available on download.ceph.com as 
been verified, and all ceph.com URLs for package locations now redirect 
there.  There is still some content missing from download.ceph.com that 
will appear later today: source tarballs will be regenerated from git, and 
older release packages are being resigned with the new release key DNS 
changes are still propogating so you may not see the new versions of the 
ceph.com and download.ceph.com sites for another hour or so.

The download.inktank.com host has been retired and affected Red Hat 
customers have been notified, further information is available at 
https://securityblog.redhat.com/2015/09/17/.

Users of Ceph packages should take action as a precautionary measure to 
download the newly-signed versions.  Please see the instructions below.

The Ceph community would like to thank Kai Fabian for initially alerting 
us to this issue.

Any questions can be directed to the email discussion lists or the #ceph 
IRC channel on irc.oftc.net.

Thank you!
sage

- -----

The following steps should be performed on all nodes with Ceph software 
installed.

Replace APT keys (Debian, Ubuntu)

	sudo apt-key del 17ED316D
	curl https://git.ceph.com/release.asc | sudo apt-key add -

Replace RPM keys (Fedora, CentOS, SUSE, etc.)

	sudo rpm -e --allmatches gpg-pubkey-17ed316d-4fb96ee8
	sudo rpm --import 'https://git.ceph.com/release.asc'

Reinstalling packages (Fedora, CentOS, SUSE, etc.)

	sudo yum clean metadata
	sudo yum reinstall -y $(repoquery --disablerepo= --enablerepo=ceph \
		--queryformat='%{NAME}' list '*')

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlX66k0ACgkQ2kQg7SiJlcg0wQCfVy+/2BfoNqtCfAcbuNABczFx
bpIAoLf8RTHisIn5wFvEb4Akym/UNn5l
=SEws
-----END PGP SIGNATURE-----

Re: Important security noticed regarding release signing key

[Robin H. Johnson]

On Thu, Sep 17, 2015 at 09:29:35AM -0700,  Sage Weil wrote:
> Last week, Red Hat investigated an intrusion on the sites of both the Ceph 
> community project (ceph.com) and Inktank (download.inktank.com), which 
> were hosted on a computer system outside of Red Hat infrastructure.
> 
> Ceph.com provided Ceph community versions downloads signed with a Ceph 
> signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases 
> of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed 
> with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation 
> into the intrusion is ongoing, our initial focus was on the integrity of 
> the software and distribution channel for both sites.
Please revoke the old keys, so that if they were taken by the attacker,
they cannot be used (you can't un-revoke a key generally).

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

Re: Important security noticed regarding release signing key

[Sage Weil]

On Thu, 17 Sep 2015, Robin H. Johnson wrote:
> On Thu, Sep 17, 2015 at 09:29:35AM -0700,  Sage Weil wrote:
> > Last week, Red Hat investigated an intrusion on the sites of both the Ceph 
> > community project (ceph.com) and Inktank (download.inktank.com), which 
> > were hosted on a computer system outside of Red Hat infrastructure.
> > 
> > Ceph.com provided Ceph community versions downloads signed with a Ceph 
> > signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases 
> > of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed 
> > with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation 
> > into the intrusion is ongoing, our initial focus was on the integrity of 
> > the software and distribution channel for both sites.
>
> Please revoke the old keys, so that if they were taken by the attacker,
> they cannot be used (you can't un-revoke a key generally).

Done:

	http://pgp.mit.edu/pks/lookup?search=ceph&op=index

sage

Re: Important security noticed regarding release signing key

[Robin H. Johnson]

On Thu, Sep 17, 2015 at 11:19:28AM -0700, Sage Weil wrote:
> > Please revoke the old keys, so that if they were taken by the attacker,
> > they cannot be used (you can't un-revoke a key generally).
> Done:
> 	http://pgp.mit.edu/pks/lookup?search=ceph&op=index
Thank you!

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

Re: Important security noticed regarding release signing key

[Michael Kuriger]

Thanks for the notice!



 
Michael Kuriger
Sr. Unix Systems Engineer
r mk7193-CivJcMWXhi0@public.gmane.org |  818-649-7235



-----Original Message-----
From: ceph-users [mailto:ceph-users-bounces-idqoXFIVOFJgJs9I8MT0rw@public.gmane.org] On Behalf Of Sage Weil
Sent: Thursday, September 17, 2015 9:30 AM
To: ceph-announce-Qp0mS5GaXlQ@public.gmane.org; ceph-devel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org; ceph-users-Qp0mS5GaXlQ@public.gmane.org; ceph-maintainers-Qp0mS5GaXlQ@public.gmane.org
Subject: [ceph-users] Important security noticed regarding release signing key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Last week, Red Hat investigated an intrusion on the sites of both the Ceph community project (ceph.com) and Inktank (download.inktank.com), which were hosted on a computer system outside of Red Hat infrastructure.

Ceph.com provided Ceph community versions downloads signed with a Ceph signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation into the intrusion is ongoing, our initial focus was on the integrity of the software and distribution channel for both sites.

To date, our investigation has not discovered any compromised code or binaries available for download on these sites. However, we cannot fully rule out the possibility that some compromised code or binaries were available for download at some point in the past. Further, we can no longer trust the integrity of the Ceph signing key, and therefore have created a new signing key (id E84AC2C0460F3994) for verifying downloads. 
This new key is committed to the ceph.git repository and is also available from

	https://git.ceph.com/release.asc

The new key should look like:

pub   4096R/460F3994 2015-09-15
uid                  Ceph.com (release key) <security-Qp0mS5GaXlQ@public.gmane.org>

All future release git tags will be signed with this new key.

This intrusion did not affect other Ceph sites such as download.ceph.com (which contained some older Ceph downloads) or git.ceph.com (which mirrors various source repositories), and is not known to have affected any other Ceph community infrastructure.  There is no evidence that build system or the Ceph github source repository were compromised.

New hosts for ceph.com and download.ceph.com have been created and the sites have been rebuilt.  All content available on download.ceph.com as been verified, and all ceph.com URLs for package locations now redirect there.  There is still some content missing from download.ceph.com that will appear later today: source tarballs will be regenerated from git, and older release packages are being resigned with the new release key DNS changes are still propogating so you may not see the new versions of the ceph.com and download.ceph.com sites for another hour or so.

The download.inktank.com host has been retired and affected Red Hat customers have been notified, further information is available at https://securityblog.redhat.com/2015/09/17/.

Users of Ceph packages should take action as a precautionary measure to download the newly-signed versions.  Please see the instructions below.

The Ceph community would like to thank Kai Fabian for initially alerting us to this issue.

Any questions can be directed to the email discussion lists or the #ceph IRC channel on irc.oftc.net.

Thank you!
sage

- -----

The following steps should be performed on all nodes with Ceph software installed.

Replace APT keys (Debian, Ubuntu)

	sudo apt-key del 17ED316D
	curl https://git.ceph.com/release.asc | sudo apt-key add -

Replace RPM keys (Fedora, CentOS, SUSE, etc.)

	sudo rpm -e --allmatches gpg-pubkey-17ed316d-4fb96ee8
	sudo rpm --import 'https://git.ceph.com/release.asc'

Reinstalling packages (Fedora, CentOS, SUSE, etc.)

	sudo yum clean metadata
	sudo yum reinstall -y $(repoquery --disablerepo= --enablerepo=ceph \
		--queryformat='%{NAME}' list '*')

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlX66k0ACgkQ2kQg7SiJlcg0wQCfVy+/2BfoNqtCfAcbuNABczFx
bpIAoLf8RTHisIn5wFvEb4Akym/UNn5l
=SEws
-----END PGP SIGNATURE-----
_______________________________________________
ceph-users mailing list
ceph-users-idqoXFIVOFJgJs9I8MT0rw@public.gmane.org
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Re: Important security noticed regarding release signing key

[Songbo Wang]

[-- Attachment #1.1: Type: text/plain, Size: 4478 bytes --]

Hi, all,
        Since the last week‘s attack, “ceph.com/packages/ceph-extras” can
be opened never, but where can I get the releases of ceph-extra now?

Thanks and Regards,
WangSongbo

2015-09-18 0:29 GMT+08:00 Sage Weil <sage-BnTBU8nroG7k1uMJSBkQmQ@public.gmane.org>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Last week, Red Hat investigated an intrusion on the sites of both the Ceph
> community project (ceph.com) and Inktank (download.inktank.com), which
> were hosted on a computer system outside of Red Hat infrastructure.
>
> Ceph.com provided Ceph community versions downloads signed with a Ceph
> signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases
> of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed
> with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation
> into the intrusion is ongoing, our initial focus was on the integrity of
> the software and distribution channel for both sites.
>
> To date, our investigation has not discovered any compromised code or
> binaries available for download on these sites. However, we cannot fully
> rule out the possibility that some compromised code or binaries were
> available for download at some point in the past. Further, we can no
> longer trust the integrity of the Ceph signing key, and therefore have
> created a new signing key (id E84AC2C0460F3994) for verifying downloads.
> This new key is committed to the ceph.git repository and is
> also available from
>
>         https://git.ceph.com/release.asc
>
> The new key should look like:
>
> pub   4096R/460F3994 2015-09-15
> uid                  Ceph.com (release key) <security-Qp0mS5GaXlQ@public.gmane.org>
>
> All future release git tags will be signed with this new key.
>
> This intrusion did not affect other Ceph sites such as download.ceph.com
> (which contained some older Ceph downloads) or git.ceph.com (which mirrors
> various source repositories), and is not known to have affected any other
> Ceph community infrastructure.  There is no evidence that build system or
> the Ceph github source repository were compromised.
>
> New hosts for ceph.com and download.ceph.com have been created and the
> sites have been rebuilt.  All content available on download.ceph.com as
> been verified, and all ceph.com URLs for package locations now redirect
> there.  There is still some content missing from download.ceph.com that
> will appear later today: source tarballs will be regenerated from git, and
> older release packages are being resigned with the new release key DNS
> changes are still propogating so you may not see the new versions of the
> ceph.com and download.ceph.com sites for another hour or so.
>
> The download.inktank.com host has been retired and affected Red Hat
> customers have been notified, further information is available at
> https://securityblog.redhat.com/2015/09/17/.
>
> Users of Ceph packages should take action as a precautionary measure to
> download the newly-signed versions.  Please see the instructions below.
>
> The Ceph community would like to thank Kai Fabian for initially alerting
> us to this issue.
>
> Any questions can be directed to the email discussion lists or the #ceph
> IRC channel on irc.oftc.net.
>
> Thank you!
> sage
>
> - -----
>
> The following steps should be performed on all nodes with Ceph software
> installed.
>
> Replace APT keys (Debian, Ubuntu)
>
>         sudo apt-key del 17ED316D
>         curl https://git.ceph.com/release.asc | sudo apt-key add -
>
> Replace RPM keys (Fedora, CentOS, SUSE, etc.)
>
>         sudo rpm -e --allmatches gpg-pubkey-17ed316d-4fb96ee8
>         sudo rpm --import 'https://git.ceph.com/release.asc'
>
> Reinstalling packages (Fedora, CentOS, SUSE, etc.)
>
>         sudo yum clean metadata
>         sudo yum reinstall -y $(repoquery --disablerepo= --enablerepo=ceph
> \
>                 --queryformat='%{NAME}' list '*')
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAlX66k0ACgkQ2kQg7SiJlcg0wQCfVy+/2BfoNqtCfAcbuNABczFx
> bpIAoLf8RTHisIn5wFvEb4Akym/UNn5l
> =SEws
> -----END PGP SIGNATURE-----
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

[-- Attachment #1.2: Type: text/html, Size: 6650 bytes --]

[-- Attachment #2: Type: text/plain, Size: 178 bytes --]

_______________________________________________
ceph-users mailing list
ceph-users-idqoXFIVOFJgJs9I8MT0rw@public.gmane.org
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Re: [ceph-users] Important security noticed regarding release signing key

[Ken Dreyer]

On Tue, Sep 22, 2015 at 2:38 AM, Songbo Wang <songbo1227@gmail.com> wrote:
> Hi, all,
>         Since the last week‘s attack, “ceph.com/packages/ceph-extras” can be
> opened never, but where can I get the releases of ceph-extra now?
>
> Thanks and Regards,
> WangSongbo
>

The packages in "ceph-extras" were old and subject to CVEs (the big
one being VENOM, CVE-2015-3456). So I don't intend to host ceph-extras
in the new location.

- Ken
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [ceph-users] Important security noticed regarding release signing key

[wangsongbo]

Hi Ken,
     Thanks for your reply. But in the ceph-cm-ansible project scheduled 
by teuthology, "ceph.com/packages/ceph-extras" is in used now, such as 
qemu-kvm-0.12.1.2-2.415.el6.3ceph, 
qemu-kvm-tools-0.12.1.2-2.415.el6.3ceph etc.
     Any new releases will be provided ?

On 15/9/22 下午10:24, Ken Dreyer wrote:
> On Tue, Sep 22, 2015 at 2:38 AM, Songbo Wang <songbo1227@gmail.com> wrote:
>> Hi, all,
>>          Since the last week‘s attack, “ceph.com/packages/ceph-extras” can be
>> opened never, but where can I get the releases of ceph-extra now?
>>
>> Thanks and Regards,
>> WangSongbo
>>
> The packages in "ceph-extras" were old and subject to CVEs (the big
> one being VENOM, CVE-2015-3456). So I don't intend to host ceph-extras
> in the new location.
>
> - Ken

--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [ceph-users] Important security noticed regarding release signing key

[Ken Dreyer]

Hi Songbo, It's been removed from Ansible now:
https://github.com/ceph/ceph-cm-ansible/pull/137

- Ken

On Tue, Sep 22, 2015 at 8:33 PM, wangsongbo <songbo1227@gmail.com> wrote:
> Hi Ken,
>     Thanks for your reply. But in the ceph-cm-ansible project scheduled by
> teuthology, "ceph.com/packages/ceph-extras" is in used now, such as
> qemu-kvm-0.12.1.2-2.415.el6.3ceph, qemu-kvm-tools-0.12.1.2-2.415.el6.3ceph
> etc.
>     Any new releases will be provided ?
>
>
> On 15/9/22 下午10:24, Ken Dreyer wrote:
>>
>> On Tue, Sep 22, 2015 at 2:38 AM, Songbo Wang <songbo1227@gmail.com> wrote:
>>>
>>> Hi, all,
>>>          Since the last week‘s attack, “ceph.com/packages/ceph-extras”
>>> can be
>>> opened never, but where can I get the releases of ceph-extra now?
>>>
>>> Thanks and Regards,
>>> WangSongbo
>>>
>> The packages in "ceph-extras" were old and subject to CVEs (the big
>> one being VENOM, CVE-2015-3456). So I don't intend to host ceph-extras
>> in the new location.
>>
>> - Ken
>
>
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Important security noticed regarding release signing key

[wangsongbo]

Hi Ken,
         Thank you, I will update my repo and continue my test.

- Songbo

On 15/9/23 上午10:50, Ken Dreyer wrote:
> Hi Songbo, It's been removed from Ansible now:
> https://github.com/ceph/ceph-cm-ansible/pull/137
>
> - Ken
>
> On Tue, Sep 22, 2015 at 8:33 PM, wangsongbo <songbo1227@gmail.com> wrote:
>> Hi Ken,
>>      Thanks for your reply. But in the ceph-cm-ansible project scheduled by
>> teuthology, "ceph.com/packages/ceph-extras" is in used now, such as
>> qemu-kvm-0.12.1.2-2.415.el6.3ceph, qemu-kvm-tools-0.12.1.2-2.415.el6.3ceph
>> etc.
>>      Any new releases will be provided ?
>>
>>
>> On 15/9/22 下午10:24, Ken Dreyer wrote:
>>> On Tue, Sep 22, 2015 at 2:38 AM, Songbo Wang <songbo1227@gmail.com> wrote:
>>>> Hi, all,
>>>>           Since the last week‘s attack, “ceph.com/packages/ceph-extras”
>>>> can be
>>>> opened never, but where can I get the releases of ceph-extra now?
>>>>
>>>> Thanks and Regards,
>>>> WangSongbo
>>>>
>>> The packages in "ceph-extras" were old and subject to CVEs (the big
>>> one being VENOM, CVE-2015-3456). So I don't intend to host ceph-extras
>>> in the new location.
>>>
>>> - Ken
>>

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Re: Important security noticed regarding release signing key

[wangsongbo]

[-- Attachment #1.1: Type: text/plain, Size: 1579 bytes --]

Hi  Ken,
     Just now, I run teuthology-suites in our testing, it failed because 
of lacking these packages, such as 
qemu-kvm-0.12.1.2-2.415.el6.3ceph.x86_64, 
qemu-kvm-tools-0.12.1.2-2.415.el6.3ceph etc.
     The modify " rm ceph-extras repository config#137" remove the 
repository , but did not solve the ansible's dependence.

     How to solve this dependence ?

Thanks and Regards,
WangSongbo

On 15/9/23 上午10:50, Ken Dreyer wrote:
> Hi Songbo, It's been removed from Ansible now:
> https://github.com/ceph/ceph-cm-ansible/pull/137
>
> - Ken
>
> On Tue, Sep 22, 2015 at 8:33 PM, wangsongbo <songbo1227-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> Hi Ken,
>>      Thanks for your reply. But in the ceph-cm-ansible project scheduled by
>> teuthology, "ceph.com/packages/ceph-extras" is in used now, such as
>> qemu-kvm-0.12.1.2-2.415.el6.3ceph, qemu-kvm-tools-0.12.1.2-2.415.el6.3ceph
>> etc.
>>      Any new releases will be provided ?
>>
>>
>> On 15/9/22 下午10:24, Ken Dreyer wrote:
>>> On Tue, Sep 22, 2015 at 2:38 AM, Songbo Wang <songbo1227-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>> Hi, all,
>>>>           Since the last week‘s attack, “ceph.com/packages/ceph-extras”
>>>> can be
>>>> opened never, but where can I get the releases of ceph-extra now?
>>>>
>>>> Thanks and Regards,
>>>> WangSongbo
>>>>
>>> The packages in "ceph-extras" were old and subject to CVEs (the big
>>> one being VENOM, CVE-2015-3456). So I don't intend to host ceph-extras
>>> in the new location.
>>>
>>> - Ken
>>


[-- Attachment #1.2: Type: text/html, Size: 2649 bytes --]

[-- Attachment #2: Type: text/plain, Size: 178 bytes --]

_______________________________________________
ceph-users mailing list
ceph-users-idqoXFIVOFJgJs9I8MT0rw@public.gmane.org
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Re: Important security noticed regarding release signing key

[wangsongbo]

Hi  Ken,
Just now, I run teuthology-suites in our testing, it failed because of lacking these packages,
such as qemu-kvm-0.12.1.2-2.415.el6.3ceph.x86_64, qemu-kvm-tools-0.12.1.2-2.415.el6.3ceph etc.
The modify "rm ceph-extras repository config#137" only remove the repository , but did not solve the ansible's dependence.
How to solve this dependence ?

Thanks and Regards,
WangSongbo


On 15/9/23 上午10:50, Ken Dreyer wrote:
> Hi Songbo, It's been removed from Ansible now:
> https://github.com/ceph/ceph-cm-ansible/pull/137
>
> - Ken
>
> On Tue, Sep 22, 2015 at 8:33 PM, wangsongbo <songbo1227@gmail.com> wrote:
>> Hi Ken,
>>      Thanks for your reply. But in the ceph-cm-ansible project scheduled by
>> teuthology, "ceph.com/packages/ceph-extras" is in used now, such as
>> qemu-kvm-0.12.1.2-2.415.el6.3ceph, qemu-kvm-tools-0.12.1.2-2.415.el6.3ceph
>> etc.
>>      Any new releases will be provided ?
>>
>>
>> On 15/9/22 下午10:24, Ken Dreyer wrote:
>>> On Tue, Sep 22, 2015 at 2:38 AM, Songbo Wang <songbo1227@gmail.com> wrote:
>>>> Hi, all,
>>>>           Since the last week‘s attack, “ceph.com/packages/ceph-extras”
>>>> can be
>>>> opened never, but where can I get the releases of ceph-extra now?
>>>>
>>>> Thanks and Regards,
>>>> WangSongbo
>>>>
>>> The packages in "ceph-extras" were old and subject to CVEs (the big
>>> one being VENOM, CVE-2015-3456). So I don't intend to host ceph-extras
>>> in the new location.
>>>
>>> - Ken
>>

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Re: [Ceph-announce] Important security noticed regarding release signing key

[Gaudenz Steinlin]

[-- Attachment #1: Type: text/plain, Size: 2941 bytes --]

Sage Weil <sage@newdream.net> writes:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Last week, Red Hat investigated an intrusion on the sites of both the Ceph 
> community project (ceph.com) and Inktank (download.inktank.com), which 
> were hosted on a computer system outside of Red Hat infrastructure.
>
> Ceph.com provided Ceph community versions downloads signed with a Ceph 
> signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases 
> of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed 
> with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation 
> into the intrusion is ongoing, our initial focus was on the integrity of 
> the software and distribution channel for both sites.
>
> To date, our investigation has not discovered any compromised code or 
> binaries available for download on these sites. However, we cannot fully 
> rule out the possibility that some compromised code or binaries were 
> available for download at some point in the past. Further, we can no 
> longer trust the integrity of the Ceph signing key, and therefore have 
> created a new signing key (id E84AC2C0460F3994) for verifying downloads. 
> This new key is committed to the ceph.git repository and is 
> also available from
>
> 	https://git.ceph.com/release.asc
>
> The new key should look like:
>
> pub   4096R/460F3994 2015-09-15
> uid                  Ceph.com (release key) <security@ceph.com>
>
> All future release git tags will be signed with this new key.
>
> This intrusion did not affect other Ceph sites such as download.ceph.com 
> (which contained some older Ceph downloads) or git.ceph.com (which mirrors 
> various source repositories), and is not known to have affected any other 
> Ceph community infrastructure.  There is no evidence that build system or 
> the Ceph github source repository were compromised.
>
> New hosts for ceph.com and download.ceph.com have been created and the 
> sites have been rebuilt.  All content available on download.ceph.com as 
> been verified, and all ceph.com URLs for package locations now redirect 
> there.  There is still some content missing from download.ceph.com that 
> will appear later today: source tarballs will be regenerated from git, and 
> older release packages are being resigned with the new release key DNS 
> changes are still propogating so you may not see the new versions of the 
> ceph.com and download.ceph.com sites for another hour or so.

It would be nice to have a way to verify the integrity of tarballs
downloaded from http://download.ceph.com/tarballs/. Could you please add
individual signatures or an sha256sum file signed with your release key.
This is important for people building from source tarballs and
distribution packagers baseing their packages from tarballs. Debian and
Ubuntu packages are currently built from them.

Gaudenz

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 810 bytes --]

Re: [Ceph-announce] Important security noticed regarding release signing key

[Sage Weil]

On Wed, 23 Sep 2015, Gaudenz Steinlin wrote:
> Sage Weil <sage@newdream.net> writes:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Last week, Red Hat investigated an intrusion on the sites of both the Ceph 
> > community project (ceph.com) and Inktank (download.inktank.com), which 
> > were hosted on a computer system outside of Red Hat infrastructure.
> >
> > Ceph.com provided Ceph community versions downloads signed with a Ceph 
> > signing key (id 7EBFDD5D17ED316D). Download.inktank.comprovided releases 
> > of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed 
> > with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation 
> > into the intrusion is ongoing, our initial focus was on the integrity of 
> > the software and distribution channel for both sites.
> >
> > To date, our investigation has not discovered any compromised code or 
> > binaries available for download on these sites. However, we cannot fully 
> > rule out the possibility that some compromised code or binaries were 
> > available for download at some point in the past. Further, we can no 
> > longer trust the integrity of the Ceph signing key, and therefore have 
> > created a new signing key (id E84AC2C0460F3994) for verifying downloads. 
> > This new key is committed to the ceph.git repository and is 
> > also available from
> >
> > 	https://git.ceph.com/release.asc
> >
> > The new key should look like:
> >
> > pub   4096R/460F3994 2015-09-15
> > uid                  Ceph.com (release key) <security@ceph.com>
> >
> > All future release git tags will be signed with this new key.
> >
> > This intrusion did not affect other Ceph sites such as download.ceph.com 
> > (which contained some older Ceph downloads) or git.ceph.com (which mirrors 
> > various source repositories), and is not known to have affected any other 
> > Ceph community infrastructure.  There is no evidence that build system or 
> > the Ceph github source repository were compromised.
> >
> > New hosts for ceph.com and download.ceph.com have been created and the 
> > sites have been rebuilt.  All content available on download.ceph.com as 
> > been verified, and all ceph.com URLs for package locations now redirect 
> > there.  There is still some content missing from download.ceph.com that 
> > will appear later today: source tarballs will be regenerated from git, and 
> > older release packages are being resigned with the new release key DNS 
> > changes are still propogating so you may not see the new versions of the 
> > ceph.com and download.ceph.com sites for another hour or so.
> 
> It would be nice to have a way to verify the integrity of tarballs
> downloaded from http://download.ceph.com/tarballs/. Could you please add
> individual signatures or an sha256sum file signed with your release key.
> This is important for people building from source tarballs and
> distribution packagers baseing their packages from tarballs. Debian and
> Ubuntu packages are currently built from them.

Future releases will have tarball signatures.  Alfredo and Andrew are 
working on the new build/release tooling now.

sage