[MPlayer-dev-eng] MPHQ server maintenance, upgrade

Birzan George Cristian ymir at wolfheart.ro
Sun Dec 21 11:42:44 CET 2003


On Sun, Dec 21, 2003 at 11:31:36AM +0100, Arpi wrote:
> we didn't find what vuln was used, that time

So you did now?

> as we had no idea how do they come in, we find it better not advertising
> that mphq is vulnerable, until we find the problem.
> shutting down mphq and waiting for miracles, or do per-file audit of the
> whole shit debian were not options.

Fair enough. But, again, have you found out NOW what vulnerability they
used? Or at the very least, what service they exploited?

> the system was kept up-to-date (as much apt-get update&upgrade can do that),
> the public services were configured correctly (no silly configuration
> mistakes) so the only cause can be either getting compromised packages from
> cracked debian servers, or having some debian packages having some bugs.

The former is out of the question, as the files have been checked and
they weren't modified during the Debian compromise. The latter, however,
is quite possible, but that doesn't mean another distro won't have them.
I am not aware of any security bug that wasn't fixed in Debian, and even
if I'm not a reliable source, think of the fact that Debian has quite a
userbase and at least some of them would've noticed.

-- 
Birzan George			Violence is the last refuge of
  Cristian			the incompetent -- Salvor Hardin



