THE FREEBSD PROJECT has announced that two machines in the freebsd.org cluster were compromised recently.
The FreeBSD Project, which produces the FreeBSD operating system, announced on Saturday that two machines on its cluster were compromised. The outfit said that it couldn't find any evidence of code being altered but that it took the machines offline and performed security audits of its servers.
The FreeBSD Project said that no part of the base system was affected and it added that the intruder did not modify any part of the FreeBSD base. However, it added that the intruder had sufficient access to modify third-party packages, many of which are compiled and installed through FreeBSD's ports system.
In a statement the FreeBSD Project said, "We have verified the state of FreeBSD packages and releases currently available on ftp.FreeBSD.org. All package sets for existing versions of FreeBSD and all available releases have been validated and we can confirm that the currently available packages and releases have not been modified in any way."
According to the FreeBSD Project, it cannot guarantee the integrity of packages downloaded between 19 September 2012 and 11 November 2012, or of any software compiled from ports obtained from any source other than svn.freebsd.org or one of its mirrors. It recommends that users reinstall any affected machines from scratch.
The FreeBSD Project was gearing up for the FreeBSD 9.1 release; however, as it is unable to verify the integrity of the package set, that set has been removed and will be rebuilt prior to the release. In the meantime, the outfit recommends that users move away from cvsup and onto portsnap, and that they audit any systems on which software was installed or updated between 19 September 2012 and 11 November 2012. µ