In case you have not heard the bad news: FreeBSD.org was compromised on September 17, 2012. The good news is that the compromise was caused by human error (a stupid developer leaked an SSH private key somewhere), and has nothing to do with the code quality of FreeBSD. 🙂 The bad news is that this may affect you if you use ports. 🙁
The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD.
We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources.
In short, the ports tree was affected from September 19, 2012 to November 11, 2012. If you downloaded ports during this period, you are likely a victim of this incident. 🙁 Here is how to clean up the mess:
Stop using cvsup/csup to update your ports tree. Use portsnap instead.
If you already use portsnap, do the following:
sudo portsnap fetch extract
sudo portsnap update
If you have no idea what portsnap is, here is a quick tutorial:
First, install portmaster and portupgrade. portupgrade downloads the new ports to your server, and portmaster updates your applications based on the downloaded ports.
sudo pkg_add -r portupgrade portmaster
Download all ports. Note that this is a one-time step.
sudo portsnap fetch extract
When you want to update your ports tree, run the following:
sudo portsnap fetch update
Or, if you would rather run it from a cron job, add the following to /etc/crontab instead:
sudo nano /etc/crontab
# Run every three hours
0 */3 * * * root portsnap -I cron update && pkg_version -vIL= >/dev/null 2>&1
Now you have an updated ports tree. Next, update your installed applications based on your local ports tree:
sudo portmaster -Dai
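To see which installed packages fall inside the window named in the announcement, the shell function below (an added example, not part of the original post or of FreeBSD's own tooling) lists entries in the package database whose +CONTENTS file was written between 19 September and 11 November 2012. It assumes the pkg_add-era database layout /var/db/pkg/<name>/+CONTENTS and that file modification times approximate install time and have not been altered; the function name pkgs_in_window is hypothetical.

```shell
#!/bin/sh
# Added example: triage helper, not FreeBSD project code.
# Lists packages whose +CONTENTS mtime lies inside the advisory window
# (2012-09-19 00:00:00 through 2012-11-11 23:59:59, local time).
# Assumption: mtime of /var/db/pkg/<name>/+CONTENTS ~ install time.

pkgs_in_window() {
    dbdir=${1:-/var/db/pkg}

    # Fail clearly if there is no package database to inspect.
    if [ ! -d "$dbdir" ]; then
        echo "no package database at $dbdir" >&2
        return 1
    fi

    refdir=$(mktemp -d "${TMPDIR:-/tmp}/pkgwin.XXXXXX") || return 1

    # Reference files bracketing the window. find -newer is a strict
    # "later than", so the start marker sits one second before the window.
    touch -t 201209182359.59 "$refdir/start"
    touch -t 201211112359.59 "$refdir/end"

    # Match +CONTENTS files later than start and not later than end,
    # then print the name of the package directory that holds each one.
    find "$dbdir" -mindepth 2 -maxdepth 2 -name '+CONTENTS' \
        -newer "$refdir/start" ! -newer "$refdir/end" -print |
    while IFS= read -r f; do
        basename "$(dirname "$f")"
    done | sort

    rm -rf "$refdir"
}

# Usage on the host being checked:
#   pkgs_in_window            # inspects /var/db/pkg
#   pkgs_in_window /mnt/var/db/pkg   # inspects a mounted disk image
```

An empty result does not clear a machine: timestamps are easy to change, and ports built from a tree fetched during the window will not show up here.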
And remember, NEVER put your SSH private key in a public area.