Linux Mint ISO was compromised.

Status
Not open for further replies.
simple_gifts

simple_gifts

Joined
Jul 26, 2004
Messages
14,115
Location
New Bri-en, CT
http://blog.linuxmint.com/?p=2994

Only for one day...

Just posting since it seems Mint is quite popular here @ bitog.

Quote:

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
 
shocked2.gif
 
Got me. I needed a live CD so downloaded the latest.

Knew something was up as I couldn't get out to the internet.

Fortunately I didn't install it.
 
That's wild, they backdoor'd the ISO. I wonder how much personal information they were able to grab in the period it was compromised?
 
While Linux has many security advantages over Windows or OS X...obscurity has been its strongest security.

Looks like hackers have deemed Mint popular enough to give it attention. Thankfully the open source community was on it quickly as usual.
 
This is a bit of crazy news. I was just going to wipe and reinstall a clean copy of 17.3 on my laptop. Guess I'll hold off until the dust settles with this.

I have 3 machines with this installed, but they were upgraded via the package manager. I'm guessing those aren't vulnerable. Being as this was discovered on Feb 21, are any prior ISOs downloaded vulnerable?
 
Originally Posted By: MysticGold04
Being as this was discovered on Feb 21, are any prior ISOs downloaded vulnerable?


Only the Cinammon version ISO downloaded directly from their servers (torrents were unaffected) on that 1 day were compromised.
 
Originally Posted By: MysticGold04
Yes, I visited there this morning and my email address was on the list...


As long as there are no reported "pastes" at that site I think you're in good shape. Once the forum is back up it will certainly not hurt to change your password, however!
 
Yes, I did that this morning. The forums are back online... they are now using https, and have changed hosting servers it looks like.
 
I think this point here rings quite true:

Quote:
The problem with security in Linux Mint

The architectural design of Linux Mint inherits a great deal from its upstream sources Debian and Ubuntu (which is itself based upon Debian). Unfortunately, it lacks any sort of security advisories—Linux Mint evangelists insist that referring to the Ubuntu or Debian advisories is sufficient. Not every package in Linux Mint is available in Ubuntu or Debian, and this argument is further complicated by the fact that updates that work perfectly in Ubuntu or Debian are blacklisted by the Linux Mint team due to compatibility issues.

Linux Mint has the somewhat peculiar design decision of not updating the kernel using the graphical update manager. Users must run apt-get dist-upgrade in a terminal in order to receive updates, when users of Ubuntu receive the same kernel updates automatically. This leaves users vulnerable to potential root exploits and hardware issues. Additionally, there is an issue with shifting release cadences—with version 17, the underlying base moved from standard releases to Long-Term Support (LTS) releases of Ubuntu. Consequently, the packages incorporated are older, on average, than in previous releases, and if blacklisted are both old and insecure.


Debian and Ubuntu are both very well supported. But then so are projects like Fedora. I'm a big fan of RHEL but it isn't a logical choice for a home user due to the subscription costs but even if you look at CentOS (the free version of RHEL) it still isn't as user-friendly as the first two.
 
Originally Posted By: StorminNorvin

I use Ubuntu MATE 14.04.3 LTS as I liked Mint a little but hated Ubuntu's Unity layout.


Then why not Mint's MATE version? It's been around a while longer and has had a lot more attention given it over the years.
 
Well, you choose as you need and see fit, but, as was noted, this was a website security issue as much as anything else. Pointing to the "wrong" download has been a hacking technique since dialup BBS days.
 
Originally Posted By: uc50ic4more
Then why not Mint's MATE version? It's been around a while longer and has had a lot more attention given it over the years.

I hate the layout. I also hate the fact that to update the kernel, you have to do it in Terminal instead of the Software Updater. Still, I hate the layout.
 
Status
Not open for further replies.

Similar threads

S
Need help setting up a new printer with a Linux/Mint laptop
Replies
12
Views
1K
Brons2
OVERKILL
The real cost of wind and solar: Why rates don't match the claims
4 5 6
Replies
116
Views
10K
oil pan 4
wwillson
  • Locked
Answers - Pennzoil Technology behind "Made From Natural Gas" and Vehicle maintenance while driving less Q&A
Replies
5
Views
31K
RateNate
T
  • Locked
Best Way To Desludge This New-To-Me Dodge Dakota w/4.7L V8?
3 4 5
Replies
80
Views
31K
Astro14
OVERKILL
  • Locked
Router review - Cisco ASA 5506W-X w/FirePOWER
Replies
8
Views
6K
Rand
Back
Top