FreeBSD Project has released a summary on their security breach two machines within the cluster have been compromised and have been consequently pulled offline for analysis.  The affected machines were taken offline for analysis.   However it added that the intruder had sufficient access to modify third party packages, many of which are compiled and installed through FreeBSD’s ports system.

Users are advised to check for packages downloaded between certain dates and replace them, although not because known Trojans have been found, but rather because the project has not yet been able to confirm that they could not exist.

The Admin team verifies the infrastructure and source trees are clean and the suspect machines are either being re installed retired, or thoroughly audited before being brought back online.  Apparently access was via a developer’s stolen SSH key, but fortunately the project’s clusters were partitioned so that the effects were limited.