Hi all,

If you have been wondering about the GNU Classpath services on savannah note that they are having trouble. This means CVS and the classpath project page are currently down. For more information see http://savannah.gnu.org/

Savannah is currently down - details to follow.

There's been a SQL injection leading to leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access.

We're reinstalling the system and restoring the data from a safe backup, November 24th. Please prepare to recommit your changes since that date.

While effort was made in the past to fix injection vulnerabilities in the Savane2 legacy codebase, it appears this was not enough :/

No firm ETA for the return online yet (but during the week).

* 2010/11/29 21:30 GMT: access to the base host restored, extracting incremental backup from the 24th
* 2010/11/29 23:30 GMT: finished diagnosing original attack

TODO

* Put services online using backup, except for password-based ones (e.g. the web interface)
* Fix SQL injection and look for potential others
* Reset passwords
* Implement crypt-md5 support (like /etc/shadow, strong and LDAP-compatible) hashes
* Implement password strength enforcement
* Bring back web interface

-- The Savannah Hackers

Also see http://identi.ca/group/fsfstatus for information.