
Re: Savannah accident



On 30 November 2010 11:38, Mark Wielaard <mark@xxxxxxxxx> wrote:
> Hi all,
>
> If you have been wondering about the GNU Classpath services on savannah
> note that they are having trouble. This means CVS and the classpath
> project page are currently down.
>
> For more information see http://savannah.gnu.org/
>
>        Savannah is currently down - details to follow.
>
>        There's been a SQL injection leading to leaking of encrypted
>        account passwords, some of them discovered by brute-force
>        attack, leading in turn to project membership access.
>        We're reinstalling the system and restoring the data from a safe
>        backup, November 24th.
>        Please prepare to recommit your changes since that date.
>        While effort was made in the past to fix injection
>        vulnerabilities in the Savane2 legacy codebase, it appears this
>        was not enough :/
>
>
>        No firm ETA for the return online yet (but during the week).
>
>              * 2010/11/29 21:30 GMT: access to the base host restored,
>                extracting incremental backup from the 24th
>              * 2010/11/29 23:30 GMT: finished diagnosing original
>                attack
>
>        TODO
>
>              * Put services online using backup, except for
>                password-based ones (e.g. the web interface)
>              * Fix SQL injection and look for potential others
>              * Reset passwords
>              * Implement crypt-md5 support (like /etc/shadow, strong
>                and LDAP-compatible) hashes
>              * Implement password strength enforcement
>              * Bring back web interface
>
>        --
>        The Savannah Hackers
>
>        Also see http://identi.ca/group/fsfstatus for information.
>
>
>
>

That explains why I couldn't cvs update yesterday.  I wonder why I
didn't get this message too?  Maybe I just missed it.

At least there haven't been any Classpath CVS changes since the 24th.... :-(
-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8



