[VIM] savannah.gnu.org compromised
jericho at attrition.org
Tue Nov 30 18:48:25 CST 2010
Savannah is currently down - details to follow.
There's been a SQL injection leading to leaking of encrypted account
passwords, some of them discovered by brute-force attack, leading in turn
to project membership access.
We're reinstalling the system and restoring the data from a safe backup,
November 23th circa 12:00 GMT.
Please prepare to recommit your changes since that date.
While effort was made in the past to fix injection vulnerabilities in the
Savane2 legacy codebase, it appears this was not enough :/
No firm ETA for the return online yet (but during the week).
* 2010/11/29 21:30 GMT: access to the base host restored, extracting
incremental backup from the 23th
* 2010/11/29 23:30 GMT: finished diagnosing original attack
* 2010/11/30 12:30 GMT: data transfers in progress
* 2010/11/30 13:30 GMT: read-only access to source repositories
* 2010/11/30 14:30 GMT: write access to source repositories
* 2010/11/30 16:30 GMT: data transfers finished
* 2010/11/30 18:00 GMT: access to downloads and GNU Arch
* 2010/11/30 21:00 GMT: audited code and found no other SQL injection
* 2010/11/30 22:30 GMT: found trace of earlier attack on Nov 23th 4h
* 2010/11/30 22:45 GMT: stopped write access and preparing new backup
from the 22th
* 2010/11/30 23:45 GMT: found trace of earlier read-only SQL
injections as back as January, but apparently none with actual account
cracking; searching more
* [X] Put services online using backup, except for password-based ones
(e.g. the web interface)
* [X] Reset passwords
* [X] Fix SQL injection and look for potential others
* [ ] Implement crypt-md5 support (like /etc/shadow, strong and
LDAP-compatible) hashes, or possibly crypt-sha2
* [ ] Implement password strength enforcement
* [ ] Bring back web interface
* [/] Audit changes between the 23th and the 27th to see what was
The Savannah Hackers
Also see http://identi.ca/group/fsfstatus for information.
More information about the VIM