[VIM] savannah.gnu.org compromised

security curmudgeon jericho at attrition.org
Tue Nov 30 18:48:25 CST 2010


Savannah downtime

Savannah is currently down - details to follow.

There's been a SQL injection leading to leaking of encrypted account 
passwords, some of them discovered by brute-force attack, leading in turn 
to project membership access.
We're reinstalling the system and restoring the data from a safe backup, 
November 23rd circa 12:00 GMT.
Please prepare to recommit your changes since that date.
While effort was made in the past to fix injection vulnerabilities in the 
Savane2 legacy codebase, it appears this was not enough :/

No firm ETA for the return online yet (but during the week).

     * 2010/11/29 21:30 GMT: access to the base host restored, extracting 
incremental backup from the 23rd
     * 2010/11/29 23:30 GMT: finished diagnosing original attack
     * 2010/11/30 12:30 GMT: data transfers in progress
     * 2010/11/30 13:30 GMT: read-only access to source repositories
     * 2010/11/30 14:30 GMT: write access to source repositories
     * 2010/11/30 16:30 GMT: data transfers finished
     * 2010/11/30 18:00 GMT: access to downloads and GNU Arch
     * 2010/11/30 21:00 GMT: audited code and found no other SQL injection
     * 2010/11/30 22:30 GMT: found trace of earlier attack on Nov 23rd 4h
     * 2010/11/30 22:45 GMT: stopped write access and preparing new backup 
from the 22nd
     * 2010/11/30 23:45 GMT: found trace of earlier read-only SQL 
injections as far back as January, but apparently none with actual account 
cracking; searching more


     * [X] Put services online using backup, except for password-based ones 
(e.g. the web interface)
     * [X] Reset passwords
     * [X] Fix SQL injection and look for potential others
     * [ ] Implement crypt-md5 support (like /etc/shadow, strong and 
LDAP-compatible) hashes, or possibly crypt-sha2
     * [ ] Implement password strength enforcement
     * [ ] Bring back web interface
     * [/] Audit changes between the 23rd and the 27th to see what was 

The Savannah Hackers

Also see http://identi.ca/group/fsfstatus for information.
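The two remediation items in the Savannah to-do list above, fixing the SQL injection and replacing weak password hashes, side by side as an added example (not Savannah's or Savane's own code). The `user` table, its two accounts and the `$scrypt$salt$hash` storage layout are constructed for this example; the crypt(3) `$5$`/`$6$` format the list mentions is not implemented here.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a Savane-style user table; not Savannah's real schema or data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user_name TEXT PRIMARY KEY, user_pw TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)", [
        ("alice", hashlib.md5(b"correct horse").hexdigest()),  # unsalted MD5: cheap to brute-force
        ("bob", hashlib.md5(b"hunter2").hexdigest()),
    ])
    return db


def lookup_vulnerable(db: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    # The defect class behind the incident: untrusted input spliced into the SQL text,
    # so a crafted user_name rewrites the WHERE clause and can dump every stored hash.
    sql = f"SELECT user_name, user_pw FROM user WHERE user_name = '{user_name}'"
    return db.execute(sql).fetchall()


def lookup_fixed(db: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    # Parameter binding: the value travels separately from the statement and is
    # never parsed as SQL, whatever characters it contains.
    return db.execute(
        "SELECT user_name, user_pw FROM user WHERE user_name = ?", (user_name,)
    ).fetchall()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Salted, memory-hard hash in place of bare MD5, so a leaked table cannot be
    # attacked with a precomputed list. "$scrypt$<salt>$<hash>" is a constructed layout.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"$scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, scheme, salt_hex, _digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))  # every row, both hashes exposed
    print(lookup_fixed(db, "x' OR '1'='1"))       # [] : no account has that literal name
    h = hash_password("correct horse")
    print(verify_password("correct horse", h), verify_password("wrong", h))
```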
