corosync.org compromised

Hello,

The virtual machine that hosts corosync.org was root compromised recently.

It does not appear the compromise resulted in much damage, but as a
precautionary measure, corosync.org was reinstalled and several
corrective actions have been executed.  The site corosync.org provided
the following services previously:

1) ftp access to released tarballs
2) website documentation and access
3) buildbot automated functional testing
4) mailing list

The git repository is hosted by github and protected by git's hashing
mechanisms.  No private keys for access to github accounts were stored
on the compromised machine.

A key risk of this compromise is that the tarballs distributed from
corosync.org were in some way modified.  When the attack was detected,
the virtual machine was shut down and a snapshot of the filesystem was
taken.  A diff of every release since 0.95 was extracted from git and
diffed against the tarballs that corosync.org distributes.

The initial analysis shows that no trees distributed from corosync.org
were modified at the time the attack was detected.  One possible
exception is version 1.2.4, which appears to have been tagged improperly
rather than physically attacked.

For those who have concerns about whether this analysis was done properly,
the work can be verified by downloading the 100 MB tarball located here:

http://corosync.org/comparison.tar.gz

It is possible your mailing list password was compromised.  I would
recommend changing your mailing list password.

A summary of the attack:

1) No distributed tarballs were attacked at the time the attack was detected
2) 1.2.4 should be considered suspect, but looks as if it were tagged
improperly rather than attacked
3) mailing list passwords could be compromised

A summary of actions we recommend you take:

1) Change your mailing list password
2) If you reused your mailing list password, consider it compromised
everywhere it was reused

The corrective actions the corosync maintainers are taking are as follows:

1) VM was reinstalled
2) Only mailing list will be hosted at corosync.org
3) Files will be hosted on the github downloads feature
4) SHA256 sums + a signature will be distributed with future tarballs
5) 1.2.4 requires further analysis
6) corosync.org website will be hosted on github pages
   http://corosync.github.com/corosync/
7) A cname will point www.corosync.org to the corosync github pages to
provide a seamless corosync.org website

Regards
-steve
_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
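The two checks described in the message above, comparing each distributed tarball against the tree held in git and verifying SHA256 sums shipped alongside future tarballs, are shown here as an added example. This is not code from Steve's message or from the corosync project, and it uses a constructed fixture rather than real release data: a small directory tree stands in for the output of `git archive <tag>` (the tool a maintainer would use to export a tagged tree), the version string `9.9.9` is a placeholder, and the SHA256SUMS text is generated in place.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large tarballs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tarball_digests(tar_path):
    """Map member path -> SHA-256 of content for regular files in a release tarball.
    The leading top-level directory (e.g. 'corosync-1.2.4/') is stripped so the
    result lines up with a tree exported by 'git archive <tag>'."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[rel] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return digests


def tree_digests(root):
    """Same map for an on-disk tree (the exported release tag)."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare_release(tar_path, reference_root):
    """Classify every path as added (tarball only), missing (git only) or modified."""
    tarball, ref = tarball_digests(tar_path), tree_digests(reference_root)
    return {
        "added": sorted(set(tarball) - set(ref)),
        "missing": sorted(set(ref) - set(tarball)),
        "modified": sorted(p for p in set(tarball) & set(ref) if tarball[p] != ref[p]),
    }


def verify_sha256sums(sums_text, directory):
    """Check files in 'directory' against sha256sum-style lines ('<hex>  <name>').
    Returns name -> True/False; a missing file counts as a failure."""
    results = {}
    for line in sums_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and sha256_file(path) == digest.lower()
    return results


def build_demo():
    """Constructed fixture, not real corosync data: a reference tree standing in for
    'git archive' output, a clean tarball, a tampered one and a SHA256SUMS text."""
    work = tempfile.mkdtemp(prefix="release-audit-")
    ref = os.path.join(work, "ref")
    os.makedirs(os.path.join(ref, "exec"))
    sources = {"exec/main.c": b"int main(void) { return 0; }\n", "README": b"sample project\n"}
    for rel, data in sources.items():
        with open(os.path.join(ref, rel), "wb") as f:
            f.write(data)

    def make_tar(path, members):
        with tarfile.open(path, "w:gz") as tf:
            for rel, data in members.items():
                info = tarfile.TarInfo("sample-9.9.9/" + rel)  # placeholder version
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))

    clean = os.path.join(work, "clean.tar.gz")
    # 'configure' is generated at release time and is not in git: expect it as 'added'
    make_tar(clean, dict(sources, configure=b"#!/bin/sh\n"))
    tampered_sources = dict(sources)
    tampered_sources["exec/main.c"] = b"int main(void) { return 1; }\n"  # altered source
    tampered = os.path.join(work, "tampered.tar.gz")
    make_tar(tampered, tampered_sources)

    # Published sums cover the genuine file; the second entry simulates a tarball
    # swapped on the mirror after the sums were published, so it must fail.
    sums = "%s  clean.tar.gz\n%s  tampered.tar.gz\n" % (sha256_file(clean), sha256_file(clean))
    return {
        "clean": compare_release(clean, ref),
        "tampered": compare_release(tampered, ref),
        "sums": verify_sha256sums(sums, work),
    }


if __name__ == "__main__":
    for key, value in build_demo().items():
        print(key, value)
```

A non-empty `added` list is not by itself evidence of tampering: release tarballs of autotools-based projects carry generated files such as `configure` that are never committed, so those entries are reviewed by hand, while `modified` or `missing` entries under tracked source directories are the findings to chase. The sums check covers only the digests; the signature that is to accompany them must be verified against the project's signing key before the SHA256SUMS text is trusted at all.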