Re: corosync.org compromised

You can use the mailing list website:

http://lists.corosync.org/mailman/listinfo/discuss

digimer

On 09/24/2012 12:46 PM, Grüninger, Andreas (LGL Extern) wrote:
Could you give a hint how to change the password?

Thanks Andreas

-----Original Message-----
From: discuss-bounces@xxxxxxxxxxxx [mailto:discuss-bounces@xxxxxxxxxxxx] On behalf of Steven Dake
Sent: Monday, 24 September 2012 18:26
To: discuss@xxxxxxxxxxxx
Subject: corosync.org compromised

Hello,

The virtual machine that hosts corosync.org was root compromised recently.

It does not appear the compromise resulted in much damage, but as a precautionary measure, corosync.org was reinstalled and several corrective actions have been executed.  The site corosync.org provided the following services previously:

1) ftp access to released tarballs
2) website documentation and access
3) buildbot automated functional testing
4) mailing list

The git repository is hosted by github and protected by git's hashing mechanisms.  No private keys for access to github accounts were stored on the compromised machine.

A key risk of this compromise is that the tarballs distributed from corosync.org were in some way modified.  When the attack was detected, the virtual machine was shut down and a snapshot of the filesystem was taken.  A diff of every release since 0.95 was extracted from git and diffed against the tarballs that corosync.org distributes.

The initial analysis shows that no trees distributed from corosync.org were modified at the time the attack was detected.  One possible exception is version 1.2.4, which appears to have been tagged improperly rather than physically attacked.

For those that have concern this analysis was done properly, the work can be verified by downloading the 100 MB tarball located here:

http://corosync.org/comparison.tar.gz

It is possible your mailing list password was compromised.  I would recommend changing your mailing list password.

A summary of the attack:

1) No distributed tarballs were attacked at the time the attack was detected
2) 1.2.4 should be considered suspect, but looks as if it were tagged improperly rather than attacked
3) mailing list passwords could be compromised

A summary of actions we recommend you take:

1) Change your mailing list password
2) If you reused your mailing list password, consider it compromised everywhere it was reused

The corrective actions the corosync maintainers are taking are as follows:

1) VM was reinstalled
2) Only mailing list will be hosted at corosync.org
3) Files will be hosted on the github downloads feature
4) SHA256 sums + a signature will be distributed with future tarballs
5) 1.2.4 requires further analysis
6) corosync.org website will be hosted on github pages
    http://corosync.github.com/corosync/
7) A cname will point wwww.corosync.org to the corosync github pages to provide a seamless corosync.org website

Regards
-steve
_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss




--
Digimer
Papers and Projects: https://alteeve.ca
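The advisory's corrective action 4 (SHA256 sums plus a signature shipped with each tarball) only helps if downstream users actually check them. The following is an added example, not code from the corosync project or from any poster in this thread; it assumes a sums file in `sha256sum` output format (the file name `SHA256SUMS` and the optional detached signature `SHA256SUMS.asc` are assumptions) and checks the signature before trusting the sums, since an attacker who can replace a tarball on the download host can replace an unsigned sums file just as easily.

```shell
#!/bin/sh
# verify_tarball TARBALL SUMS_FILE [DETACHED_SIG]
# Return codes: 0 = OK, 1 = sum mismatch, 2 = bad signature, 3 = no entry for file.
# Constructed example; file names are assumptions, not the project's real layout.
verify_tarball() {
    tarball="$1"   # e.g. corosync-<version>.tar.gz
    sums="$2"      # e.g. SHA256SUMS, lines of "<sha256>  <filename>"
    sig="$3"       # optional detached signature over $sums, e.g. SHA256SUMS.asc

    # 1. If a signature is supplied, verify it first. Without this step the
    #    sums file is just another unauthenticated download.
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$sums" >/dev/null 2>&1 || {
            echo "BAD SIGNATURE on $sums"; return 2; }
    fi

    # 2. Look up the expected digest by file name. sha256sum writes either
    #    "<hash>  name" (text mode) or "<hash> *name" (binary mode).
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" 'BEGIN { g = "*" f }
                                 ($2 == f || $2 == g) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "NO ENTRY for $name in $sums"; return 3; }

    # 3. Hash the downloaded file and compare against the published digest.
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name: expected $expected, got $actual"
    return 1
}
```

A non-zero return from any step should be treated as "do not unpack", not as a warning to be skipped.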


