In a recent audit of the overall Gluster.org infrastructure, we discovered an intrusion into a little-used server. As a result, we are notifying the community of the intrusion, which we do not believe has compromised any of the GlusterFS code or packages offered to the community. However, in an abundance of caution, we are sharing the steps we are taking as a result, including replacing the download area of Gluster.org’s infrastructure.
More detail: The legacy server in question was no longer being used for development and was not hosted within the main Gluster Project infrastructure. The intrusion occurred in 2013-2014.
We believe the intrusion was a result of a brute-force password attack, and the attackers were attempting to use the compromised infrastructure as part of a botnet. Red Hat’s information security team has found no evidence that the intruders attempted to access any parts of the critical release infrastructure, and there is no evidence that any of Gluster’s code or binaries were tampered with.
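The announcement attributes the compromise to a brute-force password attack. As an added illustration of the kind of check a defender would run on a host like this (this is example code written for this note, not anything from the Gluster project or the audit), the script below parses sshd auth-log lines, counts failed password logins per source address inside a sliding time window, and raises an alert when a source crosses a threshold or when a password login from an already-flagged source succeeds. The log lines, the host name `legacy-host`, the addresses and the threshold are all constructed for the example.

```python
"""
Detect SSH password brute-force attempts from sshd auth-log lines.

Added example, not part of the Gluster announcement. It assumes the
classic syslog/sshd message format and uses constructed sample lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data). One source hammers root with
# five failures in a few seconds and then gets in with a password; a
# second source has two widely spaced failures and then logs in with a key.
SAMPLE_LOG = """\
Nov  3 02:14:01 legacy-host sshd[2011]: Failed password for root from 198.51.100.7 port 40211 ssh2
Nov  3 02:14:03 legacy-host sshd[2012]: Failed password for root from 198.51.100.7 port 40215 ssh2
Nov  3 02:14:04 legacy-host sshd[2013]: Failed password for invalid user admin from 198.51.100.7 port 40219 ssh2
Nov  3 02:14:06 legacy-host sshd[2014]: Failed password for root from 198.51.100.7 port 40223 ssh2
Nov  3 02:14:08 legacy-host sshd[2015]: Failed password for root from 198.51.100.7 port 40230 ssh2
Nov  3 02:14:10 legacy-host sshd[2016]: Accepted password for root from 198.51.100.7 port 40234 ssh2
Nov  3 02:20:00 legacy-host sshd[2101]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Nov  3 02:31:00 legacy-host sshd[2102]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Nov  3 02:31:02 legacy-host sshd[2103]: Accepted publickey for alice from 203.0.113.5 port 51005 ssh2
"""

# Matches "Failed/Accepted password|publickey for [invalid user] USER from IP port N".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2013):
    """Return a dict for an sshd auth event, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies one (the
    default is an assumption chosen for the sample data).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Flag sources with >= threshold failed password logins in the window,
    and flag any later successful password login from a flagged source."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed" and ev["method"] == "password":
            q = failures[ip]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip,
                               "failures": len(q), "at": ev["ts"]})
        elif ev["result"] == "Accepted" and ev["method"] == "password" and ip in flagged:
            # A password success right after a burst of failures is the
            # signal that the guessing worked and the host needs triage.
            alerts.append({"kind": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Key-only failures are deliberately ignored, since they do not indicate password guessing; the second source in the sample never reaches the threshold because its two failures are eleven minutes apart, outside the five-minute window.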
Plan: We are accelerating our plans to replace our download server. As an extra measure we will also update the Gluster Project’s package signing keys.
Security and the trust of the community are of utmost importance to us. We wanted to share this information so that the Gluster community is aware of the reasons for any infrastructure changes. We also want to note that we are making a number of scheduled changes to improve the Gluster infrastructure, and will soon open a discussion about how interested members of the Gluster community can participate in managing project infrastructure.
--
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel