Savannah accident


Hi all,

If you have been wondering about the GNU Classpath services on Savannah,
note that they are having trouble. This means CVS and the Classpath
project page are currently down.

For more information see http://savannah.gnu.org/

        Savannah is currently down - details to follow.
        
        There's been a SQL injection leading to leaking of encrypted
        account passwords, some of them discovered by brute-force
        attack, leading in turn to project membership access.
        We're reinstalling the system and restoring the data from a safe
        backup, November 24th.
        Please prepare to recommit your changes since that date.
        While effort was made in the past to fix injection
        vulnerabilities in the Savane2 legacy codebase, it appears this
        was not enough :/
        
        
        No firm ETA for the return online yet (but during the week).
        
              * 2010/11/29 21:30 GMT: access to the base host restored,
                extracting incremental backup from the 24th
              * 2010/11/29 23:30 GMT: finished diagnosing original
                attack
        
        TODO
        
              * Put services online using backup, except for
                password-based ones (e.g. the web interface)
              * Fix SQL injection and look for potential others
              * Reset passwords
              * Implement crypt-md5 support (like /etc/shadow, strong
                and LDAP-compatible) hashes
              * Implement password strength enforcement
              * Bring back web interface
        
        -- 
        The Savannah Hackers
        
        Also see http://identi.ca/group/fsfstatus for information.




