On 30 November 2010 11:38, Mark Wielaard <mark@xxxxxxxxx> wrote:
> Hi all,
>
> If you have been wondering about the GNU Classpath services on savannah
> note that they are having trouble. This means CVS and the classpath
> project page are currently down.
>
> For more information see http://savannah.gnu.org/
>
>     Savannah is currently down - details to follow.
>
>     There's been a SQL injection leading to leaking of encrypted
>     account passwords, some of them discovered by brute-force
>     attack, leading in turn to project membership access.
>     We're reinstalling the system and restoring the data from a safe
>     backup, November 24th.
>     Please prepare to recommit your changes since that date.
>     While effort was made in the past to fix injection
>     vulnerabilities in the Savane2 legacy codebase, it appears this
>     was not enough :/
>
>     No firm ETA for the return online yet (but during the week).
>
>         * 2010/11/29 21:30 GMT: access to the base host restored,
>           extracting incremental backup from the 24th
>         * 2010/11/29 23:30 GMT: finished diagnosing original
>           attack
>
>     TODO
>
>         * Put services online using backup, except for
>           password-based ones (e.g. the web interface)
>         * Fix SQL injection and look for potential others
>         * Reset passwords
>         * Implement crypt-md5 support (like /etc/shadow, strong
>           and LDAP-compatible) hashes
>         * Implement password strength enforcement
>         * Bring back web interface
>
>     --
>     The Savannah Hackers
>
>     Also see http://identi.ca/group/fsfstatus for information.
>

That explains why I couldn't cvs update yesterday. I wonder why I didn't get this message too? Maybe I just missed it. At least there haven't been any Classpath CVS changes since the 24th.... :-(

--
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8