Re: WineHQ database compromise

2011/10/11 Jerome Leclanche <adys.wh@xxxxxxxxx>:
> Thank you so much for letting the users know so early on.
>
> Bugzilla/forum passwords should probably be reset as well for appdb
> users, there's no doubt most people share passwords with the appdb.
>
> On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White <jwhite@xxxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> I am sad to say that there was a compromise of the WineHQ database system.
>>
>> What we know at this point is that someone was able to obtain unauthorized
>> access to the phpmyadmin utility.  We do not know exactly how they obtained
>> access; it was either by compromising an admin's credentials, or by
>> exploiting an unpatched vulnerability in phpmyadmin.
>>
>> We had reluctantly provided access to phpmyadmin to the appdb developers
>> (it is a very handy tool, and something they very much wanted).  But it
>> is a prime target for hackers, and apparently our best efforts at
>> obscuring it and patching it were not sufficient.
>>
>> So we have removed all access to phpmyadmin from the outside world.
>>
>> We do not believe the attackers obtained any other form of access to the
>> system.
>>
>> On the one hand, we saw no evidence of harm to any database. We saw no
>> evidence of any attempt to change the database (and candidly, using the
>> real appdb or bugzilla is the easy way to change the database).
>>
>> Unfortunately, the attackers were able to download the full login
>> database for both the appdb and bugzilla.  This means that they have all
>> of those emails, as well as the passwords.  The passwords are stored
>> encrypted, but with enough effort and depending on the quality of the
>> password, they can be cracked.
>>
>> This, I'm afraid, is a serious threat; it means that anyone who uses the
>> same email / password on other systems is now vulnerable to a malicious
>> attacker using that information to access their account.
>>
>> We are going to be resetting every password and sending a private email
>> to every affected user.
>>
>> This is again another reminder to never use a common username / password
>> pair.  This web site provides further advice as well:
>> http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/
>>
>> I am very sad to have to report this.  We have so many challenges in our
>> world today that this is a particularly painful form of salt for our wounds.
>>
>> However, I think it is urgent for everyone to know what happened.
>>
>> Cheers,
>>
>> Jeremy
>>
>>
>>
>
>
>
Thanks for the early notice !

Testbot passwords should also be reset as it seems it doesn't allow
password reset / change ATM. (At least I wasn't able to find that
possibility)

-- 
Nicolas Le Cam
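Jeremy's point above, that the stolen passwords are stored in a protected form but "with enough effort and depending on the quality of the password, they can be cracked", is easy to see in code. The block below is an added illustration, not code from WineHQ, the appdb, Bugzilla or anyone on this thread, and the page does not say which hashing scheme either application actually used. The two storage schemes shown (unsalted MD5 beside salted PBKDF2-HMAC-SHA256), the iteration count, the user names, the passwords and the wordlist are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for this illustration only. Nothing here comes from
# the WineHQ dump, and neither storage scheme is claimed to be what the appdb
# or bugzilla used.
WORDLIST = ["password", "123456", "wine", "letmein", "qwerty", "winehq2011"]
USERS = {
    "alice": "wine",                 # weak: appears in the wordlist
    "bob": "Tq8!vR2#mLp0zXw9",       # strong: not in any small wordlist
}
ITERATIONS = 100_000                 # PBKDF2 work factor (assumed value)


def md5_unsalted(password):
    """Legacy-style storage: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password, salt, iterations=ITERATIONS):
    """Salted, deliberately slow storage: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_dump(users=USERS):
    """What an attacker holds after copying a table of unsalted MD5 digests."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def build_salted_dump(users=USERS):
    """What an attacker holds after copying a table of (salt, digest) pairs."""
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)        # fresh random salt per user
        dump[user] = (salt, pbkdf2_salted(pw, salt))
    return dump


def crack_unsalted(dump, wordlist=WORDLIST):
    """Hash each candidate once and match it against every user at the same
    time: the cost is one digest per word, however many users there are.
    Returns (cracked_users, hash_computations)."""
    table = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: table[d] for user, d in dump.items() if d in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist=WORDLIST, iterations=ITERATIONS):
    """With a per-user salt there is no shared lookup table: every candidate
    must be re-derived for every user, and each derivation is slow by design.
    Returns (cracked_users, slow_derivations)."""
    cracked, derivations = {}, 0
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            derivations += 1
            if hmac.compare_digest(pbkdf2_salted(w, salt, iterations), digest):
                cracked[user] = w
                break
    return cracked, derivations


if __name__ == "__main__":
    found, work = crack_unsalted(build_unsalted_dump())
    print(f"unsalted MD5:  cracked {found} after {work} fast hash computations")
    found, work = crack_salted(build_salted_dump())
    print(f"salted PBKDF2: cracked {found} after {work} slow derivations")
```

Either way the weak password falls to a six-word list and the strong one does not; the salted, slow scheme only changes how much work each guess costs the attacker. That is why the quality of the password, not the storage format alone, decides who is exposed, and why a cracked password that is reused elsewhere is the real damage Jeremy warns about.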



