This is the mail archive of the java@gcc.gnu.org mailing list for the Java project.



Re: [kaffe] [OffTopic] Savannah has been compromised


Hi,

On Thu, 2003-12-04 at 00:54, Dalibor Topic wrote:
> since I haven't received any news on this yet, and many people here 
> probably contribute to one project on Savannah or another, I just wanted 
> to spread the news that savannah.gnu.org has been compromised. cracked. 
> broken in. just like debian last week.

Thanks. I tried to send the attached message to the classpath
mailing list about it. But it didn't arrive so probably the mailing lists
at gnu.org are also down :{

I CCed the gcj mailing list to make sure most of our contributors know
about this issue. I'll try to keep you up to date when I know more.

Be careful out there.
And please check your machines for any irregularities.

Cheers,

Mark
--- Begin Message ---
Hi all,

If you were wondering why CVS doesn't work anymore or why the last
classpath 0.07 release hasn't gone up on the gnu.org servers this is the
reason. From http://savannah.gnu.org/statement.html:

        On December 1st, 2003, we discovered that the "Savannah" system,
        which is maintained by the Free Software Foundation and provides
        CVS and development services to the GNU project and other Free
        Software projects, was compromised at circa November 2nd, 2003.
        
        The compromise seems to be of the same nature as the recent
        attacks on Debian project servers; the attacker seemed to
        operate identically. However, this incident was distinctly
        different from the modus operandi we found in the attacks on our
        FTP server in August 2003. We have also confirmed that an
        unauthorized party gained root access and installed a root-kit
        ("SucKIT") on November 2nd, 2003.
        
        In the interest of continuing cooperation and in helping to
        improve security for all essential Free Software infrastructure,
        and despite important philosophical differences, we are working
        closely with Debian project members to find the perpetrators and
        to secure essential Free Software infrastructure for the future.
        We hope to have future joint announcements that discuss a
        unified strategy for addressing these problems.
        
        For the moment, we are installing replacement hardware for the
        Savannah system, and we will begin restoring the Savannah
        software this week. Initially, there will be some security
        related changes which may be inconvenient for our developers. We
        will try to ease these as we find secure ways to do so. We are
        in particular researching ways to ensure secured authentication
        of the source code trees stored on the system.
        
        We will send more detailed announcements about efforts to verify
        the authenticity of the source code hosted on Savannah, and how
        the community can help in that effort once we've brought the
        system back online.
        
        We hope to have at least minimal services back up by Friday 5
        December 2003.

[...insert some strong negative statement here, not appropriate for
little children...]

As soon as I have more information I will let you know.

Meanwhile please all check your own machines carefully.
Some help for people running Debian GNU/Linux to do this can be found
at: http://www.wiggy.net/debian/developer-securing/
(It specifically describes what Debian developers should do, but is
useful information for everybody.)

Mark

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
