On 30 November 2010 11:38, Mark Wielaard <[email protected]> wrote:
> Hi all,
>
> If you have been wondering about the GNU Classpath services on savannah
> note that they are having trouble. This means CVS and the classpath
> project page are currently down.
>
> For more information see http://savannah.gnu.org/
>
> Savannah is currently down - details to follow.
>
> There's been a SQL injection leading to leaking of encrypted
> account passwords, some of them discovered by brute-force
> attack, leading in turn to project membership access.
>
> We're reinstalling the system and restoring the data from a safe
> backup, November 24th.
>
> Please prepare to recommit your changes since that date.
>
> While effort was made in the past to fix injection
> vulnerabilities in the Savane2 legacy codebase, it appears this
> was not enough :/
>
> No firm ETA for the return online yet (but during the week).
>
> * 2010/11/29 21:30 GMT: access to the base host restored,
>   extracting incremental backup from the 24th
> * 2010/11/29 23:30 GMT: finished diagnosing original
>   attack
>
> TODO
>
> * Put services online using backup, except for
>   password-based ones (e.g. the web interface)
> * Fix SQL injection and look for potential others
> * Reset passwords
> * Implement crypt-md5 support (like /etc/shadow, strong
>   and LDAP-compatible) hashes
> * Implement password strength enforcement
> * Bring back web interface
>
> --
> The Savannah Hackers
>
> Also see http://identi.ca/group/fsfstatus for information.

That explains why I couldn't cvs update yesterday. I wonder why I didn't get this message too? Maybe I just missed it.

At least there haven't been any Classpath CVS changes since the 24th.... :-(

--
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8

