I wonder if that user was set up a while ago as a way of getting update messages to the mailing list (maybe in the very early days of JIRA before notification schemes). I'd suggest we disable the account.

-Grant

On Apr 13, 2010, at 8:08 PM, sebb wrote:

> On 14/04/2010, Uwe Schindler <u...@thetaphi.de> wrote:
>> Hi Grant,
>>
>> It is that user, who is assigned to the very early JIRA issues, e.g.:
>> https://issues.apache.org/jira/browse/LUCENE-1
>>
>> I changed the password of this user in response to that email (for
>> security), but I think we should simply let infra remove it. The problem is,
>> almost anybody can instruct JIRA to reset the password and let JIRA send it
>> again to the "email" which is the public java-dev list. And then it is
>> public again.
>
> If the user is still needed (for whatever reason) maybe the user can
> be disabled, or maybe they can be removed from the list of users who
> have update access to the JIRA.
>
> But so long as the user is not an administrator, then it's no
> different really from any other account that can be created by Joe
> Public.
>
>> Uwe
>>
>> -----
>> Uwe Schindler
>> H.-H.-Meier-Allee 63, D-28213 Bremen
>> http://www.thetaphi.de
>> eMail: u...@thetaphi.de
>>
>>
>>> -----Original Message-----
>>> From: Grant Ingersoll [mailto:gsi...@gmail.com] On Behalf Of Grant
>>> Ingersoll
>>> Sent: Wednesday, April 14, 2010 1:50 AM
>>> To: java-dev@lucene.apache.org
>>> Subject: Re: issues.apache.org compromised: please update your
>>> passwords
>>>
>>> FYI, this is for real. Some have asked me if it is made up. I don't
>>> know who owns that user, so we should ask on infra, I suspect. Also,
>>> this applies to all user accounts too on JIRA.
>>>
>>> On Apr 13, 2010, at 12:25 PM, r...@apache.org wrote:
>>>
>>>> Dear Lucene Developers,
>>>>
>>>> You are receiving this email because you have a login, 'java-d...@lucene.apache.org', on the Apache JIRA installation, https://issues.apache.org/jira/
>>>>
>>>> On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:
>>>>
>>>> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
>>>>
>>>> We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password
>>>> you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it
>>>> should be assumed that the attackers can guess your password from the password hash via brute force.
>>>>
>>>> The upshot is that someone malicious may know both your email address and a password of yours.
>>>>
>>>> This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change
>>>> your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online
>>>> banking sites, or sites known to be related to your email's domain, lucene.apache.org.
>>>>
>>>> Naturally we would also like you to reset your JIRA password. That can be done at:
>>>>
>>>> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=java-...@lucene.apache.org
>>>>
>>>> We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email.
>>>> We are also available on the #asfinfra IRC channel on irc.freenode.net.
>>>>
>>>>
>>>> Regards,
>>>>
>>>> The Apache Infrastructure Team
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
>>>> For additional commands, e-mail: java-dev-h...@lucene.apache.org
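
The infrastructure notice quoted above says the copied JIRA database held unsalted SHA-512 password hashes. The following is an added illustration, not part of the original thread and not Apache's or JIRA's code, of why the missing salt matters to a defender and what a per-account salt with an iterated KDF changes; the account names, passwords and iteration count are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor, chosen for this example


def unsalted_sha512(password: str) -> str:
    """The scheme named in the notice: one bare SHA-512 per password."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-account random salt plus an iterated KDF (PBKDF2-HMAC-SHA512)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], expected)


def shared_digests(stored: dict[str, str]) -> list[list[str]]:
    """Return groups of accounts whose stored digest is byte-for-byte equal."""
    groups: dict[str, list[str]] = {}
    for user, digest in stored.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def demo() -> dict:
    # Constructed accounts and passwords, not data from the incident.
    passwords = {"alice": "lucene-2010", "bob": "lucene-2010", "carol": "s0lr-nightly"}
    legacy = {u: unsalted_sha512(p) for u, p in passwords.items()}
    salted = {u: salted_pbkdf2(p) for u, p in passwords.items()}
    return {
        # Unsalted: equal passwords give equal rows, so one guess tests every account.
        "legacy_shared": shared_digests(legacy),
        # Salted: the same two passwords no longer match each other.
        "salted_shared": shared_digests({u: d.hex() for u, (_, d) in salted.items()}),
        "login_ok": verify("lucene-2010", *salted["alice"]),
        "login_bad": verify("lucene-2011", *salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```
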