On Wed, Apr 14, 2010 at 01:08:41AM +0100, sebb wrote:
> On 14/04/2010, Uwe Schindler <u...@thetaphi.de> wrote:
> > Hi Grant,
> >
> >  It is that user, who is assigned to the very early JIRA issues, e.g.:
> >  https://issues.apache.org/jira/browse/LUCENE-1
> >
> >  I changed the password of this user in response to that email (for 
> > security), but I think we should simply let infra remove it. The problem 
> > is, almost anybody can instruct JIRA to reset the password and let JIRA 
> > send it again to the "email" which is the public java-dev list. And then it 
> > is public again.
> 
> If the user is still needed (for whatever reason) maybe the user can
> be disabled, or maybe they can be removed from the list of users who
> have update access to the JIRA.
> 
> But so long as the user is not an administrator, then it's no
> different really from any other account that can be created by Joe
> Public.

Yes, that account has no special access. If someone wants to unassign the 319
issues this user is the 'assignee' of, then the account can be deleted:

https://issues.apache.org/jira/secure/IssueNavigator.jspa?sorter/order=ASC&sorter/field=priority&assignee=java-dev%40lucene.apache.org&reset=true&assigneeSelect=specificuser&mode=hide


--Jeff

> >  Uwe
> >
> >  -----
> >  Uwe Schindler
> >  H.-H.-Meier-Allee 63, D-28213 Bremen
> >  http://www.thetaphi.de
> >  eMail: u...@thetaphi.de
> >
> >
> >  > -----Original Message-----
> >  > From: Grant Ingersoll [mailto:gsi...@gmail.com] On Behalf Of Grant
> >  > Ingersoll
> >  > Sent: Wednesday, April 14, 2010 1:50 AM
> >  > To: java-dev@lucene.apache.org
> >  > Subject: Re: issues.apache.org compromised: please update your
> >  > passwords
> >  >
> >  > FYI, this is for real.  Some have asked me if it is made up.  I don't
> >  > know who owns that user, so we should ask on infra, I suspect.  Also,
> >  > this applies to all  user accounts too on JIRA.
> >  >
> >  > On Apr 13, 2010, at 12:25 PM, r...@apache.org wrote:
> >  >
> >  > > Dear Lucene Developers,
> >  > >
> >  > > You are receiving this email because you have a login, 'java-d...@lucene.apache.org', on the Apache JIRA installation, https://issues.apache.org/jira/
> >  > >
> >  > > On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:
> >  > >
> >  > > https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> >  > >
> >  > > We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it should be assumed that the attackers can guess your password from the password hash via brute force.
> >  > >
> >  > > The upshot is that someone malicious may know both your email address and a password of yours.
> >  > >
> >  > > This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online banking sites, or sites known to be related to your email's domain, lucene.apache.org.
> >  > >
> >  > > Naturally we would also like you to reset your JIRA password. That can be done at:
> >  > >
> >  > > https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=java-...@lucene.apache.org
> >  > >
> >  > > We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email.
> >  > > We are also available on the #asfinfra IRC channel on irc.freenode.net.
> >  > >
> >  > >
> >  > > Regards,
> >  > >
> >  > > The Apache Infrastructure Team
> >  > >
> >  > > ---------------------------------------------------------------------
> >  > > To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
> >  > > For additional commands, e-mail: java-dev-h...@lucene.apache.org
> >  > >
> >  >
> >  >
> >  >
> >
> >
> >
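
Added example, not part of the original thread and not JIRA's code: the quoted notice says the database held unsalted SHA-512 password hashes, and the sketch below compares that storage scheme with a per-user salted, iterated one. The usernames, passwords, record format and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed work factor for the salted scheme; tune to your hardware budget.
PBKDF2_ITERATIONS = 210_000

def unsalted_sha512(password: str) -> str:
    """The scheme named in the notice: one fast hash, no salt."""
    return hashlib.sha512(password.encode()).hexdigest()

def hash_salted(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus an iterated KDF (hypothetical record format)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_digest_groups(table: dict) -> list:
    """Audit helper: users whose stored values are byte-identical.

    With unsalted hashes every user of the same password lands in one
    group, so a single guess (or precomputed table) covers all of them.
    """
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; two of them reuse a dictionary word.
SAMPLE_USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "k7#Vq2!mzP"}

def build_tables(users: dict, iterations: int = PBKDF2_ITERATIONS):
    unsalted = {u: unsalted_sha512(p) for u, p in users.items()}
    salted = {u: hash_salted(p, iterations) for u, p in users.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables(SAMPLE_USERS)
    print("unsalted duplicates:", shared_digest_groups(unsalted))
    print("salted duplicates:  ", shared_digest_groups(salted))
```

Because the unsalted digest depends only on the password, the same value also matches any other leaked database that used the same scheme, which is why the notice asks for password changes on all systems.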
