On Wed, Apr 14, 2010 at 01:08:41AM +0100, sebb wrote:
> On 14/04/2010, Uwe Schindler <u...@thetaphi.de> wrote:
> > Hi Grant,
> >
> > It is that user, who is assigned to the very early JIRA issues, e.g.:
> > https://issues.apache.org/jira/browse/LUCENE-1
> >
> > I changed the password of this user in response to that email (for
> > security), but I think we should simply let infra remove it. The problem
> > is, almost anybody can instruct JIRA to reset the password and let JIRA
> > send it again to the "email" which is the public java-dev list. And then it
> > is public again.
>
> If the user is still needed (for whatever reason) maybe the user can
> be disabled, or maybe they can be removed from the list of users who
> have update access to the JIRA.
>
> But so long as the user is not an administrator, then it's no
> different really from any other account that can be created by Joe
> Public.

Yes, that account has no special access. If someone wants to
unassign the 319 issues this user is the 'assignee' of, then the
account can be deleted:

https://issues.apache.org/jira/secure/IssueNavigator.jspa?sorter/order=ASC&sorter/field=priority&assignee=java-dev%40lucene.apache.org&reset=true&assigneeSelect=specificuser&mode=hide

--Jeff

> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: u...@thetaphi.de
> >
> > > -----Original Message-----
> > > From: Grant Ingersoll [mailto:gsi...@gmail.com] On Behalf Of Grant
> > > Ingersoll
> > > Sent: Wednesday, April 14, 2010 1:50 AM
> > > To: java-dev@lucene.apache.org
> > > Subject: Re: issues.apache.org compromised: please update your
> > > passwords
> > >
> > > FYI, this is for real. Some have asked me if it is made up. I don't
> > > know who owns that user, so we should ask on infra, I suspect. Also,
> > > this applies to all user accounts too on JIRA.
> > >
> > > On Apr 13, 2010, at 12:25 PM, r...@apache.org wrote:
> > >
> > > > Dear Lucene Developers,
> > > >
> > > > You are receiving this email because you have a login,
> > > > 'java-d...@lucene.apache.org', on the Apache JIRA installation,
> > > > https://issues.apache.org/jira/
> > > >
> > > > On April 6 the issues.apache.org server was hacked. The attackers
> > > > were able to install a trojan JIRA login screen and later get full
> > > > root access:
> > > >
> > > > https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> > > >
> > > > We are assuming that the attackers have a copy of the JIRA database,
> > > > which includes a hash (SHA-512 unsalted) of the password
> > > > you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If
> > > > the password you set was not of great quality (eg. based on a
> > > > dictionary word), it should be assumed that the attackers can guess
> > > > your password from the password hash via brute force.
> > > >
> > > > The upshot is that someone malicious may know both your email address
> > > > and a password of yours.
> > > >
> > > > This is a problem because many people reuse passwords across online
> > > > services. If you reuse passwords across systems, we urge you to change
> > > > your passwords on ALL SYSTEMS that might be using the compromised
> > > > JIRA password. Prime examples might be gmail or hotmail accounts,
> > > > online banking sites, or sites known to be related to your email's
> > > > domain, lucene.apache.org.
> > > >
> > > > Naturally we would also like you to reset your JIRA password. That
> > > > can be done at:
> > > >
> > > > https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=java-...@lucene.apache.org
> > > >
> > > > We (the Apache JIRA administrators) sincerely apologize for this
> > > > security breach. If you have any questions, please let us know by
> > > > email.
> > > > We are also available on the #asfinfra IRC channel on
> > > > irc.freenode.net.
> > > >
> > > > Regards,
> > > >
> > > > The Apache Infrastructure Team
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
> > > > For additional commands, e-mail: java-dev-h...@lucene.apache.org
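
The quoted notice says the JIRA database held unsalted SHA-512 password hashes. As an added illustration (not part of the original thread and not JIRA's code), the Python sketch below contrasts that storage scheme with a per-user salted, iterated KDF; the account names, passwords and PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor, chosen for the example


def unsalted_sha512(password: str) -> str:
    """Scheme named in the notice: one fast hash, no salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: random per-user salt plus an iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def accounts_sharing_a_hash(table: dict) -> list:
    """Group accounts whose stored value is identical, i.e. what a
    copied table reveals about password reuse before any guessing."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts; two of them use the same password.
SAMPLE = {"alice": "lucene2010", "bob": "lucene2010", "carol": "Xq7!vR2#mLp9"}
UNSALTED_TABLE = {u: unsalted_sha512(p) for u, p in SAMPLE.items()}
SALTED_TABLE = {u: salted_record(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("unsalted, shared hashes:", accounts_sharing_a_hash(UNSALTED_TABLE))
    print("salted, shared hashes:  ", accounts_sharing_a_hash(SALTED_TABLE))
```

With no salt, equal passwords yield equal stored values and one precomputed dictionary applies to every account; with a per-user salt and an iterated KDF, each record has to be worked on separately and at a much higher cost per guess.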