FYI passing this along...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chris Mattmann, Ph.D.
Senior Computer Scientist
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 171-266B, Mailstop: 171-246
Email: chris.mattm...@jpl.nasa.gov
WWW: http://sunset.usc.edu/~mattmann/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adjunct Assistant Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------ Forwarded Message
From: Kevan Miller <kevan.mil...@gmail.com>
Reply-To: <sis-...@incubator.apache.org>
Date: Mon, 12 Apr 2010 06:40:49 -0700
To: <aries-...@incubator.apache.org>, <bval-...@incubator.apache.org>, <sis-...@incubator.apache.org>, <imperius-...@incubator.apache.org>, <vcl-...@incubator.apache.org>, <wink-...@incubator.apache.org>
Subject: Fwd: [NOTICE] compromised jira passwords

Apologies for the cross post, want to be sure the word gets out to my incubator projects...

If you aren't subscribed to commun...@apache, you should be. If you aren't subscribed, please note the following information and take action, if needed.

--kevan

Begin forwarded message:

> From: Joe Schaefer <joe_schae...@yahoo.com>
> Date: April 10, 2010 1:24:14 PM EDT
> To: commun...@apache.org
> Subject: [NOTICE] compromised jira passwords
> Reply-To: commun...@apache.org
>
> Hello Apache community@ [1],
>
> As you are probably aware we have been working to restore services
> that have been compromised by a very targeted attack against Apache's
> jira installation. The good news is that jira is back online, with
> bugzilla and confluence soon to follow [2]. The bad news is that the
> hacker was able to rejigger jira's code to sniff any cookies and
> passwords sent to the server between April 6 and April 9. If you
> used jira at all this week, including via IDEs that interface via
> SOAP, it is IMPERATIVE that you take time to immediately reset your
> jira password, and possibly your ldap password if those match up.
> If you have admin privs in jira your password was reset by us, so
> you'll need to use the password reset form in jira to regain access.
>
> To have a reset password mailed to your contact information in jira,
> visit
>
> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa
>
> When you do log in to jira be sure to double-check your contact info.
>
> To change your ldap password log in to people.apache.org and run
> /usr/sbin/passwd, or else visit https://svn.apache.org/change-password
> .
>
> Thanks for your patience and diligence in this matter. A blog post
> will be forthcoming which will provide details of the attack and
> what we have done to mitigate future hack attempts.
>
>
> [1] feel free to forward this note to any other apache mailing list,
> public or private.
>
> [2] at this time we do not believe the hacker compromised the confluence
> and bugzilla installs, but we are awaiting confirmation from our admins
> before bringing those back online.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: community-unsubscr...@apache.org
> For additional commands, e-mail: community-h...@apache.org
>

------ End of Forwarded Message