Re: FreeBSD wiki offline for a bit

2013-01-08 Thread Simon L. B. Nielsen
On 6 January 2013 20:40, Simon L. B. Nielsen si...@freebsd.org wrote:
 Hey,

 tl;dr Wiki is back, and everybody with an account needs to reset their password.

Small followup. The wiki's surge protection (yet again) got confused
and blocked the frontend proxy. I think it should be fixed now.

If you see any 'varnish guru meditation' please let me know, and
include the XID number so I can trace it in the logs.

-- 
Simon L. B. Nielsen
Hat: clusteradm
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: FreeBSD wiki offline for a bit

2013-01-06 Thread Simon L. B. Nielsen
Hey,

tl;dr Wiki is back, and everybody with an account needs to reset their password.

On 4 January 2013 22:38, Simon L. B. Nielsen si...@freebsd.org wrote:
 Due to a security issue in the moinmoin wiki software, the FreeBSD
 wiki will be offline for a bit. I do not yet know if the issue
 actually has been exploited in the FreeBSD wiki (haven't had the time
 yet to examine it), but I took the wiki down just in case.

 Note that even if the software was compromised, it was considered
 untrusted from the start and as such heavily sandboxed (including
 jailed) to keep it away from any sensitive FreeBSD.org parts, so there
 is absolutely no reason to believe a compromise would go any further
 than the wiki itself.

 I hope to have the wiki back within 24 hours, assuming not too much
 gets in the way.

 For further reference see: http://moinmo.in/SecurityFixes and
 http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .

 PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

The wiki is back now.

Looking at the logs, there were people attempting to exploit this back
in July, but I do not think they actually succeeded. It seemed to be
mostly automated bots and not a targeted attempt.

The wiki has been reinstalled from scratch and users and pages were
copied. As I did a very selective copy it's entirely possible I made
the wiki unhappy, so let me know if you see issues.

Just to be extra safe I have reset all passwords, so everybody will
need to use the standard account recovery process to set a new
password.

On a side note we have ~23000 user accounts and had 26000 empty pages
mostly caused by spammers, so someone(tm) will likely need to find a
way to change how we handle wiki user accounts to fix this.

PS. The only reason I could see that they tried back in July was that I
found out I had forgotten to set up log rotation, so the wiki logfile
was over 3GB :-). (It was the internal log file, which doesn't contain
user IPs, so the privacy part isn't really an issue.)

-- 
Simon L. B. Nielsen
Hat: clusteradm


FreeBSD wiki offline for a bit

2013-01-04 Thread Simon L. B. Nielsen
Hey,

Due to a security issue in the moinmoin wiki software, the FreeBSD
wiki will be offline for a bit. I do not yet know if the issue
actually has been exploited in the FreeBSD wiki (haven't had the time
yet to examine it), but I took the wiki down just in case.

Note that even if the software was compromised, it was considered
untrusted from the start and as such heavily sandboxed (including
jailed) to keep it away from any sensitive FreeBSD.org parts, so there
is absolutely no reason to believe a compromise would go any further
than the wiki itself.

I hope to have the wiki back within 24 hours, assuming not too much
gets in the way.

For further reference see: http://moinmo.in/SecurityFixes and
http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .

PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

-- 
Simon L. B. Nielsen
Hat: FreeBSD clusteradm / FreeBSD Security Officer