Hi,

Alioth's web server was unavailable for most of the 5th of September. It was simply stopped because we discovered that some script kiddies were running an IRC proxy. After thorough investigation, we discovered that they had exploited a pmwiki security hole [1] to deface some web pages and to install some malicious PHP pages, which in turn were used to set up the IRC proxy. Two pmwiki instances have been put offline; the corresponding project administrators are already aware of that.

This security alert is over. However, we have far too many projects running custom-installed web applications. We're going to review everything that is installed and come up with suggestions to use the packaged (and thus security-supported) version of the web applications where possible. We'll probably ask some projects to stop using some web apps and/or to switch to another supported one. However, it would be of great help if all project administrators could check what they have installed [2] and remove whatever they are not using.

Remember that a service like Alioth is of great use to everybody, but its openness is also its weakness: do not forget the security implications of your actions. And if you find something suspicious, please don't hesitate to inform admin@alioth.debian.org.

Migration of Alioth to a new host
---------------------------------

On a related matter, we're preparing the move of Alioth to a new (and bigger) machine (called wagner.debian.org), and we'll make use of that opportunity to further strengthen the security measures as well as add more security checks. This move will let us merge costa.d.o (svn/bzr/arch/git.d.o) and haydn.d.o (alioth.debian.org) onto a single host. This also means that the transition can't be 100% transparent, as we will only keep home directories and cron jobs from haydn.d.o.

The files from costa will be made available on the new host during a transition period, but it wouldn't hurt if you could already clean up your home directories and put the costa files that you'd like to keep on Alioth.

There's no fixed date for the move yet, but it's likely to happen in the upcoming weeks. We'll send another notice in time.

Thanks for your understanding and for your help!

Raphael H.
on behalf of the Alioth admins

[1] http://www.securityfocus.com/bid/16421/discuss
[2] Check /var/lib/gforge/chroot/home/groups/<project>/ (and what's in htdocs and cgi-bin in particular) as well as what you may have installed in your ~/public_html/ directory.

-- 
Raphaël Hertzog
First French book on Debian GNU/Linux : http://www.ouaza.com/livre/admin-debian/
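The audit that the announcement asks project administrators to do (footnote [2]: look at each project's htdocs and cgi-bin under the GForge chroot, plus ~/public_html) is easy to get wrong by hand on a host with many projects. The script below is an added example, not code from the Alioth admins or from the message above. It only inventories: for every project web directory and every user public_html it reports how many server-side script files (php/cgi/pl/py) are present, how many files changed in the last 7 days, and the top-level entries (where custom-installed apps such as a wiki usually sit). The defaults for GROUPS_ROOT (the path from footnote [2]) and HOMES_ROOT (/home, an assumption) can be overridden through the environment; the 7-day window is an arbitrary heuristic, not a fact from the incident. It relies on standard find/ls/wc as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the Alioth admins): inventory custom web content on a
# GForge-style shared host so that admins can see what is installed and prune it.
#
# Assumptions (override via environment):
#   GROUPS_ROOT - per-project group directories; default taken from footnote [2]
#   HOMES_ROOT  - where user home directories live; /home is an assumption
GROUPS_ROOT="${GROUPS_ROOT:-/var/lib/gforge/chroot/home/groups}"
HOMES_ROOT="${HOMES_ROOT:-/home}"

# Number of server-side script files below a directory (these are what an
# attacker needs in order to run code through the web server).
count_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' -o -name '*.py' \) \
        | wc -l | tr -d ' '
}

# Number of files modified within the last N days (heuristic: freshly planted
# pages show up here even when they hide among legitimate app files).
count_recent() {
    find "$1" -type f -mtime "-$2" | wc -l | tr -d ' '
}

# One tab-separated report line for a web directory; silent if it does not exist.
report() {
    label="$1"; dir="$2"
    [ -d "$dir" ] || return 0
    scripts=$(count_scripts "$dir")
    recent=$(count_recent "$dir" 7)
    # Top-level entries are where separately installed apps (e.g. a wiki) live.
    apps=$(ls -1 "$dir" | tr '\n' ' ')
    printf '%s\t%s\tscripts=%s\tmodified<7d=%s\ttop-level: %s\n' \
        "$label" "$dir" "$scripts" "$recent" "$apps"
}

# Walk every project's htdocs and cgi-bin, then every user's public_html.
inventory() {
    groups_root="$1"; homes_root="$2"
    for p in "$groups_root"/*/; do
        [ -d "$p" ] || continue
        proj=$(basename "$p")
        for sub in htdocs cgi-bin; do
            report "$proj" "$p$sub"
        done
    done
    for h in "$homes_root"/*/public_html; do
        [ -d "$h" ] || continue
        report "$(basename "$(dirname "$h")")" "$h"
    done
}

# Run the inventory only when the configured roots actually exist, so the
# functions can also be sourced and called on a different tree.
if [ -d "$GROUPS_ROOT" ] || [ -d "$HOMES_ROOT" ]; then
    inventory "$GROUPS_ROOT" "$HOMES_ROOT"
fi
```

Run it as root (the group directories are not world-readable on every setup) and sort on the scripts= or modified<7d= column; a project whose htdocs holds a wiki nobody remembers installing, or a public_html with PHP files that changed this week, is where to look first. The script deliberately makes no judgement about what is malicious: that remains the administrator's job, as the announcement says.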