
Security incident on Alioth and other Alioth news


Alioth's web server was unavailable for most of the 5th of September. It was
simply stopped because we discovered that some script kiddies were running an
IRC proxy. After thorough investigation, we discovered that they exploited a
pmwiki security hole[1] to deface some web pages and to install some malicious PHP
pages, which in turn were used to set up the IRC proxy.

Two pmwiki instances have been put offline, the corresponding project
administrators are already aware of that. 

This security alert is over, however we have way too many projects running some
custom-installed web applications. We're going to review everything that is
installed and come up with suggestions to use the packaged (and thus
security-supported) version of the web applications when possible. We'll
probably ask some projects to stop using some web apps and/or to switch to
another supported one.

However, it would be of great help if all project administrators could check
what they have installed [2] and remove whatever they are not using. Remember
that a service like Alioth is of great use for everybody, but its openness is
also its weakness: do not forget the security implications of your
actions. And if you find something suspicious, please don't hesitate to
inform admin@alioth.debian.org.

Migration of Alioth to a new host

On a related matter, we're preparing the move of Alioth to a new (and bigger)
machine (called wagner.debian.org), and we'll make use of that opportunity to
further strengthen the security measures as well as add more security checks. 

This move will let us merge costa.d.o (svn/bzr/arch/git.d.o) and haydn.d.o
(alioth.debian.org) on a single host. This also means that the transition can't
be 100% transparent, as we will only keep home directories and cron jobs from
haydn.d.o. The files from costa will be made available on the new host during a
transition period, but it wouldn't hurt if you could already clean up your home
directories and put the costa files that you'd like to keep on Alioth.

There's no fixed date for the move yet, but it's likely to happen in the
upcoming weeks. We'll send another notice in time.

Thanks for your comprehension and for your help!

Raphael H.
  on behalf of the Alioth admins

[1] http://www.securityfocus.com/bid/16421/discuss
[2] Check /var/lib/gforge/chroot/home/groups/<project>/ (and what's in htdocs
and cgi-bin in particular) as well as what you can have installed in your
~/public_html/ directory.
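As an added example (not a script from the Alioth admins), the following POSIX shell script walks the directories named in [2] and, for each project htdocs/ and cgi-bin/ and each ~/public_html/, reports how many PHP/CGI scripts it holds, how many were changed in the last 7 days (the incident showed up as freshly written PHP pages), and whether a pmwiki entry script is present. The two root paths are assumptions taken from the mail and a typical home layout; override them from the environment if yours differ.

```shell
#!/bin/sh
# Inventory of web-served content on an Alioth-style host, following the
# check suggested in [2].  Added example, not the Alioth admins' own script.
# Both roots are assumptions; override them from the environment as needed.
GROUPS_ROOT="${GROUPS_ROOT:-/var/lib/gforge/chroot/home/groups}"
HOME_ROOT="${HOME_ROOT:-/home}"

# Number of PHP/CGI/Perl script files under $1; extra find tests in $2..
count_scripts() {
  dir="$1"; shift
  find "$dir" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) "$@" \
    | wc -l | tr -d ' '
}

# One tab-separated line per web directory:
#   kind, path, scripts, scripts modified in the last 7 days, recognised app
inventory_webdir() {
  dir="$1"; kind="$2"
  [ -d "$dir" ] || return 0
  total=$(count_scripts "$dir")
  recent=$(count_scripts "$dir" -mtime -7)
  app="none"
  # pmwiki is recognised by its entry script; it is the app the incident involved
  [ -f "$dir/pmwiki.php" ] && app="pmwiki"
  printf '%s\t%s\t%s\t%s\t%s\n' "$kind" "$dir" "$total" "$recent" "$app"
}

# Walk every project directory and every user's public_html.
inventory_all() {
  for d in "$GROUPS_ROOT"/*/; do
    d="${d%/}"
    [ -d "$d" ] || continue
    inventory_webdir "$d/htdocs" project-htdocs
    inventory_webdir "$d/cgi-bin" project-cgi-bin
  done
  for h in "$HOME_ROOT"/*/public_html; do
    inventory_webdir "$h" user-public_html
  done
}

# Run the inventory only when invoked with --run, so the file can also be
# sourced to reuse the functions.
if [ "${1:-}" = "--run" ]; then
  inventory_all
fi
```

Run it as root with `sh inventory.sh --run | sort -t "$(printf '\t')" -k4,4nr` to see the directories with the most recently changed scripts first.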

Raphaël Hertzog

First French book on Debian GNU/Linux:
