[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] BerliOS.de comrpomise
From:       Nico Golde <oss-security+ml () ngolde ! de>
Date:       2010-01-20 12:31:42
Message-ID: 20100120123142.GI14634 () ngolde ! de
[Download RAW message or body]


Hi,
* Josh Bressers <bressers@redhat.com> [2010-01-18 22:16]:
> As some of you have heard, it seems that BerliOS was compromised recently.
> http://lwn.net/Articles/369633/
> http://www.h-online.com/open/news/item/BerliOS-open-source-project-portal-falls-victim-to-attack-903990.html
> 
> I've mailed the BerliOS admins with no reply. I'm wondering if anyone has 
> any additional details regarding this.
> 
> The Apache group had a similar incident some years back, and did an 
> incredible job of documenting things:
> http://www.apache.org/info/20010519-hack.html

We (Debian) also contacted them and got a rather distracting reply so far 
which doesn't help much. We are thinking about informing our maintainers to 
check the upstream tarballs. But given the replies in the lwn thread and a 
look at git.berlios.de doesn't give the impression so far that anything has 
been fixed in a secure manner. I'll keep you updated but so far at least (and 
this is my personal opinion) it doesn't look to me like it would be a wise 
decision to host files at BerliOS currently and that BerliOS is interested to 
do what apache has been done.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]