Re: BerliOS.de comrpomise

[Nico Golde <oss-security+ml () ngolde de>]

Hi,
* Josh Bressers <bressers () redhat com> [2010-01-18 22:16]:
> As some of you have heard, it seems that BerliOS was compromised recently.
> http://lwn.net/Articles/369633/
> http://www.h-online.com/open/news/item/BerliOS-open-source-project-portal-falls-victim-to-attack-903990.html
>
> I've mailed the BerliOS admins with no reply. I'm wondering if anyone has 
> any additional details regarding this.
>
> The Apache group had a similar incident some years back, and did an 
> incredible job of documenting things:
> http://www.apache.org/info/20010519-hack.html

We (Debian) also contacted them and got a rather distracting reply so far 
which doesn't help much. We are thinking about informing our maintainers to 
check the upstream tarballs. But given the replies in the lwn thread and a 
look at git.berlios.de doesn't give the impression so far that anything has 
been fixed in a secure manner. I'll keep you updated but so far at least (and 
this is my personal opinion) it doesn't look to me like it would be a wise 
decision to host files at BerliOS currently and that BerliOS is interested to 
do what apache has been done.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: