Savannah, SQL Injection, Passwords, and Security Posture
From: Jeffrey Walton
Subject: Savannah, SQL Injection, Passwords, and Security Posture
Date: Thu, 2 Dec 2010 15:34:47 -0500
Hi All,
According to http://savannah.gnu.org/, the server was down for a few
days due to a SQL Injection. Because the server did not properly
sanitize its data, the password database was compromised.
Today, I tried to change my password to a similar password.
Surprisingly, the change was rejected because the password was too
similar. The "surprising" part is it appears GNU is storing passwords
in plain text.
I'm going out on a limb and guessing that the free software stored the
passwords in plain text. "Password Security: A Case History" by
Morris and Thompson was written in the 1970s. Sadly, GNU has totally
punted on lessons learned in the past.
The GnuTLS project happily uses dangerous string functions. Use of the
functions appears unaudited, suffering unchecked buffer overflows and
truncations. In fact, the project took a buffer overflow report today
due to a call to sprintf. Sadly, GNU has totally punted on lessons
learned in the past (again).
Would someone be able to provide GNU's policy regarding application
security and proper use of cryptography in GNU projects? "GNU Coding
Standards" (http://www.gnu.org/prep/standards/standards.html) does not
address anything security related. I'm very interested in learning
about GNU's security posture.
Jeff
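The two problems raised in the message above, a query built from user input and a password store that can tell whether a new password resembles the old one, as an added example written for this archive page. It is not Savannah's code and makes no claim about how Savannah was actually implemented. It builds a small SQLite login table, shows the string-built lookup beside the parameterized one, stores only a salted PBKDF2 digest, and implements a change-password flow that can still reject a too-similar password because the request carries the current password. The user names, passwords, iteration count and similarity threshold are constructed assumptions.

```python
"""Parameterized queries and salted password hashing for a login table.

Illustrative code for this page, not Savannah's. All sample users,
passwords and tuning constants below are constructed for the example.
"""
import difflib
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000   # assumption: tune to your hardware budget
SIMILARITY_LIMIT = 0.8        # assumption: SequenceMatcher ratio at/above this is "too similar"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation; only this digest (never the password) is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification timing does not leak the digest."""
    return hmac.compare_digest(hash_password(password, salt), digest)


def open_db() -> sqlite3.Connection:
    """In-memory users table: name, per-user random salt, PBKDF2 digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )
    conn.commit()


def find_users_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Lookup built by string formatting: the input becomes part of the SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))


def find_users_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    return sorted(row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,)))


def dump_table(conn: sqlite3.Connection) -> list:
    """What an injection that reads the whole table would hand an attacker."""
    return conn.execute("SELECT name, salt, digest FROM users").fetchall()


def plaintext_leaked(conn: sqlite3.Connection, password: str) -> bool:
    """True only if the password itself sits in a stored column, i.e. plaintext storage."""
    needle = password.encode("utf-8")
    return any(needle in (salt, digest) for _, salt, digest in dump_table(conn))


def check_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0], row[1])


def change_password(conn: sqlite3.Connection, name: str, old: str, new: str) -> str:
    """Reject a too-similar new password without keeping plaintext at rest.

    The old password is available for comparison only because this request
    carries it; nothing but salt and digest is ever written to the table.
    """
    if not check_login(conn, name, old):
        return "rejected: current password does not verify"
    if difflib.SequenceMatcher(None, old, new).ratio() >= SIMILARITY_LIMIT:
        return "rejected: too similar to current password"
    salt = os.urandom(16)
    conn.execute(
        "UPDATE users SET salt = ?, digest = ? WHERE name = ?",
        (salt, hash_password(new, salt), name),
    )
    conn.commit()
    return "changed"


if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "hunter2")          # constructed sample data
    add_user(db, "bob", "correct horse")
    print(find_users_vulnerable(db, "x' OR '1'='1"))   # every user: injected OR clause
    print(find_users_safe(db, "x' OR '1'='1"))         # []: the string is just a name
    print(plaintext_leaked(db, "hunter2"))             # False: only salt and digest stored
    print(change_password(db, "alice", "hunter2", "hunter3"))
    print(change_password(db, "alice", "hunter2", "Tr0ub4dor&3"))
```

The injected name `x' OR '1'='1` turns the formatted query into `WHERE name = 'x' OR '1'='1'` and returns every row, while the bound parameter matches nothing. Dumping the table after that injection yields salts and digests, not passwords. The similarity check in `change_password` works on the current password supplied in the request, so a server that asks for the current password at change time can reject a near-duplicate while holding only hashes; a check against passwords older than the one just typed is what would require plaintext or an equivalently reversible store.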
- Savannah, SQL Injection, Passwords, and Security Posture, Jeffrey Walton (this message)
- Re: Savannah, SQL Injection, Passwords, and Security Posture, Nikos Mavrogiannopoulos, 2010/12/05
- Re: Savannah, SQL Injection, Passwords, and Security Posture, Simon Josefsson, 2010/12/06