
[avr-gcc-list] Savannah Attacked

From: Steven Chang-Lin Yu
Subject: [avr-gcc-list] Savannah Attacked
Date: Sat, 6 Dec 2003 13:11:05 +1000

This is from the Savannah website:


On December 1st, 2003, we discovered that the "Savannah" system, which is
maintained by the Free Software Foundation and provides CVS and development
services to the GNU project and other Free Software projects, was
compromised at circa November 2nd, 2003. 

The compromise seems to be of the same nature as the recent attacks on
Debian project servers; the attacker seemed to operate identically. However,
this incident was distinctly different from the modus operandi we found in
the attacks on our FTP server in August 2003. We have also confirmed that an
unauthorized party gained root access and installed a root-kit ("SucKIT") on
November 2nd, 2003. 

In the interest of continuing cooperation and in helping to improve security
for all essential Free Software infrastructure, and despite important
philosophical differences, we are working closely with Debian project
members to find the perpetrators and to secure essential Free Software
infrastructure for the future. We hope to have future joint announcements
that discuss a unified strategy for addressing these problems. 

For the moment, we are installing replacement hardware for the Savannah
system, and we will begin restoring the Savannah software this week.
Initially, there will be some security related changes which may be
inconvenient for our developers. We will try to ease these as we find secure
ways to do so. We are in particular researching ways to ensure secured
authentication of the source code trees stored on the system. 

We will send more detailed announcements about efforts to verify the
authenticity of the source code hosted on Savannah, and how the community
can help in that effort once we've brought the system back online. 

We hope to have at least minimal services back up by Friday 5 December 2003.

