Posted to dev@oodt.apache.org by "Mattmann, Chris A (388J)" <ch...@jpl.nasa.gov> on 2010/04/12 15:58:58 UTC

FW: [NOTICE] compromised jira passwords

FYI passing this along...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chris Mattmann, Ph.D.
Senior Computer Scientist
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 171-266B, Mailstop: 171-246
Email: Chris.Mattmann@jpl.nasa.gov
WWW:   http://sunset.usc.edu/~mattmann/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adjunct Assistant Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


------ Forwarded Message
From: Kevan Miller <ke...@gmail.com>
Reply-To: <si...@incubator.apache.org>
Date: Mon, 12 Apr 2010 06:40:49 -0700
To: <ar...@incubator.apache.org>, <bv...@incubator.apache.org>, <si...@incubator.apache.org>, <im...@incubator.apache.org>, <vc...@incubator.apache.org>, <wi...@incubator.apache.org>
Subject: Fwd: [NOTICE] compromised jira passwords

Apologies for the cross post, want to be sure the word gets out to my incubator projects...

If you aren't subscribed to community@apache, you should be. If you aren't subscribed, please note the following information and take action, if needed.

--kevan

Begin forwarded message:

> From: Joe Schaefer <jo...@yahoo.com>
> Date: April 10, 2010 1:24:14 PM EDT
> To: community@apache.org
> Subject: [NOTICE] compromised jira passwords
> Reply-To: community@apache.org
>
> Hello Apache community@ [1],
>
> As you are probably aware we have been working to restore services
> that have been compromised by a very targeted attack against Apache's
> jira installation.  The good news is that jira is back online, with
> bugzilla and confluence soon to follow [2].  The bad news is that the
> hacker was able to rejigger jira's code to sniff any cookies and
> passwords sent to the server between April 6 and April 9.  If you
> used jira at all this week, including via IDEs that interface via
> SOAP, it is IMPERATIVE that you take time to immediately reset your
> jira password, and possibly your ldap password if those match up.
> If you have admin privs in jira your password was reset by us, so
> you'll need to use the password reset form in jira to regain access.
>
> To have a reset password mailed to your contact information in jira,
> visit
>
> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa
>
> When you do log in to jira be sure to double-check your contact info.
>
> To change your ldap password, log in to people.apache.org and run
> /usr/sbin/passwd, or else visit https://svn.apache.org/change-password
> .
>
> Thanks for your patience and diligence in this matter.  A blog post
> will be forthcoming which will provide details of the attack and
> what we have done to mitigate future hack attempts.
>
>
> [1] feel free to forward this note to any other apache mailing list,
> public or private.
>
> [2] at this time we do not believe the hacker compromised the confluence
> and bugzilla installs, but we are awaiting confirmation from our admins
> before bringing those back online.



------ End of Forwarded Message