Posted to dev@lucene.apache.org by ro...@apache.org on 2010/04/13 18:25:59 UTC

issues.apache.org compromised: please update your passwords

Dear Lucene Developers,

You are receiving this email because you have a login, 'java-dev@lucene.apache.org', on the Apache JIRA installation, https://issues.apache.org/jira/

On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:

https://blogs.apache.org/infra/entry/apache_org_04_09_2010

We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password
you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it
should be assumed that the attackers can guess your password from the password hash via brute force.

The upshot is that someone malicious may know both your email address and a password of yours.

This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change
your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online
banking sites, or sites known to be related to your email's domain, lucene.apache.org.

Naturally we would also like you to reset your JIRA password. That can be done at:

https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=java-dev@lucene.apache.org

We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email.
We are also available on the #asfinfra IRC channel on irc.freenode.net.


Regards,

The Apache Infrastructure Team

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-dev-help@lucene.apache.org
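The advisory's reasoning (an unsalted SHA-512 hash of a dictionary-word password can be recovered by brute force) is worth seeing in working code. The following is an added example, not part of the advisory or of Apache's JIRA installation: it builds a small constructed user table hashed the way the advisory describes, runs a dictionary attack against it, and then repeats the attack against the same passwords stored with a per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA512, chosen here as the contrast; the page does not say what JIRA later moved to). The usernames, passwords and wordlist are invented for illustration.

```python
import hashlib
import os

# Constructed sample data standing in for a leaked JIRA user table.
# The passwords are invented for illustration only.
_CONSTRUCTED_PASSWORDS = {
    "alice": "lucene",            # dictionary word
    "bob":   "password123",       # in every cracking wordlist
    "carol": "lucene",            # same password as alice
    "dave":  "Xq7!vP2#mL9@wR4$",  # high-entropy, not in any wordlist
}

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["apache", "lucene", "solr", "jira", "password", "password123", "qwerty"]


def sha512_unsalted(password: str) -> str:
    """The scheme the advisory describes: one plain SHA-512 over the password."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def leaked_table() -> dict:
    """What the attacker holds after copying the database: username -> hex hash."""
    return {user: sha512_unsalted(pw) for user, pw in _CONSTRUCTED_PASSWORDS.items()}


def crack_unsalted(table: dict, wordlist) -> tuple:
    """Dictionary attack on unsalted hashes.

    With no salt, every candidate word is hashed once and the result is looked
    up against all leaked hashes at the same time, so the cost is one hash per
    dictionary word no matter how many users leaked.  Returns
    (recovered {user: password}, number of hash computations performed).
    """
    lookup = {sha512_unsalted(w): w for w in wordlist}
    recovered = {user: lookup[h] for user, h in table.items() if h in lookup}
    return recovered, len(wordlist)


# Contrast: a per-user random salt plus a deliberately slow, iterated KDF.
# The iteration count is kept low so the example runs quickly; production
# deployments use far higher values.
ITERATIONS = 50_000


def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def salted_table() -> dict:
    """username -> (salt, hash), each user with a fresh 16-byte random salt."""
    table = {}
    for user, pw in _CONSTRUCTED_PASSWORDS.items():
        salt = os.urandom(16)
        table[user] = (salt, pbkdf2_salted(pw, salt))
    return table


def crack_salted(table: dict, wordlist) -> tuple:
    """The same dictionary attack against salted, iterated hashes.

    The salt forces the wordlist to be re-hashed separately for every user
    (no shared lookup table), and each guess costs ITERATIONS rounds instead
    of one.  Returns (recovered, number of KDF computations performed).
    """
    recovered, work = {}, 0
    for user, (salt, h) in table.items():
        for w in wordlist:
            work += 1
            if pbkdf2_salted(w, salt) == h:
                recovered[user] = w
                break
    return recovered, work


if __name__ == "__main__":
    found, work = crack_unsalted(leaked_table(), WORDLIST)
    print(f"unsalted SHA-512: recovered {found} with {work} hash computations")
    found, work = crack_salted(salted_table(), WORDLIST)
    print(f"salted PBKDF2: recovered {found} with {work} KDF computations "
          f"of {ITERATIONS} iterations each")
```

Two things to notice when running it: in the unsalted table alice and carol share an identical hash, so cracking one password cracks every account that reused it, and the whole wordlist is hashed exactly once for all users. With the salt, their hashes differ, the attacker must redo the wordlist per user, and each guess is tens of thousands of times more expensive. Neither scheme protects dave's high-entropy password any differently, which is the advisory's point: the hash only buys time for passwords that are not already in a wordlist.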


Re: issues.apache.org compromised: please update your passwords

Posted by Grant Ingersoll <gs...@apache.org>.
I wonder if that user was set up a while ago as a way of getting update messages to the mailing list (maybe in the very early days of JIRA before notification schemes).  I'd suggest we disable the account.

-Grant

On Apr 13, 2010, at 8:08 PM, sebb wrote:

> On 14/04/2010, Uwe Schindler <uw...@thetaphi.de> wrote:
>> Hi Grant,
>> 
>> It is that user, who is assigned to the very early JIRA issues, e.g.:
>> https://issues.apache.org/jira/browse/LUCENE-1
>> 
>> I changed the password of this user in response to that email (for security), but I think we should simply let infra remove it. The problem is, almost anybody can instruct JIRA to reset the password and let JIRA send it again to the "email" which is the public java-dev list. And then it is public again.
> 
> If the user is still needed (for whatever reason) maybe the user can
> be disabled, or maybe they can be removed from the list of users who
> have update access to the JIRA.
> 
> But so long as the user is not an administrator, then it's no
> different really from any other account that can be created by Joe
> Public.
> 
>> Uwe
>> 
>> -----
>> Uwe Schindler
>> H.-H.-Meier-Allee 63, D-28213 Bremen
>> http://www.thetaphi.de
>> eMail: uwe@thetaphi.de
>> 
>> 
>>> -----Original Message-----
>>> From: Grant Ingersoll [mailto:gsiasf@gmail.com] On Behalf Of Grant
>>> Ingersoll
>>> Sent: Wednesday, April 14, 2010 1:50 AM
>>> To: java-dev@lucene.apache.org
>>> Subject: Re: issues.apache.org compromised: please update your
>>> passwords
>>> 
>>> FYI, this is for real.  Some have asked me if it is made up.  I don't
>>> know who owns that user, so we should ask on infra, I suspect.  Also,
>>> this applies to all  user accounts too on JIRA.
>>> 
>>> On Apr 13, 2010, at 12:25 PM, root@apache.org wrote:
>>> 
>>>> Dear Lucene Developers,
>>>> 
>>>> You are receiving this email because you have a login, 'java-
>>> dev@lucene.apache.org', on the Apache JIRA installation,
>>> https://issues.apache.org/jira/
>>>> 
>>>> On April 6 the issues.apache.org server was hacked. The attackers
>>> were able to install a trojan JIRA login screen and later get full root
>>> access:
>>>> 
>>>> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
>>>> 
>>>> We are assuming that the attackers have a copy of the JIRA database,
>>> which includes a hash (SHA-512 unsalted) of the password
>>>> you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If
>>> the password you set was not of great quality (eg. based on a
>>> dictionary word), it
>>>> should be assumed that the attackers can guess your password from the
>>> password hash via brute force.
>>>> 
>>>> The upshot is that someone malicious may know both your email address
>>> and a password of yours.
>>>> 
>>>> This is a problem because many people reuse passwords across online
>>> services. If you reuse passwords across systems, we urge you to change
>>>> your passwords on ALL SYSTEMS that might be using the compromised
>>> JIRA password. Prime examples might be gmail or hotmail accounts,
>>> online
>>>> banking sites, or sites known to be related to your email's domain,
>>> lucene.apache.org.
>>>> 
>>>> Naturally we would also like you to reset your JIRA password. That
>>> can be done at:
>>>> 
>>>> 
>>> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?usern
>>> ame=java-dev@lucene.apache.org
>>>> 
>>>> We (the Apache JIRA administrators) sincerely apologize for this
>>> security breach. If you have any questions, please let us know by
>>> email.
>>>> We are also available on the #asfinfra IRC channel on
>>> irc.freenode.net.
>>>> 
>>>> 
>>>> Regards,
>>>> 
>>>> The Apache Infrastructure Team
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
>>>> For additional commands, e-mail: java-dev-help@lucene.apache.org
>>>> 
>>> 
>>> 
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
>>> For additional commands, e-mail: java-dev-help@lucene.apache.org
>> 
>> 
>> 




RE: issues.apache.org compromised: please update your passwords

Posted by Chris Hostetter <ho...@fucit.org>.
: I disabled the account by assigning a dummy eMail and gave it a random password.
: 
: I was not able to unassign the issues, as most issues were "Closed", 
: where no modifications can be done anymore. Reopening and changing 

Uwe: it may be too late (depending on whether you remember the dummy 
password) but an alternate course of action would have been to change the 
email address to the PMC list (private@lucene) which is not publicly 
archived.


-Hoss




RE: issues.apache.org compromised: please update your passwords

Posted by Uwe Schindler <uw...@thetaphi.de>.
> > > Hi Grant,
> > >
> > >  It is that user, who is assigned to the very early JIRA issues,
> e.g.:
> > >  https://issues.apache.org/jira/browse/LUCENE-1
> > >
> > >  I changed the password of this user in response to that email (for
> security), but I think we should simply let infra remove it. The
> problem is, almost anybody can instruct JIRA to reset the password and
> let JIRA send it again to the "email" which is the public java-dev
> list. And then it is public again.
> >
> > If the user is still needed (for whatever reason) maybe the user can
> > be disabled, or maybe they can be removed from the list of users who
> > have update access to the JIRA.
> >
> > But so long as the user is not an administrator, then it's no
> > different really from any other account that can be created by Joe
> > Public.
> 
> Yes, that account has no special access. If someone wants to unassign
> the 319
> issues this user is the 'assignee' of, then the account can be deleted:
> 
> https://issues.apache.org/jira/secure/IssueNavigator.jspa?sorter/order=
> ASC&sorter/field=priority&assignee=java-
> dev%40lucene.apache.org&reset=true&assigneeSelect=specificuser&mode=hid
> e
> 

I disabled the account by assigning a dummy eMail and gave it a random password.

I was not able to unassign the issues, as most issues were "Closed", where no modifications can be done anymore. Reopening and changing assignment and reverting to closed is too risky, as after reopening you don’t know anymore which issues you need to revert to closed after unassignment...

Uwe




Re: issues.apache.org compromised: please update your passwords

Posted by Jeff Turner <je...@apache.org>.
On Wed, Apr 14, 2010 at 01:08:41AM +0100, sebb wrote:
> On 14/04/2010, Uwe Schindler <uw...@thetaphi.de> wrote:
> > Hi Grant,
> >
> >  It is that user, who is assigned to the very early JIRA issues, e.g.:
> >  https://issues.apache.org/jira/browse/LUCENE-1
> >
> >  I changed the password of this user in response to that email (for security), but I think we should simply let infra remove it. The problem is, almost anybody can instruct JIRA to reset the password and let JIRA send it again to the "email" which is the public java-dev list. And then it is public again.
> 
> If the user is still needed (for whatever reason) maybe the user can
> be disabled, or maybe they can be removed from the list of users who
> have update access to the JIRA.
> 
> But so long as the user is not an administrator, then it's no
> different really from any other account that can be created by Joe
> Public.

Yes, that account has no special access. If someone wants to unassign the 319
issues this user is the 'assignee' of, then the account can be deleted:

https://issues.apache.org/jira/secure/IssueNavigator.jspa?sorter/order=ASC&sorter/field=priority&assignee=java-dev%40lucene.apache.org&reset=true&assigneeSelect=specificuser&mode=hide


--Jeff

> >  Uwe
> >
> >  -----
> >  Uwe Schindler
> >  H.-H.-Meier-Allee 63, D-28213 Bremen
> >  http://www.thetaphi.de
> >  eMail: uwe@thetaphi.de
> >
> >
> >  > -----Original Message-----
> >  > From: Grant Ingersoll [mailto:gsiasf@gmail.com] On Behalf Of Grant
> >  > Ingersoll
> >  > Sent: Wednesday, April 14, 2010 1:50 AM
> >  > To: java-dev@lucene.apache.org
> >  > Subject: Re: issues.apache.org compromised: please update your
> >  > passwords
> >  >
> >  > FYI, this is for real.  Some have asked me if it is made up.  I don't
> >  > know who owns that user, so we should ask on infra, I suspect.  Also,
> >  > this applies to all  user accounts too on JIRA.
> >  >
> >  > On Apr 13, 2010, at 12:25 PM, root@apache.org wrote:
> >  >
> >  > > Dear Lucene Developers,
> >  > >
> >  > > You are receiving this email because you have a login, 'java-
> >  > dev@lucene.apache.org', on the Apache JIRA installation,
> >  > https://issues.apache.org/jira/
> >  > >
> >  > > On April 6 the issues.apache.org server was hacked. The attackers
> >  > were able to install a trojan JIRA login screen and later get full root
> >  > access:
> >  > >
> >  > > https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> >  > >
> >  > > We are assuming that the attackers have a copy of the JIRA database,
> >  > which includes a hash (SHA-512 unsalted) of the password
> >  > > you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If
> >  > the password you set was not of great quality (eg. based on a
> >  > dictionary word), it
> >  > > should be assumed that the attackers can guess your password from the
> >  > password hash via brute force.
> >  > >
> >  > > The upshot is that someone malicious may know both your email address
> >  > and a password of yours.
> >  > >
> >  > > This is a problem because many people reuse passwords across online
> >  > services. If you reuse passwords across systems, we urge you to change
> >  > > your passwords on ALL SYSTEMS that might be using the compromised
> >  > JIRA password. Prime examples might be gmail or hotmail accounts,
> >  > online
> >  > > banking sites, or sites known to be related to your email's domain,
> >  > lucene.apache.org.
> >  > >
> >  > > Naturally we would also like you to reset your JIRA password. That
> >  > can be done at:
> >  > >
> >  > >
> >  > https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?usern
> >  > ame=java-dev@lucene.apache.org
> >  > >
> >  > > We (the Apache JIRA administrators) sincerely apologize for this
> >  > security breach. If you have any questions, please let us know by
> >  > email.
> >  > > We are also available on the #asfinfra IRC channel on
> >  > irc.freenode.net.
> >  > >
> >  > >
> >  > > Regards,
> >  > >
> >  > > The Apache Infrastructure Team
> >  > >
> >  > > ---------------------------------------------------------------------
> >  > > To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
> >  > > For additional commands, e-mail: java-dev-help@lucene.apache.org
> >  > >
> >  >
> >  >
> >  >
> >  > ---------------------------------------------------------------------
> >  > To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
> >  > For additional commands, e-mail: java-dev-help@lucene.apache.org
> >
> >
> >



RE: issues.apache.org compromised: please update your passwords

Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi Grant,

It is that user, who is assigned to the very early JIRA issues, e.g.:
https://issues.apache.org/jira/browse/LUCENE-1

I changed the password of this user in response to that email (for security), but I think we should simply let infra remove it. The problem is, almost anybody can instruct JIRA to reset the password and let JIRA send it again to the "email" which is the public java-dev list. And then it is public again.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: Grant Ingersoll [mailto:gsiasf@gmail.com] On Behalf Of Grant
> Ingersoll
> Sent: Wednesday, April 14, 2010 1:50 AM
> To: java-dev@lucene.apache.org
> Subject: Re: issues.apache.org compromised: please update your
> passwords
> 
> FYI, this is for real.  Some have asked me if it is made up.  I don't
> know who owns that user, so we should ask on infra, I suspect.  Also,
> this applies to all  user accounts too on JIRA.
> 
> On Apr 13, 2010, at 12:25 PM, root@apache.org wrote:
> 
> > Dear Lucene Developers,
> >
> > You are receiving this email because you have a login, 'java-
> dev@lucene.apache.org', on the Apache JIRA installation,
> https://issues.apache.org/jira/
> >
> > On April 6 the issues.apache.org server was hacked. The attackers
> were able to install a trojan JIRA login screen and later get full root
> access:
> >
> > https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> >
> > We are assuming that the attackers have a copy of the JIRA database,
> which includes a hash (SHA-512 unsalted) of the password
> > you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If
> the password you set was not of great quality (eg. based on a
> dictionary word), it
> > should be assumed that the attackers can guess your password from the
> password hash via brute force.
> >
> > The upshot is that someone malicious may know both your email address
> and a password of yours.
> >
> > This is a problem because many people reuse passwords across online
> services. If you reuse passwords across systems, we urge you to change
> > your passwords on ALL SYSTEMS that might be using the compromised
> JIRA password. Prime examples might be gmail or hotmail accounts,
> online
> > banking sites, or sites known to be related to your email's domain,
> lucene.apache.org.
> >
> > Naturally we would also like you to reset your JIRA password. That
> can be done at:
> >
> >
> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?usern
> ame=java-dev@lucene.apache.org
> >
> > We (the Apache JIRA administrators) sincerely apologize for this
> security breach. If you have any questions, please let us know by
> email.
> > We are also available on the #asfinfra IRC channel on
> irc.freenode.net.
> >
> >
> > Regards,
> >
> > The Apache Infrastructure Team
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
> > For additional commands, e-mail: java-dev-help@lucene.apache.org
> >
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
> For additional commands, e-mail: java-dev-help@lucene.apache.org





Re: issues.apache.org compromised: please update your passwords

Posted by Grant Ingersoll <gs...@apache.org>.
FYI, this is for real.  Some have asked me if it is made up.  I don't know who owns that user, so we should ask on infra, I suspect.  Also, this applies to all user accounts too on JIRA.

On Apr 13, 2010, at 12:25 PM, root@apache.org wrote:

> Dear Lucene Developers,
> 
> You are receiving this email because you have a login, 'java-dev@lucene.apache.org', on the Apache JIRA installation, https://issues.apache.org/jira/
> 
> On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:
> 
> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> 
> We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password
> you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it
> should be assumed that the attackers can guess your password from the password hash via brute force.
> 
> The upshot is that someone malicious may know both your email address and a password of yours.
> 
> This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change
> your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online
> banking sites, or sites known to be related to your email's domain, lucene.apache.org.
> 
> Naturally we would also like you to reset your JIRA password. That can be done at:
> 
> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=java-dev@lucene.apache.org
> 
> We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email.
> We are also available on the #asfinfra IRC channel on irc.freenode.net.
> 
> 
> Regards,
> 
> The Apache Infrastructure Team
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
> For additional commands, e-mail: java-dev-help@lucene.apache.org
> 


