[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debian-users:56674] Fw: wiki.debian.org security breach



 やまねです。

 Debian Wikiが利用しているWikiソフトウェア moin の脆弱性(*)を突かれたので、
 新サーバーを構築、全アカウントについてパスワードをリセットしたそうです。
 Wikiをご利用の方は適宜更新ください。

 *) http://www.debian.org/security/2012/dsa-2593


 なお、今のところ侵入の形跡は見当たらないようで、監査が行われています。
 

Begin forwarded message:

Date: Fri, 4 Jan 2013 14:44:22 +0000
From: Steve McIntyre <93sam@debian.org>
To: debian-devel-announce@lists.debian.org
Subject: wiki.debian.org security breach


Dear editors of the Debian wiki,

The Debian Security Team recently issued Debian Security Announcement
2593-1 [1] regarding the 'moin' package [2] and a remote arbitrary
code execution vulnerability in the twikidraw / anywikidraw
components. Debian's wiki [3] is implemented using 'moin' and includes
support for the twikidraw component.

A review of the apache2 log files for wiki.debian.org reveal that this
vulnerability was exploited successfully. As a consequence, the
wiki.debian.org service has been moved from the old server to a new
server using the fixed package and with a corresponding restructuring
of the deployment methodology.

We are currently conducting an audit of the old server to determine
the extent of the penetration. At this time, we have no evidence to
indicate that the intrusion was particularly successful (logs have not
been altered; root escalation has not been detected). That said, the
audit is ongoing. Should the audit reveal a greater penetration than
currently understood, a follow-up email detailing our findings will be
issued.

At this time, we are resetting all wiki account passwords for
safety. Existing wiki account holders will need to follow the password
recovery process [4] in order to regain access to their accounts. We
apologise for the inconvenience to users.

If you have any questions or concerns, please contact the Debian Wiki
Administrator Team [5] and/or the Debian System Administration Team [6].

Finally, we'd like to thank Peter Palfrader for reacting quickly to
the Debian Security Announcement, taking time away from his conference
to move wiki.debian.org to the new server.

With kind regards,
Steve McIntyre for the Debian Wiki Administrator Team
Luca Filipozzi for the Debian System Administration Team

[1] http://www.debian.org/security/2012/dsa-2593
[2] http://packages.qa.debian.org/m/moin.html
[3] http://wiki.debian.org
[4] http://wiki.debian.org/FrontPage?action=recoverpass
[5] debian-www@lists.debian.org
[6] debian-admin@debian.org

--
Steve McIntyre                                        93sam@debian.org
Debian wiki admin - wiki.debian.org

Attachment: signature.asc
Description: PGP signature

Attachment: pgpGkhHWRqxg1.pgp
Description: PGP signature